A poorly coded escaping algorithm for CSS strings in the font-family property could allow a clever attacker to escape from the string and execute arbitrary JavaScript via CSS.
This vulnerability was reported privately to the vendor by Takeshi Terada. No active exploits are currently known.
Fix
This vulnerability was fixed in HTML Purifier 3.1.1 and 2.1.5.
Details
The algorithm sucked. In its old form, it used two string replaces:
$font = str_replace("'", "\\'", $font);
$font = str_replace("\n", "\\\n", $font);
...to escape magical characters. The problem with this algorithm was that backslashes were not handled; thus, prefixing a single quote with a backslash would break this primitive protection. A hotfix was applied for this; however, it broke Unicode character escapes in CSS, which take the form of \uXXXX.
The final solution was to rewrite all of the escaping code to iterate through the value of font-family, performing appropriate tests on the characters following a backslash whenever one was encountered, and translating UTF-8 escapes to their literal equivalents.
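As an added illustration (not code from HTML Purifier), the two str_replace() calls above are ported to Python beside a character-by-character escaper of the kind the fix describes, plus a minimal CSS string tokenizer that shows whether a value breaks out of its quotes. The function names, the regex and the CSS hex-escape handling are my own assumptions about the design, not the project's code.

```python
import re

# CSS escape: backslash, 1-6 hex digits, optionally one trailing whitespace char.
_HEX_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\n]?")

def escape_font_vulnerable(font: str) -> str:
    """Port of the two str_replace() calls quoted above (for demonstration only).
    Backslashes pass through, so an input \\' becomes \\\\' with the quote live."""
    font = font.replace("'", "\\'")
    font = font.replace("\n", "\\\n")
    return font

def escape_font_hardened(font: str) -> str:
    """Walk the value: decode CSS hex escapes to literal characters, treat any
    other backslash as escaping only the next character, then re-escape backslash,
    quote and newline for a single-quoted CSS string. Assumed design, not HTML Purifier's."""
    literal, i = [], 0
    while i < len(font):
        if font[i] != "\\":
            literal.append(font[i]); i += 1; continue
        m = _HEX_ESCAPE.match(font, i)
        if m:                        # \41 , \1F600 ... -> the literal character
            cp = int(m.group(1), 16)
            bad = cp == 0 or cp > 0x10FFFF or 0xD800 <= cp <= 0xDFFF
            literal.append("\ufffd" if bad else chr(cp)); i = m.end()
        elif i + 1 < len(font):      # \x -> x (backslash escapes one character)
            literal.append(font[i + 1]); i += 2
        else:                        # dangling trailing backslash: drop it
            i += 1
    s = "".join(literal)
    # Escape backslashes first so the escapes added afterwards are not doubled.
    return s.replace("\\", "\\\\").replace("'", "\\'").replace("\n", "\\a ")

def parse_css_single_quoted(css: str):
    """Minimal CSS string tokenizer: returns (decoded value, text after the closing quote)."""
    assert css.startswith("'")
    out, i = [], 1
    while i < len(css) and css[i] != "'":
        if css[i] == "\\":
            m = _HEX_ESCAPE.match(css, i)
            if m:
                out.append(chr(int(m.group(1), 16))); i = m.end()
            else:                    # \x -> x; backslash-newline is a line continuation
                nxt = css[i + 1:i + 2]
                if nxt != "\n": out.append(nxt)
                i += 2
        else:
            out.append(css[i]); i += 1
    return "".join(out), css[i + 1:]
```

Non-empty leftover text from parse_css_single_quoted() is exactly what the vulnerable escaper hands to the rest of the stylesheet; the hardened escaper keeps it inside the string.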
History
The vulnerability was reported on May 23, 2008 via email. Two patches were committed to fix this issue, one on May 24, 2008 and one on May 25, 2008. HTML Purifier 3.1.1 was released on June 19, 2008.