Scan for JS code also in CSS comments

frenzymadness · frenzymadness · commit c5d816f86eb3 · 2024-11-12T13:18:24.000+01:00
The `Cleaner()` now scans for hidden JavaScript code embedded
within CSS comments. In certain contexts, such as within `&lt;svg&gt;`
or `&lt;math&gt;` tags, `&lt;style&gt;` tags may lose their intended function,
allowing comments like `/* foo */` to potentially be executed by
the browser.
diff --git a/lxml_html_clean/clean.py b/lxml_html_clean/clean.py
@@ -581,22 +581,27 @@ def _has_sneaky_javascript(self, style):
         that and remove only the Javascript from the style; this catches
         more sneaky attempts.
         """
-        style = self._substitute_comments('', style)
-        style = style.replace('\\', '')
         style = _substitute_whitespace('', style)
         style = style.lower()
-        if _has_javascript_scheme(style):
-            return True
-        if 'expression(' in style:
-            return True
-        if '@import' in style:
-            return True
-        if '</noscript' in style:
-            # e.g. '<noscript><style><a title="</noscript><img src=x onerror=alert(1)>">'
-            return True
-        if _looks_like_tag_content(style):
-            # e.g. '<math><style><img src=x onerror=alert(1)></style></math>'
-            return True
+
+        for with_comments in True, False:
+            if not with_comments:
+                style = self._substitute_comments('', style)
+
+            style = style.replace('\\', '')
+
+            if _has_javascript_scheme(style):
+                return True
+            if 'expression(' in style:
+                return True
+            if '@import' in style:
+                return True
+            if '</noscript' in style:
+                # e.g. '<noscript><style><a title="</noscript><img src=x onerror=alert(1)>">'
+                return True
+            if _looks_like_tag_content(style):
+                # e.g. '<math><style><img src=x onerror=alert(1)></style></math>'
+                return True
         return False
 
     def clean_html(self, html):
diff --git a/tests/test_clean.py b/tests/test_clean.py
@@ -127,6 +127,23 @@ def test_sneaky_js_in_math_style(self):
             b'<math><style>/* deleted */</style></math>',
             lxml.html.tostring(clean_html(s)))
 
+    def test_sneaky_js_in_style_comment_math_svg(self):
+        for tag in "svg", "math":
+            html = f'<{tag}><style>/*<img src onerror=alert(origin)>*/'
+            s = lxml.html.fragment_fromstring(html)
+
+            self.assertEqual(
+                f'<{tag}><style>/* deleted */</style></{tag}>'.encode(),
+                lxml.html.tostring(clean_html(s)))
+
+    def test_sneaky_js_in_style_comment_noscript(self):
+        html = '<noscript><style>/*</noscript><img src onerror=alert(origin)>*/'
+        s = lxml.html.fragment_fromstring(html)
+
+        self.assertEqual(
+            b'<noscript><style>/* deleted */</style></noscript>',
+            lxml.html.tostring(clean_html(s)))
+
     def test_sneaky_import_in_style(self):
         # Prevent "@@importimport" -> "@import" replacement etc.
         style_codes = [
