Commit c18e6eda authored by catch's avatar catch

Issue #2552837 by smustgrave, pwolanin, alexpott: XSS::filter and filter_xss...

Issue #2552837 by smustgrave, pwolanin, alexpott: XSS::filter and filter_xss can create malformed attributes when you would expect them to be stripped

(cherry picked from commit 4421948a)
parent 5421bfe2
......@@ -265,6 +265,10 @@ protected static function attributes($attributes) {
break;
case 2:
// Once we've finished processing the attribute value continue to look
// for attributes.
$mode = 0;
$working = 1;
// Attribute value, a URL after href= for instance.
if (preg_match('/^"([^"]*)"(\s+|$)/', $attributes, $match)) {
$value = $skip_protocol_filtering ? $match[1] : UrlHelper::filterBadProtocol($match[1]);
......@@ -272,8 +276,6 @@ protected static function attributes($attributes) {
if (!$skip) {
$attributes_array[] = "$attribute_name=\"$value\"";
}
$working = 1;
$mode = 0;
$attributes = preg_replace('/^"[^"]*"(\s+|$)/', '', $attributes);
break;
}
......@@ -284,8 +286,6 @@ protected static function attributes($attributes) {
if (!$skip) {
$attributes_array[] = "$attribute_name='$value'";
}
$working = 1;
$mode = 0;
$attributes = preg_replace("/^'[^']*'(\s+|$)/", '', $attributes);
break;
}
......@@ -296,15 +296,13 @@ protected static function attributes($attributes) {
if (!$skip) {
$attributes_array[] = "$attribute_name=\"$value\"";
}
$working = 1;
$mode = 0;
$attributes = preg_replace("%^[^\s\"']+(\s+|$)%", '', $attributes);
}
break;
}
if ($working == 0) {
// Not well formed; remove and try again.
// Not well-formed; remove and try again.
$attributes = preg_replace('/
^
(
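Review bot: The comment added at the top of `case 2` reads as if the value has already been consumed, yet it now sits before the three value-matching branches, so it should state what the early reset is for: `// Switch back to scanning for attribute names before the value is parsed: if none of the value forms below matches, the attribute is dropped instead of being re-parsed from the middle.` Because `$working` is now set to 1 before any match is attempted, an unmatched value no longer reaches the `if ($working == 0)` fallback on this pass and `$attributes` is left unconsumed; forward progress then depends on the mode-0 branch either consuming a name or stripping via that fallback, which is not visible here, so it is worth confirming that no input can leave the loop without advancing. The `attributes` method starts and ends outside this hunk.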
......@@ -107,7 +107,7 @@ public function providerTestFilterXss() {
// Default SRC tag by leaving it empty.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Default_SRC_tag_by_leaving_it_empty
$data[] = ['<IMG SRC= onmouseover="alert(\'xxs\')">', '<IMG nmouseover="alert(&#039;xxs&#039;)">'];
$data[] = ['<IMG SRC= onmouseover="alert(\'xxs\')">', '<IMG>'];
// Default SRC tag by leaving it out entirely.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Default_SRC_tag_by_leaving_it_out_entirely
......@@ -535,6 +535,24 @@ public function providerTestAttributes() {
'Link tag with numeric data attribute',
['a'],
],
[
'<img src= onmouseover="script(\'alert\');">',
'<img>',
'Image tag with malformed SRC',
['img'],
],
[
'Body"></iframe><img/src="x"/onerror="alert(document.domain)"/><"',
'Body"&gt;<img />&lt;"',
'Image tag with malformed SRC',
['img'],
],
[
'<img/src="x"/onerror="alert(document.domain)"/>',
'<img />',
'Image tag with malformed SRC',
['img'],
],
];
}
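Review bot: The three new data sets all carry the description `'Image tag with malformed SRC'`, although only the first has a malformed `src=`; the second is a quote breakout followed by slash-separated attributes and the third is a slash-separated attribute list with no whitespace. Distinct messages such as `'Image tag with quote breakout and slash-separated attributes'` and `'Image tag with slash-separated attributes'` would make a failing assertion self-explanatory. The third case also pins that the benign `src="x"` is dropped together with `onerror` (expected `'<img />'`), which is a conservative choice worth stating in a comment on that data set so that a later change preserving `src` is recognised as deliberate rather than as a regression. providerTestAttributes starts before the hunk.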