From 145c0b55e180fca185826a42498a9fc35c05562b Mon Sep 17 00:00:00 2001 From: mrflos Date: Fri, 5 Aug 2022 15:05:35 +0300 Subject: [PATCH] refact(attach) : add antiXss lib and refactor service to handle SVG, HTML and XML for xss --- composer.json | 1 + composer.lock | 662 ++++++++++++++++------ includes/services/HtmlPurifierService.php | 41 +- tools/attach/config.yaml | 2 +- tools/attach/libs/attach.lib.php | 26 +- tools/attach/libs/qq.lib.php | 10 +- 6 files changed, 558 insertions(+), 184 deletions(-) diff --git a/composer.json b/composer.json index a3f98edb8..d83dcac32 100644 --- a/composer.json +++ b/composer.json @@ -51,6 +51,7 @@ "symfony/yaml": "^5.1", "tamtamchik/simple-flash": "^2.0", "twig/twig": "^3.0", + "voku/anti-xss": "^4.1", "yeswiki/theme-margot": "^1.0" }, "conflict": { diff --git a/composer.lock b/composer.lock index 73596a9df..871375d38 100644 --- a/composer.lock +++ b/composer.lock @@ -4,7 +4,7 @@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies", "This file is @generated automatically" ], - "content-hash": "aef8d37c0c2b4b0988c0fe76b46ed2e0", + "content-hash": "e3ff20846b50ade46d04ebdf64412f1f", "packages": [ { "name": "caxy/php-htmldiff", @@ -220,16 +220,16 @@ }, { "name": "doctrine/annotations", - "version": "1.13.2", + "version": "1.13.3", "source": { "type": "git", "url": "https://github.com/doctrine/annotations.git", - "reference": "5b668aef16090008790395c02c893b1ba13f7e08" + "reference": "648b0343343565c4a056bfc8392201385e8d89f0" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/doctrine/annotations/zipball/5b668aef16090008790395c02c893b1ba13f7e08", - "reference": "5b668aef16090008790395c02c893b1ba13f7e08", + "url": "https://api.github.com/repos/doctrine/annotations/zipball/648b0343343565c4a056bfc8392201385e8d89f0", + "reference": "648b0343343565c4a056bfc8392201385e8d89f0", "shasum": "" }, "require": { @@ -241,9 +241,10 @@ "require-dev": { "doctrine/cache": "^1.11 || ^2.0", "doctrine/coding-standard": "^6.0 || ^8.1", - "phpstan/phpstan": "^0.12.20", + "phpstan/phpstan": "^1.4.10 || ^1.8.0", "phpunit/phpunit": "^7.5 || ^8.0 || ^9.1.5", - "symfony/cache": "^4.4 || ^5.2" + "symfony/cache": "^4.4 || ^5.2", + "vimeo/psalm": "^4.10" }, "type": "library", "autoload": { @@ -286,9 +287,9 @@ ], "support": { "issues": "https://github.com/doctrine/annotations/issues", - "source": "https://github.com/doctrine/annotations/tree/1.13.2" + "source": "https://github.com/doctrine/annotations/tree/1.13.3" }, - "time": "2021-08-05T19:00:23+00:00" + "time": "2022-07-02T10:48:51+00:00" }, { "name": "doctrine/cache", @@ -563,21 +564,21 @@ }, { "name": "jbroadway/urlify", - "version": "1.2.3-stable", + "version": "1.2.4-stable", "source": { "type": "git", "url": "https://github.com/jbroadway/urlify.git", - "reference": "b7c142a247bd5fac2bb62ca2491bd151c4d1dee4" + "reference": "d0fafbaa1dc14e8039cdf5c72a932a8d1de1750e" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/jbroadway/urlify/zipball/b7c142a247bd5fac2bb62ca2491bd151c4d1dee4", - "reference": "b7c142a247bd5fac2bb62ca2491bd151c4d1dee4", + "url": "https://api.github.com/repos/jbroadway/urlify/zipball/d0fafbaa1dc14e8039cdf5c72a932a8d1de1750e", + "reference": "d0fafbaa1dc14e8039cdf5c72a932a8d1de1750e", "shasum": "" }, "require": { "php": ">=7.2", - "voku/portable-ascii": "^1.4", + "voku/portable-ascii": "^2.0", "voku/stop-words": "^2.0" }, "require-dev": { @@ -628,22 +629,22 @@ ], "support": { "issues": "https://github.com/jbroadway/urlify/issues", - "source": "https://github.com/jbroadway/urlify/tree/1.2.3-stable" + "source": "https://github.com/jbroadway/urlify/tree/1.2.4-stable" }, - "time": "2021-12-29T21:23:40+00:00" + "time": "2022-06-15T16:46:46+00:00" }, { "name": "nesbot/carbon", - "version": "2.58.0", + "version": "2.60.0", "source": { "type": "git", "url": "https://github.com/briannesbitt/Carbon.git", - "reference": "97a34af22bde8d0ac20ab34b29d7bfe360902055" + "reference": "00a259ae02b003c563158b54fb6743252b638ea6" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/briannesbitt/Carbon/zipball/97a34af22bde8d0ac20ab34b29d7bfe360902055", - "reference": "97a34af22bde8d0ac20ab34b29d7bfe360902055", + "url": "https://api.github.com/repos/briannesbitt/Carbon/zipball/00a259ae02b003c563158b54fb6743252b638ea6", + "reference": "00a259ae02b003c563158b54fb6743252b638ea6", "shasum": "" }, "require": { @@ -658,11 +659,12 @@ "doctrine/orm": "^2.7", "friendsofphp/php-cs-fixer": "^3.0", "kylekatarnls/multi-tester": "^2.0", + "ondrejmirtes/better-reflection": "*", "phpmd/phpmd": "^2.9", "phpstan/extension-installer": "^1.0", - "phpstan/phpstan": "^0.12.54 || ^1.0", - "phpunit/php-file-iterator": "^2.0.5", - "phpunit/phpunit": "^7.5.20 || ^8.5.23", + "phpstan/phpstan": "^0.12.99 || ^1.7.14", + "phpunit/php-file-iterator": "^2.0.5 || ^3.0.6", + "phpunit/phpunit": "^7.5.20 || ^8.5.26 || ^9.5.20", "squizlabs/php_codesniffer": "^3.4" }, "bin": [ @@ -719,15 +721,19 @@ }, "funding": [ { - "url": "https://opencollective.com/Carbon", - "type": "open_collective" + "url": "https://github.com/sponsors/kylekatarnls", + "type": "github" }, { - "url": "https://tidelift.com/funding/github/packagist/nesbot/carbon", + "url": "https://opencollective.com/Carbon#sponsor", + "type": "opencollective" + }, + { + "url": "https://tidelift.com/subscription/pkg/packagist-nesbot-carbon?utm_source=packagist-nesbot-carbon&utm_medium=referral&utm_campaign=readme", "type": "tidelift" } ], - "time": "2022-04-25T19:31:17+00:00" + "time": "2022-07-27T15:57:48+00:00" }, { "name": "oomphinc/composer-installers-extender", @@ -788,16 +794,16 @@ }, { "name": "phpmailer/phpmailer", - "version": "v6.6.2", + "version": "v6.6.3", "source": { "type": "git", "url": "https://github.com/PHPMailer/PHPMailer.git", - "reference": "b52ed06864fdda81b82ec8bf564cf15d45ed4f95" + "reference": "9400f305a898f194caff5521f64e5dfa926626f3" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/PHPMailer/PHPMailer/zipball/b52ed06864fdda81b82ec8bf564cf15d45ed4f95", - "reference": "b52ed06864fdda81b82ec8bf564cf15d45ed4f95", + "url": "https://api.github.com/repos/PHPMailer/PHPMailer/zipball/9400f305a898f194caff5521f64e5dfa926626f3", + "reference": "9400f305a898f194caff5521f64e5dfa926626f3", "shasum": "" }, "require": { @@ -854,7 +860,7 @@ "description": "PHPMailer is a full-featured email creation and transfer class for PHP", "support": { "issues": "https://github.com/PHPMailer/PHPMailer/issues", - "source": "https://github.com/PHPMailer/PHPMailer/tree/v6.6.2" + "source": "https://github.com/PHPMailer/PHPMailer/tree/v6.6.3" }, "funding": [ { @@ -862,7 +868,7 @@ "type": "github" } ], - "time": "2022-06-14T09:27:21+00:00" + "time": "2022-06-20T09:21:02+00:00" }, { "name": "psr/cache", @@ -1121,16 +1127,16 @@ }, { "name": "symfony/config", - "version": "v5.4.9", + "version": "v5.4.11", "source": { "type": "git", "url": "https://github.com/symfony/config.git", - "reference": "8f551fe22672ac7ab2c95fe46d899f960ed4d979" + "reference": "ec79e03125c1d2477e43dde8528535d90cc78379" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/symfony/config/zipball/8f551fe22672ac7ab2c95fe46d899f960ed4d979", - "reference": "8f551fe22672ac7ab2c95fe46d899f960ed4d979", + "url": "https://api.github.com/repos/symfony/config/zipball/ec79e03125c1d2477e43dde8528535d90cc78379", + "reference": "ec79e03125c1d2477e43dde8528535d90cc78379", "shasum": "" }, "require": { @@ -1180,7 +1186,7 @@ "description": "Helps you find, load, combine, autofill and validate configuration values of any kind", "homepage": "https://symfony.com", "support": { - "source": "https://github.com/symfony/config/tree/v5.4.9" + "source": "https://github.com/symfony/config/tree/v5.4.11" }, "funding": [ { @@ -1196,20 +1202,20 @@ "type": "tidelift" } ], - "time": "2022-05-17T10:39:36+00:00" + "time": "2022-07-20T13:00:38+00:00" }, { "name": "symfony/console", - "version": "v5.4.9", + "version": "v5.4.11", "source": { "type": "git", "url": "https://github.com/symfony/console.git", - "reference": "829d5d1bf60b2efeb0887b7436873becc71a45eb" + "reference": "535846c7ee6bc4dd027ca0d93220601456734b10" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/symfony/console/zipball/829d5d1bf60b2efeb0887b7436873becc71a45eb", - "reference": "829d5d1bf60b2efeb0887b7436873becc71a45eb", + "url": "https://api.github.com/repos/symfony/console/zipball/535846c7ee6bc4dd027ca0d93220601456734b10", + "reference": "535846c7ee6bc4dd027ca0d93220601456734b10", "shasum": "" }, "require": { @@ -1279,7 +1285,7 @@ "terminal" ], "support": { - "source": "https://github.com/symfony/console/tree/v5.4.9" + "source": "https://github.com/symfony/console/tree/v5.4.11" }, "funding": [ { @@ -1295,20 +1301,20 @@ "type": "tidelift" } ], - "time": "2022-05-18T06:17:34+00:00" + "time": "2022-07-22T10:42:43+00:00" }, { "name": "symfony/dependency-injection", - "version": "v5.4.9", + "version": "v5.4.11", "source": { "type": "git", "url": "https://github.com/symfony/dependency-injection.git", - "reference": "beecae161577305926ec078c4ed973f2b98880b3" + "reference": "a8b9251016e9476db73e25fa836904bc0bf74c62" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/symfony/dependency-injection/zipball/beecae161577305926ec078c4ed973f2b98880b3", - "reference": "beecae161577305926ec078c4ed973f2b98880b3", + "url": "https://api.github.com/repos/symfony/dependency-injection/zipball/a8b9251016e9476db73e25fa836904bc0bf74c62", + "reference": "a8b9251016e9476db73e25fa836904bc0bf74c62", "shasum": "" }, "require": { @@ -1368,7 +1374,7 @@ "description": "Allows you to standardize and centralize the way objects are constructed in your application", "homepage": "https://symfony.com", "support": { - "source": "https://github.com/symfony/dependency-injection/tree/v5.4.9" + "source": "https://github.com/symfony/dependency-injection/tree/v5.4.11" }, "funding": [ { @@ -1384,11 +1390,11 @@ "type": "tidelift" } ], - "time": "2022-05-27T06:40:03+00:00" + "time": "2022-07-20T13:00:38+00:00" }, { "name": "symfony/deprecation-contracts", - "version": "v2.5.1", + "version": "v2.5.2", "source": { "type": "git", "url": "https://github.com/symfony/deprecation-contracts.git", @@ -1435,7 +1441,7 @@ "description": "A generic function and convention to trigger deprecation notices", "homepage": "https://symfony.com", "support": { - "source": "https://github.com/symfony/deprecation-contracts/tree/v2.5.1" + "source": "https://github.com/symfony/deprecation-contracts/tree/v2.5.2" }, "funding": [ { @@ -1455,16 +1461,16 @@ }, { "name": "symfony/error-handler", - "version": "v5.4.9", + "version": "v5.4.11", "source": { "type": "git", "url": "https://github.com/symfony/error-handler.git", - "reference": "c116cda1f51c678782768dce89a45f13c949455d" + "reference": "f75d17cb4769eb38cd5fccbda95cd80a054d35c8" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/symfony/error-handler/zipball/c116cda1f51c678782768dce89a45f13c949455d", - "reference": "c116cda1f51c678782768dce89a45f13c949455d", + "url": "https://api.github.com/repos/symfony/error-handler/zipball/f75d17cb4769eb38cd5fccbda95cd80a054d35c8", + "reference": "f75d17cb4769eb38cd5fccbda95cd80a054d35c8", "shasum": "" }, "require": { @@ -1506,7 +1512,7 @@ "description": "Provides tools to manage errors and ease debugging PHP code", "homepage": "https://symfony.com", "support": { - "source": "https://github.com/symfony/error-handler/tree/v5.4.9" + "source": "https://github.com/symfony/error-handler/tree/v5.4.11" }, "funding": [ { @@ -1522,7 +1528,7 @@ "type": "tidelift" } ], - "time": "2022-05-21T13:57:48+00:00" + "time": "2022-07-29T07:37:50+00:00" }, { "name": "symfony/event-dispatcher", @@ -1611,7 +1617,7 @@ }, { "name": "symfony/event-dispatcher-contracts", - "version": "v2.5.1", + "version": "v2.5.2", "source": { "type": "git", "url": "https://github.com/symfony/event-dispatcher-contracts.git", @@ -1670,7 +1676,7 @@ "standards" ], "support": { - "source": "https://github.com/symfony/event-dispatcher-contracts/tree/v2.5.1" + "source": "https://github.com/symfony/event-dispatcher-contracts/tree/v2.5.2" }, "funding": [ { @@ -1690,16 +1696,16 @@ }, { "name": "symfony/filesystem", - "version": "v5.4.9", + "version": "v5.4.11", "source": { "type": "git", "url": "https://github.com/symfony/filesystem.git", - "reference": "36a017fa4cce1eff1b8e8129ff53513abcef05ba" + "reference": "6699fb0228d1bc35b12aed6dd5e7455457609ddd" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/symfony/filesystem/zipball/36a017fa4cce1eff1b8e8129ff53513abcef05ba", - "reference": "36a017fa4cce1eff1b8e8129ff53513abcef05ba", + "url": "https://api.github.com/repos/symfony/filesystem/zipball/6699fb0228d1bc35b12aed6dd5e7455457609ddd", + "reference": "6699fb0228d1bc35b12aed6dd5e7455457609ddd", "shasum": "" }, "require": { @@ -1734,7 +1740,7 @@ "description": "Provides basic utilities for the filesystem", "homepage": "https://symfony.com", "support": { - "source": "https://github.com/symfony/filesystem/tree/v5.4.9" + "source": "https://github.com/symfony/filesystem/tree/v5.4.11" }, "funding": [ { @@ -1750,20 +1756,20 @@ "type": "tidelift" } ], - "time": "2022-05-20T13:55:35+00:00" + "time": "2022-07-20T13:00:38+00:00" }, { "name": "symfony/http-foundation", - "version": "v5.4.9", + "version": "v5.4.11", "source": { "type": "git", "url": "https://github.com/symfony/http-foundation.git", - "reference": "6b0d0e4aca38d57605dcd11e2416994b38774522" + "reference": "0a5868e0999e9d47859ba3d918548ff6943e6389" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/symfony/http-foundation/zipball/6b0d0e4aca38d57605dcd11e2416994b38774522", - "reference": "6b0d0e4aca38d57605dcd11e2416994b38774522", + "url": "https://api.github.com/repos/symfony/http-foundation/zipball/0a5868e0999e9d47859ba3d918548ff6943e6389", + "reference": "0a5868e0999e9d47859ba3d918548ff6943e6389", "shasum": "" }, "require": { @@ -1807,7 +1813,7 @@ "description": "Defines an object-oriented layer for the HTTP specification", "homepage": "https://symfony.com", "support": { - "source": "https://github.com/symfony/http-foundation/tree/v5.4.9" + "source": "https://github.com/symfony/http-foundation/tree/v5.4.11" }, "funding": [ { @@ -1823,20 +1829,20 @@ "type": "tidelift" } ], - "time": "2022-05-17T15:07:29+00:00" + "time": "2022-07-20T13:00:38+00:00" }, { "name": "symfony/http-kernel", - "version": "v5.4.9", + "version": "v5.4.11", "source": { "type": "git", "url": "https://github.com/symfony/http-kernel.git", - "reference": "34b121ad3dc761f35fe1346d2f15618f8cbf77f8" + "reference": "4fd590a2ef3f62560dbbf6cea511995dd77321ee" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/symfony/http-kernel/zipball/34b121ad3dc761f35fe1346d2f15618f8cbf77f8", - "reference": "34b121ad3dc761f35fe1346d2f15618f8cbf77f8", + "url": "https://api.github.com/repos/symfony/http-kernel/zipball/4fd590a2ef3f62560dbbf6cea511995dd77321ee", + "reference": "4fd590a2ef3f62560dbbf6cea511995dd77321ee", "shasum": "" }, "require": { @@ -1919,7 +1925,7 @@ "description": "Provides a structured process for converting a Request into a Response", "homepage": "https://symfony.com", "support": { - "source": "https://github.com/symfony/http-kernel/tree/v5.4.9" + "source": "https://github.com/symfony/http-kernel/tree/v5.4.11" }, "funding": [ { @@ -1935,20 +1941,20 @@ "type": "tidelift" } ], - "time": "2022-05-27T07:09:08+00:00" + "time": "2022-07-29T12:30:22+00:00" }, { "name": "symfony/password-hasher", - "version": "v5.4.8", + "version": "v5.4.11", "source": { "type": "git", "url": "https://github.com/symfony/password-hasher.git", - "reference": "bc9c982b25c0292aa4e009b3e9cc9835e4d1e94f" + "reference": "b0169ed8f09a4ae39eb119218ea1685079a9b179" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/symfony/password-hasher/zipball/bc9c982b25c0292aa4e009b3e9cc9835e4d1e94f", - "reference": "bc9c982b25c0292aa4e009b3e9cc9835e4d1e94f", + "url": "https://api.github.com/repos/symfony/password-hasher/zipball/b0169ed8f09a4ae39eb119218ea1685079a9b179", + "reference": "b0169ed8f09a4ae39eb119218ea1685079a9b179", "shasum": "" }, "require": { @@ -1992,7 +1998,7 @@ "password" ], "support": { - "source": "https://github.com/symfony/password-hasher/tree/v5.4.8" + "source": "https://github.com/symfony/password-hasher/tree/v5.4.11" }, "funding": [ { @@ -2008,7 +2014,7 @@ "type": "tidelift" } ], - "time": "2022-04-15T13:57:25+00:00" + "time": "2022-07-20T13:00:38+00:00" }, { "name": "symfony/polyfill-ctype", @@ -2092,6 +2098,89 @@ ], "time": "2022-05-24T11:49:31+00:00" }, + { + "name": "symfony/polyfill-iconv", + "version": "v1.26.0", + "source": { + "type": "git", + "url": "https://github.com/symfony/polyfill-iconv.git", + "reference": "143f1881e655bebca1312722af8068de235ae5dc" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/symfony/polyfill-iconv/zipball/143f1881e655bebca1312722af8068de235ae5dc", + "reference": "143f1881e655bebca1312722af8068de235ae5dc", + "shasum": "" + }, + "require": { + "php": ">=7.1" + }, + "provide": { + "ext-iconv": "*" + }, + "suggest": { + "ext-iconv": "For best performance" + }, + "type": "library", + "extra": { + "branch-alias": { + "dev-main": "1.26-dev" + }, + "thanks": { + "name": "symfony/polyfill", + "url": "https://github.com/symfony/polyfill" + } + }, + "autoload": { + "files": [ + "bootstrap.php" + ], + "psr-4": { + "Symfony\\Polyfill\\Iconv\\": "" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Nicolas Grekas", + "email": "p@tchwork.com" + }, + { + "name": "Symfony Community", + "homepage": "https://symfony.com/contributors" + } + ], + "description": "Symfony polyfill for the Iconv extension", + "homepage": "https://symfony.com", + "keywords": [ + "compatibility", + "iconv", + "polyfill", + "portable", + "shim" + ], + "support": { + "source": "https://github.com/symfony/polyfill-iconv/tree/v1.26.0" + }, + "funding": [ + { + "url": "https://symfony.com/sponsor", + "type": "custom" + }, + { + "url": "https://github.com/fabpot", + "type": "github" + }, + { + "url": "https://tidelift.com/funding/github/packagist/symfony/symfony", + "type": "tidelift" + } + ], + "time": "2022-05-24T11:49:31+00:00" + }, { "name": "symfony/polyfill-intl-grapheme", "version": "v1.26.0", @@ -2340,6 +2429,82 @@ ], "time": "2022-05-24T11:49:31+00:00" }, + { + "name": "symfony/polyfill-php72", + "version": "v1.26.0", + "source": { + "type": "git", + "url": "https://github.com/symfony/polyfill-php72.git", + "reference": "bf44a9fd41feaac72b074de600314a93e2ae78e2" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/symfony/polyfill-php72/zipball/bf44a9fd41feaac72b074de600314a93e2ae78e2", + "reference": "bf44a9fd41feaac72b074de600314a93e2ae78e2", + "shasum": "" + }, + "require": { + "php": ">=7.1" + }, + "type": "library", + "extra": { + "branch-alias": { + "dev-main": "1.26-dev" + }, + "thanks": { + "name": "symfony/polyfill", + "url": "https://github.com/symfony/polyfill" + } + }, + "autoload": { + "files": [ + "bootstrap.php" + ], + "psr-4": { + "Symfony\\Polyfill\\Php72\\": "" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Nicolas Grekas", + "email": "p@tchwork.com" + }, + { + "name": "Symfony Community", + "homepage": "https://symfony.com/contributors" + } + ], + "description": "Symfony polyfill backporting some PHP 7.2+ features to lower PHP versions", + "homepage": "https://symfony.com", + "keywords": [ + "compatibility", + "polyfill", + "portable", + "shim" + ], + "support": { + "source": "https://github.com/symfony/polyfill-php72/tree/v1.26.0" + }, + "funding": [ + { + "url": "https://symfony.com/sponsor", + "type": "custom" + }, + { + "url": "https://github.com/fabpot", + "type": "github" + }, + { + "url": "https://tidelift.com/funding/github/packagist/symfony/symfony", + "type": "tidelift" + } + ], + "time": "2022-05-24T11:49:31+00:00" + }, { "name": "symfony/polyfill-php73", "version": "v1.26.0", @@ -2583,16 +2748,16 @@ }, { "name": "symfony/routing", - "version": "v5.4.8", + "version": "v5.4.11", "source": { "type": "git", "url": "https://github.com/symfony/routing.git", - "reference": "e07817bb6244ea33ef5ad31abc4a9288bef3f2f7" + "reference": "3e01ccd9b2a3a4167ba2b3c53612762300300226" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/symfony/routing/zipball/e07817bb6244ea33ef5ad31abc4a9288bef3f2f7", - "reference": "e07817bb6244ea33ef5ad31abc4a9288bef3f2f7", + "url": "https://api.github.com/repos/symfony/routing/zipball/3e01ccd9b2a3a4167ba2b3c53612762300300226", + "reference": "3e01ccd9b2a3a4167ba2b3c53612762300300226", "shasum": "" }, "require": { @@ -2653,7 +2818,7 @@ "url" ], "support": { - "source": "https://github.com/symfony/routing/tree/v5.4.8" + "source": "https://github.com/symfony/routing/tree/v5.4.11" }, "funding": [ { @@ -2669,20 +2834,20 @@ "type": "tidelift" } ], - "time": "2022-04-18T21:45:37+00:00" + "time": "2022-07-20T13:00:38+00:00" }, { "name": "symfony/security-core", - "version": "v5.4.8", + "version": "v5.4.11", "source": { "type": "git", "url": "https://github.com/symfony/security-core.git", - "reference": "4540ecb8ae82cc46d9580672888597f481ff0440" + "reference": "25d14fa47f9efa084d3c23d0ae3b2624d2ad9e92" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/symfony/security-core/zipball/4540ecb8ae82cc46d9580672888597f481ff0440", - "reference": "4540ecb8ae82cc46d9580672888597f481ff0440", + "url": "https://api.github.com/repos/symfony/security-core/zipball/25d14fa47f9efa084d3c23d0ae3b2624d2ad9e92", + "reference": "25d14fa47f9efa084d3c23d0ae3b2624d2ad9e92", "shasum": "" }, "require": { @@ -2746,7 +2911,7 @@ "description": "Symfony Security Component - Core Library", "homepage": "https://symfony.com", "support": { - "source": "https://github.com/symfony/security-core/tree/v5.4.8" + "source": "https://github.com/symfony/security-core/tree/v5.4.11" }, "funding": [ { @@ -2762,20 +2927,20 @@ "type": "tidelift" } ], - "time": "2022-04-15T08:07:45+00:00" + "time": "2022-07-20T13:00:38+00:00" }, { "name": "symfony/security-csrf", - "version": "v5.4.9", + "version": "v5.4.11", "source": { "type": "git", "url": "https://github.com/symfony/security-csrf.git", - "reference": "ac64013bba1c7a6555b3dc4e701f058cf9f7eb64" + "reference": "b97ab244b6dda80abb84a4a236d682871695db4a" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/symfony/security-csrf/zipball/ac64013bba1c7a6555b3dc4e701f058cf9f7eb64", - "reference": "ac64013bba1c7a6555b3dc4e701f058cf9f7eb64", + "url": "https://api.github.com/repos/symfony/security-csrf/zipball/b97ab244b6dda80abb84a4a236d682871695db4a", + "reference": "b97ab244b6dda80abb84a4a236d682871695db4a", "shasum": "" }, "require": { @@ -2818,7 +2983,7 @@ "description": "Symfony Security Component - CSRF Library", "homepage": "https://symfony.com", "support": { - "source": "https://github.com/symfony/security-csrf/tree/v5.4.9" + "source": "https://github.com/symfony/security-csrf/tree/v5.4.11" }, "funding": [ { @@ -2834,20 +2999,20 @@ "type": "tidelift" } ], - "time": "2022-05-11T16:54:42+00:00" + "time": "2022-07-20T13:00:38+00:00" }, { "name": "symfony/service-contracts", - "version": "v2.5.1", + "version": "v2.5.2", "source": { "type": "git", "url": "https://github.com/symfony/service-contracts.git", - "reference": "24d9dc654b83e91aa59f9d167b131bc3b5bea24c" + "reference": "4b426aac47d6427cc1a1d0f7e2ac724627f5966c" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/symfony/service-contracts/zipball/24d9dc654b83e91aa59f9d167b131bc3b5bea24c", - "reference": "24d9dc654b83e91aa59f9d167b131bc3b5bea24c", + "url": "https://api.github.com/repos/symfony/service-contracts/zipball/4b426aac47d6427cc1a1d0f7e2ac724627f5966c", + "reference": "4b426aac47d6427cc1a1d0f7e2ac724627f5966c", "shasum": "" }, "require": { @@ -2901,7 +3066,7 @@ "standards" ], "support": { - "source": "https://github.com/symfony/service-contracts/tree/v2.5.1" + "source": "https://github.com/symfony/service-contracts/tree/v2.5.2" }, "funding": [ { @@ -2917,20 +3082,20 @@ "type": "tidelift" } ], - "time": "2022-03-13T20:07:29+00:00" + "time": "2022-05-30T19:17:29+00:00" }, { "name": "symfony/string", - "version": "v5.4.9", + "version": "v5.4.11", "source": { "type": "git", "url": "https://github.com/symfony/string.git", - "reference": "985e6a9703ef5ce32ba617c9c7d97873bb7b2a99" + "reference": "5eb661e49ad389e4ae2b6e4df8d783a8a6548322" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/symfony/string/zipball/985e6a9703ef5ce32ba617c9c7d97873bb7b2a99", - "reference": "985e6a9703ef5ce32ba617c9c7d97873bb7b2a99", + "url": "https://api.github.com/repos/symfony/string/zipball/5eb661e49ad389e4ae2b6e4df8d783a8a6548322", + "reference": "5eb661e49ad389e4ae2b6e4df8d783a8a6548322", "shasum": "" }, "require": { @@ -2987,7 +3152,7 @@ "utf8" ], "support": { - "source": "https://github.com/symfony/string/tree/v5.4.9" + "source": "https://github.com/symfony/string/tree/v5.4.11" }, "funding": [ { @@ -3003,20 +3168,20 @@ "type": "tidelift" } ], - "time": "2022-04-19T10:40:37+00:00" + "time": "2022-07-24T16:15:25+00:00" }, { "name": "symfony/translation", - "version": "v5.4.9", + "version": "v5.4.11", "source": { "type": "git", "url": "https://github.com/symfony/translation.git", - "reference": "1639abc1177d26bcd4320e535e664cef067ab0ca" + "reference": "7a1a8f6bbff269f434a83343a0a5d36a4f8cfa21" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/symfony/translation/zipball/1639abc1177d26bcd4320e535e664cef067ab0ca", - "reference": "1639abc1177d26bcd4320e535e664cef067ab0ca", + "url": "https://api.github.com/repos/symfony/translation/zipball/7a1a8f6bbff269f434a83343a0a5d36a4f8cfa21", + "reference": "7a1a8f6bbff269f434a83343a0a5d36a4f8cfa21", "shasum": "" }, "require": { @@ -3084,7 +3249,7 @@ "description": "Provides tools to internationalize your application", "homepage": "https://symfony.com", "support": { - "source": "https://github.com/symfony/translation/tree/v5.4.9" + "source": "https://github.com/symfony/translation/tree/v5.4.11" }, "funding": [ { @@ -3100,20 +3265,20 @@ "type": "tidelift" } ], - "time": "2022-05-06T12:33:37+00:00" + "time": "2022-07-20T13:00:38+00:00" }, { "name": "symfony/translation-contracts", - "version": "v2.5.1", + "version": "v2.5.2", "source": { "type": "git", "url": "https://github.com/symfony/translation-contracts.git", - "reference": "1211df0afa701e45a04253110e959d4af4ef0f07" + "reference": "136b19dd05cdf0709db6537d058bcab6dd6e2dbe" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/symfony/translation-contracts/zipball/1211df0afa701e45a04253110e959d4af4ef0f07", - "reference": "1211df0afa701e45a04253110e959d4af4ef0f07", + "url": "https://api.github.com/repos/symfony/translation-contracts/zipball/136b19dd05cdf0709db6537d058bcab6dd6e2dbe", + "reference": "136b19dd05cdf0709db6537d058bcab6dd6e2dbe", "shasum": "" }, "require": { @@ -3162,7 +3327,7 @@ "standards" ], "support": { - "source": "https://github.com/symfony/translation-contracts/tree/v2.5.1" + "source": "https://github.com/symfony/translation-contracts/tree/v2.5.2" }, "funding": [ { @@ -3178,20 +3343,20 @@ "type": "tidelift" } ], - "time": "2022-01-02T09:53:40+00:00" + "time": "2022-06-27T16:58:25+00:00" }, { "name": "symfony/var-dumper", - "version": "v5.4.9", + "version": "v5.4.11", "source": { "type": "git", "url": "https://github.com/symfony/var-dumper.git", - "reference": "af52239a330fafd192c773795520dc2dd62b5657" + "reference": "b8f306d7b8ef34fb3db3305be97ba8e088fb4861" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/symfony/var-dumper/zipball/af52239a330fafd192c773795520dc2dd62b5657", - "reference": "af52239a330fafd192c773795520dc2dd62b5657", + "url": "https://api.github.com/repos/symfony/var-dumper/zipball/b8f306d7b8ef34fb3db3305be97ba8e088fb4861", + "reference": "b8f306d7b8ef34fb3db3305be97ba8e088fb4861", "shasum": "" }, "require": { @@ -3251,7 +3416,7 @@ "dump" ], "support": { - "source": "https://github.com/symfony/var-dumper/tree/v5.4.9" + "source": "https://github.com/symfony/var-dumper/tree/v5.4.11" }, "funding": [ { @@ -3267,20 +3432,20 @@ "type": "tidelift" } ], - "time": "2022-05-21T10:24:18+00:00" + "time": "2022-07-20T13:00:38+00:00" }, { "name": "symfony/yaml", - "version": "v5.4.3", + "version": "v5.4.11", "source": { "type": "git", "url": "https://github.com/symfony/yaml.git", - "reference": "e80f87d2c9495966768310fc531b487ce64237a2" + "reference": "05d4ea560f3402c6c116afd99fdc66e60eda227e" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/symfony/yaml/zipball/e80f87d2c9495966768310fc531b487ce64237a2", - "reference": "e80f87d2c9495966768310fc531b487ce64237a2", + "url": "https://api.github.com/repos/symfony/yaml/zipball/05d4ea560f3402c6c116afd99fdc66e60eda227e", + "reference": "05d4ea560f3402c6c116afd99fdc66e60eda227e", "shasum": "" }, "require": { @@ -3326,7 +3491,7 @@ "description": "Loads and dumps YAML files", "homepage": "https://symfony.com", "support": { - "source": "https://github.com/symfony/yaml/tree/v5.4.3" + "source": "https://github.com/symfony/yaml/tree/v5.4.11" }, "funding": [ { @@ -3342,7 +3507,7 @@ "type": "tidelift" } ], - "time": "2022-01-26T16:32:32+00:00" + "time": "2022-06-27T16:58:25+00:00" }, { "name": "tamtamchik/simple-flash", @@ -3483,18 +3648,101 @@ ], "time": "2022-05-17T05:48:52+00:00" }, + { + "name": "voku/anti-xss", + "version": "4.1.39", + "source": { + "type": "git", + "url": "https://github.com/voku/anti-xss.git", + "reference": "64a59ba4744e6722866ff3440d93561da9e85cd0" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/voku/anti-xss/zipball/64a59ba4744e6722866ff3440d93561da9e85cd0", + "reference": "64a59ba4744e6722866ff3440d93561da9e85cd0", + "shasum": "" + }, + "require": { + "php": ">=7.0.0", + "voku/portable-utf8": "~6.0.2" + }, + "require-dev": { + "phpunit/phpunit": "~6.0 || ~7.0 || ~9.0" + }, + "type": "library", + "extra": { + "branch-alias": { + "dev-master": "4.1.x-dev" + } + }, + "autoload": { + "psr-4": { + "voku\\helper\\": "src/voku/helper/" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "EllisLab Dev Team", + "homepage": "http://ellislab.com/" + }, + { + "name": "Lars Moelleken", + "email": "lars@moelleken.org", + "homepage": "https://www.moelleken.org/" + } + ], + "description": "anti xss-library", + "homepage": "https://github.com/voku/anti-xss", + "keywords": [ + "anti-xss", + "clean", + "security", + "xss" + ], + "support": { + "issues": "https://github.com/voku/anti-xss/issues", + "source": "https://github.com/voku/anti-xss/tree/4.1.39" + }, + "funding": [ + { + "url": "https://www.paypal.me/moelleken", + "type": "custom" + }, + { + "url": "https://github.com/voku", + "type": "github" + }, + { + "url": "https://opencollective.com/anti-xss", + "type": "open_collective" + }, + { + "url": "https://www.patreon.com/voku", + "type": "patreon" + }, + { + "url": "https://tidelift.com/funding/github/packagist/voku/anti-xss", + "type": "tidelift" + } + ], + "time": "2022-03-08T17:03:58+00:00" + }, { "name": "voku/portable-ascii", - "version": "1.6.1", + "version": "2.0.1", "source": { "type": "git", "url": "https://github.com/voku/portable-ascii.git", - "reference": "87337c91b9dfacee02452244ee14ab3c43bc485a" + "reference": "b56450eed252f6801410d810c8e1727224ae0743" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/voku/portable-ascii/zipball/87337c91b9dfacee02452244ee14ab3c43bc485a", - "reference": "87337c91b9dfacee02452244ee14ab3c43bc485a", + "url": "https://api.github.com/repos/voku/portable-ascii/zipball/b56450eed252f6801410d810c8e1727224ae0743", + "reference": "b56450eed252f6801410d810c8e1727224ae0743", "shasum": "" }, "require": { @@ -3531,7 +3779,7 @@ ], "support": { "issues": "https://github.com/voku/portable-ascii/issues", - "source": "https://github.com/voku/portable-ascii/tree/1.6.1" + "source": "https://github.com/voku/portable-ascii/tree/2.0.1" }, "funding": [ { @@ -3555,7 +3803,106 @@ "type": "tidelift" } ], - "time": "2022-01-24T18:55:24+00:00" + "time": "2022-03-08T17:03:00+00:00" + }, + { + "name": "voku/portable-utf8", + "version": "6.0.4", + "source": { + "type": "git", + "url": "https://github.com/voku/portable-utf8.git", + "reference": "f6c78e492520115bb2d947c3a0d90a2c6b7a60a8" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/voku/portable-utf8/zipball/f6c78e492520115bb2d947c3a0d90a2c6b7a60a8", + "reference": "f6c78e492520115bb2d947c3a0d90a2c6b7a60a8", + "shasum": "" + }, + "require": { + "php": ">=7.0.0", + "symfony/polyfill-iconv": "~1.0", + "symfony/polyfill-intl-grapheme": "~1.0", + "symfony/polyfill-intl-normalizer": "~1.0", + "symfony/polyfill-mbstring": "~1.0", + "symfony/polyfill-php72": "~1.0", + "voku/portable-ascii": "~2.0.0" + }, + "require-dev": { + "phpunit/phpunit": "~6.0 || ~7.0 || ~9.0" + }, + "suggest": { + "ext-ctype": "Use Ctype for e.g. hexadecimal digit detection", + "ext-fileinfo": "Use Fileinfo for better binary file detection", + "ext-iconv": "Use iconv for best performance", + "ext-intl": "Use Intl for best performance", + "ext-json": "Use JSON for string detection", + "ext-mbstring": "Use Mbstring for best performance" + }, + "type": "library", + "autoload": { + "files": [ + "bootstrap.php" + ], + "psr-4": { + "voku\\": "src/voku/" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "(Apache-2.0 or GPL-2.0)" + ], + "authors": [ + { + "name": "Nicolas Grekas", + "email": "p@tchwork.com" + }, + { + "name": "Hamid Sarfraz", + "homepage": "http://pageconfig.com/" + }, + { + "name": "Lars Moelleken", + "homepage": "http://www.moelleken.org/" + } + ], + "description": "Portable UTF-8 library - performance optimized (unicode) string functions for php.", + "homepage": "https://github.com/voku/portable-utf8", + "keywords": [ + "UTF", + "clean", + "php", + "unicode", + "utf-8", + "utf8" + ], + "support": { + "issues": "https://github.com/voku/portable-utf8/issues", + "source": "https://github.com/voku/portable-utf8/tree/6.0.4" + }, + "funding": [ + { + "url": "https://www.paypal.me/moelleken", + "type": "custom" + }, + { + "url": "https://github.com/voku", + "type": "github" + }, + { + "url": "https://opencollective.com/portable-utf8", + "type": "open_collective" + }, + { + "url": "https://www.patreon.com/voku", + "type": "patreon" + }, + { + "url": "https://tidelift.com/funding/github/packagist/voku/portable-utf8", + "type": "tidelift" + } + ], + "time": "2022-03-08T17:04:59+00:00" }, { "name": "voku/stop-words", @@ -3606,16 +3953,16 @@ }, { "name": "yeswiki/theme-margot", - "version": "v1.0.3", + "version": "v1.0.4", "source": { "type": "git", "url": "https://github.com/YesWiki/yeswiki-theme-margot.git", - "reference": "80667b93e1f7436170a7dca1b6e970b7fcca1912" + "reference": "c781726ef4f56c95430463af89c9f56c6a9a3233" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/YesWiki/yeswiki-theme-margot/zipball/80667b93e1f7436170a7dca1b6e970b7fcca1912", - "reference": "80667b93e1f7436170a7dca1b6e970b7fcca1912", + "url": "https://api.github.com/repos/YesWiki/yeswiki-theme-margot/zipball/c781726ef4f56c95430463af89c9f56c6a9a3233", + "reference": "c781726ef4f56c95430463af89c9f56c6a9a3233", "shasum": "" }, "require": { @@ -3631,9 +3978,9 @@ ], "support": { "issues": "https://github.com/YesWiki/yeswiki-theme-margot/issues", - "source": "https://github.com/YesWiki/yeswiki-theme-margot/tree/v1.0.3" + "source": "https://github.com/YesWiki/yeswiki-theme-margot/tree/v1.0.4" }, - "time": "2022-03-24T11:22:56+00:00" + "time": "2022-07-09T08:47:25+00:00" } ], "packages-dev": [ @@ -4480,16 +4827,16 @@ }, { "name": "phpunit/phpunit", - "version": "9.5.20", + "version": "9.5.21", "source": { "type": "git", "url": "https://github.com/sebastianbergmann/phpunit.git", - "reference": "12bc8879fb65aef2138b26fc633cb1e3620cffba" + "reference": "0e32b76be457de00e83213528f6bb37e2a38fcb1" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/sebastianbergmann/phpunit/zipball/12bc8879fb65aef2138b26fc633cb1e3620cffba", - "reference": "12bc8879fb65aef2138b26fc633cb1e3620cffba", + "url": "https://api.github.com/repos/sebastianbergmann/phpunit/zipball/0e32b76be457de00e83213528f6bb37e2a38fcb1", + "reference": "0e32b76be457de00e83213528f6bb37e2a38fcb1", "shasum": "" }, "require": { @@ -4523,7 +4870,6 @@ "sebastian/version": "^3.0.2" }, "require-dev": { - "ext-pdo": "*", "phpspec/prophecy-phpunit": "^2.0.1" }, "suggest": { @@ -4567,7 +4913,7 @@ ], "support": { "issues": "https://github.com/sebastianbergmann/phpunit/issues", - "source": "https://github.com/sebastianbergmann/phpunit/tree/9.5.20" + "source": "https://github.com/sebastianbergmann/phpunit/tree/9.5.21" }, "funding": [ { @@ -4579,7 +4925,7 @@ "type": "github" } ], - "time": "2022-04-01T12:37:26+00:00" + "time": "2022-06-19T12:14:25+00:00" }, { "name": "sebastian/cli-parser", diff --git a/includes/services/HtmlPurifierService.php b/includes/services/HtmlPurifierService.php index c70de2d27..7281c47d0 100644 --- a/includes/services/HtmlPurifierService.php +++ b/includes/services/HtmlPurifierService.php @@ -4,6 +4,9 @@ use HTMLPurifier; use HTMLPurifier_Config; +use enshrined\svgSanitize\Sanitizer; +use voku\helper\AntiXSS; +use YesWiki\Core\Service\LinkTracker; use Symfony\Component\DependencyInjection\ParameterBag\ParameterBagInterface; use YesWiki\Security\Controller\SecurityController; use YesWiki\Wiki; @@ -13,12 +16,14 @@ class HtmlPurifierService protected $params; protected $wiki; private $purifier; + private $antixss; public function __construct(Wiki $wiki, ParameterBagInterface $params) { $this->params = $params; $this->wiki = $wiki; $this->purifier = null; + $this->antixss = null; } /** @@ -32,20 +37,40 @@ public function cleanHTML(string $dirty_html): string return $dirty_html; } if (is_null($this->purifier)) { - $this->load(); + $config = HTMLPurifier_Config::createDefault(); + + //add extra attributes for links in new tab + $config->set( 'HTML.Allowed', 'a[href|target]'); + $config->set('Attr.AllowedFrameTargets', array('_blank')); + + $this->purifier = new HTMLPurifier($config); } return $this->purifier->purify($dirty_html); } - private function load() + /** + * load a anti XSS if necessary + * search for XSS scripts and clean content + */ + public function cleanXSS(string $dirtyContent): string { - $config = HTMLPurifier_Config::createDefault(); - - //add extra attributes for links in new tab - $config->set( 'HTML.Allowed', 'a[href|target]'); - $config->set('Attr.AllowedFrameTargets', array('_blank')); + if (!$this->params->get('htmlPurifierActivated')) { + return $dirtyContent; + } + if (is_null($this->antixss)) { + $this->antiXss = new AntiXSS(); + } + return $this->antiXss->xss_clean($dirtyContent); + } - $this->purifier = new HTMLPurifier($config); + /** + * @param string $content of svg + * @return string $content + */ + public function sanitizeSVG(string $content): string + { + $sanitizer = new Sanitizer(); + return $sanitizer->sanitize($content); } } diff --git a/tools/attach/config.yaml b/tools/attach/config.yaml index 21a204fd0..16dc96121 100644 --- a/tools/attach/config.yaml +++ b/tools/attach/config.yaml @@ -96,7 +96,7 @@ parameters: xls: 'Excel' xlsx: 'Excel' xlsm: 'Excel' - # xml: 'XML' # TODO find a way to sanitize xml before saving + xml: 'XML' yaml: 'YAML' zip: 'Zip' # Open Document diff --git a/tools/attach/libs/attach.lib.php b/tools/attach/libs/attach.lib.php index 546b71f85..4469b71a8 100644 --- a/tools/attach/libs/attach.lib.php +++ b/tools/attach/libs/attach.lib.php @@ -34,9 +34,9 @@ # voir actions/attach.php ppour la documentation # copyrigth Eric Feldstein 2003-2004 -use enshrined\svgSanitize\Sanitizer; use Symfony\Component\DependencyInjection\ParameterBag\ParameterBagInterface; use YesWiki\Core\Service\LinkTracker; +use YesWiki\Core\Service\HtmlPurifierService; if (!defined("WIKINI_VERSION")) { die("accès direct interdit"); @@ -765,8 +765,8 @@ public function performUpload() $srcFile = $_FILES['upFile']['tmp_name']; if (move_uploaded_file($srcFile, $destFile)) { chmod($destFile, 0644); - if ($ext === "svg") { - $this->sanitizeSVGfile($destFile); + if ($ext === 'svg' || $ext === 'xml') { + $this->sanitizefile($destFile, $ext); } header("Location: " . $this->wiki->href("", $this->wiki->GetPageTag(), "")); } else { @@ -1159,23 +1159,19 @@ public function redimensionner_image($image_src, $image_dest, $largeur, $hauteur } } - /** - * @param string $content of svg - * @return string $content - */ - public function sanitizeSVG(string $content): string - { - $sanitizer = new Sanitizer(); - return $sanitizer->sanitize($content); - } - /** * @param string $filePath svg */ - public function sanitizeSVGfile(string $filePath) + public function sanitizeFile(string $filePath, string $ext) { + $purifier = $this->wiki->services->get(HtmlPurifierService::class); $content = file_get_contents($filePath); - file_put_contents($filePath, $this->sanitizeSVG($content)); + if ($ext === 'svg') { + file_put_contents($filePath, $purifier->sanitizeSVG($content)); + } elseif ($ext === 'xml') { + file_put_contents($filePath, $purifier->cleanXSS($content)); + } + } } } diff --git a/tools/attach/libs/qq.lib.php b/tools/attach/libs/qq.lib.php index 0f3e73a92..ed6181945 100644 --- a/tools/attach/libs/qq.lib.php +++ b/tools/attach/libs/qq.lib.php @@ -1,6 +1,7 @@ file->save($fullfilename)) { chmod($fullfilename, 0664); // fix file permissions to be sure to be able to write on exotic servers configurations - if ($ext === "svg") { - $attach->sanitizeSVGfile($fullfilename); + //TODO : refactor this with attach + $purifier = $GLOBALS['wiki']->services->get(HtmlPurifierService::class); + $content = file_get_contents($fullfilename); + if ($ext === 'svg') { + file_put_contents($fullfilename, $purifier->sanitizeSVG($content)); + } elseif ($ext === 'xml') { + file_put_contents($fullfilename, $purifier->cleanXSS($content)); } return array_map('utf8_encode', array('success'=>true, 'filename'=>$fullfilename, 'simplefilename'=>$filename . '.' . $ext, 'extension'=>$ext)); } else {