[CVE-2022-28803] Block XSS in links and iframes.
This commit is contained in:
parent
0bc3ed4d2c
commit
d2c58f3bbc
@ -345,6 +345,17 @@ class HTMLEditorSanitiser
foreach ($elementRule->attributesForced as $attr => $forced) {
foreach ($elementRule->attributesForced as $attr => $forced) {
$el->setAttribute($attr, $forced);
$el->setAttribute($attr, $forced);
}
}
// Matches "javascript:" with any arbitrary linebreaks inbetween the characters.
$regex = '/^\s*' . implode('\v*', str_split('javascript:')) . '/';
// Strip out javascript execution in href or src attributes.
foreach (['src', 'href'] as $dangerAttribute) {
if ($el->hasAttribute($dangerAttribute)) {
if (preg_match($regex, $el->getAttribute($dangerAttribute))) {
$el->removeAttribute($dangerAttribute);
}
}
}
}
}
if ($el->tagName === 'a' && $linkRelValue !== null) {
if ($el->tagName === 'a' && $linkRelValue !== null) {
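Review bot: The pattern built on the `$regex = '/^\s*' . implode('\v*', str_split('javascript:')) . '/';` line carries no `i` modifier, so the check is case-sensitive although URL schemes are compared case-insensitively by browsers; closing the pattern with `'/i'` instead of `'/'` makes the strip cover the same attribute value regardless of letter case. A one-line comment above the `foreach (['src', 'href'] as $dangerAttribute)` loop saying that this is a deny-list for a single scheme, and that everything else still depends on the element/attribute whitelist applied earlier in the method, would make the scope of the protection clear to the next maintainer. The new cases in the HTMLEditorSanitiserTest section exercise only lowercase `javascript:` and newline-split input, so a mixed-case variant belongs in that table once the modifier is added. The enclosing method of HTMLEditorSanitiser starts and ends outside the hunk.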
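--- a/[PATH-NOT-ON-PAGE]
+++ b/[PATH-NOT-ON-PAGE]
@@ -74,6 +74,30 @@ class HTMLEditorSanitiserTest extends FunctionalTest
 '<a href="/test" target="_blank">Test</a>',
 'noopener rel attribute is unchanged when link_rel_value is null'
 ],
+[
+'a[href|target|rel]',
+'<a href="javascript:alert(0);">Test</a>',
+'<a>Test</a>',
+'Javascript in the href attribute of a link is completely removed'
+],
+[
+'a[href|target|rel]',
+'<a href="' . implode("\n", str_split(' javascript:')) . '">Test</a>',
+'<a>Test</a>',
+'Javascript in the href attribute of a link is completely removed even for multiline markup'
+],
+[
+'map[name],area[href|shape|coords]',
+'<map name="test"><area shape="rect" coords="34,44,270,350" href="javascript:alert(0);"></map>',
+'<map name="test"><area shape="rect" coords="34,44,270,350"></map>',
+'Javascript in the href attribute of a map\'s clickable area is completely removed'
+],
+[
+'iframe[src]',
+'<iframe src="javascript:alert(0);"></iframe>',
+'<iframe></iframe>',
+'Javascript in the src attribute of an iframe is completely removed'
+],
 ];
 
 $config = HTMLEditorConfig::get('htmleditorsanitisertest');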