Url with XSS could be added to CKEditor input #1178

Admidio · Jan 20, 2022 · 5141fdd · 5141fdd
1 parent 35be0d6
commit 5141fdd
Show file tree

Hide file tree

Showing 17 changed files with 39 additions and 1,675 deletions.
diff --git a/README.md b/README.md
@@ -143,7 +143,7 @@ and sharing great software.
 - [Cookie Consent](https://cookieconsent.insites.com/): The most popular solution to the EU cookie law
 - [Datatables](https://www.datatables.net/): Table plugin for jQuery
 - [Font Awesome](https://fontawesome.com/): Vector icons and social logos
-- [htmLawed](https://github.com/vanilla/htmlawed/): PHP code to purify & filter HTML
+- [HTML Purifier](http://htmlpurifier.org/): PHP code to purify & filter HTML
 - [James Heinrich](http://www.silisoftware.com/): backupDB
 - [jQuery](https://jquery.com/): JavaScript-Library
 - [jQuery-File-Upload](https://blueimp.github.io/jQuery-File-Upload/): jQuery file upload plugin

diff --git a/adm_program/libs/server/composer/autoload_classmap.php b/adm_program/libs/server/composer/autoload_classmap.php
@@ -34,7 +34,6 @@
     'HtmlPageInstallation' => $baseDir . '/adm_program/system/classes/HtmlPageInstallation.php',
     'HtmlTable' => $baseDir . '/adm_program/system/classes/HtmlTable.php',
     'HtmlTableBasic' => $baseDir . '/adm_program/system/classes/HtmlTableBasic.php',
-    'Htmlawed' => $vendorDir . '/vanilla/htmlawed/src/Htmlawed.php',
     'Image' => $baseDir . '/adm_program/system/classes/Image.php',
     'Language' => $baseDir . '/adm_program/system/classes/Language.php',
     'LanguageData' => $baseDir . '/adm_program/system/classes/LanguageData.php',

diff --git a/adm_program/libs/server/composer/autoload_static.php b/adm_program/libs/server/composer/autoload_static.php
@@ -175,7 +175,6 @@ class ComposerStaticInitc301026038c71b1da7db13211002b5b3
         'HtmlPageInstallation' => __DIR__ . '/../../../..' . '/adm_program/system/classes/HtmlPageInstallation.php',
         'HtmlTable' => __DIR__ . '/../../../..' . '/adm_program/system/classes/HtmlTable.php',
         'HtmlTableBasic' => __DIR__ . '/../../../..' . '/adm_program/system/classes/HtmlTableBasic.php',
-        'Htmlawed' => __DIR__ . '/..' . '/vanilla/htmlawed/src/Htmlawed.php',
         'Image' => __DIR__ . '/../../../..' . '/adm_program/system/classes/Image.php',
         'Language' => __DIR__ . '/../../../..' . '/adm_program/system/classes/Language.php',
         'LanguageData' => __DIR__ . '/../../../..' . '/adm_program/system/classes/LanguageData.php',

diff --git a/adm_program/libs/server/composer/installed.json b/adm_program/libs/server/composer/installed.json
@@ -1281,17 +1281,17 @@
         },
         {
             "name": "smarty/smarty",
-            "version": "v3.1.43",
-            "version_normalized": "3.1.43.0",
+            "version": "v3.1.44",
+            "version_normalized": "3.1.44.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/smarty-php/smarty.git",
-                "reference": "273f7e00fec034f6d61112552e9caf08d19565b7"
+                "reference": "99085d8dc65eeb5e55ae3cba74d3dc6b3bb0205e"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/smarty-php/smarty/zipball/273f7e00fec034f6d61112552e9caf08d19565b7",
-                "reference": "273f7e00fec034f6d61112552e9caf08d19565b7",
+                "url": "https://api.github.com/repos/smarty-php/smarty/zipball/99085d8dc65eeb5e55ae3cba74d3dc6b3bb0205e",
+                "reference": "99085d8dc65eeb5e55ae3cba74d3dc6b3bb0205e",
                 "shasum": ""
             },
             "require": {
@@ -1301,7 +1301,7 @@
                 "phpunit/phpunit": "^7.5 || ^6.5 || ^5.7 || ^4.8",
                 "smarty/smarty-lexer": "^3.1"
             },
-            "time": "2022-01-10T09:52:40+00:00",
+            "time": "2022-01-17T23:12:04+00:00",
             "type": "library",
             "extra": {
                 "branch-alias": {
@@ -1341,7 +1341,7 @@
                 "forum": "http://www.smarty.net/forums/",
                 "irc": "irc://irc.freenode.org/smarty",
                 "issues": "https://github.com/smarty-php/smarty/issues",
-                "source": "https://github.com/smarty-php/smarty/tree/v3.1.43"
+                "source": "https://github.com/smarty-php/smarty/tree/v3.1.44"
             },
             "install-path": "../smarty/smarty"
         },
@@ -1676,52 +1676,6 @@
                 }
             ],
             "install-path": "../tecnickcom/tcpdf"
-        },
-        {
-            "name": "vanilla/htmlawed",
-            "version": "v2.2.5",
-            "version_normalized": "2.2.5.0",
-            "source": {
-                "type": "git",
-                "url": "https://github.com/vanilla/htmlawed.git",
-                "reference": "b1fc7b3990796112387c08a132f85b7333022ec2"
-            },
-            "dist": {
-                "type": "zip",
-                "url": "https://api.github.com/repos/vanilla/htmlawed/zipball/b1fc7b3990796112387c08a132f85b7333022ec2",
-                "reference": "b1fc7b3990796112387c08a132f85b7333022ec2",
-                "shasum": ""
-            },
-            "require": {
-                "php": ">=5.4.0"
-            },
-            "require-dev": {
-                "tburry/pquery": "~1.0.1"
-            },
-            "time": "2019-10-16T15:36:02+00:00",
-            "type": "library",
-            "installation-source": "dist",
-            "autoload": {
-                "classmap": [
-                    "src/Htmlawed.php"
-                ]
-            },
-            "notification-url": "https://packagist.org/downloads/",
-            "license": [
-                "LGPL-3.0"
-            ],
-            "authors": [
-                {
-                    "name": "Todd Burry",
-                    "email": "todd@vanillaforums.com"
-                }
-            ],
-            "description": "A composer wrapper for the htmLawed library to purify & filter HTML. Tested with PHPUnit and PhantomJS!",
-            "support": {
-                "issues": "https://github.com/vanilla/htmlawed/issues",
-                "source": "https://github.com/vanilla/htmlawed/tree/master"
-            },
-            "install-path": "../vanilla/htmlawed"
         }
     ],
     "dev": true,

diff --git a/adm_program/libs/server/composer/installed.php b/adm_program/libs/server/composer/installed.php
@@ -1,7 +1,7 @@
 <?php return array(
     'root' => array(
-        'pretty_version' => '4.1.0',
-        'version' => '4.1.0.0',
+        'pretty_version' => '4.1.3',
+        'version' => '4.1.3.0',
         'type' => 'project',
         'install_path' => __DIR__ . '/../../../../',
         'aliases' => array(),
@@ -11,8 +11,8 @@
     ),
     'versions' => array(
         'admidio/admidio' => array(
-            'pretty_version' => '4.1.0',
-            'version' => '4.1.0.0',
+            'pretty_version' => '4.1.3',
+            'version' => '4.1.3.0',
             'type' => 'project',
             'install_path' => __DIR__ . '/../../../../',
             'aliases' => array(),
@@ -203,12 +203,12 @@
             ),
         ),
         'smarty/smarty' => array(
-            'pretty_version' => 'v3.1.43',
-            'version' => '3.1.43.0',
+            'pretty_version' => 'v3.1.44',
+            'version' => '3.1.44.0',
             'type' => 'library',
             'install_path' => __DIR__ . '/../smarty/smarty',
             'aliases' => array(),
-            'reference' => '273f7e00fec034f6d61112552e9caf08d19565b7',
+            'reference' => '99085d8dc65eeb5e55ae3cba74d3dc6b3bb0205e',
             'dev_requirement' => false,
         ),
         'symfony/polyfill-ctype' => array(
@@ -247,14 +247,5 @@
             'reference' => '42cd0f9786af7e5db4fcedaa66f717b0d0032320',
             'dev_requirement' => false,
         ),
-        'vanilla/htmlawed' => array(
-            'pretty_version' => 'v2.2.5',
-            'version' => '2.2.5.0',
-            'type' => 'library',
-            'install_path' => __DIR__ . '/../vanilla/htmlawed',
-            'aliases' => array(),
-            'reference' => 'b1fc7b3990796112387c08a132f85b7333022ec2',
-            'dev_requirement' => false,
-        ),
     ),
 );
diff --git a/adm_program/libs/server/smarty/smarty/CHANGELOG.md b/adm_program/libs/server/smarty/smarty/CHANGELOG.md
@@ -6,6 +6,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [3.1.44] - 2022-01-18
+
+### Fixed
+- Fixed illegal characters bug in math function security check [#702](https://github.com/smarty-php/smarty/issues/702)
+
 ## [3.1.43] - 2022-01-10
 
 ### Security

diff --git a/adm_program/libs/server/smarty/smarty/libs/Smarty.class.php b/adm_program/libs/server/smarty/smarty/libs/Smarty.class.php
@@ -111,7 +111,7 @@ class Smarty extends Smarty_Internal_TemplateBase
     /**
      * smarty version
      */
-    const SMARTY_VERSION = '3.1.43';
+    const SMARTY_VERSION = '3.1.44';
     /**
      * define variable scopes
      */

diff --git a/adm_program/libs/server/smarty/smarty/libs/plugins/function.math.php b/adm_program/libs/server/smarty/smarty/libs/plugins/function.math.php
@@ -70,7 +70,7 @@ function smarty_function_math($params, $template)
     $number = '(?:\d+(?:[,.]\d+)?|pi|π)'; // What is a number
     $functionsOrVars = '((?:0x[a-fA-F0-9]+)|([a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*))';
     $operators = '[+\/*\^%-]'; // Allowed math operators
-    $regexp = '/^(('.$number.'|'.$functionsOrVars.'|('.$functionsOrVars.'\s*\((?1)+\)|\((?1)+\)))(?:'.$operators.'(?2))?)+$/';
+    $regexp = '/^(('.$number.'|'.$functionsOrVars.'|('.$functionsOrVars.'\s*\((?1)+\)|\((?1)+\)))(?:'.$operators.'(?1))?)+$/';
 
     if (!preg_match($regexp, $equation)) {
         trigger_error("math: illegal characters", E_USER_WARNING);

diff --git a/adm_program/libs/server/vanilla/htmlawed/CHANGELOG.md b/adm_program/libs/server/vanilla/htmlawed/CHANGELOG.md