[htmlpurifier-web.git] / security / 2008 / css-backslash.xhtml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:xi="http://www.w3.org/2001/XInclude"
xml:lang="en">
<head>
<title>CSS Backslash Full Disclosure - Security - HTML Purifier</title>
<xi:include href="common-meta.xml" xpointer="xpointer(/*/node())" />
<meta name="description" content="Full disclosure security page detailing the Shift_JIS CSS backslash attack." />
<meta name="keywords" content="HTMLPurifier, HTML Purifier, HTML, filter, filtering, standards, compliant, 3.1.1, attack, full disclosure, xss, security, shift_jis, backslash, css" />
</head>
<body>
<xi:include href="common-header.xml" xpointer="xpointer(/*/node())" />
<div id="main">
<h1 id="title"><abbr>CSS</abbr> Backslash Full Disclosure</h1>
<div id="content">
<p>
A poorly coded escaping algorithm for <abbr>CSS</abbr> strings
in the <code>font-family</code> property could allow a clever attacker
to escape from the string and execute arbitrary JavaScript via
<abbr>CSS</abbr>.
</p>
<p>
This vulnerability was reported privately to the vendor by
<a href="http://d.hatena.ne.jp/teracc/">Takeshi Terada</a>.
No active exploits are currently known.
</p>
<h2 id="Fix">Fix</h2>
<p>
This vulnerability was fixed in HTML Purifier 3.1.1 and 2.1.5.
</p>
<h2 id="Details">Details</h2>
<p>
The algorithm sucked. In its old form, it used two string replaces:
</p>
<pre><![CDATA[
$font = str_replace("'", "\\'", $font);
$font = str_replace("\n", "\\\n", $font);
]]></pre>
53 <p>
54 ...to escape magical characters. The problem with
55 this algorithm was the fact that backslashes
56 were not handled; thus, by prepending a single quote with a backslash
57 would break this primitive protection. A hotfix was applied for this,
58 however, this broke Unicode character escapes in CSS, which take
59 the form of \uXXXX.
60 </p>
62 <p>
63 The final solution was to rewrite all of the escaping code to iterate
64 through the value of <code>font-family</code>, performing appropriate
65 tests when a backslash was encountered of the later characters,
66 and translating UTF-8 escapes to their literal equivalents.
67 </p>
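<p>
As an added worked example (not HTML Purifier's own code), here are the two escaping strategies described above side by side in PHP: the old two-replace version, and a single-pass version that first resolves every backslash sequence to a literal character and only then escapes the quote and the backslash. It assumes the mbstring extension for <code>mb_chr</code>; the input strings are constructed for the demonstration.
</p>

```php
<?php
// Added illustration, not HTML Purifier's own code: the two escaping
// strategies this page describes, run against constructed input.

// Pre-3.1.1 style: escape quotes and newlines, leave backslashes alone.
function escape_font_family_old(string $font): string
{
    $font = str_replace("'", "\\'", $font);
    $font = str_replace("\n", "\\\n", $font);
    return "'" . $font . "'";
}

// Hardened style: walk the value once, resolving every backslash sequence
// to a literal character (CSS hex escapes become UTF-8), then escape the
// only two bytes that stay special inside a single-quoted CSS string.
function escape_font_family_new(string $font): string
{
    $literal = '';
    $len = strlen($font);
    for ($i = 0; $i < $len; $i++) {
        if ($font[$i] !== '\\') {
            $literal .= $font[$i];
            continue;
        }
        if (++$i >= $len) {
            break;                          // dangling backslash: drop it
        }
        if (ctype_xdigit($font[$i])) {
            // CSS hex escape: 1-6 hex digits, optionally closed by one space
            $hex = $font[$i];
            while ($i + 1 < $len && strlen($hex) < 6 && ctype_xdigit($font[$i + 1])) {
                $hex .= $font[++$i];
            }
            if ($i + 1 < $len && $font[$i + 1] === ' ') {
                $i++;                       // the terminating space belongs to the escape
            }
            $cp = hexdec($hex);
            if ($cp > 0 && ($ch = mb_chr($cp, 'UTF-8')) !== false) {
                $literal .= $ch;            // NUL and invalid code points vanish
            }
        } elseif ($font[$i] !== "\n") {
            $literal .= $font[$i];          // "\x" means a literal x; "\<newline>" is dropped
        }
    }
    // Everything in $literal is now data, so backslash and quote get escaped.
    return "'" . str_replace(['\\', "'"], ['\\\\', "\\'"], $literal) . "'";
}

$payload = "\\'; color: red; x:'";          // constructed: a backslash, then a quote
echo escape_font_family_old($payload), "\n", escape_font_family_new($payload), "\n";
echo escape_font_family_new("Font\\20 Name"), "\n";   // constructed: a hex escape for a space
```

<p>
Fed the first constructed input, the old function emits a value whose <abbr>CSS</abbr> string closes right after the attacker's escaped backslash, while the new one keeps everything inside one quoted string; the second call shows the hex escape being turned back into a literal space instead of being mangled.
</p>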
<h2 id="History">History</h2>
<p>
The vulnerability was reported on May 23, 2008 via email.
Two patches were committed to fix this issue, one on
<a href="http://repo.or.cz/w/htmlpurifier.git?a=commit;h=10530d7f815803493df150fa07080669796bd33a">May 24, 2008</a>
and one on <a href="http://repo.or.cz/w/htmlpurifier.git?a=commit;h=bb16d8eae571dd4e30e3a62cce03d436d46cefaf">May 25, 2008</a>.
HTML Purifier 3.1.1 was released on June 19, 2008.
</p>
</div>
</div>
</body>
</html>