Commit edd570f7 authored by catch

Issue #3162972 by longwave, jungle: Fix or ignore 32 words used in XSS tests and related methods

parent 7e9fbc3c
...@@ -2,6 +2,8 @@ ...@@ -2,6 +2,8 @@
namespace Drupal\Component\Utility; namespace Drupal\Component\Utility;
// cspell:ignore ckers kses harnhammar
/** /**
* Provides helper to filter for cross-site scripting. * Provides helper to filter for cross-site scripting.
* *
...@@ -154,7 +156,7 @@ protected static function split($string, $html_tags, $class) { ...@@ -154,7 +156,7 @@ protected static function split($string, $html_tags, $class) {
} }
$slash = trim($matches[1]); $slash = trim($matches[1]);
$elem = &$matches[2]; $elem = &$matches[2];
$attrlist = &$matches[3]; $attributes = &$matches[3];
$comment = &$matches[4]; $comment = &$matches[4];
if ($comment) { if ($comment) {
...@@ -177,11 +179,11 @@ protected static function split($string, $html_tags, $class) { ...@@ -177,11 +179,11 @@ protected static function split($string, $html_tags, $class) {
} }
// Is there a closing XHTML slash at the end of the attributes? // Is there a closing XHTML slash at the end of the attributes?
$attrlist = preg_replace('%(\s?)/\s*$%', '\1', $attrlist, -1, $count); $attributes = preg_replace('%(\s?)/\s*$%', '\1', $attributes, -1, $count);
$xhtml_slash = $count ? ' /' : ''; $xhtml_slash = $count ? ' /' : '';
// Clean up attributes. // Clean up attributes.
$attr2 = implode(' ', $class::attributes($attrlist)); $attr2 = implode(' ', $class::attributes($attributes));
$attr2 = preg_replace('/[<>]/', '', $attr2); $attr2 = preg_replace('/[<>]/', '', $attr2);
$attr2 = strlen($attr2) ? ' ' . $attr2 : ''; $attr2 = strlen($attr2) ? ' ' . $attr2 : '';
...@@ -255,10 +257,10 @@ protected static function attributes($attributes) { ...@@ -255,10 +257,10 @@ protected static function attributes($attributes) {
case 2: case 2:
// Attribute value, a URL after href= for instance. // Attribute value, a URL after href= for instance.
if (preg_match('/^"([^"]*)"(\s+|$)/', $attributes, $match)) { if (preg_match('/^"([^"]*)"(\s+|$)/', $attributes, $match)) {
$thisval = $skip_protocol_filtering ? $match[1] : UrlHelper::filterBadProtocol($match[1]); $value = $skip_protocol_filtering ? $match[1] : UrlHelper::filterBadProtocol($match[1]);
if (!$skip) { if (!$skip) {
$attributes_array[] = "$attribute_name=\"$thisval\""; $attributes_array[] = "$attribute_name=\"$value\"";
} }
$working = 1; $working = 1;
$mode = 0; $mode = 0;
...@@ -267,10 +269,10 @@ protected static function attributes($attributes) { ...@@ -267,10 +269,10 @@ protected static function attributes($attributes) {
} }
if (preg_match("/^'([^']*)'(\s+|$)/", $attributes, $match)) { if (preg_match("/^'([^']*)'(\s+|$)/", $attributes, $match)) {
$thisval = $skip_protocol_filtering ? $match[1] : UrlHelper::filterBadProtocol($match[1]); $value = $skip_protocol_filtering ? $match[1] : UrlHelper::filterBadProtocol($match[1]);
if (!$skip) { if (!$skip) {
$attributes_array[] = "$attribute_name='$thisval'"; $attributes_array[] = "$attribute_name='$value'";
} }
$working = 1; $mode = 0; $working = 1; $mode = 0;
$attributes = preg_replace("/^'[^']*'(\s+|$)/", '', $attributes); $attributes = preg_replace("/^'[^']*'(\s+|$)/", '', $attributes);
...@@ -278,10 +280,10 @@ protected static function attributes($attributes) { ...@@ -278,10 +280,10 @@ protected static function attributes($attributes) {
} }
if (preg_match("%^([^\s\"']+)(\s+|$)%", $attributes, $match)) { if (preg_match("%^([^\s\"']+)(\s+|$)%", $attributes, $match)) {
$thisval = $skip_protocol_filtering ? $match[1] : UrlHelper::filterBadProtocol($match[1]); $value = $skip_protocol_filtering ? $match[1] : UrlHelper::filterBadProtocol($match[1]);
if (!$skip) { if (!$skip) {
$attributes_array[] = "$attribute_name=\"$thisval\""; $attributes_array[] = "$attribute_name=\"$value\"";
} }
$working = 1; $mode = 0; $working = 1; $mode = 0;
$attributes = preg_replace("%^[^\s\"']+(\s+|$)%", '', $attributes); $attributes = preg_replace("%^[^\s\"']+(\s+|$)%", '', $attributes);
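Review bot: The renamed `$value` is interpolated straight back into a quoted attribute on the `$attributes_array[] = ...` line of all three value branches (double-quoted, single-quoted and unquoted), and nothing in the hunk records why re-quoting is safe; a why-comment such as `// Safe to re-quote: the capture above excludes the quote character emitted here.` would spare the next reader re-deriving it from the `[^"]*`, `[^']*` and `[^\s\"']+` patterns. Whether `UrlHelper::filterBadProtocol()` additionally escapes its result cannot be seen from this hunk, so the comment should not claim that. As a point of style, the `$skip_protocol_filtering ? $match[1] : UrlHelper::filterBadProtocol($match[1])` expression is now maintained three times on lines the commit was already touching, so a small private static helper taking the captured value would leave a single place to change. attributes() starts and ends outside the hunk.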
......
...@@ -166,9 +166,9 @@ public static function isVisibleElement($element) { ...@@ -166,9 +166,9 @@ public static function isVisibleElement($element) {
* @param array $map * @param array $map
* An associative array whose keys are element property names and whose * An associative array whose keys are element property names and whose
* values are the HTML attribute names to set on the corresponding * values are the HTML attribute names to set on the corresponding
* property; e.g., array('#propertyname' => 'attributename'). If both names * property; e.g., array('#property_name' => 'attribute_name'). If both
* are identical except for the leading '#', then an attribute name value is * names are identical except for the leading '#', then an attribute name
* sufficient and no property name needs to be specified. * value is sufficient and no property name needs to be specified.
*/ */
public static function setAttributes(array &$element, array $map) { public static function setAttributes(array &$element, array $map) {
foreach ($map as $property => $attribute) { foreach ($map as $property => $attribute) {
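Review bot: The example on the rewritten `@param array $map` lines still uses the long form `array('#property_name' => 'attribute_name')`; since the sentence was reworded anyway, `['#property_name' => 'attribute_name']` would match the short array syntax used in the test hunks of this same commit. This is docblock text only, so it is a wording point rather than a defect.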
......
...@@ -67,7 +67,6 @@ arrowstop ...@@ -67,7 +67,6 @@ arrowstop
arrowthick arrowthick
arrowthickstop arrowthickstop
arrr arrr
ascript
asdf asdf
asdrsad asdrsad
assertable assertable
...@@ -77,8 +76,6 @@ atomentry ...@@ -77,8 +76,6 @@ atomentry
atomfeed atomfeed
atomrendererfeed atomrendererfeed
atsign atsign
attributename
attrlist
attrval attrval
attrvals attrvals
auditable auditable
...@@ -128,7 +125,6 @@ backtraces ...@@ -128,7 +125,6 @@ backtraces
bakeware bakeware
bangpow bangpow
barbar barbar
barbaz
barchart barchart
barfoo barfoo
barmm barmm
...@@ -157,7 +153,6 @@ berne ...@@ -157,7 +153,6 @@ berne
bgblue bgblue
bgcolor bgcolor
bgred bgred
bgsound
bigpipe bigpipe
bikeshed bikeshed
bikesheds bikesheds
...@@ -197,7 +192,6 @@ browserkit ...@@ -197,7 +192,6 @@ browserkit
browsertest browsertest
browsertestbase browsertestbase
brûlée brûlée
bscript
bubbleable bubbleable
buildable buildable
buildinfo buildinfo
...@@ -268,7 +262,6 @@ cillum ...@@ -268,7 +262,6 @@ cillum
circlesmall circlesmall
cjds cjds
ckeditor ckeditor
ckers
claro's claro's
classloader classloader
classmap classmap
...@@ -499,7 +492,6 @@ dublincoreentry ...@@ -499,7 +492,6 @@ dublincoreentry
dublincorefeed dublincorefeed
dublincorerendererentry dublincorerendererentry
dublincorerendererfeed dublincorerendererfeed
dynsrc
défaut défaut
détruire détruire
eacute eacute
...@@ -550,7 +542,6 @@ errrf ...@@ -550,7 +542,6 @@ errrf
eslintignore eslintignore
eslinting eslinting
espagnol espagnol
ession
estraven estraven
etag etag
etags etags
...@@ -635,7 +626,6 @@ foobaz ...@@ -635,7 +626,6 @@ foobaz
foofoo foofoo
foomm foomm
foos foos
fooÿñ
formatless formatless
formattable formattable
formatter's formatter's
...@@ -708,7 +698,6 @@ hardcode ...@@ -708,7 +698,6 @@ hardcode
hardcodes hardcodes
hardcoding hardcoding
harkonnen harkonnen
harnhammar
hasdata hasdata
hasher hasher
hashmarks hashmarks
...@@ -851,7 +840,6 @@ kolkata ...@@ -851,7 +840,6 @@ kolkata
kontex kontex
kpresenter kpresenter
kristiaan kristiaan
kses
kspread kspread
kthxbai kthxbai
kword kword
...@@ -891,7 +879,6 @@ linkification ...@@ -891,7 +879,6 @@ linkification
linksby linksby
lisu lisu
litererally litererally
livescript
llamaids llamaids
llamasarelame llamasarelame
llame llame
...@@ -955,7 +942,6 @@ membersonly ...@@ -955,7 +942,6 @@ membersonly
menulist menulist
merhaba merhaba
messagekey messagekey
metacharacters
metainformation metainformation
metapackage metapackage
metapackages metapackages
...@@ -1005,7 +991,6 @@ mostrar ...@@ -1005,7 +991,6 @@ mostrar
moutons moutons
moyenne moyenne
mple mple
msgbox
msgctxt msgctxt
msgid msgid
msgstr msgstr
...@@ -1079,7 +1064,6 @@ nbchoices ...@@ -1079,7 +1064,6 @@ nbchoices
nblocks nblocks
ncck ncck
ncontent ncontent
ncript
ndash ndash
ndelay ndelay
ndocs ndocs
...@@ -1095,14 +1079,11 @@ newname ...@@ -1095,14 +1079,11 @@ newname
newnode newnode
newstr newstr
newterm newterm
nfocus
nids nids
nightlies nightlies
nightwatch nightwatch
nightwatchjs nightwatchjs
nmedi
nmenu nmenu
nmouseover
nmsgid nmsgid
nmsgstr nmsgstr
nntp nntp
...@@ -1140,9 +1121,7 @@ nosniff ...@@ -1140,9 +1121,7 @@ nosniff
nostart nostart
nosuchcolumn nosuchcolumn
nosuchindex nosuchindex
nosuchscheme
nosuchtable nosuchtable
nosuchtag
notag notag
notawordenglish notawordenglish
notawordgerman notawordgerman
...@@ -1151,7 +1130,6 @@ nothere ...@@ -1151,7 +1130,6 @@ nothere
notnull notnull
notsimpletest notsimpletest
nourriture nourriture
noxss
nplurals nplurals
npoll npoll
nprofile nprofile
...@@ -1178,7 +1156,6 @@ onecol ...@@ -1178,7 +1156,6 @@ onecol
oneplusfourgrid oneplusfourgrid
onetwo onetwo
onewidgetfield onewidgetfield
onmediaerror
onoff onoff
opendocument opendocument
openid openid
...@@ -1325,14 +1302,12 @@ presave ...@@ -1325,14 +1302,12 @@ presave
presentationml presentationml
presetid presetid
presetname presetname
pression
pretransaction pretransaction
preuninstall preuninstall
processlist processlist
projecta projecta
projectb projectb
proname proname
propertyname
prophesize prophesize
prophesized prophesized
prophesizing prophesizing
...@@ -1444,7 +1419,6 @@ revisioning ...@@ -1444,7 +1419,6 @@ revisioning
revlog revlog
revpub revpub
ribisi ribisi
ript
ritchie ritchie
robloach robloach
robo robo
...@@ -1484,12 +1458,10 @@ schipulcon ...@@ -1484,12 +1458,10 @@ schipulcon
scorewords scorewords
screenreader screenreader
screenreaders screenreaders
scri
scriptable scriptable
scriptlet scriptlet
scrollable scrollable
scrollbars scrollbars
scrscriptipt
sdeeeee sdeeeee
searchdirs searchdirs
searchfield searchfield
...@@ -1674,7 +1646,6 @@ takeshita ...@@ -1674,7 +1646,6 @@ takeshita
tappable tappable
targetdir targetdir
tarz tarz
tascript
taskless taskless
tatou tatou
tbodies tbodies
...@@ -1751,7 +1722,6 @@ theseer ...@@ -1751,7 +1722,6 @@ theseer
theseparator theseparator
thingie thingie
thirdcolumn thirdcolumn
thisval
threadentry threadentry
threadingrendererentry threadingrendererentry
threecol threecol
...@@ -1852,7 +1822,6 @@ ungroupable ...@@ -1852,7 +1822,6 @@ ungroupable
ungrouped ungrouped
unhashed unhashed
unhide unhide
unicoded
unidecode unidecode
unidecoder unidecoder
unindented unindented
...@@ -1947,7 +1916,6 @@ vals ...@@ -1947,7 +1916,6 @@ vals
vampirize vampirize
vancode vancode
varchar varchar
vbscript
veeeery veeeery
vendored vendored
veniam veniam
......
...@@ -6,6 +6,10 @@ ...@@ -6,6 +6,10 @@
use Drupal\Tests\UnitTestCase; use Drupal\Tests\UnitTestCase;
use Drupal\filter\Plugin\FilterInterface; use Drupal\filter\Plugin\FilterInterface;
// cspell:ignore ascript attributename bgsound bscript ckers cript datafld
// cspell:ignore dataformatas datasrc dynsrc ession livescript msgbox nmouseover
// cspell:ignore noxss pression ript scri scriptlet unicoded vbscript
/** /**
* @coversDefaultClass \Drupal\editor\EditorXssFilter\Standard * @coversDefaultClass \Drupal\editor\EditorXssFilter\Standard
* @group editor * @group editor
...@@ -464,6 +468,7 @@ public function providerTestFilterXss() { ...@@ -464,6 +468,7 @@ public function providerTestFilterXss() {
// You can EMBED SVG which can contain your XSS vector. // You can EMBED SVG which can contain your XSS vector.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#You_can_EMBED_SVG_which_can_contain_your_XSS_vector // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#You_can_EMBED_SVG_which_can_contain_your_XSS_vector
// cspell:disable-next-line
$data[] = ['<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>', '']; $data[] = ['<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>', ''];
// XML data island with CDATA obfuscation. // XML data island with CDATA obfuscation.
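Review bot: The new ignore list in the first hunk of this file, `// cspell:ignore noxss pression ript scri scriptlet unicoded vbscript`, includes `scriptlet`, which the dictionary hunk in this same commit still keeps as a context line next to `scriptable`, so that entry looks redundant; `// cspell:ignore noxss pression ript scri unicoded vbscript` would limit the per-file list to words the dictionary does not cover. If the project prefers per-file lists to be self-contained regardless of the dictionary, the line can stay as written.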
......
...@@ -33,9 +33,9 @@ public function testToString($text, $expected, $message) { ...@@ -33,9 +33,9 @@ public function testToString($text, $expected, $message) {
*/ */
public function providerToString() { public function providerToString() {
// Checks that invalid multi-byte sequences are escaped. // Checks that invalid multi-byte sequences are escaped.
$tests[] = ["Foo\xC0barbaz", 'Foo�barbaz', 'Escapes invalid sequence "Foo\xC0barbaz"']; $tests[] = ["Foo\xC0bar", 'Foo�bar', 'Escapes invalid sequence "Foo\xC0bar"'];
$tests[] = ["\xc2\"", '�&quot;', 'Escapes invalid sequence "\xc2\""']; $tests[] = ["\xc2\"", '�&quot;', 'Escapes invalid sequence "\xc2\""'];
$tests[] = ["Fooÿñ", "Fooÿñ", 'Does not escape valid sequence "Fooÿñ"']; $tests[] = ["Foo ÿñ", "Foo ÿñ", 'Does not escape valid sequence "Foo ÿñ"'];
// Checks that special characters are escaped. // Checks that special characters are escaped.
$script_tag = $this->prophesize(MarkupInterface::class); $script_tag = $this->prophesize(MarkupInterface::class);
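Review bot: The fixtures on the two rewritten `$tests[]` lines were changed to satisfy the spell checker (`"Foo\xC0barbaz"` to `"Foo\xC0bar"`, `"Fooÿñ"` to `"Foo ÿñ"`), whereas the XssTest hunk in this same commit keeps `barbaz` and `fooÿñ` untouched and lists them in a `// cspell:ignore` comment; the two test files would be easier to follow if they took the same approach. Inserting the space in `Foo ÿñ` also means the valid-sequence case no longer exercises a multibyte character directly adjacent to ASCII, which the old string did; keeping the original bytes with `// cspell:ignore barbaz fooÿñ` preserves that, if the adjacency was the point of the case. The expected value and message strings on the same lines must stay in step with whichever fixture is kept. providerToString() continues past the end of the hunk.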
......
...@@ -7,6 +7,10 @@ ...@@ -7,6 +7,10 @@
use Drupal\Component\Utility\Xss; use Drupal\Component\Utility\Xss;
use PHPUnit\Framework\TestCase; use PHPUnit\Framework\TestCase;
// cspell:ignore ascript barbaz ckers cript CVEs dynsrc fooÿñ metacharacters
// cspell:ignore msgbox ncript nfocus nmedi nosuchscheme nosuchtag onmediaerror
// cspell:ignore scrscriptipt tascript vbscript
/** /**
* XSS Filtering tests. * XSS Filtering tests.
* *
......