fanbinit/rhymix
1
0
Fork 0
mirror of https://github.com/Lastorder-DC/rhymix.git synced 2026-05-12 13:32:16 +09:00
Code Issues Projects Releases Packages Wiki Activity

Perform tag filtering after HTMLPurifier is done with the content

Browse source
This commit is contained in:
Kijin Sung 2016-03-12 22:18:33 +09:00
parent f577b456ec
commit 143b65e840
2 changed files with 7 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

12
common/framework/security/htmlfilter.php
View file

@ -393,11 +393,6 @@ class HTMLFilter
*/ */
protected static function _preprocess($content) protected static function _preprocess($content)
{ {
// Remove tags not supported in Rhymix. Some of these may also be removed by HTMLPurifier.
$content = preg_replace_callback('!</?(?:html|body|head|title|meta|base|link|script|style|applet)\b[^>]*>!i', function($matches) {
return htmlspecialchars($matches[0], ENT_QUOTES, 'UTF-8');
}, $content);
// Encode widget and editor component properties so that they are not removed by HTMLPurifier. // Encode widget and editor component properties so that they are not removed by HTMLPurifier.
$content = self::_encodeWidgetsAndEditorComponents($content); $content = self::_encodeWidgetsAndEditorComponents($content);
return $content; return $content;
@ -415,7 +410,12 @@ class HTMLFilter
$allow_acts = array('procFileDownload'); $allow_acts = array('procFileDownload');
$deny_acts = array('dispMemberLogout', 'dispLayoutPreview'); $deny_acts = array('dispMemberLogout', 'dispLayoutPreview');
// Remove URLs that may be CSRF attempts. // Remove tags not supported in Rhymix. Some of these may also have been removed by HTMLPurifier.
$content = preg_replace_callback('!</?(?:html|body|head|title|meta|base|link|script|style|applet)\b[^>]*>!i', function($matches) {
return htmlspecialchars($matches[0], ENT_QUOTES, 'UTF-8');
}, $content);
// Remove link URLs that may be CSRF attempts.
$content = preg_replace_callback('!\b(src|href|data|value)="([^"]+)"!i', function($matches) use($allow_acts, $deny_acts) { $content = preg_replace_callback('!\b(src|href|data|value)="([^"]+)"!i', function($matches) use($allow_acts, $deny_acts) {
$url = preg_replace('!\s+!', '', htmlspecialchars_decode(rawurldecode($matches[2]))); $url = preg_replace('!\s+!', '', htmlspecialchars_decode(rawurldecode($matches[2])));
if (preg_match('!\bact=((disp|proc)[^&]+)!i', $url, $urlmatches)) if (preg_match('!\bact=((disp|proc)[^&]+)!i', $url, $urlmatches))

2
tests/unit/framework/SecurityTest.php
View file

@ -11,7 +11,7 @@ class SecurityTest extends \Codeception\TestCase\Test
$this->assertEquals('foobar', Rhymix\Framework\Security::sanitize('foo<p>bar</p>', 'strip')); $this->assertEquals('foobar', Rhymix\Framework\Security::sanitize('foo<p>bar</p>', 'strip'));
// HTML (more thorough tests in HTMLFilterTest) // HTML (more thorough tests in HTMLFilterTest)
$this->assertEquals('<p>safe&lt;script&gt;&lt;/script&gt;</p>', Rhymix\Framework\Security::sanitize('<p>safe<script></script></p>', 'html')); $this->assertEquals('<p>safe</p>', Rhymix\Framework\Security::sanitize('<p>safe<script></script></p>', 'html'));
// Filename (more thorough tests in FilenameFilterTest) // Filename (more thorough tests in FilenameFilterTest)
$this->assertEquals('foo(bar).xls', Rhymix\Framework\Security::sanitize('foo<bar>.xls', 'filename')); $this->assertEquals('foo(bar).xls', Rhymix\Framework\Security::sanitize('foo<bar>.xls', 'filename'));