
Whitelist.addProtocols() cannot only allow base64 image instead of all data uri #1297

Open
Fermiz opened this issue Jan 13, 2020 · 1 comment


Fermiz commented Jan 13, 2020

Recently I wanted to add an anti-XSS feature using the Jsoup Cleaner. The requirement is: only support URLs which start with http, https or data:image (base64 image).

I use the following code:

whitelist.addProtocols("img", "src", "http", "https", "data:image");
Jsoup.clean(html, whitelist);

I found it works well with ordinary URLs, but it removed the src attribute which contains a base64 image. I looked into the source code and found that it compares URLs in this way:

url.startsWith(protocol + ":")

The extra `:` means the data:image setting does not match.

But if I set it to ("http", "https", "data"), other data URLs like data:text/html,<script>alert('xss')</script> would be allowed, which is dangerous.

I have to override the isSafeAttribute(String tagName, Element el, Attribute attr) method to implement my requirement.

Are there any better ideas?
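
The override described in the comment above, as an added example that is not the issue author's code and not jsoup's own. It assumes jsoup 1.12.x, where the class is org.jsoup.safety.Whitelist and isSafeAttribute is protected; on jsoup 1.14.1 and later the same override goes on Safelist. The class name Base64ImageWhitelist, the accepted image MIME types and the sample inputs are this example's own choices.

```java
// Added example (not jsoup's code, not the issue author's): allow <img src> only for
// http(s) URLs and base64-encoded raster images, by overriding Whitelist.isSafeAttribute.
// Assumes jsoup 1.12.x; on jsoup >= 1.14.1 extend org.jsoup.safety.Safelist instead.
import org.jsoup.Jsoup;
import org.jsoup.nodes.Attribute;
import org.jsoup.nodes.Element;
import org.jsoup.safety.Whitelist;

import java.util.regex.Pattern;

public class Base64ImageWhitelist extends Whitelist {

    // Anchored pattern: exact MIME type, ";base64," then nothing but the base64 alphabet.
    // image/svg+xml is deliberately excluded (SVG can carry markup and script), and no
    // whitespace is permitted, so "data:\nimage/..." or a trailing ",<script>" never match.
    private static final Pattern BASE64_IMAGE = Pattern.compile(
            "^data:image/(png|jpe?g|gif|webp);base64,[A-Za-z0-9+/]+={0,2}$",
            Pattern.CASE_INSENSITIVE);

    public Base64ImageWhitelist() {
        addTags("img");
        addAttributes("img", "src", "alt", "width", "height");
        // Only http and https reach jsoup's built-in startsWith(protocol + ":") check.
        // "data" is intentionally NOT listed, so every other data: URL is rejected there.
        addProtocols("img", "src", "http", "https");
    }

    @Override
    protected boolean isSafeAttribute(String tagName, Element el, Attribute attr) {
        if ("img".equals(tagName) && "src".equals(attr.getKey())) {
            if (BASE64_IMAGE.matcher(attr.getValue()).matches()) {
                return true; // strictly-formed base64 image: accept without the protocol list
            }
        }
        // Everything else (http/https src, the other attributes) uses the normal rules.
        return super.isSafeAttribute(tagName, el, attr);
    }

    public static String clean(String html) {
        return Jsoup.clean(html, new Base64ImageWhitelist());
    }

    public static void main(String[] args) {
        // Constructed inputs: the first two keep their src, the rest lose it.
        String[] samples = {
            "<img src=\"https://example.com/a.png\">",
            "<img src=\"data:image/png;base64,iVBORw0KGgo=\">",
            "<img src=\"data:text/html,<script>alert('xss')</script>\">",
            "<img src=\"data:image/svg+xml;base64,PHN2Zz48L3N2Zz4=\">",
            "<img src=\"data:image/png;base64,iVBORw0KGgo=,<script>alert(1)</script>\">",
        };
        for (String s : samples) {
            System.out.println(s + "  ->  " + clean(s));
        }
    }
}
```

The point of returning true before calling super is that the built-in protocol check never sees the data: value, so "data" does not have to appear in addProtocols at all; listing plain "data" would accept every data: URL, which is exactly the data:text/html case the comment warns about. The regex is anchored at both ends on purpose: a prefix check such as startsWith("data:image/") would still let a payload ride along after the base64 body.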


filiptvrdon commented Mar 23, 2023

Great insight @Fermiz! You described my current issue better than I could, thanks!

I've found this question on SO which helped, and my code now seems to work using this:

safelist.addAttributes("img", "height", "src", "width");
safelist.addProtocols("img", "src", "http", "https", "data");

In hope this helps someone in the future.
Best
