Detect encoded script markup

2021-05-19 12:29:37 +01:00 · 2021-05-19 12:29:37 +01:00 · fd30083696
parent 39c798c157
commit fd30083696
2 changed files with 33 additions and 26 deletions
--- a/tests.py
+++ b/tests.py
@ -2268,6 +2268,11 @@ def testDangerousMarkup():
        '.innerHTML = "evil";</script></p>'
    assert(dangerousMarkup(content, allowLocalNetworkAccess))

+    content = '<p>This is a valid-looking message. But wait... ' + \
+        '&lt;script&gt;document.getElementById("concentrated")' + \
+        '.innerHTML = "evil";&lt;/script&gt;</p>'
+    assert(dangerousMarkup(content, allowLocalNetworkAccess))
+
    content = '<p>This html contains more than you expected... ' + \
        '<script language="javascript">document.getElementById("abc")' + \
        '.innerHTML = "def";</script></p>'
@ -3646,8 +3651,6 @@ def testSpoofGeolocation() -> None:
                                              "%Y-%m-%d %H:%M")
        coords = spoofGeolocation('', 'new york, usa', currTime,
                                  decoySeed, citiesList)
-        #coords = spoofGeolocation('', 'berlin, germany', currTime,
-        #                          decoySeed, citiesList)
        longitude = coords[1]
        if coords[3] == 'W':
            longitude = -coords[1]
--- a/utils.py
+++ b/utils.py
@ -663,32 +663,36 @@ def getLocalNetworkAddresses() -> []:
 def dangerousMarkup(content: str, allowLocalNetworkAccess: bool) -> bool:
    """Returns true if the given content contains dangerous html markup
    """
-    if '<' not in content:
-        return False
-    if '>' not in content:
-        return False
-    contentSections = content.split('<')
-    invalidPartials = ()
-    if not allowLocalNetworkAccess:
-        invalidPartials = getLocalNetworkAddresses()
-    invalidStrings = ('script', 'canvas', 'style', 'abbr',
-                      'frame', 'iframe', 'html', 'body',
-                      'hr', 'allow-popups', 'allow-scripts')
-    for markup in contentSections:
-        if '>' not in markup:
+    separators = (['<', '>'], ['&lt;', '&gt;'])
+    for separatorStyle in separators:
+        startChar = separatorStyle[0]
+        endChar = separatorStyle[1]
+        if startChar not in content:
            continue
-        markup = markup.split('>')[0].strip()
-        for partialMatch in invalidPartials:
-            if partialMatch in markup:
-                return True
-        if ' ' not in markup:
-            for badStr in invalidStrings:
-                if badStr in markup:
-                    return True
-        else:
-            for badStr in invalidStrings:
-                if badStr + ' ' in markup:
+        if endChar not in content:
+            continue
+        contentSections = content.split(startChar)
+        invalidPartials = ()
+        if not allowLocalNetworkAccess:
+            invalidPartials = getLocalNetworkAddresses()
+        invalidStrings = ('script', 'canvas', 'style', 'abbr',
+                          'frame', 'iframe', 'html', 'body',
+                          'hr', 'allow-popups', 'allow-scripts')
+        for markup in contentSections:
+            if endChar not in markup:
+                continue
+            markup = markup.split(endChar)[0].strip()
+            for partialMatch in invalidPartials:
+                if partialMatch in markup:
                    return True
+            if ' ' not in markup:
+                for badStr in invalidStrings:
+                    if badStr in markup:
+                        return True
+            else:
+                for badStr in invalidStrings:
+                    if badStr + ' ' in markup:
+                        return True
    return False