update
peter-mw committed Apr 27, 2022
1 parent 721029f commit 1f6a4de
Showing 7 changed files with 193 additions and 15 deletions.
17 changes: 13 additions & 4 deletions src/MicroweberPackages/App/Http/Controllers/ApiController.php
Expand Up @@ -8,10 +8,10 @@
use MicroweberPackages\App\Http\Middleware\ApiAuth;
use MicroweberPackages\App\Http\Middleware\SameSiteRefererMiddleware;
use MicroweberPackages\App\Managers\Helpers\VerifyCsrfTokenHelper;
use MicroweberPackages\Helper\XSSClean;
use MicroweberPackages\View\View;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Response;
use voku\helper\AntiXSS;


class ApiController extends FrontendController
Expand Down Expand Up @@ -609,18 +609,25 @@ public function module()
// sanitize attributes
if($request_data){
$request_data_new = [];
$antixss = new AntiXSS();

$xssClean = new XSSClean();

foreach ($request_data as $k=>$v){
if(is_string($v)) {
$v = str_replace('<', '-', $v);
$v = str_replace('>', '-', $v);
}
$v = $antixss->xss_clean($v);
if(is_array($v)) {
$v = $xssClean->cleanArray($v);
} else {
$v = $xssClean->clean($v);
}

if(is_string($k)){
$k = str_replace('<', '-', $k);
$k = str_replace('>', '-', $k);
$k = $antixss->xss_clean($k);

$k = $xssClean->clean($k);
if($k){
$request_data_new[$k] = $v;
}
Expand All @@ -630,6 +637,8 @@ public function module()

}
$request_data = $request_data_new;
var_dump($request_data);
exit;
}

$page = false;
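Review bot: The `var_dump($request_data); exit;` added in the third hunk, right after `$request_data = $request_data_new;`, terminates every module request and echoes the sanitized request payload to the client, so it reads as leftover debugging rather than intended behaviour; both lines should be removed before this ships. In the loop of the second hunk the non-array branch now sends every scalar through `$xssClean->clean($v)`, including ints, bools and null, and `XSSClean::clean()` declares `: string`; if `xss_clean` hands back a non-string for such input the return type will coerce it (or throw under `strict_types`), which is worth confirming with a request that carries numeric or boolean fields. The `$request_data_new[$k] = $v` assignment is still guarded by `if($k)`, so a key that cleans to `'0'` is silently dropped, as before. The enclosing `module()` method starts and ends outside the hunks.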
Expand Up @@ -23,7 +23,6 @@
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Request as SymfonyRequest;
use Symfony\Component\HttpFoundation\Response;
use voku\helper\AntiXSS;


class FrontendController extends Controller
1 change: 0 additions & 1 deletion src/MicroweberPackages/Comment/Models/CommentsCrud.php
Expand Up @@ -4,7 +4,6 @@

use MicroweberPackages\Database\Crud;
use MicroweberPackages\Helper\HTMLClean;
use voku\helper\AntiXSS;


class CommentsCrud extends Crud
Expand Up @@ -10,9 +10,9 @@

use Illuminate\Database\Eloquent\Builder;
use Illuminate\Support\Facades\Config;
use MicroweberPackages\Helper\XSSClean;
use MicroweberPackages\Multilanguage\Models\MultilanguageTranslations;
use MicroweberPackages\Multilanguage\MultilanguageHelpers;
use voku\helper\AntiXSS;

trait FilterByKeywordTrait
{
Expand All @@ -22,9 +22,11 @@ public function keyword($keyword)
$table = $model->getTable();
$searchInFields = $model->getSearchable();
$keywordToSearch = false;
$antixss = new AntiXSS();

$xssClean = new XSSClean();

if (is_string($keyword)) {
$keyword = $antixss->xss_clean($keyword);
$keyword = $xssClean->clean($keyword);
if ($keyword) {
$keywordToSearch = $keyword;
}
6 changes: 4 additions & 2 deletions src/MicroweberPackages/Helper/HTMLClean.php
Expand Up @@ -33,8 +33,10 @@ public function cleanArray($array) {

public function clean($html) {

$antiXss = new \voku\helper\AntiXSS();
$html = $antiXss->xss_clean($html);


$xssClean = new XSSClean();
$html = $xssClean->clean($html);

$config = \HTMLPurifier_Config::createDefault();

155 changes: 155 additions & 0 deletions src/MicroweberPackages/Helper/XSSClean.php
@@ -0,0 +1,155 @@
<?php

namespace MicroweberPackages\Helper;

use voku\helper\AntiXSS;

class XSSClean
{


public function cleanArray($array): array
{

if (is_array($array)) {

$cleanedArray = [];
foreach ($array as $key => $value) {
if (is_string($key)) {
$key = $this->clean($key);
}

if (is_array($value)) {
$cleanedArray[$key] = $this->cleanArray($value);
} else {
$cleanedArray[$key] = $this->clean($value);
}
}

return $cleanedArray;
}
}

public function clean($html): string
{
// from https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#ontransitionend
$cleanStrings = [
'ontransitionstart',
// 'onwebkitanimationend',
'onwebkitanimationiteration',
'onwebkitanimationstart',
'onwebkittransitionend',
'ontransitionrun',
'onloadedmetadata',
'ondurationchange',
'oncanplaythrough',
'oncuechange',
'onbounce',
'onbegin',
'onbeforeunload',
'onbeforescriptexecute',
'onbeforeprint',
'onanimationstart',
'onanimationiteration',
'onanimationend',
'onanimationcancel',
'onafterscriptexecute',
'onfocusin',
'onhashchange',
'onload',
'onunload',
'onloadend',
'onloadstart',
'onmessage',
'onpageshow',
'onloadedmetadata',
'onloadeddata',
'onplay',
'onplaying',
'onpopstate',
'onprogress',
'onrepeat',
'onresize',
'onscroll',
'onstart',
'ontimeupdate',
'ontoggle',
'ontransitionend',
'ontransitioncancel',
'ontransitionrun',
'ontransitionstart',
'onafterprint',
'onauxclick',
'onbeforecopy',
'onbeforecut',
'onblur',
'onchange',
'onclick',
'onclose',
'oncontextmenu',
'oncopy',
'oncut',
'ondblclick',
'ondrag',
'ondragend',
'ondragenter',
'ondragleave',
'ondragover',
'ondragstart',
'ondrop',
'onfocusout',
'onfullscreenchange',
'oninput',
'oninvalid',
'onkeydown',
'onkeypress',
'onkeyup',
'onmousedown',
'onmouseenter',
'onmouseleave',
'onmousemove',
'onmouseout',
'onmouseover',
'onmouseup',
'onmousewheel',
'onmozfullscreenchange',
'onpagehide',
'onpaste',
'onpause',
'onpointerdown',
'onpointerenter',
'onpointerleave',
'onpointermove',
'onpointerout',
'onpointerover',
'onpointerrawupdate',
'onpointerup',
'onreset',
'onsearch',
'onseeked',
'onseeking',
'onselect',
'onselectionchange',
'onselectstart',
'onshow',
'onsubmit',
'ontouchend',
'ontouchmove',
'ontouchstart',
'onvolumechange',
'onwheel',
'onunhandledrejection'
];

$antiXss = new AntiXSS();
$antiXss->addEvilHtmlTags($cleanStrings);
$antiXss->addEvilAttributes($cleanStrings);
$antiXss->addNeverAllowedOnEventsAfterwards($cleanStrings);

$html = $antiXss->xss_clean($html);


return $html;
}

}
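Review bot: `cleanArray()` declares `: array` but falls off the end without a return when `$array` is not an array, which is a TypeError at call time, so the `is_array` guard protects nobody; either type the parameter, `public function cleanArray(array $array): array`, and drop the guard, or add `return [];` after the `if`. `clean()` rebuilds the hundred-entry handler list and a fresh `AntiXSS` instance with three registration calls on every invocation, and `cleanArray()` calls it once per key and per value recursively, so setup cost dominates for request payloads; hoisting the list to a class constant and memoising the configured instance keeps behaviour identical. The list contains duplicates (`ontransitionstart`, `ontransitionrun` and `onloadedmetadata` each appear twice), and registering attribute names via `addEvilHtmlTags` presumably has no effect since they are not tag names — worth confirming against the library before keeping that call. `$html` is also untyped while the method declares `: string`; a `@param string|array $html` docblock, or a `string` type once callers are known to pass strings only, would make the contract explicit.
```php
class XSSClean
{
    /** Event-handler attribute names that AntiXSS must strip in every position. */
    private const EVENT_HANDLERS = [
        'ontransitionstart',
        // … unchanged: the remaining handler names from the list above, duplicates removed …
        'onunhandledrejection',
    ];

    private ?AntiXSS $antiXss = null;

    public function cleanArray(array $array): array
    {
        // … unchanged: per-key / per-value recursion …
    }

    public function clean($html): string
    {
        // Configure the library once per instance instead of once per value.
        $this->antiXss ??= $this->configuredAntiXss();

        return $this->antiXss->xss_clean($html);
    }

    private function configuredAntiXss(): AntiXSS
    {
        $antiXss = new AntiXSS();
        $antiXss->addEvilHtmlTags(self::EVENT_HANDLERS);
        $antiXss->addEvilAttributes(self::EVENT_HANDLERS);
        $antiXss->addNeverAllowedOnEventsAfterwards(self::EVENT_HANDLERS);

        return $antiXss;
    }
}
```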
20 changes: 16 additions & 4 deletions src/MicroweberPackages/Helper/tests/SecurityTest.php
@@ -1,6 +1,9 @@
<?php

namespace MicroweberPackages\Helper\tests;

use MicroweberPackages\Helper\XSSClean;

class SecurityTest extends BaseTest
{
public function testComments()
Expand All @@ -10,17 +13,17 @@ public function testComments()
$string = '<a href="https://example.com">test</a>';
$content = $antiXss->onlyTags($string);

$this->assertEquals($string, $content);
$this->assertEquals($string, $content);
}


public function testXssExternalLinkImg()
{
$antiXss = new \MicroweberPackages\Helper\HTMLClean();

$string = '<img src="'.site_url().'test.jpg" />';
$string = '<img src="' . site_url() . 'test.jpg" />';
$content = $antiXss->clean($string);
$this->assertEquals('<img src="'.site_url().'test.jpg" alt="test.jpg" />', $content);
$this->assertEquals('<img src="' . site_url() . 'test.jpg" alt="test.jpg" />', $content);


$string = '<img src="https://google.bg/test.jpg" />';
Expand All @@ -34,7 +37,7 @@ public function testXssList()
{

$zip = new \ZipArchive();
$zip->open(__DIR__.'/misc/xss-test-files.zip');
$zip->open(__DIR__ . '/misc/xss-test-files.zip');
$xssList = $zip->getFromName('xss-payload-list.txt');
$zip->close();

Expand All @@ -55,4 +58,13 @@ public function testXssList()
}
}

public function testXSSCleanArrtibutesNewEvents()
{
$xssClean = new XSSClean();
$str = "class='x module module-'ontransitionrun=alert(1) '";
$clean = $xssClean->clean($str);
$this->assertEquals("class='x module module-'=alert&#40;1&#41; '", $clean);

}

}
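Review bot: The new test `testXSSCleanArrtibutesNewEvents` has a typo in its name (`Arrtibutes`) and exercises only `ontransitionrun`, one of roughly a hundred handler names the change registers; renaming it `testXssCleanStripsNewEventHandlerAttributes` and driving it from a data provider with a few more of the added names (for example `onpointerrawupdate` and `onbeforescriptexecute`) would turn it into a meaningful regression guard. The single assertion also pins AntiXSS's `&#40;`/`&#41;` encoding of the parentheses, which is library behaviour rather than what `XSSClean` adds, so an `$this->assertStringNotContainsString('ontransitionrun', $clean);` alongside it keeps the test stable across library upgrades. The blank line before the method's closing brace can be dropped.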
