[libhtml-scrubber-perl] 02/03: Test and fix for JVN53973084

Sat Nov 11 13:46:16 UTC 2017

This is an automated email from the git hooks/post-receive script.

fsfs pushed a commit to annotated tag release/0.15
in repository libhtml-scrubber-perl.

commit e1978cc37867e85c06a84a4651745235010cd6cd
Author: Nigel Metheringham <nigelm at cpan.org>
Date:   Sat Oct 10 15:01:14 2015 +0100

    Test and fix for JVN53973084
    
    Malformed tags can pass through as comments.
    Thus comments are now only passed through if
    they are well formed - currently defined as
    matching a regular expression.
---
 Changes              |  3 +++
 lib/HTML/Scrubber.pm |  6 +++++-
 t/jvn53973084.t      | 21 +++++++++++++++++++++
 3 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/Changes b/Changes
index 3b69546..80143d8 100644
--- a/Changes
+++ b/Changes
@@ -1,6 +1,9 @@
 Revision history for Perl extension HTML::Scrubber.
 
 {{$NEXT}}
+    - Minor spelling check avoidance tweaks
+    - Enforce comments to be well formed, to resolve potential security issue
+      described in JVN53973084
 
 0.14      2015-04-02 17:20:41+01:00 Europe/London
     - Travis integration  (thanks to mrcaron)
diff --git a/lib/HTML/Scrubber.pm b/lib/HTML/Scrubber.pm
index 8322152..2a7b173 100644
--- a/lib/HTML/Scrubber.pm
+++ b/lib/HTML/Scrubber.pm
@@ -446,7 +446,11 @@ sub _scrub_str {
         }
     }
     elsif ( $e eq 'comment' ) {
-        $outstr .= $text if $s->{_comment};
+        if ( $s->{_comment} ) {
+
+            # only copy comments through if they are well formed...
+            $outstr .= $text if ( $text =~ m|^<!--.*-->$|ms );
+        }
     }
     elsif ( $e eq 'process' ) {
         $outstr .= $text if $s->{_process};
diff --git a/t/jvn53973084.t b/t/jvn53973084.t
new file mode 100644
index 0000000..7767609
--- /dev/null
+++ b/t/jvn53973084.t
@@ -0,0 +1,21 @@
+# Tests related to JVN53973084
+
+use strict;
+use warnings;
+use Test::More;
+
+use_ok('HTML::Scrubber');
+
+my @allow = qw[
+    hr
+];
+
+my $html_1 = q[<hr><a href="javascript:alert(1)"<hr>abc];
+my $html_2 = q[<img src="javascript:alert(1)"];
+foreach my $comment_value ( 0, 1 ) {
+    my $scrubber = HTML::Scrubber->new( allow => \@allow, comment => $comment_value );
+    is( $scrubber->scrub($html_1), '<hr>abc', "correct result (1) - with comment => $comment_value" );
+    is( $scrubber->scrub($html_2), '',            "correct result (2) - with comment => $comment_value" );
+}
+
+done_testing;

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-perl/packages/libhtml-scrubber-perl.git

