[CVE-2024-32981] Disallow data:text/html in data attributes

This commit is contained in:
Guy Sartorelli 2024-04-16 15:49:58 +12:00 committed by Steve Boyd
parent c13ec34113
commit b8d20dc9d5
2 changed files with 26 additions and 2 deletions

View File

@ -347,7 +347,7 @@ class HTMLEditorSanitiser
} }
// Matches "javascript:" with any arbitrary linebreaks inbetween the characters. // Matches "javascript:" with any arbitrary linebreaks inbetween the characters.
$regex = '/^\s*' . implode('\s*', str_split('javascript:')) . '/i'; $regex = '#^\s*(' . implode('\s*', str_split('javascript:')) . '|' . implode('\s*', str_split('data:text/html;')) . ')#i';
// Strip out javascript execution in href or src attributes. // Strip out javascript execution in href or src attributes.
foreach (['src', 'href', 'data'] as $dangerAttribute) { foreach (['src', 'href', 'data'] as $dangerAttribute) {
if ($el->hasAttribute($dangerAttribute)) { if ($el->hasAttribute($dangerAttribute)) {

View File

@ -120,7 +120,31 @@ class HTMLEditorSanitiserTest extends FunctionalTest
'object[data]', 'object[data]',
'<object data=javascript:alert()>', '<object data=javascript:alert()>',
'<object></object>', '<object></object>',
'Object with dangerous content in data attribute is completely removed' 'Object with dangerous javascript content in data attribute is completely removed'
],
[
'object[data]',
'<object data="javascript:alert()">',
'<object></object>',
'Object with dangerous javascript content in data attribute with quotes is completely removed'
],
[
'object[data]',
'<object data="data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5sb2NhdGlvbik8L3NjcmlwdD4=">',
'<object></object>',
'Object with dangerous html content in data attribute is completely removed'
],
[
'object[data]',
'<object data="' . implode("\n", str_split(' DATA:TEXT/HTML;')) . 'base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5sb2NhdGlvbik8L3NjcmlwdD4=">',
'<object></object>',
'Object with split upper-case dangerous html content in data attribute is completely removed'
],
[
'object[data]',
'<object data="data:text/xml;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5sb2NhdGlvbik8L3NjcmlwdD4=">',
'<object data="data:text/xml;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5sb2NhdGlvbik8L3NjcmlwdD4="></object>',
'Object with safe xml content in data attribute is retained'
], ],
[ [
'img[src]', 'img[src]',