Sanitizer fails to treat some attributes as URLs #153

Closed
gsnedders opened this issue May 19, 2014 · 0 comments
Comments

@gsnedders
Member

background, datasrc, dynsrc, lowsrc, ping, and poster are included in allowed_attributes and omitted from attr_val_is_uri. On the upside, no browser appears to run scripts in these attributes, so while it is a potential XSS hole in the sanitizer given some unknown browser, it isn't in any known browser.
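An added illustration of the gap described above (example code, not html5lib's own sanitizer): a minimal whitelist sanitizer whose URL-scheme check runs only for attributes listed in attr_val_is_uri, an audit function that lists allowed URL-bearing attributes missing from that set, and the same check once the six attributes are added. The attribute lists, the allowed-protocol set and the whitespace-separated handling of ping are assumptions, not copied from the project.

```python
# Added example, not html5lib's code: models a whitelist sanitizer whose URL
# scheme check runs only for attributes named in attr_val_is_uri, so that any
# URL-bearing attribute left out of that set passes through unchecked.
from urllib.parse import urlparse

ALLOWED_PROTOCOLS = {"http", "https", "mailto", "ftp"}  # assumed whitelist

# Constructed allowed list; includes the six attributes named in the issue.
ALLOWED_ATTRIBUTES = {"href", "src", "alt", "title", "background",
                      "datasrc", "dynsrc", "lowsrc", "ping", "poster"}

# Attributes whose value is a URL (or, for ping, a space-separated URL list).
URL_BEARING = {"href", "src", "background", "datasrc", "dynsrc",
               "lowsrc", "ping", "poster"}

# Before the fix: only the obvious URL attributes are scheme-checked.
ATTR_VAL_IS_URI_BEFORE = {"href", "src"}
# After the fix: every URL-bearing attribute on the allowed list is checked.
ATTR_VAL_IS_URI_AFTER = ATTR_VAL_IS_URI_BEFORE | {
    "background", "datasrc", "dynsrc", "lowsrc", "ping", "poster"}


def url_is_allowed(value):
    """Accept relative URLs and absolute URLs with a whitelisted scheme."""
    scheme = urlparse(value.strip().lower()).scheme
    return scheme == "" or scheme in ALLOWED_PROTOCOLS


def sanitize_attrs(attrs, attr_val_is_uri):
    """Keep allowed attributes, dropping URL attributes with a bad scheme.

    Attributes not in attr_val_is_uri are never scheme-checked, which is
    exactly the gap the issue reports.
    """
    clean = {}
    for name, value in attrs.items():
        if name not in ALLOWED_ATTRIBUTES:
            continue
        if name in attr_val_is_uri:
            # ping carries several URLs separated by whitespace; check each.
            urls = value.split() if name == "ping" else [value]
            if not all(url_is_allowed(u) for u in urls):
                continue
        clean[name] = value
    return clean


def unchecked_url_attributes(allowed, attr_val_is_uri, url_bearing):
    """Audit: allowed URL-bearing attributes that escape the scheme check."""
    return sorted((allowed & url_bearing) - attr_val_is_uri)
```

Running the audit against a sanitizer's own attribute sets is the check that would have caught this: any name it returns is an allowed attribute whose value is passed through without a scheme check.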

@gsnedders gsnedders changed the title from "[Security placeholder]" to "Sanitizer fails to treat some attributes as URLs" May 19, 2014
@gsnedders gsnedders added this to the 0.9999 milestone May 19, 2014
gsnedders added a commit that referenced this issue Apr 29, 2015
Despite how this sounds, this has no known security implications.
No known version of IE (5.5 to current), Firefox (3 to current),
Safari (6 to current), Chrome (1 to current), or Opera (12 to current)
will run any script provided in these attributes.