formaction attr allowing javascript in Cleaner() if safe_attrs_only is set

Bug #1888153 reported by Kevin Chung
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
lxml
Fix Released
Medium
Unassigned

Bug Description

Python : sys.version_info(major=3, minor=8, micro=3, releaselevel='final', serial=0)
lxml.etree : (4, 5, 2, 0)
libxml used : (2, 9, 10)
libxml compiled : (2, 9, 10)
libxslt used : (1, 1, 34)
libxslt compiled : (1, 1, 34)

The following script creates a form with a button with formaction which still allows XSS through when clicking the button.

```
from lxml.html.clean import Cleaner
cleaner = Cleaner(
    forms=False,
    safe_attrs_only=False,
)
cleaner.clean_html("""<form id="test"></form><button form="test" formaction="javascript:alert(1)">X</button>""")
```

However, this same kind of idea doesn't apply to action on the form which is somewhat equivalent:

```
In [1]: cleaner.clean_html("""<form id="test"></form><button form="test" formaction="javascript:alert(1)">X</button>""")
Out[1]: '<div><form id="test"></form><button form="test" formaction="javascript:alert(1)">X</button></div>'

In [2]: cleaner.clean_html("""<form id="test" action="javascript:alert(1)"></form><button form="test" type="submit">X</button>""")
Out[2]: '<div><form id="test" action=""></form><button form="test" type="submit">X</button></div>'
```

safe_attrs_only is an unsafe setting to disable but it seems to respect the javascript setting so I would argue that formaction should be added to the list of attributes that are removed by the javascript setting.

CVE References

Revision history for this message
Kevin Chung (kchung) wrote :

I believe the issue is that lxml isn't treating a button as a "link" and not running formaction through `doc.rewrite_links()`

https://github.com/lxml/lxml/blob/34aa8896f99f93a43f3c61fc66beb459ce163acd/src/lxml/html/clean.py#L300

From there iterlinks() is called which doesn't see a button as a link.

I'm not sure if you would want to modify iterlinks() or add a special case for button in the clean function.

Revision history for this message
Kevin Chung (kchung) wrote :

A similar issue exists with:

<input type="submit" formaction="javascript:alert(1)">

Revision history for this message
scoder (scoder) wrote :

Thanks for the report. This seems worth fixing. If "formaction" is not currently looked at for links, then it should be.

PR welcome.

Changed in lxml:
importance: Undecided → Medium
status: New → Confirmed
Revision history for this message
Kevin Chung (kchung) wrote :

PR created: https://github.com/lxml/lxml/pull/316
Also requested a CVE from Mitre.

Revision history for this message
Kevin Chung (kchung) wrote :

This has been allocated CVE-2021-28957.

scoder (scoder)
Changed in lxml:
milestone: none → 4.6.3
status: Confirmed → Fix Committed
scoder (scoder)
information type: Private Security → Public Security
scoder (scoder)
Changed in lxml:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.