

Fix XSS issue in teacher message
Add a purifying library.
changeweb committed Aug 13, 2021
1 parent c81ba7e commit 8d06416
Showing 4 changed files with 261 additions and 6 deletions.
7 changes: 4 additions & 3 deletions composer.json
Expand Up @@ -8,16 +8,17 @@
"php": ">=7.2.5",
"doctrine/dbal": "^2.9",
"fideloper/proxy": "^4.2",
"guzzlehttp/guzzle": "^6.3",
"lab404/laravel-impersonate": "1.6.0",
"laravel/cashier": "^11.0",
"guzzlehttp/guzzle": "^6.3",
"laravel/framework": "^7.0",
"laravel/passport": "^9.1.0",
"laravel/tinker": "^2.0",
"maatwebsite/excel": "^3.1",
"laravel/ui": "2.0.3",
"maatwebsite/excel": "^3.1",
"mavinoo/laravel-batch": "2.1.9",
"renatomarinho/laravel-page-speed": "^1.8"
"renatomarinho/laravel-page-speed": "^1.8",
"stevebauman/purify": "^4.0"
},
"require-dev": {
"facade/ignition": "^2.0",
123 changes: 121 additions & 2 deletions composer.lock


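--- /dev/null
+++ b/config/purify.php
@@ -0,0 +1,135 @@
+<?php
+
+return [
+
+/*
+|--------------------------------------------------------------------------
+| Settings
+|--------------------------------------------------------------------------
+|
+| The configuration settings array is passed directly to HTMLPurifier.
+|
+| Feel free to add / remove / customize these attributes as you wish.
+|
+| Documentation: http://htmlpurifier.org/live/configdoc/plain.html
+|
+*/
+
+'settings' => [
+
+/*
+|--------------------------------------------------------------------------
+| Core.Encoding
+|--------------------------------------------------------------------------
+|
+| The encoding to convert input to.
+|
+| http://htmlpurifier.org/live/configdoc/plain.html#Core.Encoding
+|
+*/
+
+'Core.Encoding' => 'utf-8',
+
+/*
+|--------------------------------------------------------------------------
+| Core.SerializerPath
+|--------------------------------------------------------------------------
+|
+| The HTML purifier serializer cache path.
+|
+| http://htmlpurifier.org/live/configdoc/plain.html#Cache.SerializerPath
+|
+*/
+
+'Cache.SerializerPath' => storage_path('app/purify'),
+
+/*
+|--------------------------------------------------------------------------
+| HTML.Doctype
+|--------------------------------------------------------------------------
+|
+| Doctype to use during filtering.
+|
+| http://htmlpurifier.org/live/configdoc/plain.html#HTML.Doctype
+|
+*/
+
+'HTML.Doctype' => 'XHTML 1.0 Strict',
+
+/*
+|--------------------------------------------------------------------------
+| HTML.Allowed
+|--------------------------------------------------------------------------
+|
+| The allowed HTML Elements with their allowed attributes.
+|
+| http://htmlpurifier.org/live/configdoc/plain.html#HTML.Allowed
+|
+*/
+
+'HTML.Allowed' => 'h1,h2,h3,h4,h5,h6,b,strong,i,em,a[href|title],ul,ol,li,p[style],br,span,img[width|height|alt|src]',
+
+/*
+|--------------------------------------------------------------------------
+| HTML.ForbiddenElements
+|--------------------------------------------------------------------------
+|
+| The forbidden HTML elements. Elements that are listed in
+| this string will be removed, however their content will remain.
+|
+| For example if 'p' is inside the string, the string: '<p>Test</p>',
+|
+| Will be cleaned to: 'Test'
+|
+| http://htmlpurifier.org/live/configdoc/plain.html#HTML.ForbiddenElements
+|
+*/
+
+'HTML.ForbiddenElements' => '',
+
+/*
+|--------------------------------------------------------------------------
+| CSS.AllowedProperties
+|--------------------------------------------------------------------------
+|
+| The Allowed CSS properties.
+|
+| http://htmlpurifier.org/live/configdoc/plain.html#CSS.AllowedProperties
+|
+*/
+
+'CSS.AllowedProperties' => 'font,font-size,font-weight,font-style,font-family,text-decoration,padding-left,color,background-color,text-align',
+
+/*
+|--------------------------------------------------------------------------
+| AutoFormat.AutoParagraph
+|--------------------------------------------------------------------------
+|
+| The Allowed CSS properties.
+|
+| This directive turns on auto-paragraphing, where double
+| newlines are converted in to paragraphs whenever possible.
+|
+| http://htmlpurifier.org/live/configdoc/plain.html#AutoFormat.AutoParagraph
+|
+*/
+
+'AutoFormat.AutoParagraph' => false,
+
+/*
+|--------------------------------------------------------------------------
+| AutoFormat.RemoveEmpty
+|--------------------------------------------------------------------------
+|
+| When enabled, HTML Purifier will attempt to remove empty
+| elements that contribute no semantic information to the document.
+|
+| http://htmlpurifier.org/live/configdoc/plain.html#AutoFormat.RemoveEmpty
+|
+*/
+
+'AutoFormat.RemoveEmpty' => false,
+
+],
+
+];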
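Review bot: The `'HTML.Allowed'` entry admits `img[...|src]` and `a[href|title]` with no URI restriction, so a teacher message can still embed an image from any external host (leaking every reader's IP address, user agent and referrer to that host) or link out anywhere; HTMLPurifier's default scheme allow-list rejects `javascript:` URIs, but it does not limit hosts. Unless remote images are a requirement, add `'URI.DisableExternalResources' => true,` to the settings array, and consider `'HTML.Nofollow' => true,` so user-supplied links do not pass link authority. Two comment blocks are also stale copy-paste: the header above `'Cache.SerializerPath'` reads `| Core.SerializerPath` and the `AutoFormat.AutoParagraph` block repeats `| The Allowed CSS properties.`; rename the first to `| Cache.SerializerPath` and drop the duplicated line. Note that `storage_path('app/purify')` must exist and be writable by the web user on every deployment, which is worth a line in the deployment notes.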
2 changes: 1 addition & 1 deletion resources/views/message/all.blade.php
Expand Up @@ -57,7 +57,7 @@
@else
<span class="label label-default">@lang('Seen')</span></strong>
@endif
<p class="notification-desc">{!!$message->message!!}</p>
<p class="notification-desc">{!!Purify::clean($message->message)!!}</p>
<div class="notification-meta">
<small class="timestamp">{{$message->created_at}}</small>
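Review bot: The sanitiser is applied only at this one render site, so the raw HTML still sits in the database, and any other place that outputs `$message->message` with `{!! !!}` (a single-message view, a notification e-mail, an API response) would remain exploitable; none of those are visible here, so this needs a repository-wide check for other unescaped uses of the field. Cleaning on write as well — `Purify::clean()` in the controller or a model mutator before the message is saved — would make the stored value safe regardless of who renders it, with the view-level call kept as defence in depth. The enclosing Blade loop starts above the hunk.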
