[WARNING] Don't trust strip_links()
Published about 7 years ago

After coming across Ticket 8864, I tried to play around a bit more with link tags. And guess what, they’re more broken than I ever thought. And it’s not just Rails, but Firefox too.

For example, consider the following HTML code:

<html>
<head><title>Seriously, wtf !?</title></head>
<body>
  <href onMouseover="alert(document.location)">whatever
</body>
</html>

This actually works in Firefox. But it looks fine (blank) in Safari/IE. (No, I don’t use Windows. I asked a friend to check it.)

Result? Applications that depend on strip_links() for stripping link tags are open to XSS attacks.
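An added example (not code from this post or from Rails): a hypothetical regex-based link stripper, standing in for the kind of filter described above, next to an allowlist sanitizer that drops unknown tags and all attributes. The function names, the allowlist and the constructed sample string are assumptions.

```ruby
require "cgi"

# Constructed sample: a normal link followed by the post's malformed <href> tag.
SAMPLE = %q{<a href="http://example.com">link</a> } +
         %q{<href onMouseover="alert(document.location)">whatever}

# Hypothetical stand-in for a link stripper that only knows about <a> tags.
# This is NOT the Rails strip_links() source.
def naive_strip_links(html)
  html.gsub(/<a\b[^>]*>(.*?)<\/a>/im, '\1')
end

# Allowlist approach: a tag survives only if its name is listed here, and it
# is re-emitted without any attributes, so event handlers cannot ride along.
ALLOWED_TAGS = %w[b i em strong p br].freeze

# Either a complete tag (captures: optional slash, tag name) or a single
# character that must be escaped when it appears outside a recognised tag.
TOKEN = /<(\/?)([A-Za-z][A-Za-z0-9]*)\b[^>]*>|[<>&"']/

def allowlist_sanitize(html)
  html.gsub(TOKEN) do |tok|
    slash, name = $1, $2
    if name.nil?
      CGI.escapeHTML(tok)                 # stray <, >, &, quotes become entities
    elsif ALLOWED_TAGS.include?(name.downcase)
      "<#{slash}#{name.downcase}>"        # known tag, attributes discarded
    else
      ""                                  # unknown tag (a, href, ...): dropped
    end
  end
end

# Output check: does any tag-like run still carry an on* event-handler attribute?
def event_handler_markup?(html)
  !!(html =~ /<[^>]*\son\w+\s*=/i)
end

if __FILE__ == $PROGRAM_NAME
  [naive_strip_links(SAMPLE), allowlist_sanitize(SAMPLE)].each do |out|
    puts "#{out.inspect} handler_left=#{event_handler_markup?(out)}"
  end
end
```

The allowlist version treats its input as untrusted text with a few permitted tags, so existing entities such as `&amp;` are escaped again.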

I feel this is a critical issue in Firefox and it’s not just related to Rails. And in very special cases, it could be really risky.

I’ve submitted my modified version of the strip_links patch anyway.

Wait and watch.