Merge pull request #10586 from creative-commoners/pulls/4.11/cve-2022-37429

Sanitise XSS
This commit is contained in:
Guy Sartorelli 2022-11-21 13:30:30 +13:00 committed by GitHub
commit 20de819d2b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 26 additions and 2 deletions

View File

@ -347,9 +347,9 @@ class HTMLEditorSanitiser
} }
// Matches "javascript:" with any arbitrary linebreaks inbetween the characters. // Matches "javascript:" with any arbitrary linebreaks inbetween the characters.
$regex = '/^\s*' . implode('\v*', str_split('javascript:')) . '/i'; $regex = '/^\s*' . implode('\s*', str_split('javascript:')) . '/i';
// Strip out javascript execution in href or src attributes. // Strip out javascript execution in href or src attributes.
foreach (['src', 'href'] as $dangerAttribute) { foreach (['src', 'href', 'data'] as $dangerAttribute) {
if ($el->hasAttribute($dangerAttribute)) { if ($el->hasAttribute($dangerAttribute)) {
if (preg_match($regex, $el->getAttribute($dangerAttribute))) { if (preg_match($regex, $el->getAttribute($dangerAttribute))) {
$el->removeAttribute($dangerAttribute); $el->removeAttribute($dangerAttribute);

View File

@ -104,6 +104,30 @@ class HTMLEditorSanitiserTest extends FunctionalTest
'<iframe></iframe>', '<iframe></iframe>',
'Mixed case javascript in the src attribute of an iframe is completely removed' 'Mixed case javascript in the src attribute of an iframe is completely removed'
], ],
[
'iframe[src]',
"<iframe src=\"java\tscript:alert(0);\"></iframe>",
'<iframe></iframe>',
'Javascript with tab elements the src attribute of an iframe is completely removed'
],
[
'object[data]',
'<object data="OK"></object>',
'<object data="OK"></object>',
'Object with OK content in the data attribute is retained'
],
[
'object[data]',
'<object data=javascript:alert()>',
'<object></object>',
'Object with dangerous content in data attribute is completely removed'
],
[
'img[src]',
'<img src="https://owasp.org/myimage.jpg" style="url:xss" onerror="alert(1)">',
'<img src="https://owasp.org/myimage.jpg">',
'XSS vulnerable attributes starting with on or style are removed via configuration'
],
]; ];
$config = HTMLEditorConfig::get('htmleditorsanitisertest'); $config = HTMLEditorConfig::get('htmleditorsanitisertest');