-
-
Notifications
You must be signed in to change notification settings - Fork 690
/
hooks-sanitize-css-demo.html
164 lines (152 loc) · 6.6 KB
/
hooks-sanitize-css-demo.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
<!doctype html>
<html>
<head>
<script src="../dist/purify.js"></script>
</head>
<body>
<!-- Our DIV to receive content -->
<div id="sanitized"></div>
<!-- Now let's sanitize that content -->
<script>
/* jshint globalstrict:true */
/* global DOMPurify */
'use strict';
window.onload = function(){
// Specify dirty HTML
let dirty = document.getElementById('payload').value;
// We can allow all (default elements) but SVG
const config = {
FORBID_TAGS: ['svg'] // SVG is not yet supported. Too messy.
};
// Specify CSS property whitelist
const allowed_properties = [
'color',
'background',
'border',
'padding',
'margin',
'font-family',
'content',
'padding'
];
// Specify if CSS functions are permitted
const allow_css_functions = true;
/**
* Take CSS property-value pairs and validate against white-list,
* then add the styles to an array of property-value pairs
*/
function validateStyles(output, styles) {
Object.keys(styles).forEach(function(index) {
if (styles.hasOwnProperty(index)) {
let normalizedKey = styles[index].replace(/([A-Z])/g, '-$1').toLowerCase();
if (allowed_properties.includes(normalizedKey)) {
let value = styles[normalizedKey];
output.push(`${normalizedKey}:${value};`);
}
}
});
}
/**
* Take CSS rules and analyze them, create string wrapper to
* apply them to the DOM later on. Note that only selector rules
* are supported right now
*/
function addCSSRules(output, cssRules) {
Array.from(cssRules).reverse().forEach(rule => {
// check for rules with selector
if (rule.type === 1 && rule.selectorText) {
output.push(`${rule.selectorText}{`);
if (rule.style) {
validateStyles(output, rule.style);
}
output.push('}');
}
});
}
// Add a hook to enforce CSS element sanitization
DOMPurify.addHook('uponSanitizeElement', function(node, data) {
if (data.tagName === 'style') {
let output = [];
addCSSRules(output, node.sheet.cssRules);
node.textContent = output.join("\n");
}
});
// Add a hook to enforce CSS attribute sanitization
DOMPurify.addHook('afterSanitizeAttributes', function(node) {
// Nasty hack to fix baseURI + CSS problems in Chrome
if (!node.ownerDocument.baseURI) {
let base = document.createElement('base');
base.href = document.baseURI;
node.ownerDocument.head.appendChild(base);
}
// Check all style attribute values and validate them
if (node.hasAttribute('style')) {
let output = [];
validateStyles(output, node.style);
// re-add styles in case any are left
if (output.length) {
node.setAttribute('style', output.join(""));
} else {
node.removeAttribute('style');
}
}
});
// Clean HTML string and write into our DIV
let clean = DOMPurify.sanitize(dirty, config);
document.getElementById('sanitized').innerHTML = clean;
}
</script>
<!-- Here we cage our payload in a TEXTAREA -->
<textarea id="payload">
<a href="#" style="border:1ps solid blue;color:red;background:url(/images/test.gif)">ABC</a>
<style>
big {
list-style: url(https://leaking.via/css-list-style);
list-style-image: url(https://leaking.via/css-list-style-image);
background: url(https://leaking.via/css-background);
background-image: url(https://leaking.via/css-background-image);
border-image: url(https://leaking.via/css-border-image);
border-image-source: url(https://leaking.via/css-border-image-source);
shape-outside: url(https://leaking.via/css-shape-outside);
cursor: url(https://leaking.via/css-cursor), auto;
color:red;
}
</style>
<big>DEF</big>
<svg>
<style>
circle {
fill: green;
mask: url(https://leaking.via/svg-css-mask#foo);
filter: url(https://leaking.via/svg-css-filter#foo);
clip-path: url(https://leaking.via/svg-css-clip-path#foo);
}
</style>
<circle r="40"></circle>
</svg>
<style>
@media all, not print and not monochrome, (min-width: 1px) {
body {
background: url(https://leaking.via/css-media-query);
font-family: expression(alert('url()'));
-webkit-animation: rotate-a-bit;
-webkit-animation-duration: 1s;
}
}
@font-face {
font-family: leak;
src: url(test.woff);
}
strong {
font-family: leak;
color:blue;
background: url("/images/test.gif");
}
strong:after {
content: 'hola!';
}
</style>
<strong>GHI</strong>
</textarea>
</body>
</html>