fix: Ignore tag style, if sanitize cant parse CSS inside it #506

Author: shevnv

src/transform/sanitize.ts

@@ -560,7 +560,9 @@ function sanitizeStyleTags(dom: cheerio.CheerioAPI, cssWhiteList: CssWhiteList)
             });
 
             dom(element).text(css.stringify(parsedCSS));
-        } catch {}
+        } catch {
+            dom(element).remove();
+        }
     });
 }
 

test/__snapshots__/xss.test.ts.snap

@@ -284,11 +284,7 @@ exports[` meta 1`] = `""`;
 
 exports[` style sheet 1`] = `""`;
 
-exports[` style tag 1`] = `
-<style type="text/javascript">
-  alert('XSS');
-</style>
-`;
+exports[` style tag 1`] = `""`;
 
 exports[` style tag using background 1`] = `
 <style type="text/css">
@@ -311,3 +307,12 @@ exports[` style tags with broken up JavaScript for XSS 1`] = `
 `;
 
 exports[` style tags with broken up JavaScript for XSS part 2 1`] = `<img>`;
+
+exports[` svg with style tag and foreignObject inside 1`] = `
+<p>
+  <svg>
+    <style>
+    </style>
+  </svg>
+</p>
+`;

test/xss.test.ts

@@ -112,6 +112,10 @@ const ckecks = [
         'style tag using background',
         `<style type="text/css">body{background:url("javascript:alert('XSS')")}</style>`,
     ],
+    [
+        'svg with style tag and foreignObject inside',
+        '<svg><style><foreignObject><img src="a" onerror=alert(1)/></foreignObject></style></svg>',
+    ],
     ['Anonymous HTML with style attribute', `<xss style="xss:expression(alert('XSS'))">`],
     ['Local htc file', `<xss style="behavior: url(xss.htc);">`],
     ['US-ASCII encoding', `¼script¾alert(¢XSS¢)¼/script¾`],