fix: Ignore tag style, if sanitize cant parse CSS inside it #506 (#507)

diplodoc-platform · Sep 17, 2024 · 182985d · 182985d
1 parent 3c37ab2
commit 182985d
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 6 deletions.
diff --git a/src/transform/sanitize.ts b/src/transform/sanitize.ts
@@ -560,7 +560,9 @@ function sanitizeStyleTags(dom: cheerio.CheerioAPI, cssWhiteList: CssWhiteList)
             });
 
             dom(element).text(css.stringify(parsedCSS));
-        } catch {}
+        } catch {
+            dom(element).remove();
+        }
     });
 }
 

diff --git a/test/__snapshots__/xss.test.ts.snap b/test/__snapshots__/xss.test.ts.snap
@@ -284,11 +284,7 @@ exports[` meta 1`] = `""`;
 
 exports[` style sheet 1`] = `""`;
 
-exports[` style tag 1`] = `
-<style type="text/javascript">
-  alert('XSS');
-</style>
-`;
+exports[` style tag 1`] = `""`;
 
 exports[` style tag using background 1`] = `
 <style type="text/css">
@@ -311,3 +307,12 @@ exports[` style tags with broken up JavaScript for XSS 1`] = `
 `;
 
 exports[` style tags with broken up JavaScript for XSS part 2 1`] = `<img>`;
+
+exports[` svg with style tag and foreignObject inside 1`] = `
+<p>
+  <svg>
+    <style>
+    </style>
+  </svg>
+</p>
+`;
diff --git a/test/xss.test.ts b/test/xss.test.ts
@@ -112,6 +112,10 @@ const ckecks = [
         'style tag using background',
         `<style type="text/css">body{background:url("javascript:alert('XSS')")}</style>`,
     ],
+    [
+        'svg with style tag and foreignObject inside',
+        '<svg><style><foreignObject><img src="a" onerror=alert(1)/></foreignObject></style></svg>',
+    ],
     ['Anonymous HTML with style attribute', `<xss style="xss:expression(alert('XSS'))">`],
     ['Local htc file', `<xss style="behavior: url(xss.htc);">`],
     ['US-ASCII encoding', `¼script¾alert(¢XSS¢)¼/script¾`],