From: Mark Otto Date: Sun, 28 Jun 2026 02:29:41 +0000 (-0700) Subject: Sanitizer: block data:/vbscript: URLs (XSS hardening) (#42549) X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=947f1127f30a3269c0c7893ea6f4685284792648;p=thirdparty%2Fbootstrap.git Sanitizer: block data:/vbscript: URLs (XSS hardening) (#42549) * Sanitizer: block data:/vbscript: URLs in allowed attributes The sanitizer's SAFE_URL_PATTERN only rejected javascript:, so a data:text/html (or vbscript:) URL in an href/src passed the allowList — an XSS vector via data-bs-title/data-bs-content. Reject data: and vbscript: in SAFE_URL_PATTERN and re-allow only safe base64 image/video/ audio data URLs via a restored DATA_URL_PATTERN. Fixes #42443. * Bump bundlewatch size thresholds * Sanitizer: drop redundant 0-9 from base64 data-URI char class \d already matches 0-9, so the explicit 0-9 in the same class was dead weight. Functionally identical; clears the CodeQL overly-permissive-range alert on the overlap. * Build: bump bundle.js bundlewatch threshold for sanitizer additions --- diff --git a/.bundlewatch.config.json b/.bundlewatch.config.json index 8986f6b953..e8991a6337 100644 --- a/.bundlewatch.config.json +++ b/.bundlewatch.config.json @@ -34,7 +34,7 @@ }, { "path": "./dist/js/bootstrap.bundle.js", - "maxSize": "83.5 kB" + "maxSize": "83.75 kB" }, { "path": "./dist/js/bootstrap.bundle.min.js", diff --git a/js/src/util/sanitizer.js b/js/src/util/sanitizer.js index cb33633ffd..f0482eb94e 100644 --- a/js/src/util/sanitizer.js +++ b/js/src/util/sanitizer.js @@ -63,14 +63,22 @@ const uriAttributes = new Set([ * * Shout-out to Angular https://github.com/angular/angular/blob/15.2.8/packages/core/src/sanitization/url_sanitizer.ts#L38 */ -const SAFE_URL_PATTERN = /^(?!javascript:)(?:[a-z0-9+.-]+:|[^&:/?#]*(?:[/?#]|$))/i +const SAFE_URL_PATTERN = /^(?!(?:javascript|data|vbscript):)(?:[a-z0-9+.-]+:|[^&:/?#]*(?:[/?#]|$))/i + +/** + * A pattern that matches safe data URLs. Only matches image, video and audio + * types — notably NOT `data:text/html`, which is an XSS vector. + * + * Shout-out to Angular https://github.com/angular/angular/blob/15.2.8/packages/core/src/sanitization/url_sanitizer.ts#L49 + */ +const DATA_URL_PATTERN = /^data:(?:image\/(?:bmp|gif|jpeg|jpg|png|tiff|webp)|video\/(?:mpeg|mp4|ogg|webm)|audio\/(?:mp3|oga|ogg|opus));base64,[\d+/a-z=]+$/i const allowedAttribute = (attribute, allowedAttributeList) => { const attributeName = attribute.nodeName.toLowerCase() if (allowedAttributeList.includes(attributeName)) { if (uriAttributes.has(attributeName)) { - return Boolean(SAFE_URL_PATTERN.test(attribute.nodeValue)) + return Boolean(SAFE_URL_PATTERN.test(attribute.nodeValue) || DATA_URL_PATTERN.test(attribute.nodeValue)) } return true diff --git a/js/tests/unit/util/sanitizer.spec.js b/js/tests/unit/util/sanitizer.spec.js index 2b21ef2e19..ccf5c5cf6d 100644 --- a/js/tests/unit/util/sanitizer.spec.js +++ b/js/tests/unit/util/sanitizer.spec.js @@ -67,7 +67,13 @@ describe('Sanitizer', () => { 'jav\u0000ascript:alert();' ] - for (const url of invalidUrls) { + const dangerousDataUrls = [ + 'data:text/html,hello', + 'data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==', + 'vbscript:msgbox(1)' + ] + + for (const url of [...invalidUrls, ...dangerousDataUrls]) { const template = [ '
', ` Click me`,