
Stops sanitizing the #src attribute for <img>, <video>, <audio>
… and `<source>`. Modern browsers no longer execute `javascript:` URLs loaded through these sinks, so rewriting them buys nothing.

RELNOTES: Stops sanitizing the #src attribute for `<img>`, `<video>`, `<audio>` and <source>.
PiperOrigin-RevId: 513533137
Change-Id: I038549c81200fafb0b6db6f1856b9744a51773c1
Closure Team authored and copybara-github committed Mar 2, 2023
1 parent b12e80d commit 6e384c9
Showing 1 changed file with 39 additions and 105 deletions.
144 changes: 39 additions & 105 deletions closure/goog/html/sanitizer/html_test_vectors.js
Expand Up @@ -11,6 +11,38 @@ goog.provide('goog.html.htmlTestVectors');
goog.setTestOnly();

goog.html.htmlTestVectors.HTML_TEST_VECTORS = [
{input: "<a href=\"javascript:alert('xss');\">foo</a>",
acceptable: [
"<a href=\"javascript:void(0);\">foo</a>",
"<a href=\"about:invalid#zGoSafez\">foo</a>",
"<a href=\"about:invalid#zCSafez\">foo</a>",
"<a>foo</a>",
"<a href=\"unsafe:javascript:alert('xss');\">foo</a>",
"<a href=\"about:invalid#zClosurez\">foo</a>",
"<a href=\"javascript:alert('xss');\" >foo</a>",
],
name: "a"},
{input: "<a href=javascript:alert(&quot;XSS&quot;)>foo</a>",
acceptable: [
"<a href=\"javascript:void(0);\">foo</a>",
"<a href=\"about:invalid#zGoSafez\">foo</a>",
"<a>foo</a>",
"<a href=\"about:invalid#zCSafez\">foo</a>",
"<a href=\"unsafe:javascript:alert(&#34;XSS&#34;)\">foo</a>",
"<a href=\"about:invalid#zClosurez\">foo</a>",
],
name: "a_quot"},
{input: "<a href=\"jav&#x09;ascript:alert('xss');\">foo</a>",
acceptable: [
"<a href=\"javascript:void(0);\">foo</a>",
"<a href=\"about:invalid#zGoSafez\">foo</a>",
"<a href=\"about:invalid#zCSafez\">foo</a>",
"<a>foo</a>",
"<a href=\"unsafe:jav&#9;ascript:alert('xss');\">foo</a>",
"<a href=\"about:invalid#zClosurez\">foo</a>",
"<a href=\"jav&#9;ascript:alert('xss');\">foo</a>",
],
name: "a_tab"},
{input: "<body onload=alert('xss')>",
acceptable: [
"",
Expand Down Expand Up @@ -67,19 +99,6 @@ goog.html.htmlTestVectors.HTML_TEST_VECTORS = [
"<iframe />",
],
name: "iframe_srcdoc"},
{input: "<img src=\"javascript:alert('xss');\">",
acceptable: [
"<img src=\"javascript:void(0);\">",
"<img src=\"about:invalid#zGoSafez\"/>",
"<img src=\"about:invalid#zCSafez\" />",
"<img src=\"about:invalid#zCSafez\">",
"<img>",
"<img />",
"<img src=\"unsafe:javascript:alert('xss');\">",
"<img src=\"about:invalid#zTSz\" />",
"<img src=\"about:invalid#zClosurez\" />",
],
name: "img"},
{input: "<!--<img src=\"--><img src=x onerror=alert('xss')//\">",
acceptable: [
"<img />",
Expand Down Expand Up @@ -109,19 +128,6 @@ goog.html.htmlTestVectors.HTML_TEST_VECTORS = [
"<img />",
],
name: "img_onerror"},
{input: "<img src=javascript:alert(&quot;XSS&quot;)>",
acceptable: [
"<img src=\"javascript:void(0);\">",
"<img src=\"about:invalid#zGoSafez\"/>",
"<img src=\"about:invalid#zCSafez\">",
"<img>",
"<img />",
"<img src=\"about:invalid#zCSafez\" />",
"<img src=\"unsafe:javascript:alert(&#34;XSS&#34;)\">",
"<img src=\"about:invalid#zTSz\" />",
"<img src=\"about:invalid#zClosurez\" />",
],
name: "img_quot"},
{input: "<style><img src=\"</style><img src=x onerror=alert('xss')//\">",
acceptable: [
"",
Expand All @@ -133,19 +139,6 @@ goog.html.htmlTestVectors.HTML_TEST_VECTORS = [
"<img src=\"javascript:void(0);\">",
],
name: "img_style"},
{input: "<img src=\"jav&#x09;ascript:alert('xss');\">",
acceptable: [
"<img src=\"javascript:void(0);\">",
"<img src=\"about:invalid#zGoSafez\"/>",
"<img src=\"about:invalid#zCSafez\">",
"<img src=\"about:invalid#zCSafez\" />",
"<img>",
"<img />",
"<img src=\"unsafe:jav&#9;ascript:alert('xss');\">",
"<img src=\"about:invalid#zTSz\" />",
"<img src=\"about:invalid#zClosurez\" />",
],
name: "img_tab"},
{input: "<input type=\"image\" src=\"javascript:alert('xss');\">",
acceptable: [
"",
Expand Down Expand Up @@ -278,17 +271,14 @@ goog.html.htmlTestVectors.HTML_TEST_VECTORS = [
"",
],
name: "svg"},
{input: "<img src=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>",
{input: "<a src=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>foo</a>",
acceptable: [
"<img src=\"javascript:void(0);\">",
"<img src=\"about:invalid#zGoSafez\"/>",
"<img src=\"about:invalid#zCSafez\">",
"<img>",
"<img />",
"<img src=\"about:invalid#zCSafez\" />",
"<img src=\"unsafe:javascript:alert('XSS')\">",
"<img src=\"about:invalid#zTSz\" />",
"<img src=\"about:invalid#zClosurez\" />",
"<a src=\"javascript:void(0);\">foo</a>",
"<a src=\"about:invalid#zGoSafez\">foo</a>",
"<a src=\"about:invalid#zCSafez\">foo</a>",
"<a src=\"unsafe:javascript:alert('XSS')\">foo</a>",
"<a src=\"about:invalid#zTSz\" />foo</a>",
"<a>foo</a>",
],
name: "unicode"},
{input: "<html></html>",
Expand Down Expand Up @@ -7939,20 +7929,6 @@ goog.html.htmlTestVectors.HTML_TEST_VECTORS = [
"<table><source><td></td></table>",
],
name: "contract_source_scriptinside"},
{input: "<source src=\"javascript:xss\">",
acceptable: [
"<source src=\"unsafe:javascript:xss\"></source>",
"<source src=\"unsafe:javascript:xss\">",
"<source src=\"unsafe:javascript:xss\"/>",
"<source></source>",
"<source>",
"<source/>",
"<source />",
"<span></span>",
"<span />",
"",
],
name: "contract_source_src"},
{input: "<source srcdoc=\"x\">",
acceptable: [
"<source></source>",
Expand Down Expand Up @@ -8057,20 +8033,6 @@ goog.html.htmlTestVectors.HTML_TEST_VECTORS = [
"<table><img><td></td></table>",
],
name: "contract_img_scriptinside"},
{input: "<img src=\"javascript:xss\">",
acceptable: [
"<img src=\"unsafe:javascript:xss\"></img>",
"<img src=\"unsafe:javascript:xss\">",
"<img src=\"unsafe:javascript:xss\"/>",
"<img></img>",
"<img>",
"<img/>",
"<img />",
"<span></span>",
"<span />",
"",
],
name: "contract_img_src"},
{input: "<img srcdoc=\"x\">",
acceptable: [
"<img></img>",
Expand Down Expand Up @@ -8540,20 +8502,6 @@ goog.html.htmlTestVectors.HTML_TEST_VECTORS = [
"<table><td></td></table>",
],
name: "contract_video_scriptinside"},
{input: "<video src=\"javascript:xss\">",
acceptable: [
"<video src=\"unsafe:javascript:xss\"></video>",
"<video src=\"unsafe:javascript:xss\">",
"<video src=\"unsafe:javascript:xss\"/>",
"<video></video>",
"<video>",
"<video/>",
"<video />",
"<span></span>",
"<span />",
"",
],
name: "contract_video_src"},
{input: "<video srcdoc=\"x\">",
acceptable: [
"<video></video>",
Expand Down Expand Up @@ -8658,20 +8606,6 @@ goog.html.htmlTestVectors.HTML_TEST_VECTORS = [
"<table><td></td></table>",
],
name: "contract_audio_scriptinside"},
{input: "<audio src=\"javascript:xss\">",
acceptable: [
"<audio src=\"unsafe:javascript:xss\"></audio>",
"<audio src=\"unsafe:javascript:xss\">",
"<audio src=\"unsafe:javascript:xss\"/>",
"<audio></audio>",
"<audio>",
"<audio/>",
"<audio />",
"<span></span>",
"<span />",
"",
],
name: "contract_audio_src"},
{input: "<audio srcdoc=\"x\">",
acceptable: [
"<audio></audio>",
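Review bot: In the retargeted `unicode` vector (the `@@ -278,17 +271,14 @@` hunk), `<a>` has no `src` attribute, so the entity-encoded `javascript:` payload no longer sits in a URL sink the sanitizer has to decide about; the navigable attribute on `<a>` is `href`, which is what the three new `a`/`a_quot`/`a_tab` vectors at the top of the file use. If the goal is to keep an entity-decoded `javascript:` case in a live URL sink, the input should be `{input: "<a href=&#106;&#97;…&#41;>foo</a>",` with the acceptable entries switched to `href` as well; as written the `src` entries presumably just pass through whatever policy applies to an unknown attribute. The acceptable entry `"<a src=\"about:invalid#zTSz\" />foo</a>"` is also malformed (a self-closing `<a … />` followed by a stray `</a>`), apparently a mechanical `img`→`a` rewrite of the old `"<img src=\"about:invalid#zTSz\" />"`; it can never match a serializer's output and should read `"<a href=\"about:invalid#zTSz\">foo</a>"`. Separately, the deleted `contract_img_src`, `contract_source_src`, `contract_video_src` and `contract_audio_src` vectors are not replaced by anything that pins the new behavior, so `src` on these elements is now simply untested in either direction. A vector whose acceptable list includes the untouched `"<img src=\"javascript:xss\">"` alongside the older rewritten forms would encode the "these sinks no longer execute javascript:" assumption in the test data and make a future reversal of that decision visible.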
