From aa879e7326b0af6b6fee9ae472bb9a7aa9e23034 Mon Sep 17 00:00:00 2001
From: Kijin Sung
Date: Sat, 25 Feb 2017 17:37:58 +0900
Subject: [PATCH] Improve HTMLFilter handling of editor component properties

---
 common/framework/filters/htmlfilter.php | 9 +++++++--
 tests/unit/framework/filters/HTMLFilterTest.php | 8 ++++++++
 2 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/common/framework/filters/htmlfilter.php b/common/framework/filters/htmlfilter.php
index 9afe6879a..7ee1fa77e 100644
--- a/common/framework/filters/htmlfilter.php
+++ b/common/framework/filters/htmlfilter.php
@@ -516,11 +516,16 @@ class HTMLFilter
 {
 return $attr[0];
 }
- if (preg_match('/^(?:on|data-|(?:accesskey|class|contextmenu|contenteditable|dir|draggable|dropzone|editor_component|hidden|id|lang|name|style|tabindex|title)$)/', $attrkey))
+ if (preg_match('/^(?:on|data-|(?:accesskey|class|contextmenu|contenteditable|dir|draggable|dropzone|editor_component|hidden|id|lang|name|style|tabindex|title|rx_encoded_properties)$)/i', $attrkey))
 {
 return $attr[0];
 }
- $attrs[$attrkey] = htmlspecialchars_decode($attr[2]);
+ $attrval = utf8_normalize_spaces(utf8_clean(html_entity_decode($attr[2])));
+ if (preg_match('/^javascript:/i', preg_replace('/\s+/', '', $attrval)))
+ {
+ return '';
+ }
+ $attrs[$attrkey] = $attrval;
 return '';
 }, $match[0]);
 if ($tag === 'img' && !preg_match('/\ssrc="/', $html))
diff --git a/tests/unit/framework/filters/HTMLFilterTest.php b/tests/unit/framework/filters/HTMLFilterTest.php
index 5c676c29a..790b044a6 100644
--- a/tests/unit/framework/filters/HTMLFilterTest.php
+++ b/tests/unit/framework/filters/HTMLFilterTest.php
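Review bot: The added check on `$attrval` rejects only values whose whitespace-stripped form begins with `javascript:`, i.e. a one-entry scheme denylist, so any other scheme a browser treats as active content is stored into `$attrs` unchanged. For URL-bearing attributes the more robust shape is an allowlist of accepted schemes with scheme-less (relative) values still permitted: `$probe = strtolower(preg_replace('/\s+/u', '', $attrval));` followed by `if (preg_match('/^[a-z][a-z0-9+.\-]*:/', $probe) && !preg_match('/^(?:https?|ftp|mailto):/', $probe)) { return ''; }`. The `/\s+/` pattern as written carries no `u` modifier and therefore strips only ASCII whitespace; whether `utf8_normalize_spaces()` already folds Unicode space characters to ASCII is not visible in this hunk and should be confirmed before relying on it. Which attribute names carry URLs is decided outside these lines, and both the callback and the method enclosing it start and end beyond the hunk.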
@@ -187,6 +187,14 @@ class HTMLFilterTest extends \Codeception\TestCase\Test $target = 'My Picture'; $this->assertEquals($target, Rhymix\Framework\Filters\HTMLFilter::clean($source, false, false)); + $source = 'Picture'; + $target = 'Picture'; + $this->assertEquals($target, Rhymix\Framework\Filters\HTMLFilter::clean($source)); + + $source = 'Picture'; + $target = 'Picture'; + $this->assertEquals($target, Rhymix\Framework\Filters\HTMLFilter::clean($source)); + $source = ''; $target = ''; $this->assertEquals($target, Rhymix\Framework\Filters\HTMLFilter::clean($source, false, false));