Merge pull request #10586 from creative-commoners/pulls/4.11/cve-2022-37429
Sanitise XSS
This commit is contained in:
Guy Sartorelli
GitHub
commit
20de819d2b
|
|
@ -347,9 +347,9 @@ class HTMLEditorSanitiser
|
|||
}
|
||||
|
||||
// Matches "javascript:" with any arbitrary linebreaks inbetween the characters.
|
||||
$regex = '/^\s*' . implode('\v*', str_split('javascript:')) . '/i';
|
||||
$regex = '/^\s*' . implode('\s*', str_split('javascript:')) . '/i';
|
||||
// Strip out javascript execution in href or src attributes.
|
||||
foreach (['src', 'href'] as $dangerAttribute) {
|
||||
foreach (['src', 'href', 'data'] as $dangerAttribute) {
|
||||
if ($el->hasAttribute($dangerAttribute)) {
|
||||
if (preg_match($regex, $el->getAttribute($dangerAttribute))) {
|
||||
$el->removeAttribute($dangerAttribute);
|
||||
|
|
|
|||
|
|
@ -104,6 +104,30 @@ class HTMLEditorSanitiserTest extends FunctionalTest
|
|||
'<iframe></iframe>',
|
||||
'Mixed case javascript in the src attribute of an iframe is completely removed'
|
||||
],
|
||||
[
|
||||
'iframe[src]',
|
||||
"<iframe src=\"java\tscript:alert(0);\"></iframe>",
|
||||
'<iframe></iframe>',
|
||||
'Javascript with tab elements the src attribute of an iframe is completely removed'
|
||||
],
|
||||
[
|
||||
'object[data]',
|
||||
'<object data="OK"></object>',
|
||||
'<object data="OK"></object>',
|
||||
'Object with OK content in the data attribute is retained'
|
||||
],
|
||||
[
|
||||
'object[data]',
|
||||
'<object data=javascript:alert()>',
|
||||
'<object></object>',
|
||||
'Object with dangerous content in data attribute is completely removed'
|
||||
],
|
||||
[
|
||||
'img[src]',
|
||||
'<img src="https://owasp.org/myimage.jpg" style="url:xss" onerror="alert(1)">',
|
||||
'<img src="https://owasp.org/myimage.jpg">',
|
||||
'XSS vulnerable attributes starting with on or style are removed via configuration'
|
||||
],
|
||||
];
|
||||
|
||||
$config = HTMLEditorConfig::get('htmleditorsanitisertest');
|
||||
|
|
|
|||
Loading…
Reference in New Issue