Merge pull request #11307 from creative-commoners/pulls/5.2/cve-2024-32981

[CVE-2024-32981] Disallow `data:text/html` in data attributes
This commit is contained in:
Guy Sartorelli 2024-07-17 11:37:13 +12:00 committed by GitHub
commit ff6ab16871
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 26 additions and 2 deletions


@ -347,7 +347,7 @@ class HTMLEditorSanitiser
} }
// Matches "javascript:" with any arbitrary linebreaks inbetween the characters. // Matches "javascript:" with any arbitrary linebreaks inbetween the characters.
$regex = '/^\s*' . implode('\s*', str_split('javascript:')) . '/i'; $regex = '#^\s*(' . implode('\s*', str_split('javascript:')) . '|' . implode('\s*', str_split('data:text/html;')) . ')#i';
// Strip out javascript execution in href or src attributes. // Strip out javascript execution in href or src attributes.
foreach (['src', 'href', 'data'] as $dangerAttribute) { foreach (['src', 'href', 'data'] as $dangerAttribute) {
if ($el->hasAttribute($dangerAttribute)) { if ($el->hasAttribute($dangerAttribute)) {
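Review bot: The new `$regex` assignment only matches `data:text/html` when it is followed by a literal `;`, but RFC 2397 also allows the mediatype to be followed directly by `,` (non-base64 payload), so a `data:text/html,...` value in a `data` attribute would pass the check unchanged. Matching on the prefix without the trailing semicolon covers both forms: `implode('\s*', str_split('data:text/html'))`. Whether other mediatypes that an `<object>` can render as an active document should also be listed is worth confirming rather than assumed. The comment on the following line, `// Strip out javascript execution in href or src attributes.`, is now stale and could read `// Strip out javascript: and data:text/html URLs in src, href or data attributes.`; the enclosing method starts and ends outside the hunk.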


@ -120,7 +120,31 @@ class HTMLEditorSanitiserTest extends FunctionalTest
'object[data]', 'object[data]',
'<object data=javascript:alert()>', '<object data=javascript:alert()>',
'<object></object>', '<object></object>',
'Object with dangerous content in data attribute is completely removed' 'Object with dangerous javascript content in data attribute is completely removed'
],
[
'object[data]',
'<object data="javascript:alert()">',
'<object></object>',
'Object with dangerous javascript content in data attribute with quotes is completely removed'
],
[
'object[data]',
'<object data="data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5sb2NhdGlvbik8L3NjcmlwdD4=">',
'<object></object>',
'Object with dangerous html content in data attribute is completely removed'
],
[
'object[data]',
'<object data="' . implode("\n", str_split(' DATA:TEXT/HTML;')) . 'base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5sb2NhdGlvbik8L3NjcmlwdD4=">',
'<object></object>',
'Object with split upper-case dangerous html content in data attribute is completely removed'
],
[
'object[data]',
'<object data="data:text/xml;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5sb2NhdGlvbik8L3NjcmlwdD4=">',
'<object data="data:text/xml;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5sb2NhdGlvbik8L3NjcmlwdD4="></object>',
'Object with safe xml content in data attribute is retained'
], ],
[ [
'img[src]', 'img[src]',