tonyair/silverstripe-framework
1
0
Fork 0
mirror of https://github.com/silverstripe/silverstripe-framework synced 2024-10-22 14:05:37 +02:00
Code Issues Projects Releases Wiki Activity

Merge pull request #10586 from creative-commoners/pulls/4.11/cve-2022-37429

Browse Source 
Sanitise XSS
This commit is contained in:
Guy Sartorelli 2022-11-21 13:30:30 +13:00 committed by GitHub
commit 20de819d2b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 26 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/Forms/HTMLEditor/HTMLEditorSanitiser.php
View File

@ -347,9 +347,9 @@ class HTMLEditorSanitiser
} }
// Matches "javascript:" with any arbitrary linebreaks inbetween the characters. // Matches "javascript:" with any arbitrary linebreaks inbetween the characters.
$regex = '/^\s*' . implode('\v*', str_split('javascript:')) . '/i'; $regex = '/^\s*' . implode('\s*', str_split('javascript:')) . '/i';
// Strip out javascript execution in href or src attributes. // Strip out javascript execution in href or src attributes.
foreach (['src', 'href'] as $dangerAttribute) { foreach (['src', 'href', 'data'] as $dangerAttribute) {
if ($el->hasAttribute($dangerAttribute)) { if ($el->hasAttribute($dangerAttribute)) {
if (preg_match($regex, $el->getAttribute($dangerAttribute))) { if (preg_match($regex, $el->getAttribute($dangerAttribute))) {
$el->removeAttribute($dangerAttribute); $el->removeAttribute($dangerAttribute);

24
tests/php/Forms/HTMLEditor/HTMLEditorSanitiserTest.php
View File

@ -104,6 +104,30 @@ class HTMLEditorSanitiserTest extends FunctionalTest
'<iframe></iframe>', '<iframe></iframe>',
'Mixed case javascript in the src attribute of an iframe is completely removed' 'Mixed case javascript in the src attribute of an iframe is completely removed'
], ],
[
'iframe[src]',
"<iframe src=\"java\tscript:alert(0);\"></iframe>",
'<iframe></iframe>',
'Javascript with tab elements the src attribute of an iframe is completely removed'
],
[
'object[data]',
'<object data="OK"></object>',
'<object data="OK"></object>',
'Object with OK content in the data attribute is retained'
],
[
'object[data]',
'<object data=javascript:alert()>',
'<object></object>',
'Object with dangerous content in data attribute is completely removed'
],
[
'img[src]',
'<img src="https://owasp.org/myimage.jpg" style="url:xss" onerror="alert(1)">',
'<img src="https://owasp.org/myimage.jpg">',
'XSS vulnerable attributes starting with on or style are removed via configuration'
],
]; ];
$config = HTMLEditorConfig::get('htmleditorsanitisertest'); $config = HTMLEditorConfig::get('htmleditorsanitisertest');