HTML having Quoted-Printable format characters is not sanitized properly


Rasmita Mahapatra

Aug 30, 2018, 4:29:36 AM8/30/18
to OWASP Java HTML Sanitizer Support
Input: "<a title="Gibson, Darlene" href=3D"mailto:[email protected]">Gibson, Darlene</a>"

Post sanitization

<a title="Gibson, Darlene">Gibson, Darlene</a>

When I removed the 3D, post sanitization

<a title="Gibson, Darlene" href="mailto:dgibson&#64;ryerson.ca">Gibson, Darlene</a>

Is this a bug in sanitizer?

Mike Samuel

Aug 30, 2018, 10:40:09 AM8/30/18
to OWASP Java HTML Sanitizer Support
It doesn't look like a bug in the sanitizer.

> Input: "<a title="Gibson, Darlene" href=3D"mailto:[email protected]">Gibson, Darlene</a>"

This input is equivalent to

    <a title="" href="3D%22mailto:[email protected]%22">Gibson, Darlene</a>

since the value of the href attribute starts at the 3D causing the rest to be parsed as part of an unquoted attribute.
The sanitizer then rejects the URL because the protocol 3D%22mailto is not on its whitelist.


If the input is Quoted-Printable, whatever calls the sanitizer should decode it first.