|
 |
581ca5 |
diff --git a/src/lxml/html/clean.py b/src/lxml/html/clean.py
|
|
|
581ca5 |
index 0492fca..5225a5e 100644
|
|
|
581ca5 |
--- a/src/lxml/html/clean.py
|
|
|
581ca5 |
+++ b/src/lxml/html/clean.py
|
|
|
581ca5 |
@@ -75,18 +75,25 @@ _looks_like_tag_content = re.compile(
|
|
|
581ca5 |
|
|
|
581ca5 |
# All kinds of schemes besides just javascript: that can cause
|
|
|
581ca5 |
# execution:
|
|
|
581ca5 |
-_is_image_dataurl = re.compile(
|
|
|
581ca5 |
- r'^data:image/.+;base64', re.I).search
|
|
|
581ca5 |
+_find_image_dataurls = re.compile(
|
|
|
581ca5 |
+ r'^data:image/(.+);base64,', re.I).findall
|
|
|
581ca5 |
_is_possibly_malicious_scheme = re.compile(
|
|
|
581ca5 |
- r'(?:javascript|jscript|livescript|vbscript|data|about|mocha):',
|
|
|
581ca5 |
- re.I).search
|
|
|
581ca5 |
+ r'(javascript|jscript|livescript|vbscript|data|about|mocha):',
|
|
|
581ca5 |
+ re.I).findall
|
|
|
581ca5 |
+# SVG images can contain script content
|
|
|
581ca5 |
+_is_unsafe_image_type = re.compile(r"(xml|svg)", re.I).findall
|
|
|
581ca5 |
+
|
|
|
581ca5 |
def _is_javascript_scheme(s):
|
|
|
581ca5 |
- if _is_image_dataurl(s):
|
|
|
581ca5 |
- return None
|
|
|
581ca5 |
- return _is_possibly_malicious_scheme(s)
|
|
|
581ca5 |
+ is_image_url = False
|
|
|
581ca5 |
+ for image_type in _find_image_dataurls(s):
|
|
|
581ca5 |
+ is_image_url = True
|
|
|
581ca5 |
+ if _is_unsafe_image_type(image_type):
|
|
|
581ca5 |
+ return True
|
|
|
581ca5 |
+ if is_image_url:
|
|
|
581ca5 |
+ return False
|
|
|
581ca5 |
+ return bool(_is_possibly_malicious_scheme(s))
|
|
|
581ca5 |
|
|
|
581ca5 |
_substitute_whitespace = re.compile(r'[\s\x00-\x08\x0B\x0C\x0E-\x19]+').sub
|
|
|
581ca5 |
-# FIXME: should data: be blocked?
|
|
|
581ca5 |
|
|
|
581ca5 |
# FIXME: check against: http://msdn2.microsoft.com/en-us/library/ms537512.aspx
|
|
|
581ca5 |
_conditional_comment_re = re.compile(
|
|
|
581ca5 |
@@ -514,6 +521,8 @@ class Cleaner(object):
|
|
|
581ca5 |
return True
|
|
|
581ca5 |
if 'expression(' in style:
|
|
|
581ca5 |
return True
|
|
|
581ca5 |
+ if '@import' in style:
|
|
|
581ca5 |
+ return True
|
|
|
581ca5 |
if '
|
|
|
581ca5 |
# e.g. ' ">'
|
|
|
581ca5 |
return True
|
|
|
581ca5 |
diff --git a/src/lxml/html/tests/test_clean.py b/src/lxml/html/tests/test_clean.py
|
|
|
581ca5 |
index e40cdad..4fab442 100644
|
|
|
581ca5 |
--- a/src/lxml/html/tests/test_clean.py
|
|
|
581ca5 |
+++ b/src/lxml/html/tests/test_clean.py
|
|
|
581ca5 |
@@ -1,3 +1,6 @@
|
|
|
581ca5 |
+import base64
|
|
|
581ca5 |
+import gzip
|
|
|
581ca5 |
+import io
|
|
|
581ca5 |
import unittest, sys
|
|
|
581ca5 |
from lxml.tests.common_imports import make_doctest
|
|
|
581ca5 |
from lxml.etree import LIBXML_VERSION
|
|
|
581ca5 |
@@ -89,6 +92,73 @@ class CleanerTest(unittest.TestCase):
|
|
|
581ca5 |
b'<math><style>/* deleted */</style></math>',
|
|
|
581ca5 |
lxml.html.tostring(clean_html(s)))
|
|
|
581ca5 |
|
|
|
581ca5 |
+ def test_sneaky_import_in_style(self):
|
|
|
581ca5 |
+ # Prevent "@@importimport" -> "@import" replacement.
|
|
|
581ca5 |
+ style_codes = [
|
|
|
581ca5 |
+ "@@importimport(extstyle.css)",
|
|
|
581ca5 |
+ "@ @ import import(extstyle.css)",
|
|
|
581ca5 |
+ "@ @ importimport(extstyle.css)",
|
|
|
581ca5 |
+ "@@ import import(extstyle.css)",
|
|
|
581ca5 |
+ "@ @import import(extstyle.css)",
|
|
|
581ca5 |
+ "@@importimport()",
|
|
|
581ca5 |
+ ]
|
|
|
581ca5 |
+ for style_code in style_codes:
|
|
|
581ca5 |
+ html = '<style>%s</style>' % style_code
|
|
|
581ca5 |
+ s = lxml.html.fragment_fromstring(html)
|
|
|
581ca5 |
+
|
|
|
581ca5 |
+ cleaned = lxml.html.tostring(clean_html(s))
|
|
|
581ca5 |
+ self.assertEqual(
|
|
|
581ca5 |
+ b'<style>/* deleted */</style>',
|
|
|
581ca5 |
+ cleaned,
|
|
|
581ca5 |
+ "%s -> %s" % (style_code, cleaned))
|
|
|
581ca5 |
+
|
|
|
581ca5 |
+ def test_svg_data_links(self):
|
|
|
581ca5 |
+ # Remove SVG images with potentially insecure content.
|
|
|
581ca5 |
+ svg = b'<svg onload="alert(123)" />'
|
|
|
581ca5 |
+ gzout = io.BytesIO()
|
|
|
581ca5 |
+ f = gzip.GzipFile(fileobj=gzout, mode='wb')
|
|
|
581ca5 |
+ f.write(svg)
|
|
|
581ca5 |
+ f.close()
|
|
|
581ca5 |
+ svgz = gzout.getvalue()
|
|
|
581ca5 |
+ svg_b64 = base64.b64encode(svg).decode('ASCII')
|
|
|
581ca5 |
+ svgz_b64 = base64.b64encode(svgz).decode('ASCII')
|
|
|
581ca5 |
+ urls = [
|
|
|
581ca5 |
+ "data:image/svg+xml;base64," + svg_b64,
|
|
|
581ca5 |
+ "data:image/svg+xml-compressed;base64," + svgz_b64,
|
|
|
581ca5 |
+ ]
|
|
|
581ca5 |
+ for url in urls:
|
|
|
581ca5 |
+ html = ' ' % url
|
|
|
581ca5 |
+ s = lxml.html.fragment_fromstring(html)
|
|
|
581ca5 |
+
|
|
|
581ca5 |
+ cleaned = lxml.html.tostring(clean_html(s))
|
|
|
581ca5 |
+ self.assertEqual(
|
|
|
581ca5 |
+ b'![]() ',
|
|
|
581ca5 |
+ cleaned,
|
|
|
581ca5 |
+ "%s -> %s" % (url, cleaned))
|
|
|
581ca5 |
+
|
|
|
581ca5 |
+ def test_image_data_links(self):
|
|
|
581ca5 |
+ data = b'123'
|
|
|
581ca5 |
+ data_b64 = base64.b64encode(data).decode('ASCII')
|
|
|
581ca5 |
+ urls = [
|
|
|
581ca5 |
+ "data:image/jpeg;base64," + data_b64,
|
|
|
581ca5 |
+ "data:image/apng;base64," + data_b64,
|
|
|
581ca5 |
+ "data:image/png;base64," + data_b64,
|
|
|
581ca5 |
+ "data:image/gif;base64," + data_b64,
|
|
|
581ca5 |
+ "data:image/webp;base64," + data_b64,
|
|
|
581ca5 |
+ "data:image/bmp;base64," + data_b64,
|
|
|
581ca5 |
+ "data:image/tiff;base64," + data_b64,
|
|
|
581ca5 |
+ "data:image/x-icon;base64," + data_b64,
|
|
|
581ca5 |
+ ]
|
|
|
581ca5 |
+ for url in urls:
|
|
|
581ca5 |
+ html = '' % url
|
|
|
581ca5 |
+ s = lxml.html.fragment_fromstring(html)
|
|
|
581ca5 |
+
|
|
|
581ca5 |
+ cleaned = lxml.html.tostring(clean_html(s))
|
|
|
581ca5 |
+ self.assertEqual(
|
|
|
581ca5 |
+ html.encode("UTF-8"),
|
|
|
581ca5 |
+ cleaned,
|
|
|
581ca5 |
+ "%s -> %s" % (url, cleaned))
|
|
|
581ca5 |
+
|
|
|
581ca5 |
def test_formaction_attribute_in_button_input(self):
|
|
|
581ca5 |
# The formaction attribute overrides the form's action and should be
|
|
|
581ca5 |
# treated as a malicious link attribute
|