From 1334134d34397966a7f7cfebd38639e9ba2c680e Mon Sep 17 00:00:00 2001 From: Greg Guthe Date: Thu, 28 Jan 2021 14:56:24 -0500 Subject: [PATCH 1/2] sanitizer: escape HTML comments fixes: bug 1689399 / GHSA vv2x-vrpj-qqpq --- bleach/html5lib_shim.py | 1 + bleach/sanitizer.py | 4 ++++ tests/test_clean.py | 47 +++++++++++++++++++++++++++++++++++++++++ 3 files changed, 52 insertions(+) diff --git a/bleach/html5lib_shim.py b/bleach/html5lib_shim.py index c71947ee..b886ca50 100644 --- a/bleach/html5lib_shim.py +++ b/bleach/html5lib_shim.py @@ -48,6 +48,7 @@ HTMLInputStream, ) # noqa: E402 module level import not at top of file from bleach._vendor.html5lib.serializer import ( + escape, HTMLSerializer, ) # noqa: E402 module level import not at top of file from bleach._vendor.html5lib._tokenizer import ( diff --git a/bleach/sanitizer.py b/bleach/sanitizer.py index bc66ad2a..0f5b7cc5 100644 --- a/bleach/sanitizer.py +++ b/bleach/sanitizer.py @@ -371,6 +371,10 @@ def sanitize_token(self, token): elif token_type == "Comment": if not self.strip_html_comments: + # call lxml.sax.saxutils to escape &, <, and > in addition to " and ' + token["data"] = html5lib_shim.escape( + token["data"], entities={'"': """, "'": "'"} + ) return token else: return None diff --git a/tests/test_clean.py b/tests/test_clean.py index 1cd58df0..7c565750 100644 --- a/tests/test_clean.py +++ b/tests/test_clean.py @@ -739,6 +739,53 @@ def test_namespace_rc_data_element_strip_false( ) +@pytest.mark.parametrize( + "namespace_tag, end_tag, data, expected", + [ + ( + "math", + "p", + "
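Review bot: The comment added above the `html5lib_shim.escape` call in sanitizer.py names the wrong module: it says `lxml.sax.saxutils`, while the first hunk imports `escape` from `bleach._vendor.html5lib.serializer` and no lxml import is visible anywhere in the patch. Suggest `# escape &, <, > (plus " and ' via the entities map) so retained comment text cannot close the comment early or carry markup into the output`. Because the escaped data is what the serializer later emits, a comment body containing `-->` now stays inside the comment, which appears to be the mutation vector the commit message and the new test refer to; stating that intent in the comment helps the next reader. sanitize_token starts and ends outside the hunk. Separately, the CHANGES hunk in the second patch credits this release's security fix to bug 1621692 / GHSA-m6xf-fq7q-8743, whereas this commit's message and the new test cite bug 1689399 / GHSA-vv2x-vrpj-qqpq — one of the two looks like a copy-paste slip and should be reconciled before the release notes ship.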

", + ), + ( + "math", + "br", + "
", + ), + ( + "svg", + "p", + "

", + ), + ( + "svg", + "br", + "
", + ), + ], +) +def test_html_comments_escaped(namespace_tag, end_tag, data, expected): + # refs: bug 1689399 / GHSA-vv2x-vrpj-qqpq + # + # p and br can be just an end tag (e.g.

==

) + # + # In browsers: + # + # * img and other tags break out of the svg or math namespace (e.g. == ) + # * style does not (e.g. == ) + # * the breaking tag ejects trailing elements (e.g. == ) + # + # the ejected elements can trigger XSS + assert ( + clean(data, tags=[namespace_tag, end_tag, "style"], strip_comments=False) + == expected + ) + + def get_ids_and_tests(): """Retrieves regression tests from data/ directory From 842fcb4a05e59d9a22dafb8c51865ee79d753c03 Mon Sep 17 00:00:00 2001 From: Greg Guthe Date: Fri, 29 Jan 2021 11:22:55 -0500 Subject: [PATCH 2/2] Update for v3.3.0 release --- CHANGES | 19 +++++++++++++++++++ SECURITY.md | 4 ++-- bleach/__init__.py | 4 ++-- tests_website/index.html | 4 ++-- 4 files changed, 25 insertions(+), 6 deletions(-) diff --git a/CHANGES b/CHANGES index b93ae510..d4a0e500 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,25 @@ Bleach changes ============== +Version 3.3.0 (February 1st, 2021) +---------------------------------- + +**Backwards incompatible changes** + +* clean escapes HTML comments even when strip_comments=False + +**Security fixes** + +* Fix bug 1621692 / GHSA-m6xf-fq7q-8743. See the advisory for details. + +**Features** + +None + +**Bug fixes** + +None + Version 3.2.3 (January 26th, 2021) ---------------------------------- diff --git a/SECURITY.md b/SECURITY.md index 47b7d7a8..751dfdbb 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -7,8 +7,8 @@ currently being supported with security updates. | Version | Supported | | ------- | ------------------ | -| 3.2.x | :white_check_mark: | -| < 3.1 | :x: | +| 3.3.x | :white_check_mark: | +| < 3.2 | :x: | ## Reporting a Vulnerability diff --git a/bleach/__init__.py b/bleach/__init__.py index 02301f7e..6cc994c2 100644 --- a/bleach/__init__.py +++ b/bleach/__init__.py 
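Review bot: Every parametrized case in test_html_comments_escaped places the comment inside a math or svg element (namespace_tag is only ever "math" or "svg"), so the hunk does not pin the plainer contract that a top-level comment is escaped when strip_comments=False. The data strings are not legible in this rendering, so this is inferred from the parametrize list only; if no such case exists elsewhere in tests/test_clean.py, one constructed case along the lines of `assert clean("<!-- a > b -->", strip_comments=False) == "<!-- a &gt; b -->"` (expected value to be confirmed against the serializer) would document the escaping on its own. The inline comment block could also say why strip_comments=False is passed: the assertion is about escaping retained comments, not about stripping them.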
@@ -18,9 +18,9 @@ # yyyymmdd -__releasedate__ = "20210126" +__releasedate__ = "20210201" # x.y.z or x.y.z.dev0 -- semver -__version__ = "3.2.3" +__version__ = "3.3.0" VERSION = packaging.version.Version(__version__) diff --git a/tests_website/index.html b/tests_website/index.html index 5df8ed99..b4a92f9d 100644 --- a/tests_website/index.html +++ b/tests_website/index.html @@ -2,7 +2,7 @@ - Python Bleach 3.2.3 + Python Bleach 3.3.0 -

Python Bleach 3.2.3

+

Python Bleach 3.3.0

pypi version Build Status