Merge pull request from GHSA-f5ww-cq3m-q3g7

Escape `</` to prevent a style element from being closed prematurely

Author: rgrove

HISTORY.md

@@ -1,5 +1,22 @@
 # Sanitize History
 
+## 6.0.2 (2023-07-06)
+
+### Bug Fixes
+
+* CVE-2023-36823: Fixed an HTML+CSS sanitization bypass that could allow XSS
+  (cross-site scripting). This issue affects Sanitize versions 3.0.0 through
+  6.0.1.
+
+  When using Sanitize's relaxed config or a custom config that allows `<style>`
+  elements and one or more CSS at-rules, carefully crafted input could be used
+  to sneak arbitrary HTML through Sanitize.
+
+  See the following security advisory for additional details:
+  [GHSA-f5ww-cq3m-q3g7](https://github.com/rgrove/sanitize/security/advisories/GHSA-f5ww-cq3m-q3g7)
+
+  Thanks to @cure53 for finding this issue.
+
 ## 6.0.1 (2023-01-27)
 
 ### Bug Fixes

lib/sanitize/transformers/clean_css.rb

@@ -48,6 +48,7 @@ def call(env)
     if css.strip.empty?
       node.unlink
     else
+      css.gsub!('</', '<\/')
       node.children.unlink
       node << Nokogiri::XML::Text.new(css, node.document)
     end

lib/sanitize/version.rb

@@ -1,5 +1,3 @@
-# encoding: utf-8
-
 class Sanitize
-  VERSION = '6.0.1'
+  VERSION = '6.0.2'
 end

test/test_malicious_css.rb

@@ -39,4 +39,17 @@
   it 'should not allow behaviors' do
     _(@s.properties(%[behavior: url(xss.htc);])).must_equal ''
   end
+
+  describe 'sanitization bypass via CSS at-rule in HTML <style> element' do
+    before do
+      @s = Sanitize.new(Sanitize::Config::RELAXED)
+    end
+
+    it 'is not possible to prematurely end a <style> element' do
+      assert_equal(
+        %[<style>@media<\\/style><iframe srcdoc='<script>alert(document.domain)<\\/script>'>{}</style>],
+        @s.fragment(%[<style>@media</sty/**/le><iframe srcdoc='<script>alert(document.domain)</script>'></style>])
+      )
+    end
+  end
 end