Fix XSS vulnerability on table of content generation

lulalala · gjtorikian · commit e132fd5c7948 · 2018-06-25T21:31:15.000-04:00
diff --git a/README.md b/README.md
@@ -186,6 +186,7 @@ gem 'rouge'
 * `PlainTextInputFilter` - `escape_utils`
 * `SanitizationFilter` - `sanitize`
 * `SyntaxHighlightFilter` - `rouge`
+* `TableOfContentsFilter` - `escape_utils`
 * `TextileFilter` - `RedCloth`
 
 _Note:_ See [Gemfile](/Gemfile) `:test` block for version requirements.
diff --git a/lib/html/pipeline/toc_filter.rb b/lib/html/pipeline/toc_filter.rb
@@ -1,3 +1,5 @@
+HTML::Pipeline.require_dependency('escape_utils', 'TableOfContentsFilter')
+
 module HTML
   class Pipeline
     # HTML filter that adds an 'id' attribute to all headers
@@ -43,7 +45,7 @@ def call
           uniq = headers[id] > 0 ? "-#{headers[id]}" : ''
           headers[id] += 1
           if header_content = node.children.first
-            result[:toc] << %(<li><a href="##{id}#{uniq}">#{text}</a></li>\n)
+            result[:toc] << %(<li><a href="##{id}#{uniq}">#{EscapeUtils.escape_html(text)}</a></li>\n)
             header_content.add_previous_sibling(%(<a id="#{id}#{uniq}" class="anchor" href="##{id}#{uniq}" aria-hidden="true">#{anchor_icon}</a>))
           end
         end
diff --git a/test/html/pipeline/toc_filter_test.rb b/test/html/pipeline/toc_filter_test.rb
@@ -92,6 +92,12 @@ def test_all_header_tags_are_found_when_adding_anchors
     assert_equal 6, doc.search('a').size
   end
 
+  def test_toc_outputs_escaped_html
+    @orig = %(<h1>&lt;img src="x" onerror="alert(42)"&gt;</h1>)
+
+    refute_includes toc, %(<img src="x" onerror="alert(42)">)
+  end
+
   def test_toc_is_complete
     @orig = %(<h1>"Funky President" by James Brown</h1>
               <h2>"It's My Thing" by Marva Whitney</h2>
@@ -101,7 +107,7 @@ def test_toc_is_complete
               <h6>"Ruthless Villain" by Eazy-E</h6>
               <h7>"Be Thankful for What You Got" by William DeVaughn</h7>)
 
-    expected = %(<ul class="section-nav">\n<li><a href="#funky-president-by-james-brown">"Funky President" by James Brown</a></li>\n<li><a href="#its-my-thing-by-marva-whitney">"It's My Thing" by Marva Whitney</a></li>\n<li><a href="#boogie-back-by-roy-ayers">"Boogie Back" by Roy Ayers</a></li>\n<li><a href="#feel-good-by-fancy">"Feel Good" by Fancy</a></li>\n<li><a href="#funky-drummer-by-james-brown">"Funky Drummer" by James Brown</a></li>\n<li><a href="#ruthless-villain-by-eazy-e">"Ruthless Villain" by Eazy-E</a></li>\n</ul>)
+    expected = %(<ul class="section-nav">\n<li><a href="#funky-president-by-james-brown">&quot;Funky President&quot; by James Brown</a></li>\n<li><a href="#its-my-thing-by-marva-whitney">&quot;It&#39;s My Thing&quot; by Marva Whitney</a></li>\n<li><a href="#boogie-back-by-roy-ayers">&quot;Boogie Back&quot; by Roy Ayers</a></li>\n<li><a href="#feel-good-by-fancy">&quot;Feel Good&quot; by Fancy</a></li>\n<li><a href="#funky-drummer-by-james-brown">&quot;Funky Drummer&quot; by James Brown</a></li>\n<li><a href="#ruthless-villain-by-eazy-e">&quot;Ruthless Villain&quot; by Eazy-E</a></li>\n</ul>)
 
     assert_equal expected, toc
   end
