fanbinit/rhymix
1
0
Fork 0
mirror of https://github.com/Lastorder-DC/rhymix.git synced 2026-05-10 20:44:28 +09:00
Code Issues Projects Releases Packages Wiki Activity

Disallow classes in user-submitted content

Browse source
This commit is contained in:
Kijin Sung 2016-12-08 17:45:03 +09:00
parent 5e5c2d918a
commit e9bfb0e298
2 changed files with 4 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

1
common/framework/filters/htmlfilter.php
View file

@ -104,6 +104,7 @@ class HTMLFilter
$config = \HTMLPurifier_Config::createDefault(); $config = \HTMLPurifier_Config::createDefault();
// Customize the default configuration. // Customize the default configuration.
$config->set('Attr.AllowedClasses', array());
$config->set('Attr.AllowedFrameTargets', array('_blank')); $config->set('Attr.AllowedFrameTargets', array('_blank'));
$config->set('Attr.DefaultImageAlt', ''); $config->set('Attr.DefaultImageAlt', '');
$config->set('Attr.EnableID', true); $config->set('Attr.EnableID', true);

6
tests/unit/framework/filters/HTMLFilterTest.php
View file

@ -8,12 +8,12 @@ class HTMLFilterTest extends \Codeception\TestCase\Test
// remove iframe // remove iframe
array( array(
'<div class="frame"><iframe src="path/to/file.html"></iframe><p><a href="#iframe">IFrame</a></p></div>', '<div class="frame"><iframe src="path/to/file.html"></iframe><p><a href="#iframe">IFrame</a></p></div>',
'<div class="frame"><iframe></iframe><p><a href="#iframe">IFrame</a></p></div>' '<div><iframe></iframe><p><a href="#iframe">IFrame</a></p></div>'
), ),
// expression // expression
array( array(
'<div class="dummy" style="xss:expr/*XSS*/ession(alert(\'XSS\'))">', '<div class="dummy" style="xss:expr/*XSS*/ession(alert(\'XSS\'))">',
'<div class="dummy"></div>' '<div></div>'
), ),
// no quotes and no semicolon - http://ha.ckers.org/xss.html // no quotes and no semicolon - http://ha.ckers.org/xss.html
array( array(
@ -153,7 +153,7 @@ class HTMLFilterTest extends \Codeception\TestCase\Test
$this->assertEquals($target, Rhymix\Framework\Filters\HTMLFilter::clean($source)); $this->assertEquals($target, Rhymix\Framework\Filters\HTMLFilter::clean($source));
$source = '<div somekey="somevalue" otherkey="othervalue" onload="alert(\'xss\');" id="foo" class="bar" editor_component="component_name"></div>'; $source = '<div somekey="somevalue" otherkey="othervalue" onload="alert(\'xss\');" id="foo" class="bar" editor_component="component_name"></div>';
$target = '<div somekey="somevalue" otherkey="othervalue" id="user_content_foo" class="bar" editor_component="component_name"></div>'; $target = '<div somekey="somevalue" otherkey="othervalue" id="user_content_foo" editor_component="component_name"></div>';
$this->assertEquals($target, Rhymix\Framework\Filters\HTMLFilter::clean($source)); $this->assertEquals($target, Rhymix\Framework\Filters\HTMLFilter::clean($source));
$source = '<div editor_component="component_name" style="width:400px;height:300px;" draggable dropzone contextmenu="whatever"></div>'; $source = '<div editor_component="component_name" style="width:400px;height:300px;" draggable dropzone contextmenu="whatever"></div>';