Commit edd570f7 authored by catch's avatar catch

Issue #3162972 by longwave, jungle: Fix or ignore 32 words used in XSS tests and related methods

parent 7e9fbc3c
......@@ -2,6 +2,8 @@
namespace Drupal\Component\Utility;
// cspell:ignore ckers kses harnhammar
/**
* Provides helper to filter for cross-site scripting.
*
......@@ -154,7 +156,7 @@ protected static function split($string, $html_tags, $class) {
}
$slash = trim($matches[1]);
$elem = &$matches[2];
$attrlist = &$matches[3];
$attributes = &$matches[3];
$comment = &$matches[4];
if ($comment) {
......@@ -177,11 +179,11 @@ protected static function split($string, $html_tags, $class) {
}
// Is there a closing XHTML slash at the end of the attributes?
$attrlist = preg_replace('%(\s?)/\s*$%', '\1', $attrlist, -1, $count);
$attributes = preg_replace('%(\s?)/\s*$%', '\1', $attributes, -1, $count);
$xhtml_slash = $count ? ' /' : '';
// Clean up attributes.
$attr2 = implode(' ', $class::attributes($attrlist));
$attr2 = implode(' ', $class::attributes($attributes));
$attr2 = preg_replace('/[<>]/', '', $attr2);
$attr2 = strlen($attr2) ? ' ' . $attr2 : '';
......@@ -255,10 +257,10 @@ protected static function attributes($attributes) {
case 2:
// Attribute value, a URL after href= for instance.
if (preg_match('/^"([^"]*)"(\s+|$)/', $attributes, $match)) {
$thisval = $skip_protocol_filtering ? $match[1] : UrlHelper::filterBadProtocol($match[1]);
$value = $skip_protocol_filtering ? $match[1] : UrlHelper::filterBadProtocol($match[1]);
if (!$skip) {
$attributes_array[] = "$attribute_name=\"$thisval\"";
$attributes_array[] = "$attribute_name=\"$value\"";
}
$working = 1;
$mode = 0;
......@@ -267,10 +269,10 @@ protected static function attributes($attributes) {
}
if (preg_match("/^'([^']*)'(\s+|$)/", $attributes, $match)) {
$thisval = $skip_protocol_filtering ? $match[1] : UrlHelper::filterBadProtocol($match[1]);
$value = $skip_protocol_filtering ? $match[1] : UrlHelper::filterBadProtocol($match[1]);
if (!$skip) {
$attributes_array[] = "$attribute_name='$thisval'";
$attributes_array[] = "$attribute_name='$value'";
}
$working = 1; $mode = 0;
$attributes = preg_replace("/^'[^']*'(\s+|$)/", '', $attributes);
......@@ -278,10 +280,10 @@ protected static function attributes($attributes) {
}
if (preg_match("%^([^\s\"']+)(\s+|$)%", $attributes, $match)) {
$thisval = $skip_protocol_filtering ? $match[1] : UrlHelper::filterBadProtocol($match[1]);
$value = $skip_protocol_filtering ? $match[1] : UrlHelper::filterBadProtocol($match[1]);
if (!$skip) {
$attributes_array[] = "$attribute_name=\"$thisval\"";
$attributes_array[] = "$attribute_name=\"$value\"";
}
$working = 1; $mode = 0;
$attributes = preg_replace("%^[^\s\"']+(\s+|$)%", '', $attributes);
......
......@@ -166,9 +166,9 @@ public static function isVisibleElement($element) {
* @param array $map
* An associative array whose keys are element property names and whose
* values are the HTML attribute names to set on the corresponding
* property; e.g., array('#propertyname' => 'attributename'). If both names
* are identical except for the leading '#', then an attribute name value is
* sufficient and no property name needs to be specified.
* property; e.g., array('#property_name' => 'attribute_name'). If both
* names are identical except for the leading '#', then an attribute name
* value is sufficient and no property name needs to be specified.
*/
public static function setAttributes(array &$element, array $map) {
foreach ($map as $property => $attribute) {
......
......@@ -67,7 +67,6 @@ arrowstop
arrowthick
arrowthickstop
arrr
ascript
asdf
asdrsad
assertable
......@@ -77,8 +76,6 @@ atomentry
atomfeed
atomrendererfeed
atsign
attributename
attrlist
attrval
attrvals
auditable
......@@ -128,7 +125,6 @@ backtraces
bakeware
bangpow
barbar
barbaz
barchart
barfoo
barmm
......@@ -157,7 +153,6 @@ berne
bgblue
bgcolor
bgred
bgsound
bigpipe
bikeshed
bikesheds
......@@ -197,7 +192,6 @@ browserkit
browsertest
browsertestbase
brûlée
bscript
bubbleable
buildable
buildinfo
......@@ -268,7 +262,6 @@ cillum
circlesmall
cjds
ckeditor
ckers
claro's
classloader
classmap
......@@ -499,7 +492,6 @@ dublincoreentry
dublincorefeed
dublincorerendererentry
dublincorerendererfeed
dynsrc
défaut
détruire
eacute
......@@ -550,7 +542,6 @@ errrf
eslintignore
eslinting
espagnol
ession
estraven
etag
etags
......@@ -635,7 +626,6 @@ foobaz
foofoo
foomm
foos
fooÿñ
formatless
formattable
formatter's
......@@ -708,7 +698,6 @@ hardcode
hardcodes
hardcoding
harkonnen
harnhammar
hasdata
hasher
hashmarks
......@@ -851,7 +840,6 @@ kolkata
kontex
kpresenter
kristiaan
kses
kspread
kthxbai
kword
......@@ -891,7 +879,6 @@ linkification
linksby
lisu
litererally
livescript
llamaids
llamasarelame
llame
......@@ -955,7 +942,6 @@ membersonly
menulist
merhaba
messagekey
metacharacters
metainformation
metapackage
metapackages
......@@ -1005,7 +991,6 @@ mostrar
moutons
moyenne
mple
msgbox
msgctxt
msgid
msgstr
......@@ -1079,7 +1064,6 @@ nbchoices
nblocks
ncck
ncontent
ncript
ndash
ndelay
ndocs
......@@ -1095,14 +1079,11 @@ newname
newnode
newstr
newterm
nfocus
nids
nightlies
nightwatch
nightwatchjs
nmedi
nmenu
nmouseover
nmsgid
nmsgstr
nntp
......@@ -1140,9 +1121,7 @@ nosniff
nostart
nosuchcolumn
nosuchindex
nosuchscheme
nosuchtable
nosuchtag
notag
notawordenglish
notawordgerman
......@@ -1151,7 +1130,6 @@ nothere
notnull
notsimpletest
nourriture
noxss
nplurals
npoll
nprofile
......@@ -1178,7 +1156,6 @@ onecol
oneplusfourgrid
onetwo
onewidgetfield
onmediaerror
onoff
opendocument
openid
......@@ -1325,14 +1302,12 @@ presave
presentationml
presetid
presetname
pression
pretransaction
preuninstall
processlist
projecta
projectb
proname
propertyname
prophesize
prophesized
prophesizing
......@@ -1444,7 +1419,6 @@ revisioning
revlog
revpub
ribisi
ript
ritchie
robloach
robo
......@@ -1484,12 +1458,10 @@ schipulcon
scorewords
screenreader
screenreaders
scri
scriptable
scriptlet
scrollable
scrollbars
scrscriptipt
sdeeeee
searchdirs
searchfield
......@@ -1674,7 +1646,6 @@ takeshita
tappable
targetdir
tarz
tascript
taskless
tatou
tbodies
......@@ -1751,7 +1722,6 @@ theseer
theseparator
thingie
thirdcolumn
thisval
threadentry
threadingrendererentry
threecol
......@@ -1852,7 +1822,6 @@ ungroupable
ungrouped
unhashed
unhide
unicoded
unidecode
unidecoder
unindented
......@@ -1947,7 +1916,6 @@ vals
vampirize
vancode
varchar
vbscript
veeeery
vendored
veniam
......
......@@ -6,6 +6,10 @@
use Drupal\Tests\UnitTestCase;
use Drupal\filter\Plugin\FilterInterface;
// cspell:ignore ascript attributename bgsound bscript ckers cript datafld
// cspell:ignore dataformatas datasrc dynsrc ession livescript msgbox nmouseover
// cspell:ignore noxss pression ript scri scriptlet unicoded vbscript
/**
* @coversDefaultClass \Drupal\editor\EditorXssFilter\Standard
* @group editor
......@@ -464,6 +468,7 @@ public function providerTestFilterXss() {
// You can EMBED SVG which can contain your XSS vector.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#You_can_EMBED_SVG_which_can_contain_your_XSS_vector
// cspell:disable-next-line
$data[] = ['<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>', ''];
// XML data island with CDATA obfuscation.
......
......@@ -33,9 +33,9 @@ public function testToString($text, $expected, $message) {
*/
public function providerToString() {
// Checks that invalid multi-byte sequences are escaped.
$tests[] = ["Foo\xC0barbaz", 'Foo�barbaz', 'Escapes invalid sequence "Foo\xC0barbaz"'];
$tests[] = ["Foo\xC0bar", 'Foo�bar', 'Escapes invalid sequence "Foo\xC0bar"'];
$tests[] = ["\xc2\"", '�&quot;', 'Escapes invalid sequence "\xc2\""'];
$tests[] = ["Fooÿñ", "Fooÿñ", 'Does not escape valid sequence "Fooÿñ"'];
$tests[] = ["Foo ÿñ", "Foo ÿñ", 'Does not escape valid sequence "Foo ÿñ"'];
// Checks that special characters are escaped.
$script_tag = $this->prophesize(MarkupInterface::class);
......
......@@ -7,6 +7,10 @@
use Drupal\Component\Utility\Xss;
use PHPUnit\Framework\TestCase;
// cspell:ignore ascript barbaz ckers cript CVEs dynsrc fooÿñ metacharacters
// cspell:ignore msgbox ncript nfocus nmedi nosuchscheme nosuchtag onmediaerror
// cspell:ignore scrscriptipt tascript vbscript
/**
* XSS Filtering tests.
*
......