Fix hex escape issue in style element

mganss · Dec 23, 2020 · a3a7602 · a3a7602
1 parent 0963175
commit a3a7602
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 1 deletion.
diff --git a/src/HtmlSanitizer/HtmlSanitizer.cs b/src/HtmlSanitizer/HtmlSanitizer.cs
@@ -743,7 +743,7 @@ private void SanitizeStyleSheets(IHtmlDocument dom, string baseUrl)
  else i++;
  }
 
- styleTag.InnerHtml = styleSheet.ToCss();
+ styleTag.InnerHtml = styleSheet.ToCss().Replace("<", "\\3c");
  }
  }
 

diff --git a/test/HtmlSanitizer.Tests/Tests.cs b/test/HtmlSanitizer.Tests/Tests.cs
@@ -3201,6 +3201,19 @@ public void PreParsedDocumentWithContextTest()
 
  Assert.Equal("<html><head></head><body><div>hi</div></body></html>", returnedDocument.ToHtml());
  }
+
+ [Fact]
+ public void StyleByPassTest()
+ {
+ var sanitizer = new HtmlSanitizer();
+
+ sanitizer.AllowedTags.Add("style");
+
+ var html = "aaabc<style>x[x='\\3c /style>\\3c img src onerror=alert(1)>']{}</style>";
+ var sanitized = sanitizer.Sanitize(html, "http://www.example.com");
+
+ Assert.Equal("aaabc<style>x[x=\"\\3c/style>\\3cimg src onerror=alert(1)>\"] { }</style>", sanitized);
+ }
  }
 }