Skip to content

Prevent a HTML sanitization vulnerability

Compare
Choose a tag to compare
@grafana-dee grafana-dee released this 18 Oct 13:39
· 72 commits to main since this release

CVE-2021-42576

A vulnerability was discovered by https://github.com/TomAnthony https://www.tomanthony.co.uk/ which allowed the contents of a style tag to be leaked unsanitized by bluemonday into the HTML output. Further it was demonstrated that if the form elements select and option were allowed by the policy that this could result in a successful XSS.

You would only be vulnerable to if if you allowed style, select and option in your HTML sanitization policy:

p := bluemonday.NewPolicy()
p.AllowElements("style","select")
html := p.Sanitize(`<select><option><style><script>alert(1)</script>`)
fmt.Println(html)

bluemonday very strongly recommends not allowing the style element in a policy. It is fundamentally unsafe as we do not have a CSS sanitizer and the content is passed through unmodified.

bluemonday has been updated to explicitly suppress style and script elements by default even if you do allow them by policy as these are considered unsafe. If you have a use-case for using bluemonday whilst trusting the input then you can assert this via p.AllowUnsafe(true) which will let style and script through if the policy also allows them.

Note: the policies shipped with bluemonday are not vulnerable to this.