[CVE-2024-32981] Disallow data:text/html
in data attributes
This commit is contained in:
parent
c13ec34113
commit
b8d20dc9d5
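--- a/<path-not-shown>/HTMLEditorSanitiser.php
+++ b/<path-not-shown>/HTMLEditorSanitiser.php
@@ -347,7 +347,7 @@ class HTMLEditorSanitiser
 }
 
 // Matches "javascript:" with any arbitrary linebreaks inbetween the characters.
-$regex = '/^\s*' . implode('\s*', str_split('javascript:')) . '/i';
+$regex = '#^\s*(' . implode('\s*', str_split('javascript:')) . '|' . implode('\s*', str_split('data:text/html;')) . ')#i';
 // Strip out javascript execution in href or src attributes.
 foreach (['src', 'href', 'data'] as $dangerAttribute) {
 if ($el->hasAttribute($dangerAttribute)) {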
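Review bot: The new pattern only recognises a `data:` URL whose media type is followed by `;`, so the comma form of the same URL (`data:text/html,` with no parameters, which RFC 2397 also allows) is not caught by this check; the second alternative should accept either separator, e.g. `implode('\s*', str_split('data:text/html')) . '\s*[;,]'` in place of the `data:text/html;` branch. The comment above the assignment still only mentions "javascript:" and should name the `data:text/html` case as well, and a short note that the delimiter changed to `#` because the pattern now contains `/` — `// '#' delimiter: the data: media type contains '/'` — would save the next reader a guess. The test hunk below (HTMLEditorSanitiserTest) would then need a matching case for the comma form. The enclosing method starts and ends outside this hunk, so whether `$regex` is rebuilt for every element cannot be seen here; if it is, hoisting the constant pattern out of the loop is worth considering.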
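--- a/<path-not-shown>/HTMLEditorSanitiserTest.php
+++ b/<path-not-shown>/HTMLEditorSanitiserTest.php
@@ -120,7 +120,31 @@ class HTMLEditorSanitiserTest extends FunctionalTest
 'object[data]',
 '<object data=javascript:alert()>',
 '<object></object>',
-'Object with dangerous content in data attribute is completely removed'
+'Object with dangerous javascript content in data attribute is completely removed'
+],
+[
+'object[data]',
+'<object data="javascript:alert()">',
+'<object></object>',
+'Object with dangerous javascript content in data attribute with quotes is completely removed'
+],
+[
+'object[data]',
+'<object data="data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5sb2NhdGlvbik8L3NjcmlwdD4=">',
+'<object></object>',
+'Object with dangerous html content in data attribute is completely removed'
+],
+[
+'object[data]',
+'<object data="' . implode("\n", str_split(' DATA:TEXT/HTML;')) . 'base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5sb2NhdGlvbik8L3NjcmlwdD4=">',
+'<object></object>',
+'Object with split upper-case dangerous html content in data attribute is completely removed'
+],
+[
+'object[data]',
+'<object data="data:text/xml;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5sb2NhdGlvbik8L3NjcmlwdD4=">',
+'<object data="data:text/xml;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5sb2NhdGlvbik8L3NjcmlwdD4="></object>',
+'Object with safe xml content in data attribute is retained'
 ],
 [
 'img[src]',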
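Review bot: The same base64 literal is repeated in four of the new cases, which makes it hard to see that each case differs only in the scheme prefix (separator, upper case, line-split, `text/xml`); naming it once, e.g. `$payload = 'base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5sb2NhdGlvbik8L3NjcmlwdD4=';` and interpolating it, would make the distinguishing feature of each case the only thing on the line. A one-line comment on the split upper-case case stating what it exercises — `// sanitiser must match the scheme case-insensitively and across embedded line breaks` — would document the intent better than the message string alone. The enclosing data array starts and ends outside this hunk, so whether a local or a class constant fits better cannot be seen here.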