Deny usage of form elements in rich-text

glpi-project · Nov 3, 2022 · 8505fbf · 8505fbf
1 parent edb8159
commit 8505fbf
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 5 deletions.
diff --git a/src/Toolbox.php b/src/Toolbox.php
@@ -311,9 +311,33 @@ public static function unclean_cross_side_scripting_deep($value)
      */
     public static function getHtmLawedSafeConfig(): array
     {
+        $forbidden_elements = [
+            'script',
+
+            // header elements used to link external resources
+            'link',
+            'meta',
+
+            // elements used to embed potential malicious external application
+            'applet',
+            'canvas',
+            'embed',
+            'object',
+
+            // form elements
+            'form',
+            'button',
+            'input',
+            'select',
+            'datalist',
+            'option',
+            'optgroup',
+            'textarea',
+        ];
+
         $config = [
-            'elements'           => '* -applet -canvas -embed -form -object -script -link -meta',
-            'deny_attribute'     => 'on*, srcdoc',
+            'elements'           => '* ' . implode('', array_map(fn($element) => '-' . $element, $forbidden_elements)),
+            'deny_attribute'     => 'on*, srcdoc, formaction',
             'comment'            => 1, // 1: remove HTML comments (and do not display their contents)
             'cdata'              => 1, // 1: remove CDATA sections (and do not display their contents)
             'direct_list_nest'   => 1, // 1: Allow usage of ul/ol tags nested in other ul/ol tags

diff --git a/tests/units/Glpi/RichText/RichText.php b/tests/units/Glpi/RichText/RichText.php
@@ -161,7 +161,13 @@ protected function getSafeHtmlProvider(): iterable
   <div>
     <label>e-mail:</label><input type="email" /><br />
     <label>password:</label><input type="password" />
+    <input type="hidden" name="test3" value="malicious-input" />
     <button type="submit">OK</button>
+    <select name="test1">
+        <option value="1">Opt 1</option>
+        <option value="2">Opt 2</option>
+    </select>
+    <textarea name="test2">Some textarea content</textarea>
   </div>
 </form>
 
@@ -240,9 +246,15 @@ public function () {
 <h1>Form element should be removed</h1>
 
   <div>
-    <label>e-mail:</label><input type="email" /><br />
-    <label>password:</label><input type="password" />
-    <button type="submit">OK</button>
+    <label>e-mail:</label><br />
+    <label>password:</label>
+    
+    OK
+    
+        Opt 1
+        Opt 2
+    
+    Some textarea content
   </div>