fix: Sanitize security advisory HTML at ingestion to prevent stored XSS (#17024)

stevejalim · web-flow · commit 572925175867 · 2026-02-09T15:01:48.000+04:00
Advisory HTML from upstream YAML/markdown was stored unsanitized and
rendered with |safe. Add sanitize_advisory_html() using the existing
justhtml-backed sanitize_html utility with an allowlist of tags and
attributes needed by the CVE partial template and markdown output.

Called in update_db_from_file() immediately after parsing, before
the HTML reaches the database.

Jira: WT-646
diff --git a/bedrock/security/management/commands/update_security_advisories.py b/bedrock/security/management/commands/update_security_advisories.py
@@ -13,6 +13,7 @@
 
 from dateutil.parser import parse as parsedate
 
+from bedrock.base.sanitization import sanitize_html
 from bedrock.security.models import HallOfFamer, MitreCVE, Product, SecurityAdvisory
 from bedrock.security.utils import (
     FILENAME_RE,
@@ -36,6 +37,55 @@
 HOF_FILES = ["client.yml", "web.yml"]
 HOF_DIRECTORY = "bug-bounty-hof"
 
+# Allowlists for advisory HTML sanitization.
+# Tags come from markdown output and the security/partials/cve.html template.
+ADVISORY_ALLOWED_TAGS = frozenset(
+    {
+        # Markdown output
+        "a",
+        "abbr",
+        "b",
+        "blockquote",
+        "br",
+        "code",
+        "del",
+        "em",
+        "h1",
+        "h2",
+        "h3",
+        "h4",
+        "h5",
+        "h6",
+        "hr",
+        "i",
+        "img",
+        "li",
+        "ol",
+        "p",
+        "pre",
+        "small",
+        "strong",
+        "ul",
+        # CVE partial template structure
+        "section",
+        "dl",
+        "dt",
+        "dd",
+        "span",
+    }
+)
+ADVISORY_ALLOWED_ATTRS = {
+    "*": ["class", "id"],
+    "a": ["href"],
+    "img": ["src", "srcset", "alt"],
+    "span": ["class"],
+}
+
+
+def sanitize_advisory_html(html):
+    """Sanitize advisory HTML using an allowlist of tags and attributes."""
+    return sanitize_html(html, ADVISORY_ALLOWED_TAGS, ADVISORY_ALLOWED_ATTRS)
+
 
 def fix_product_name(name):
     if "seamonkey" in name.lower():
@@ -178,6 +228,7 @@ def update_db_from_file(filename):
         raise RuntimeError(f"Unknown file type {filename}")
 
     data, html = parser(filename)
+    html = sanitize_advisory_html(html)
     if "advisories" in data:
         add_or_update_cve(data)
     return add_or_update_advisory(data, html)
diff --git a/bedrock/security/tests/test_commands.py b/bedrock/security/tests/test_commands.py
@@ -12,6 +12,113 @@
 from bedrock.security.models import Product
 
 
+class TestSanitizeAdvisoryHtml:
+    """Verify advisory HTML sanitization strips dangerous content."""
+
+    def test_strips_script_tags(self):
+        html = '<p>Safe</p><script>alert("xss")</script>'
+        result = update_security_advisories.sanitize_advisory_html(html)
+        assert "<script" not in result
+        assert "Safe" in result
+
+    def test_strips_event_handlers(self):
+        html = '<img src=x onerror=alert("XSS")>'
+        result = update_security_advisories.sanitize_advisory_html(html)
+        assert "onerror" not in result
+
+    def test_strips_javascript_urls(self):
+        html = "<a href=\"javascript:alert('xss')\">click</a>"
+        result = update_security_advisories.sanitize_advisory_html(html)
+        assert "javascript:" not in result.lower()
+
+    def test_preserves_safe_advisory_html(self):
+        """Tags used by the CVE partial template and markdown must survive."""
+        html = (
+            '<section class="cve">'
+            '<h4 id="CVE-2024-0001"><a href="#CVE-2024-0001">'
+            '<span class="anchor">#</span>CVE-2024-0001: Title</a></h4>'
+            '<dl class="summary"><dt>Reporter</dt><dd>Alice</dd>'
+            '<dt>Impact</dt><dd><span class="level critical">critical</span></dd></dl>'
+            "<h5>Description</h5><p>A <strong>bad</strong> thing.</p>"
+            "<h5>References</h5><ul><li>"
+            '<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=12345">Bug 12345</a>'
+            "</li></ul></section>"
+        )
+        result = update_security_advisories.sanitize_advisory_html(html)
+        # All structural tags preserved
+        for tag in ["<section", "<h4", "<h5", "<dl", "<dt", "<dd", "<span", "<a ", "<ul", "<li", "<p>", "<strong>"]:
+            assert tag in result
+        assert 'href="https://bugzilla.mozilla.org' in result
+        assert 'id="CVE-2024-0001"' in result
+        assert 'class="cve"' in result
+
+    def test_preserves_markdown_output_tags(self):
+        """Standard markdown output tags must survive."""
+        html = (
+            "<h1>Title</h1><h2>Sub</h2><h3>Sub2</h3>"
+            "<p><em>emphasis</em> and <code>code</code></p>"
+            "<pre><code>block</code></pre>"
+            "<blockquote><p>quote</p></blockquote>"
+            "<ol><li>one</li></ol><ul><li>two</li></ul>"
+            "<hr><br>"
+        )
+        result = update_security_advisories.sanitize_advisory_html(html)
+        for tag in ["<h1>", "<h2>", "<h3>", "<em>", "<code>", "<pre>", "<blockquote>", "<ol>", "<hr", "<br"]:
+            assert tag in result
+
+    def test_strips_svg_tags(self):
+        html = '<p>ok</p><svg onload="alert(1)"></svg>'
+        result = update_security_advisories.sanitize_advisory_html(html)
+        assert "<svg" not in result
+
+    def test_strips_iframe_tags(self):
+        html = '<p>ok</p><iframe src="https://evil.com"></iframe>'
+        result = update_security_advisories.sanitize_advisory_html(html)
+        assert "<iframe" not in result
+
+    def test_strips_disallowed_attrs_on_allowed_tags(self):
+        html = '<span class="ok" onclick="bad()">text</span>'
+        result = update_security_advisories.sanitize_advisory_html(html)
+        assert 'class="ok"' in result
+        assert "onclick" not in result
+
+    def test_preserves_additional_allowlisted_tags(self):
+        html = (
+            "<p><del>removed</del> <b>bold</b> <i>italic</i> "
+            "<small>fine print</small> <abbr>abbr</abbr></p>"
+            '<img src="https://example.com/pic.png" alt="pic">'
+        )
+        result = update_security_advisories.sanitize_advisory_html(html)
+        for tag in ["<del>", "<b>", "<i>", "<small>", "<abbr>", "<img "]:
+            assert tag in result
+        assert 'src="https://example.com/pic.png"' in result
+        assert 'alt="pic"' in result
+
+    def test_strips_javascript_img_src(self):
+        html = '<img src="javascript:alert(1)" alt="x">'
+        result = update_security_advisories.sanitize_advisory_html(html)
+        assert "javascript:" not in result.lower()
+
+    @patch.object(update_security_advisories, "add_or_update_advisory")
+    @patch.object(update_security_advisories, "parse_md_file")
+    def test_update_db_from_file_sanitizes_html(self, mock_parser, mock_add):
+        """Integration: update_db_from_file must sanitize before storing."""
+        mock_parser.return_value = (
+            {
+                "mfsa_id": "2024-01",
+                "title": "T",
+                "impact": "high",
+                "fixed_in": ["Firefox 99"],
+                "announced": "January 1, 2024",
+            },
+            '<p>ok</p><script>alert("xss")</script>',
+        )
+        update_security_advisories.update_db_from_file("/fake/path/mfsa2024-01.md")
+        _data, html = mock_add.call_args[0]
+        assert "<script" not in html
+        assert "<p>ok</p>" in html
+
+
 def test_fix_product_name():
     """Should fix SeaMonkey and strip '.0' from names."""
     assert update_security_advisories.fix_product_name("Seamonkey 2.2") == "SeaMonkey 2.2"
