Fixes in parser to address bypass of the library and XSS attacks

OWASP · Dec 15, 2023 · 9b25635 · 9b25635
1 parent 35c506c
commit 9b25635
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 1 deletion.
diff --git a/src/main/java/org/owasp/html/HtmlLexer.java b/src/main/java/org/owasp/html/HtmlLexer.java
@@ -476,6 +476,7 @@ private static enum State {
     COMMENT,
     COMMENT_DASH,
     COMMENT_DASH_DASH,
+    COMMENT_DASH_AFTER_BANG,
     DIRECTIVE,
     DONE,
     BOGUS_COMMENT,
@@ -640,17 +641,28 @@ && canonicalElementName(start + 2, end)
                 case BANG:
                   if ('-' == ch) {
                     state = State.BANG_DASH;
+                  } else if('>' == ch) { // <!> is a valid html comment
+                    state = State.DONE;
+                    type = HtmlTokenType.COMMENT;
                   } else {
                     state = State.DIRECTIVE;
                   }
                   break;
                 case BANG_DASH:
                   if ('-' == ch) {
-                    state = State.COMMENT;
+                    state = State.COMMENT_DASH_AFTER_BANG;
                   } else {
                     state = State.DIRECTIVE;
                   }
                   break;
+                case COMMENT_DASH_AFTER_BANG:
+                  if ('>' == ch) { // <!--> is a valid html comment
+                    state = State.DONE;
+                    type = HtmlTokenType.COMMENT;
+                  }else{
+                    state = State.COMMENT;
+                  }
+                  break;
                 case COMMENT:
                   if ('-' == ch) {
                     state = State.COMMENT_DASH;

diff --git a/src/test/java/org/owasp/html/HtmlLexerTest.java b/src/test/java/org/owasp/html/HtmlLexerTest.java
@@ -121,6 +121,31 @@ public static final void testShortTags() {
         "TAGEND: >");
   }
 
+  @Test
+  public static final void testCommentDeclarationWith0CommentsAndXss() throws Exception
+  {
+    //check https://datatracker.ietf.org/doc/html/rfc1866#section-3.2.5
+    assertTokens("<!><img src=1 onError=alert(\"nice\")>",
+            "COMMENT: <!>",
+            "TAGBEGIN: <img",
+            "ATTRNAME: src",
+            "ATTRVALUE: 1",
+            "ATTRNAME: onError",
+            "ATTRVALUE: alert(\"nice\")",
+            "TAGEND: >"
+    );
+  }
+
+  @Test
+  public static final void testCommentDeclarationWith0CommentsAndTag() throws Exception
+  {
+    assertTokens("<!--><img>",
+            "COMMENT: <!-->",
+            "TAGBEGIN: <img",
+            "TAGEND: >"
+    );
+  }
+
   private static void lex(String input, Appendable out) throws Exception {
     HtmlLexer lexer = new HtmlLexer(input);
     int maxTypeLength = 0;