srcdoc in iframe not escaped correctly

Question

srcdoc in iframe not escaped correctly

pgasior opened this issue 4 years ago · comments

Describe the bug
Content in srcdoc attribute of iframe needs additional escaping of & character. HTML spec.
For example < needs to be escaped to &lt;
This shows when trying to display HTML escaped content inside <pre>
Report has iframe with content unescaped. When I open the attachment HTML file directly, it is escaped.

To Reproduce
Steps to reproduce the behavior:

Add HTML attachment with <pre><h1>should be escapedd</h1></pre>

Expected behavior
Escaped HTML tags remain escaped inside iframe in report

Attachments
JSFiddle with current behavior link
JSFiddle with expected behavior link

Benjamin Bischoff · Answer 1 · Sun Nov 01 2020 17:48:54 GMT+0800 (China Standard Time)

Thanks for reporting this!

Piotr Gąsior · Answer 2 · Mon Nov 02 2020 04:49:57 GMT+0800 (China Standard Time)

I think that this also applies to escaping " in Embedding.decodeData(string). It shouldn't be converted to ' but to ".
Citing the spec And remember to escape ampersands before quotation marks, to ensure quotation marks become " and not &quot;.

So if I understand this correctly fix would be in Embedding.java
decodedData.replaceAll("&", "&").replaceAll("\"", """);

Benjamin Bischoff · Answer 3 · Fri Nov 27 2020 17:54:06 GMT+0800 (China Standard Time)

Will be fixed in 2.6.0 (release planned for today).

gurshafriri · Answer 4 · Sun Nov 29 2020 23:29:40 GMT+0800 (China Standard Time)

👋 @laxersaz do you see this as a potential security issue?
if it is, we (at Snyk would like to add it to our vulnerability database.

Benjamin Bischoff · Answer 5 · Mon Nov 30 2020 15:47:11 GMT+0800 (China Standard Time)

I don't quite follow your question. I am not an expert in software security.