
Commit 6e384c9

Closure Teamcopybara-github
authored andcommitted
Stops sanitizing the #src attribute for <img>, <video>, <audio> and <source>. These sinks don't execute javascript: URLs in modern browsers anymore.
RELNOTES: Stops sanitizing the #src attribute for `<img>`, `<video>`, `<audio>` and `<source>`. PiperOrigin-RevId: 513533137 Change-Id: I038549c81200fafb0b6db6f1856b9744a51773c1
1 parent b12e80d commit 6e384c9


1 file changed

+39
-105
lines changed


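--- a/closure/goog/html/sanitizer/html_test_vectors.js
+++ b/closure/goog/html/sanitizer/html_test_vectors.js
@@ -11,6 +11,38 @@ goog.provide('goog.html.htmlTestVectors');
 goog.setTestOnly();
 
 goog.html.htmlTestVectors.HTML_TEST_VECTORS = [
+{input: "<a href=\"javascript:alert('xss');\">foo</a>",
+acceptable: [
+"<a href=\"javascript:void(0);\">foo</a>",
+"<a href=\"about:invalid#zGoSafez\">foo</a>",
+"<a href=\"about:invalid#zCSafez\">foo</a>",
+"<a>foo</a>",
+"<a href=\"unsafe:javascript:alert('xss');\">foo</a>",
+"<a href=\"about:invalid#zClosurez\">foo</a>",
+"<a href=\"javascript:alert('xss');\" >foo</a>",
+],
+name: "a"},
+{input: "<a href=javascript:alert(&quot;XSS&quot;)>foo</a>",
+acceptable: [
+"<a href=\"javascript:void(0);\">foo</a>",
+"<a href=\"about:invalid#zGoSafez\">foo</a>",
+"<a>foo</a>",
+"<a href=\"about:invalid#zCSafez\">foo</a>",
+"<a href=\"unsafe:javascript:alert(&#34;XSS&#34;)\">foo</a>",
+"<a href=\"about:invalid#zClosurez\">foo</a>",
+],
+name: "a_quot"},
+{input: "<a href=\"jav&#x09;ascript:alert('xss');\">foo</a>",
+acceptable: [
+"<a href=\"javascript:void(0);\">foo</a>",
+"<a href=\"about:invalid#zGoSafez\">foo</a>",
+"<a href=\"about:invalid#zCSafez\">foo</a>",
+"<a>foo</a>",
+"<a href=\"unsafe:jav&#9;ascript:alert('xss');\">foo</a>",
+"<a href=\"about:invalid#zClosurez\">foo</a>",
+"<a href=\"jav&#9;ascript:alert('xss');\">foo</a>",
+],
+name: "a_tab"},
 {input: "<body onload=alert('xss')>",
 acceptable: [
 "",
@@ -67,19 +99,6 @@ goog.html.htmlTestVectors.HTML_TEST_VECTORS = [
 "<iframe />",
 ],
 name: "iframe_srcdoc"},
-{input: "<img src=\"javascript:alert('xss');\">",
-acceptable: [
-"<img src=\"javascript:void(0);\">",
-"<img src=\"about:invalid#zGoSafez\"/>",
-"<img src=\"about:invalid#zCSafez\" />",
-"<img src=\"about:invalid#zCSafez\">",
-"<img>",
-"<img />",
-"<img src=\"unsafe:javascript:alert('xss');\">",
-"<img src=\"about:invalid#zTSz\" />",
-"<img src=\"about:invalid#zClosurez\" />",
-],
-name: "img"},
 {input: "<!--<img src=\"--><img src=x onerror=alert('xss')//\">",
 acceptable: [
 "<img />",
@@ -109,19 +128,6 @@ goog.html.htmlTestVectors.HTML_TEST_VECTORS = [
 "<img />",
 ],
 name: "img_onerror"},
-{input: "<img src=javascript:alert(&quot;XSS&quot;)>",
-acceptable: [
-"<img src=\"javascript:void(0);\">",
-"<img src=\"about:invalid#zGoSafez\"/>",
-"<img src=\"about:invalid#zCSafez\">",
-"<img>",
-"<img />",
-"<img src=\"about:invalid#zCSafez\" />",
-"<img src=\"unsafe:javascript:alert(&#34;XSS&#34;)\">",
-"<img src=\"about:invalid#zTSz\" />",
-"<img src=\"about:invalid#zClosurez\" />",
-],
-name: "img_quot"},
 {input: "<style><img src=\"</style><img src=x onerror=alert('xss')//\">",
 acceptable: [
 "",
@@ -133,19 +139,6 @@ goog.html.htmlTestVectors.HTML_TEST_VECTORS = [
 "<img src=\"javascript:void(0);\">",
 ],
 name: "img_style"},
-{input: "<img src=\"jav&#x09;ascript:alert('xss');\">",
-acceptable: [
-"<img src=\"javascript:void(0);\">",
-"<img src=\"about:invalid#zGoSafez\"/>",
-"<img src=\"about:invalid#zCSafez\">",
-"<img src=\"about:invalid#zCSafez\" />",
-"<img>",
-"<img />",
-"<img src=\"unsafe:jav&#9;ascript:alert('xss');\">",
-"<img src=\"about:invalid#zTSz\" />",
-"<img src=\"about:invalid#zClosurez\" />",
-],
-name: "img_tab"},
 {input: "<input type=\"image\" src=\"javascript:alert('xss');\">",
 acceptable: [
 "",
@@ -278,17 +271,14 @@ goog.html.htmlTestVectors.HTML_TEST_VECTORS = [
 "",
 ],
 name: "svg"},
-{input: "<img src=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>",
+{input: "<a src=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>foo</a>",
 acceptable: [
-"<img src=\"javascript:void(0);\">",
-"<img src=\"about:invalid#zGoSafez\"/>",
-"<img src=\"about:invalid#zCSafez\">",
-"<img>",
-"<img />",
-"<img src=\"about:invalid#zCSafez\" />",
-"<img src=\"unsafe:javascript:alert('XSS')\">",
-"<img src=\"about:invalid#zTSz\" />",
-"<img src=\"about:invalid#zClosurez\" />",
+"<a src=\"javascript:void(0);\">foo</a>",
+"<a src=\"about:invalid#zGoSafez\">foo</a>",
+"<a src=\"about:invalid#zCSafez\">foo</a>",
+"<a src=\"unsafe:javascript:alert('XSS')\">foo</a>",
+"<a src=\"about:invalid#zTSz\" />foo</a>",
+"<a>foo</a>",
 ],
 name: "unicode"},
 {input: "<html></html>",
@@ -7939,20 +7929,6 @@ goog.html.htmlTestVectors.HTML_TEST_VECTORS = [
 "<table><source><td></td></table>",
 ],
 name: "contract_source_scriptinside"},
-{input: "<source src=\"javascript:xss\">",
-acceptable: [
-"<source src=\"unsafe:javascript:xss\"></source>",
-"<source src=\"unsafe:javascript:xss\">",
-"<source src=\"unsafe:javascript:xss\"/>",
-"<source></source>",
-"<source>",
-"<source/>",
-"<source />",
-"<span></span>",
-"<span />",
-"",
-],
-name: "contract_source_src"},
 {input: "<source srcdoc=\"x\">",
 acceptable: [
 "<source></source>",
@@ -8057,20 +8033,6 @@ goog.html.htmlTestVectors.HTML_TEST_VECTORS = [
 "<table><img><td></td></table>",
 ],
 name: "contract_img_scriptinside"},
-{input: "<img src=\"javascript:xss\">",
-acceptable: [
-"<img src=\"unsafe:javascript:xss\"></img>",
-"<img src=\"unsafe:javascript:xss\">",
-"<img src=\"unsafe:javascript:xss\"/>",
-"<img></img>",
-"<img>",
-"<img/>",
-"<img />",
-"<span></span>",
-"<span />",
-"",
-],
-name: "contract_img_src"},
 {input: "<img srcdoc=\"x\">",
 acceptable: [
 "<img></img>",
@@ -8540,20 +8502,6 @@ goog.html.htmlTestVectors.HTML_TEST_VECTORS = [
 "<table><td></td></table>",
 ],
 name: "contract_video_scriptinside"},
-{input: "<video src=\"javascript:xss\">",
-acceptable: [
-"<video src=\"unsafe:javascript:xss\"></video>",
-"<video src=\"unsafe:javascript:xss\">",
-"<video src=\"unsafe:javascript:xss\"/>",
-"<video></video>",
-"<video>",
-"<video/>",
-"<video />",
-"<span></span>",
-"<span />",
-"",
-],
-name: "contract_video_src"},
 {input: "<video srcdoc=\"x\">",
 acceptable: [
 "<video></video>",
@@ -8658,20 +8606,6 @@ goog.html.htmlTestVectors.HTML_TEST_VECTORS = [
 "<table><td></td></table>",
 ],
 name: "contract_audio_scriptinside"},
-{input: "<audio src=\"javascript:xss\">",
-acceptable: [
-"<audio src=\"unsafe:javascript:xss\"></audio>",
-"<audio src=\"unsafe:javascript:xss\">",
-"<audio src=\"unsafe:javascript:xss\"/>",
-"<audio></audio>",
-"<audio>",
-"<audio/>",
-"<audio />",
-"<span></span>",
-"<span />",
-"",
-],
-name: "contract_audio_src"},
 {input: "<audio srcdoc=\"x\">",
 acceptable: [
 "<audio></audio>",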
