[CVE-2022-37429] Sanitise XSS

2024-10-22 14:05:37 +02:00 · 2022-11-21 13:06:40 +13:00 · 2022-11-21 13:06:40 +13:00 · fe13856769
commit fe13856769
parent 17f1c7ceed
2 changed files with 26 additions and 2 deletions
--- a/src/Forms/HTMLEditor/HTMLEditorSanitiser.php
+++ b/src/Forms/HTMLEditor/HTMLEditorSanitiser.php
@ -347,9 +347,9 @@ class HTMLEditorSanitiser
                }

                // Matches "javascript:" with any arbitrary linebreaks inbetween the characters.
-                $regex = '/^\s*' . implode('\v*', str_split('javascript:')) . '/i';
+                $regex = '/^\s*' . implode('\s*', str_split('javascript:')) . '/i';
                // Strip out javascript execution in href or src attributes.
-                foreach (['src', 'href'] as $dangerAttribute) {
+                foreach (['src', 'href', 'data'] as $dangerAttribute) {
                    if ($el->hasAttribute($dangerAttribute)) {
                        if (preg_match($regex, $el->getAttribute($dangerAttribute))) {
                            $el->removeAttribute($dangerAttribute);
--- a/tests/php/Forms/HTMLEditor/HTMLEditorSanitiserTest.php
+++ b/tests/php/Forms/HTMLEditor/HTMLEditorSanitiserTest.php
@ -104,6 +104,30 @@ class HTMLEditorSanitiserTest extends FunctionalTest
                '<iframe></iframe>',
                'Mixed case javascript in the src attribute of an iframe is completely removed'
            ],
+            [
+                'iframe[src]',
+                "<iframe src=\"java\tscript:alert(0);\"></iframe>",
+                '<iframe></iframe>',
+                'Javascript with tab elements the src attribute of an iframe is completely removed'
+            ],
+            [
+                'object[data]',
+                '<object data="OK"></object>',
+                '<object data="OK"></object>',
+                'Object with OK content in the data attribute is retained'
+            ],
+            [
+                'object[data]',
+                '<object data=javascript:alert()>',
+                '<object></object>',
+                'Object with dangerous content in data attribute is completely removed'
+            ],
+            [
+                'img[src]',
+                '<img src="https://owasp.org/myimage.jpg" style="url:xss" onerror="alert(1)">',
+                '<img src="https://owasp.org/myimage.jpg">',
+                'XSS vulnerable attributes starting with on or style are removed via configuration'
+            ],
        ];

        $config = HTMLEditorConfig::get('htmleditorsanitisertest');