author | Stefan Behnel <stefan_ml@behnel.de> | 2021-11-11 12:20:57 +0100 |
committer | Stefan Behnel <stefan_ml@behnel.de> | 2021-11-11 13:19:30 +0100 |
commit | 12fa9669007180a7bb87d990c375cf91ca5b664a (patch) | |
tree | a6b00384d0ba10462013dc505ada14bb58a9f05e | |
parent | 24a459910130afc8a16bdecdde35ca9d5aa47f1d (diff) | |
download | python-lxml-12fa9669007180a7bb87d990c375cf91ca5b664a.tar.gz |
Cleaner: Prevent "@import" from re-occurring in the CSS after replacements, e.g. "@@importimport".
Reported as GHSL-2021-1037
-rw-r--r-- | src/lxml/html/clean.py | 2 | ||||
-rw-r--r-- | src/lxml/html/tests/test_clean.py | 20 |
2 files changed, 22 insertions, 0 deletions
diff --git a/src/lxml/html/clean.py b/src/lxml/html/clean.py
index 0494357e..25844e87 100644
--- a/src/lxml/html/clean.py
+++ b/src/lxml/html/clean.py
@@ -541,6 +541,8 @@ class Cleaner(object):
 return True
 if 'expression(' in style:
 return True
+ if '@import' in style:
+ return True
 if '</noscript' in style:
 # e.g. '<noscript><style><a title="</noscript><img src=x onerror=alert(1)>">'
 return True
diff --git a/src/lxml/html/tests/test_clean.py b/src/lxml/html/tests/test_clean.py
index 45c2e83a..d395d514 100644
--- a/src/lxml/html/tests/test_clean.py
+++ b/src/lxml/html/tests/test_clean.py
@@ -123,6 +123,26 @@ class CleanerTest(unittest.TestCase):
 b'<math><style>/* deleted */</style></math>',
 lxml.html.tostring(clean_html(s)))
 
+ def test_sneaky_import_in_style(self):
+ # Prevent "@@importimport" -> "@import" replacement.
+ style_codes = [
+ "@@importimport(extstyle.css)",
+ "@ @ import import(extstyle.css)",
+ "@ @ importimport(extstyle.css)",
+ "@@ import import(extstyle.css)",
+ "@ @import import(extstyle.css)",
+ "@@importimport()",
+ ]
+ for style_code in style_codes:
+ html = '<style>%s</style>' % style_code
+ s = lxml.html.fragment_fromstring(html)
+
+ cleaned = lxml.html.tostring(clean_html(s))
+ self.assertEqual(
+ b'<style>/* deleted */</style>',
+ cleaned,
+ "%s -> %s" % (style_code, cleaned))
+
 
 def test_formaction_attribute_in_button_input(self):
 # The formaction attribute overrides the form's action and should be
 # treated as a malicious link attribute |
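Review bot: The new `'@import' in style` check carries no explanation, while the neighbouring `'</noscript'` check documents the input shape it guards against, so a later reader will not know why a literal `@import` is treated as sneaky rather than left to the ordinary `@import` stripping. I would add `# e.g. '@@importimport(...)': a single pass of @import removal leaves '@import' behind (GHSL-2021-1037)` above the new `if`. The check is a plain case-sensitive substring test, so it depends on the normalisation earlier in the method (the test hunk's `"@ @ import import(...)"` case presumes whitespace has already been removed, and lower-casing would be needed for mixed case); that part of the method is outside the hunk, so it is worth confirming the check sits after it. The enclosing method starts and ends outside the hunk.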
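Review bot: `test_sneaky_import_in_style` pins only lowercase, space-separated variants, although the check it exercises is a substring match on the normalised style text; a mixed-case entry in `style_codes` (for example a constructed `"@@IMPORTimport(extstyle.css)"`) would pin the lower-casing assumption as well. A separate plain entry such as `"@import url(extstyle.css)"` would also document that, with the new check, a lone `@import` appears to delete the whole style block rather than just the rule, which is a visible behaviour change for callers. The per-iteration message `"%s -> %s" % (style_code, cleaned)` is the right choice here since the loop stops at the first failing case. The test method is complete within the hunk.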