No error messages for removed IFRAME tags. Childless IFRAME, SCRIPT, LINK tags always removed despite policy configuration.
Closed this issue · 12 comments
I was looking for ways to throw an exception on a validation failure (i.e.
remove or truncate). I was hoping that all validation failures would be
logged to errorMessages, but this does not seem to be the case.
Specifically, the anchor tag below throws an exception but the iframe tag
does not.
Exception from line 5
<a href="javascript:alert('hacked!');">click me</a>
No Exception
<iframe src='http://www.google.com'></iframe>
1. AntiSamy antiSamy = new AntiSamy();
2. CleanResults cleanResults = antiSamy.scan(canonical, SLASHDOT_POLICY);
3.
4. if(!cleanResults.getErrorMessages().isEmpty()) {
5. throw getException(name);
6. }
After further testing, it seems that iframe, link, and script tags without
child nodes are removed without an error message. Specifically, these tags
are not in the allowedEmptyTags array, so they are nuked. This also means
that these tags will always be removed despite the policy setting.
No Error Message
<iframe src='http://www.hacker.com/fishing.html'></iframe>
<link rel="stylesheet" type="text/css"
href="http://www.hacker.com/takeover.css"/>
<script src='http://www.hacker.com/takeover.js'></script>
Error Message
<iframe src='http://www.hacker.com/fishing.html'> </iframe>
<script src='http://www.hacker.com/takeover.js'> </script>
Original issue reported on code.google.com by wmlu...@gmail.com
on 13 May 2009 at 6:07
Original comment by arshan.d...@gmail.com
on 11 Jun 2009 at 1:18
Original comment by arshan.d...@gmail.com
on 11 Jun 2009 at 1:18
- Changed state: Accepted
I also noticed that if I included the AntiSamy-bin.1.3.jar from inside the AntiSamyDemoWarApp.war that it worked correctly. Script injections were correctly flagged as errors.
Doing a diff on the two jar files shows that something was changed in AntiSamyDOMScanner, AntiSamy and Policy. I wonder if the jar included in AntiSamyDemoWarApp was a pre-release of 1.3 or a more current build since 1.3.
Original comment by cam.morris@gmail.com
on 2 Jul 2009 at 5:07
I have some additional junit tests that I was using to debug (Attached). Maybe this can help.
Original comment by cam.morris@gmail.com
on 2 Jul 2009 at 5:09
I just checked out from subversion the latest and re-ran the tests and they still fail. So I'm assuming that the version inside of the AntiSamyDemoWarApp is a pre-release version of 1.3.
Original comment by cam.morris@gmail.com
on 2 Jul 2009 at 8:11
One more note. The 1.2 build of antisamy works correctly for this issue also.
Original comment by cam.morris@gmail.com
on 2 Jul 2009 at 8:27
Original comment by arshan.d...@gmail.com
on 3 Aug 2009 at 2:50
- Added labels: Priority-High
- Removed labels: Priority-Medium
Original comment by arshan.d...@gmail.com
on 3 Aug 2009 at 3:16
- Changed state: Fixed
How has this been fixed? I didn't see any related check-ins while browsing the
repository.
Original comment by wmlu...@gmail.com
on 17 Aug 2009 at 6:36
This does appear to be a real issue, can it be reopened?
Original comment by lanc...@gmail.com
on 3 Sep 2009 at 10:14
Yes I agree that this is still an issue. I made my own build to get around it. I just commented out where empty elements are removed in AntiSamyDOMScanner. Attached is the diff if you want to do the same.
Original comment by cam.morris@gmail.com
on 3 Sep 2009 at 10:35
There is another issue, if you try and clean the fragment:
<iframe src="http://www.google.com></frame>
It will show no errors, but the clean string returned is an empty string. The reason it is not showing errors is that the string is parsed to an empty DOM object, it looks like, so the AntiSamyDOMScanner never gets to look at it. That string will still render as an iframe, however, so it should show as an error.
Original comment by lanc...@gmail.com
on 15 Sep 2009 at 4:43
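One way for a caller to fail closed on the two cases reported in this thread (tags removed with nothing in errorMessages, and the malformed fragment that cleans to an empty string), as an added example that is not part of the original thread or the AntiSamy project. `StrictScan`, `countTags`, `scanOrReject` and the policy file path are hypothetical, and the tag count is a heuristic that can also reject input whose comments contain tags.

```java
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
// Hypothetical helper: reject input when AntiSamy reports an error OR drops a tag silently.
public class StrictScan {
    // An opening tag: '<' immediately followed by a tag name.
    private static final Pattern OPEN_TAG = Pattern.compile("<([a-zA-Z][a-zA-Z0-9]*)");
    // Count opening tags per lower-cased tag name.
    static Map<String, Integer> countTags(String html) {
        Map<String, Integer> counts = new HashMap<String, Integer>();
        Matcher m = OPEN_TAG.matcher(html);
        while (m.find()) {
            String name = m.group(1).toLowerCase(Locale.ROOT);
            Integer n = counts.get(name);
            counts.put(name, n == null ? 1 : n + 1);
        }
        return counts;
    }

    // Returns the cleaned HTML, or throws if anything was reported or silently removed.
    public static String scanOrReject(String input, Policy policy) throws Exception {
        CleanResults results = new AntiSamy().scan(input, policy);
        if (!results.getErrorMessages().isEmpty()) {
            throw new IllegalArgumentException("AntiSamy reported: " + results.getErrorMessages());
        }
        String clean = results.getCleanHTML() == null ? "" : results.getCleanHTML();
        Map<String, Integer> after = countTags(clean);
        for (Map.Entry<String, Integer> e : countTags(input).entrySet()) {
            Integer kept = after.get(e.getKey());
            if (kept == null || kept < e.getValue()) { // fewer tags out than in
                throw new IllegalArgumentException("<" + e.getKey() + "> removed without an error message");
            }
        }
        return clean;
    }

    public static void main(String[] args) throws Exception {
        Policy policy = Policy.getInstance("antisamy-slashdot.xml"); // assumed policy file location
        // Two fragments quoted in the thread plus one constructed benign sample.
        String[] samples = { "<b>ok</b>", "<iframe src='http://www.google.com'></iframe>",
                             "<iframe src=\"http://www.google.com></frame>" };
        for (String s : samples) {
            try { System.out.println("accepted: " + scanOrReject(s, policy)); }
            catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
        }
    }
}
```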