🔒 Vditor XSS 安全漏洞 Fix Vanessa219/vditor#1274

88250 · Aug 4, 2022 · e8092b6 · e8092b6
1 parent bd16ecc
commit e8092b6
Show file tree

Hide file tree

Showing 5 changed files with 7 additions and 4 deletions.
diff --git a/javascript/lute.min.js b/javascript/lute.min.js
diff --git a/javascript/lute.min.js.map b/javascript/lute.min.js.map
diff --git a/render/sanitizer.go b/render/sanitizer.go
@@ -189,7 +189,8 @@ func sanitizeAttrs(attrs []*html.Attribute) (ret []*html.Attribute) {
 			continue
 		}
 		if "src" == attr.Key {
-			if strings.HasPrefix(attr.Val, "data:image/svg+xml") || strings.HasPrefix(attr.Val, "javascript") {
+			val := strings.TrimSpace(attr.Val)
+			if strings.HasPrefix(val, "data:image/svg+xml") || strings.HasPrefix(val, "data:text/html") || strings.HasPrefix(val, "javascript") {
 				continue
 			}
 		}

diff --git a/test/m2v_test.go b/test/m2v_test.go
@@ -20,6 +20,7 @@ import (
 
 var md2VditorDOMTests = []parseTest{
 
+	{"24", "<form ><iframe/src=\"data:text/html,<script>alert('xss');</script>\"></iframe>", "<div class=\"vditor-wysiwyg__block\" data-type=\"html-block\" data-block=\"0\"><pre><code>&lt;form &gt;&lt;iframe/src=&quot;data:text/html,&lt;script&gt;alert('xss');&lt;/script&gt;&quot;&gt;&lt;/iframe&gt;</code></pre><pre class=\"vditor-wysiwyg__preview\" data-render=\"2\"><form><iframe></iframe></pre></div>"},
 	{"23", "[**foo**][bar]\n\n[bar]:https://github.com", "<p data-block=\"0\">\u200b<span data-type=\"link-ref\" data-link-label=\"bar\">foo</span>\u200b</p><div data-block=\"0\" data-type=\"link-ref-defs-block\">[bar]: https://github.com\n</div>"},
 	{"22", "<span class=\"vditor-comment\" data-cmtids=\"20201105091940-wtpsc3a\">foo</span>", "<p data-block=\"0\"><span class=\"vditor-comment\" data-cmtids=\"20201105091940-wtpsc3a\">foo</span></p>"},
 	{"21", "<span class=\"vditor-comment\" data-cmtids=\"20201105091940-wtpsc3a\">foo</span>b", "<p data-block=\"0\"><span class=\"vditor-comment\" data-cmtids=\"20201105091940-wtpsc3a\">foo</span>b</p>"},
@@ -59,6 +60,7 @@ func TestMd2VditorDOM(t *testing.T) {
 	luteEngine.RenderOptions.ToC = true
 	luteEngine.ParseOptions.KramdownBlockIAL = true
 	luteEngine.RenderOptions.KramdownBlockIAL = true
+	luteEngine.RenderOptions.Sanitize = true
 
 	for _, test := range md2VditorDOMTests {
 		md := luteEngine.Md2VditorDOM(test.from)

diff --git a/test/spin_wysiwyg_test.go b/test/spin_wysiwyg_test.go
@@ -18,7 +18,7 @@ import (
 
 var spinVditorDOMTests = []*parseTest{
 
-	{"158", "<form ><iframe/src=\"data:text/html,<script>alert('xss');</script>\"></iframe>", "<div class=\"vditor-wysiwyg__block\" data-type=\"html-block\" data-block=\"0\"><pre><code>&lt;form&gt;&lt;iframe src=&quot;data:text/html,&lt;script&gt;alert('xss');&lt;/script&gt;&quot;&gt;&lt;/iframe&gt;&lt;/form&gt;</code></pre><pre class=\"vditor-wysiwyg__preview\" data-render=\"2\"><form><iframe src=\"data:text/html,&lt;script&gt;alert(&#39;xss&#39;);&lt;/script&gt;\"></iframe></form></pre></div>"},
+	{"158", "<form ><iframe/src=\"data:text/html,<script>alert('xss');</script>\"></iframe>", "<div class=\"vditor-wysiwyg__block\" data-type=\"html-block\" data-block=\"0\"><pre><code>&lt;form&gt;&lt;iframe src=&quot;data:text/html,&lt;script&gt;alert('xss');&lt;/script&gt;&quot;&gt;&lt;/iframe&gt;&lt;/form&gt;</code></pre><pre class=\"vditor-wysiwyg__preview\" data-render=\"2\"><form><iframe></iframe></form></pre></div>"},
 	{"157", "<p>[ToC]</p><h1 data-block=\"0\" id=\"wysiwyg-foo--bar1_1\" data-marker=\"#\">foo <code data-marker=\"`\">&lt;script&gt;</code> bar</h1>", "<div class=\"vditor-toc\" data-block=\"0\" data-type=\"toc-block\" contenteditable=\"false\"><ul><li><span data-target-id=\"wysiwyg-foo--bar\">foo <code>&lt;script&gt;</code> bar</span></li></ul></div><h1 data-block=\"0\" id=\"wysiwyg-foo--bar\" data-marker=\"#\">foo <code data-marker=\"`\">\u200b&lt;script&gt;</code>\u200b bar</h1>"},
 	{"156", "<p data-block=\"0\"><span class=\"vditor-comment\" data-cmtids=\"20220331213230-cb3a3hv\">foo</span><code data-type=\"html-inline\">&lt;span&gt;</code>bar&lt;/span&gt;<wbr></p>", "<p data-block=\"0\"><span class=\"vditor-comment\" data-cmtids=\"20220331213230-cb3a3hv\">foo</span>\u200b<code data-type=\"html-inline\">\u200b&lt;span&gt;</code>bar<code data-type=\"html-inline\">\u200b&lt;/span&gt;</code><wbr></p>"},
 	{"155", "<p data-block=\"0\"><code data-type=\"html-inline\">&lt;span&gt;</code>foo&lt;/span&gt;<wbr></p>", "<p data-block=\"0\">\u200b<code data-type=\"html-inline\">\u200b&lt;span&gt;</code>foo<code data-type=\"html-inline\">\u200b&lt;/span&gt;</code><wbr></p>"},