Merge branch '5.2' into 5

Steve Boyd 2024-07-17 12:02:37 +12:00
commit db665a8dd8
3 changed files with 28 additions and 3 deletions


@ -343,7 +343,7 @@ class HTMLEditorSanitiser
} }
// Matches "javascript:" with any arbitrary linebreaks inbetween the characters. // Matches "javascript:" with any arbitrary linebreaks inbetween the characters.
$regex = '/^\s*' . implode('\s*', str_split('javascript:')) . '/i'; $regex = '#^\s*(' . implode('\s*', str_split('javascript:')) . '|' . implode('\s*', str_split('data:text/html;')) . ')#i';
// Strip out javascript execution in href or src attributes. // Strip out javascript execution in href or src attributes.
foreach (['src', 'href', 'data'] as $dangerAttribute) { foreach (['src', 'href', 'data'] as $dangerAttribute) {
if ($el->hasAttribute($dangerAttribute)) { if ($el->hasAttribute($dangerAttribute)) {
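Review bot: The new pattern on the `$regex` line only recognises a `data:text/html` URL when the MIME type is followed by `;`, so the equivalent form that goes straight to the `,` separator (no `;base64` or charset parameter) is not matched and the attribute is presumably kept. Ending the alternative with `\s*[;,]` instead of the literal `;` closes that gap: `$regex = '#^\s*(' . implode('\s*', str_split('javascript:')) . '|' . implode('\s*', str_split('data:text/html')) . '\s*[;,])#i';`, and the test provider in HTMLEditorSanitiserTest has no case for the comma form either. More generally this is a denylist of two prefixes, so every other `data:` MIME type passes through (the test naming `text/xml` as safe is a label in the test, not something the sanitiser checks); an allowlist of permitted schemes for `src`/`href`/`data` would be the more robust shape, though that is a larger change. The comment above `$regex` should also mention the data URL now, e.g. `// Matches "javascript:" or "data:text/html" at the start of the value, with any whitespace between the characters.`. The enclosing method starts and ends outside the hunk.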


@ -322,7 +322,8 @@ class TinyMCEConfig extends HTMLEditorConfig implements i18nEntityProvider
. "-div[id|dir|class|align|style],-span[class|align|style],-pre[class|align],address[class|align]," . "-div[id|dir|class|align|style],-span[class|align|style],-pre[class|align],address[class|align],"
. "-h1[id|dir|class|align|style],-h2[id|dir|class|align|style],-h3[id|dir|class|align|style]," . "-h1[id|dir|class|align|style],-h2[id|dir|class|align|style],-h3[id|dir|class|align|style],"
. "-h4[id|dir|class|align|style],-h5[id|dir|class|align|style],-h6[id|dir|class|align|style],hr[class]," . "-h4[id|dir|class|align|style],-h5[id|dir|class|align|style],-h6[id|dir|class|align|style],hr[class],"
. "dd[id|class|title|dir],dl[id|class|title|dir],dt[id|class|title|dir]," . "dd[id|class|title|dir],dl[id|class|title|dir],dt[id|class|title|dir],",
'convert_unsafe_embeds' => true, // SS-2024-001
]; ];
protected $settings = []; protected $settings = [];
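Review bot: The trailing `// SS-2024-001` on the new `'convert_unsafe_embeds' => true` line names the advisory but not what the option does, so a maintainer cannot tell why it sits in the default settings or whether it is safe to drop. A one-line comment such as `// SS-2024-001: have TinyMCE rewrite <object>/<embed> elements into safer media elements instead of passing them through` would carry that. As far as I know TinyMCE ignores options it does not recognise without complaint, so this is only effective if the bundled TinyMCE release supports `convert_unsafe_embeds`; worth confirming against the version pinned in this repository. The enclosing settings array starts outside the hunk.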


@ -120,7 +120,31 @@ class HTMLEditorSanitiserTest extends FunctionalTest
'object[data]', 'object[data]',
'<object data=javascript:alert()>', '<object data=javascript:alert()>',
'<object></object>', '<object></object>',
'Object with dangerous content in data attribute is completely removed' 'Object with dangerous javascript content in data attribute is completely removed'
],
[
'object[data]',
'<object data="javascript:alert()">',
'<object></object>',
'Object with dangerous javascript content in data attribute with quotes is completely removed'
],
[
'object[data]',
'<object data="data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5sb2NhdGlvbik8L3NjcmlwdD4=">',
'<object></object>',
'Object with dangerous html content in data attribute is completely removed'
],
[
'object[data]',
'<object data="' . implode("\n", str_split(' DATA:TEXT/HTML;')) . 'base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5sb2NhdGlvbik8L3NjcmlwdD4=">',
'<object></object>',
'Object with split upper-case dangerous html content in data attribute is completely removed'
],
[
'object[data]',
'<object data="data:text/xml;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5sb2NhdGlvbik8L3NjcmlwdD4=">',
'<object data="data:text/xml;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5sb2NhdGlvbik8L3NjcmlwdD4="></object>',
'Object with safe xml content in data attribute is retained'
], ],
[ [
'img[src]', 'img[src]',
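Review bot: The same base64 payload is pasted verbatim four times across three of the new datasets (the `data:text/html;base64`, split upper-case and `data:text/xml;base64` cases), which makes the entries hard to scan and easy to desynchronise. Assigning it once in the provider, e.g. `$payload = 'PHNjcmlwdD5hbGVydChkb2N1bWVudC5sb2NhdGlvbik8L3NjcmlwdD4=';`, and building each `<object data="...">` string from it would shorten each case to its distinguishing prefix. The split-character case only varies the separator with `"\n"`; a tab or carriage-return variant would exercise the `\s*` in the sanitiser's pattern as well. The enclosing provider method starts and ends outside the hunk.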