diff --git a/config/config.inc.php b/config/config.inc.php
index 189964f13..775cd5b26 100644
--- a/config/config.inc.php
+++ b/config/config.inc.php
@@ -29,7 +29,7 @@ define('__ZBXE__', __XE__);
 /**
  * Display XE's full version.
  */
-define('__XE_VERSION__', '1.8.14');
+define('__XE_VERSION__', '1.8.15');
 define('__XE_VERSION_ALPHA__', (stripos(__XE_VERSION__, 'alpha') !== false));
 define('__XE_VERSION_BETA__', (stripos(__XE_VERSION__, 'beta') !== false));
 define('__XE_VERSION_RC__', (stripos(__XE_VERSION__, 'rc') !== false));
diff --git a/config/func.inc.php b/config/func.inc.php
index 47e6678ce..9486177ac 100644
--- a/config/func.inc.php
+++ b/config/func.inc.php
@@ -1212,6 +1212,24 @@ function removeSrcHack($match)
 }
 }
 
+ $filter_arrts = array('style', 'src', 'href');
+
+ if($tag === 'object') array_push($filter_arrts, 'data');
+ if($tag === 'param') array_push($filter_arrts, 'value');
+
+ foreach($filter_arrts as $attr)
+ {
+ if(!isset($attrs[$attr])) continue;
+
+ $attr_value = rawurldecode($attrs[$attr]);
+ $attr_value = htmlspecialchars_decode($attr_value, ENT_COMPAT);
+ $attr_value = preg_replace('/\s+|[\t\n\r]+/', '', $attr_value);
+ if(preg_match('@(\?|&|;)(act=)@i', $attr_value))
+ {
+ unset($attrs[$attr]);
+ }
+ }
+
 if(isset($attrs['style']) && preg_match('@(?:/\*|\*/|\n|:\s*expression\s*\()@i', $attrs['style']))
 {
 unset($attrs['style']);
diff --git a/modules/layout/layout.view.php b/modules/layout/layout.view.php
index 178f37a65..50b134560 100644
--- a/modules/layout/layout.view.php
+++ b/modules/layout/layout.view.php
@@ -316,6 +316,12 @@ class layoutView extends layout
  */
 function dispLayoutPreview()
 {
+ if(!checkCSRF())
+ {
+ $this->stop('msg_invalid_request');
+ return new Object(-1, 'msg_invalid_request');
+ }
+
 // admin check
 // this act is admin view but in normal view because do not load admin css/js files
 $logged_info = Context::get('logged_info');
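Review bot: The new attribute filter in removeSrcHack has no comment saying what it is for or why the value is percent-decoded, entity-decoded and whitespace-stripped before the `act=` match, and the `;` alternative in `@(\?|&|;)(act=)@i` does real work that a later "simplification" could lose: `htmlspecialchars_decode` does not expand numeric entities such as `&#38;`, so a URL written that way is only caught because the entity's terminating `;` sits directly before `act=`. I would add above `$filter_arrts` a comment along the lines of `// Drop style/src/href (plus object data and param value) whose URL carries an XE act= parameter; decode %xx and named entities and strip whitespace first so obfuscated spellings still match, and keep the ';' alternative — it is what covers numeric entities, which htmlspecialchars_decode leaves untouched` (the motivation is presumably issue #1813 named in the test hunk, i.e. stopping embedded resources from triggering a module action, but the hunk itself does not say so). Two smaller points: `$filter_arrts` reads like a typo for `$filter_attrs`, and `[\t\n\r]+` in the whitespace regex is already covered by `\s+`, so `'/\s+/'` is equivalent. removeSrcHack begins before this hunk, so where `$tag` and `$attrs` come from is not visible here.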
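Review bot: The new guard in dispLayoutPreview both calls `$this->stop('msg_invalid_request')` and then returns `new Object(-1, 'msg_invalid_request')`; `stop()` is defined outside this hunk, so I cannot tell whether it already records the error and the returned Object is redundant, and a one-line comment stating which of the two the dispatcher acts on would spare the next reader the same question. The hunk also gives no rationale for putting a CSRF check on a display act; a short comment such as `// CSRF check first: reject forged requests before any of the admin-only work below` would record the intent and make the ordering relative to the existing admin check deliberate. As written, a request without a valid token gets `msg_invalid_request` regardless of login state, which is a reasonable non-leaking choice but worth stating. The method body continues past the end of the hunk.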
diff --git a/tests/unit/FuncIncTest.class.php b/tests/unit/FuncIncTest.class.php
deleted file mode 100644
index 265e6b072..000000000
--- a/tests/unit/FuncIncTest.class.php
+++ /dev/null
@@ -1,53 +0,0 @@
-

IFrame

', - '
<iframe src="path/to/file.html"></iframe>

IFrame

' - ), - // expression - array( - '
', - '
' - ), - // no quotes and no semicolon - http://ha.ckers.org/xss.html - array( - '', - '' - ), - // embedded encoded tab to break up XSS - http://ha.ckers.org/xss.html - array( - '', - '' - ), - // issue 178 - array( - "", - '' - ), - // issue 534 - array( - '*/" onerror="console.log(\'Yet another XSS\')">', - '*/" onerror="console.log(\'Yet another XSS\')">' - ), - // issue 602 - array( - 'test', - 'test' - ) - ); - } - - /** - * @dataProvider provider - */ - public function testXss($source, $expected) - { - $result = removeHackTag($source); - $this->assertEquals($result, $expected); - } -} diff --git a/tests/unit/FuncIncTest.php b/tests/unit/FuncIncTest.php index bb7e86fa7..de22cbd30 100644 --- a/tests/unit/FuncIncTest.php +++ b/tests/unit/FuncIncTest.php @@ -29,7 +29,7 @@ class FuncIncTest extends \Codeception\TestCase\Test ), // issue 178 array( - "", + '', 'invalid.jpg' ), // issue 534 @@ -41,6 +41,23 @@ class FuncIncTest extends \Codeception\TestCase\Test array( 'test', '' + ), + // issue #1813 https://github.com/xpressengine/xe-core/issues/1813 + array( + 'dummy', + 'dummy' + ), + array( + 'dummy', + 'dummy' + ), + array( + "\"dummy\"", + 'dummy' + ), + array( + "\"dummy\"", + 'dummy' ) ); }