Commit 4421948a authored by catch's avatar catch

Issue #2552837 by smustgrave, pwolanin, alexpott: XSS::filter and filter_xss...

Issue #2552837 by smustgrave, pwolanin, alexpott: XSS::filter and filter_xss can create malformed attributes when you would expect them to be stripped
parent ba56921e
......@@ -265,6 +265,10 @@ protected static function attributes($attributes) {
break;
case 2:
// Once we've finished processing the attribute value continue to look
// for attributes.
$mode = 0;
$working = 1;
// Attribute value, a URL after href= for instance.
if (preg_match('/^"([^"]*)"(\s+|$)/', $attributes, $match)) {
$value = $skip_protocol_filtering ? $match[1] : UrlHelper::filterBadProtocol($match[1]);
......@@ -272,8 +276,6 @@ protected static function attributes($attributes) {
if (!$skip) {
$attributes_array[] = "$attribute_name=\"$value\"";
}
$working = 1;
$mode = 0;
$attributes = preg_replace('/^"[^"]*"(\s+|$)/', '', $attributes);
break;
}
......@@ -284,8 +286,6 @@ protected static function attributes($attributes) {
if (!$skip) {
$attributes_array[] = "$attribute_name='$value'";
}
$working = 1;
$mode = 0;
$attributes = preg_replace("/^'[^']*'(\s+|$)/", '', $attributes);
break;
}
......@@ -296,15 +296,13 @@ protected static function attributes($attributes) {
if (!$skip) {
$attributes_array[] = "$attribute_name=\"$value\"";
}
$working = 1;
$mode = 0;
$attributes = preg_replace("%^[^\s\"']+(\s+|$)%", '', $attributes);
}
break;
}
if ($working == 0) {
// Not well formed; remove and try again.
// Not well-formed; remove and try again.
$attributes = preg_replace('/
^
(
......
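Review bot: The new comment on the `case 2:` lines of the first hunk describes the state reset but not why it now precedes the three value branches, which is the security-relevant part: a value that matches none of the double-quoted, single-quoted or unquoted forms (the `src= onmouseover=` input in the test hunk) now drops the attribute name and returns to mode 0, instead of leaving `$working` at 0 and falling into the "Not well-formed; remove and try again" `preg_replace` at the end of the loop, which resynchronised one character into the next attribute and emitted a truncated one such as `nmouseover`. Suggest widening the comment to `// Reset before matching the value: a value in none of the three forms is dropped together with its name, so the not-well-formed fallback below cannot resynchronise inside the following attribute.` That reset is also what makes the removed `$working = 1; $mode = 0;` pairs in the next three hunks redundant, so the comment is worth a line. The enclosing `attributes()` method and the final `preg_replace` pattern continue outside the shown hunks.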
......@@ -107,7 +107,7 @@ public function providerTestFilterXss() {
// Default SRC tag by leaving it empty.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Default_SRC_tag_by_leaving_it_empty
$data[] = ['<IMG SRC= onmouseover="alert(\'xxs\')">', '<IMG nmouseover="alert(&#039;xxs&#039;)">'];
$data[] = ['<IMG SRC= onmouseover="alert(\'xxs\')">', '<IMG>'];
// Default SRC tag by leaving it out entirely.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Default_SRC_tag_by_leaving_it_out_entirely
......
......@@ -525,6 +525,24 @@ public function providerTestAttributes() {
'Link tag with numeric data attribute',
['a'],
],
[
'<img src= onmouseover="script(\'alert\');">',
'<img>',
'Image tag with malformed SRC',
['img'],
],
[
'Body"></iframe><img/src="x"/onerror="alert(document.domain)"/><"',
'Body"&gt;<img />&lt;"',
'Image tag with malformed SRC',
['img'],
],
[
'<img/src="x"/onerror="alert(document.domain)"/>',
'<img />',
'Image tag with malformed SRC',
['img'],
],
];
}
......
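Review bot: All three new data sets in the hunk reuse the description `'Image tag with malformed SRC'` as their third element, so a failing assertion cannot be told apart by the provider's message, and the label is inaccurate for the first case (the value is empty, the event-handler attribute is the point) and the second (the tag sits inside text after a stray closing tag). Suggest distinct labels such as `'Image tag with empty SRC followed by event handler attribute'`, `'Slash-separated image attributes inside text after a stray closing tag'` and `'Image tag with slash-separated attributes'`. The enclosing `providerTestAttributes()` method starts outside the hunk.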
  • catch @catch

    mentioned in commit 0217ee0a

    ·

    mentioned in commit 0217ee0a

  • catch @catch

    mentioned in commit c18e6eda

    ·

    mentioned in commit c18e6eda
