From d2c58f3bbc03846c460acddd38203387cd06416c Mon Sep 17 00:00:00 2001 From: Guy Sartorelli Date: Tue, 19 Apr 2022 15:11:30 +1200 Subject: [PATCH] [CVE-2022-28803] Block XSS in links and iframes. --- src/Forms/HTMLEditor/HTMLEditorSanitiser.php | 11 +++++++++ .../HTMLEditor/HTMLEditorSanitiserTest.php | 24 +++++++++++++++++++ 2 files changed, 35 insertions(+) diff --git a/src/Forms/HTMLEditor/HTMLEditorSanitiser.php b/src/Forms/HTMLEditor/HTMLEditorSanitiser.php index 9cc194de1..1caff953e 100644 --- a/src/Forms/HTMLEditor/HTMLEditorSanitiser.php +++ b/src/Forms/HTMLEditor/HTMLEditorSanitiser.php @@ -345,6 +345,17 @@ class HTMLEditorSanitiser foreach ($elementRule->attributesForced as $attr => $forced) { $el->setAttribute($attr, $forced); } + + // Matches "javascript:" with any arbitrary linebreaks inbetween the characters. + $regex = '/^\s*' . implode('\v*', str_split('javascript:')) . '/'; + // Strip out javascript execution in href or src attributes. + foreach (['src', 'href'] as $dangerAttribute) { + if ($el->hasAttribute($dangerAttribute)) { + if (preg_match($regex, $el->getAttribute($dangerAttribute))) { + $el->removeAttribute($dangerAttribute); + } + } + } } if ($el->tagName === 'a' && $linkRelValue !== null) { diff --git a/tests/php/Forms/HTMLEditor/HTMLEditorSanitiserTest.php b/tests/php/Forms/HTMLEditor/HTMLEditorSanitiserTest.php index 97da89c97..6c1ba3b0d 100644 --- a/tests/php/Forms/HTMLEditor/HTMLEditorSanitiserTest.php +++ b/tests/php/Forms/HTMLEditor/HTMLEditorSanitiserTest.php @@ -74,6 +74,30 @@ class HTMLEditorSanitiserTest extends FunctionalTest 'Test', 'noopener rel attribute is unchanged when link_rel_value is null' ], + [ + 'a[href|target|rel]', + 'Test', + 'Test', + 'Javascript in the href attribute of a link is completely removed' + ], + [ + 'a[href|target|rel]', + 'Test', + 'Test', + 'Javascript in the href attribute of a link is completely removed even for multiline markup' + ], + [ + 'map[name],area[href|shape|coords]', + '', + '', + 'Javascript in the href attribute of a map\'s clickable area is completely removed' + ], + [ + 'iframe[src]', + '', + '', + 'Javascript in the src attribute of an iframe is completely removed' + ], ]; $config = HTMLEditorConfig::get('htmleditorsanitisertest');