fix(core): block dangerous data: and vbscript: URLs in URL sanitizer#67692
Open
bangel251022 wants to merge 2 commits intoangular:mainfrom
Open
fix(core): block dangerous data: and vbscript: URLs in URL sanitizer#67692bangel251022 wants to merge 2 commits intoangular:mainfrom
bangel251022 wants to merge 2 commits intoangular:mainfrom
Conversation
The URL sanitizer previously only blocked `javascript:` URLs via a negative lookahead. This left other potentially dangerous URL schemes unblocked, including `data:text/html` (which can execute scripts in some environments), `vbscript:` (script execution in legacy IE), and bare `data:` URIs with no explicit media type. This change extends the URL sanitizer to also block: - `vbscript:` URLs - `data:` URLs except for safe media subtypes (image/*, video/*, audio/*) Safe media data: URIs (e.g. `data:image/png;base64,...`) continue to be allowed as they are commonly used for inline images and do not execute scripts when loaded via `<img src>`. This resolves a longstanding TODO in html_sanitizer.ts to special-case `data:image/` URIs, which has been open since the sanitizer was first written. Applications that rely on non-media `data:` URLs (e.g. `data:text/plain` or `data:application/pdf`) in sanitized contexts should use `bypassSecurityTrustUrl()` to explicitly mark them as trusted.
|
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The URL sanitizer (
_sanitizeUrl) currently only blocksjavascript:URLs. This leaves other potentially dangerous URL schemes unblocked:data:text/html— can execute scripts in older browsers and certain WebView environmentsvbscript:— script execution in legacy Internet Explorerdata:with no subtype (e.g.data:,<script>...) — defaults to text/plain but has been used in XSS attacksdata:application/xhtml+xml,data:text/xml— can contain executable script contentChanges
This PR extends the URL sanitizer regex to block
vbscript:and dangerousdata:subtypes while continuing to allow safe media data URIs:data:image/*— allowed (inline images)data:video/*— allowed (inline video)data:audio/*— allowed (inline audio)data:text/html— blockeddata:application/*— blockeddata:text/*— blockeddata:,(bare) — blockedvbscript:*— blockedThis also resolves a longstanding TODO in
html_sanitizer.tsthat has been open since the sanitizer was originally written:Security Note
data:image/svg+xmlis allowed because SVG loaded via<img src>is sandboxed by browsers (scripts do not execute). For<a href>contexts, modern browsers (Chrome 60+, Firefox 59+) block top-level navigation todata:URLs entirely.Migration
Applications that rely on non-media
data:URLs (e.g.data:text/plain,data:application/pdf) in sanitized URL contexts should useDomSanitizer.bypassSecurityTrustUrl()to explicitly mark them as trusted.Test Plan
vbscript:URL variants (3 cases, case-insensitive)data:URLs (9 cases including base64, bare data:, various MIME types)data:image/*test cases (svg+xml, gif)valid→invalidfor invalid URL test cases)