diff --git a/src/MicroweberPackages/App/Http/Controllers/ApiController.php b/src/MicroweberPackages/App/Http/Controllers/ApiController.php
index 9e72121a9e6..de2fffb630b 100644
--- a/src/MicroweberPackages/App/Http/Controllers/ApiController.php
+++ b/src/MicroweberPackages/App/Http/Controllers/ApiController.php
@@ -8,10 +8,10 @@ use MicroweberPackages\App\Http\Middleware\ApiAuth;
 use MicroweberPackages\App\Http\Middleware\SameSiteRefererMiddleware;
 use MicroweberPackages\App\Managers\Helpers\VerifyCsrfTokenHelper;
+use MicroweberPackages\Helper\XSSClean;
 use MicroweberPackages\View\View;
 use Symfony\Component\HttpFoundation\RedirectResponse;
 use Symfony\Component\HttpFoundation\Response;
-use voku\helper\AntiXSS;
 class ApiController extends FrontendController
@@ -609,18 +609,25 @@ public function module()
 // sanitize attributes
 if($request_data){
 $request_data_new = [];
- $antixss = new AntiXSS();
+
+ $xssClean = new XSSClean();
+
 foreach ($request_data as $k=>$v){
 if(is_string($v)) {
 $v = str_replace('<', '-', $v);
 $v = str_replace('>', '-', $v);
 }
- $v = $antixss->xss_clean($v);
+ if(is_array($v)) {
+ $v = $xssClean->cleanArray($v);
+ } else {
+ $v = $xssClean->clean($v);
+ }
 if(is_string($k)){
 $k = str_replace('<', '-', $k);
 $k = str_replace('>', '-', $k);
- $k = $antixss->xss_clean($k);
+
+ $k = $xssClean->clean($k);
 if($k){
 $request_data_new[$k] = $v;
 }
@@ -630,6 +637,8 @@ public function module()
 }
 $request_data = $request_data_new;
+ var_dump($request_data);
+ exit;
 }
 $page = false;
diff --git a/src/MicroweberPackages/App/Http/Controllers/FrontendController.php b/src/MicroweberPackages/App/Http/Controllers/FrontendController.php
index 154f89d676b..e1d2859bc83 100644
--- a/src/MicroweberPackages/App/Http/Controllers/FrontendController.php
+++ b/src/MicroweberPackages/App/Http/Controllers/FrontendController.php
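Review bot: Array-valued request parameters now go through `$xssClean->cleanArray($v)`, but the `str_replace('<', '-', $v)` / `str_replace('>', '-', $v)` step a few lines above runs only when `$v` itself is a string, so strings nested inside an array keep their angle brackets and rely on AntiXSS alone. If the bracket replacement is part of the intended policy for module attributes, apply it recursively (or inside `XSSClean::cleanArray()`) rather than only at the top level; if the difference is deliberate, a one-line comment such as `// nested values are only AntiXSS-cleaned; the '<'/'>' rewrite applies to top-level strings only` would spare the next reader the question. The body of `module()` continues outside this hunk, and `cleanArray()`'s own treatment of nested strings is not visible here, so this is inferred from the call sites.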
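Review bot: `var_dump($request_data);` followed by `exit;` is leftover debugging: it terminates every request that reaches this point in `module()` and echoes the sanitized request parameters into the response body, so both added lines should be deleted before merge. If the cleaned data still needs inspecting, log it at debug level through the framework logger instead, which does not abort the request. The enclosing function starts and ends outside this hunk.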
@@ -23,7 +23,6 @@ use Symfony\Component\HttpFoundation\RedirectResponse;
 use Symfony\Component\HttpFoundation\Request as SymfonyRequest;
 use Symfony\Component\HttpFoundation\Response;
-use voku\helper\AntiXSS;
 class FrontendController extends Controller
diff --git a/src/MicroweberPackages/Comment/Models/CommentsCrud.php b/src/MicroweberPackages/Comment/Models/CommentsCrud.php
index 3ddd358b0ef..30d7a773472 100644
--- a/src/MicroweberPackages/Comment/Models/CommentsCrud.php
+++ b/src/MicroweberPackages/Comment/Models/CommentsCrud.php
@@ -4,7 +4,6 @@ use MicroweberPackages\Database\Crud;
 use MicroweberPackages\Helper\HTMLClean;
-use voku\helper\AntiXSS;
 class CommentsCrud extends Crud
diff --git a/src/MicroweberPackages/Content/Models/ModelFilters/Traits/FilterByKeywordTrait.php b/src/MicroweberPackages/Content/Models/ModelFilters/Traits/FilterByKeywordTrait.php
index e4f36ac2351..059d8f7060a 100644
--- a/src/MicroweberPackages/Content/Models/ModelFilters/Traits/FilterByKeywordTrait.php
+++ b/src/MicroweberPackages/Content/Models/ModelFilters/Traits/FilterByKeywordTrait.php
@@ -10,9 +10,9 @@ use Illuminate\Database\Eloquent\Builder;
 use Illuminate\Support\Facades\Config;
+use MicroweberPackages\Helper\XSSClean;
 use MicroweberPackages\Multilanguage\Models\MultilanguageTranslations;
 use MicroweberPackages\Multilanguage\MultilanguageHelpers;
-use voku\helper\AntiXSS;
 trait FilterByKeywordTrait {
@@ -22,9 +22,11 @@ public function keyword($keyword)
 $table = $model->getTable();
 $searchInFields = $model->getSearchable();
 $keywordToSearch = false;
- $antixss = new AntiXSS();
+
+ $xssClean = new XSSClean();
+
 if (is_string($keyword)) {
- $keyword = $antixss->xss_clean($keyword);
+ $keyword = $xssClean->clean($keyword);
 if ($keyword) {
 $keywordToSearch = $keyword;
 }
diff --git a/src/MicroweberPackages/Helper/HTMLClean.php b/src/MicroweberPackages/Helper/HTMLClean.php
index 57a10ea8914..fc74e7f42cb 100644
--- a/src/MicroweberPackages/Helper/HTMLClean.php
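Review bot: In `keyword()` the new `$xssClean = new XSSClean();` is created unconditionally but only used inside the `is_string($keyword)` branch, so non-string keywords pay for an object they never touch; move the construction into the branch or inline it as `$keyword = (new XSSClean())->clean($keyword);`. Since `XSSClean::clean()` is declared to return `string` (see the new helper elsewhere in this diff), the untouched `if ($keyword)` that follows still discards the legitimate search term `"0"` — pre-existing, but an `if ($keyword !== '')` check would be the honest test while this line is being rewritten. The rest of `keyword()` lies outside the hunk.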
+++ b/src/MicroweberPackages/Helper/HTMLClean.php
@@ -33,8 +33,10 @@ public function cleanArray($array) {
 public function clean($html) {
- $antiXss = new \voku\helper\AntiXSS();
- $html = $antiXss->xss_clean($html);
+
+
+ $xssClean = new XSSClean();
+ $html = $xssClean->clean($html);
 $config = \HTMLPurifier_Config::createDefault();
diff --git a/src/MicroweberPackages/Helper/XSSClean.php b/src/MicroweberPackages/Helper/XSSClean.php
new file mode 100644
index 00000000000..e79a3d33f0c
--- /dev/null
+++ b/src/MicroweberPackages/Helper/XSSClean.php
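Review bot: The replacement adds two empty lines (the bare `+` / `+`) ahead of `$xssClean = new XSSClean();`, leaving a gap between the `clean($html)` signature and its first statement that the removed lines did not have; drop them so the body starts directly after the opening brace. Because `XSSClean::clean()` itself instantiates and configures an `AntiXSS` object, `HTMLClean::clean()` now pays that setup on every call in addition to building an `HTMLPurifier_Config`; if `cleanArray()` (named in the hunk header, body not visible) loops over elements calling `clean()`, the cost is multiplied per element, which is worth confirming and caching if so. `clean()` continues past the end of this hunk.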
@@ -0,0 +1,155 @@
+ $value) {
+ if (is_string($key)) {
+ $key = $this->clean($key);
+ }
+
+ if (is_array($value)) {
+ $cleanedArray[$key] = $this->cleanArray($value);
+ } else {
+ $cleanedArray[$key] = $this->clean($value);
+ }
+ }
+
+ return $cleanedArray;
+ }
+ }
+
+ public function clean($html): string
+ {
+ // from https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#ontransitionend
+ $cleanStrings = [
+ 'ontransitionstart',
+ // 'onwebkitanimationend',
+ 'onwebkitanimationiteration',
+ 'onwebkitanimationstart',
+ 'onwebkittransitionend',
+ 'ontransitionrun',
+ 'onloadedmetadata',
+ 'ondurationchange',
+ 'oncanplaythrough',
+ 'oncuechange',
+ 'onbounce',
+ 'onbegin',
+ 'onbeforeunload',
+ 'onbeforescriptexecute',
+ 'onbeforeprint',
+ 'onanimationstart',
+ 'onanimationiteration',
+ 'onanimationend',
+ 'onanimationcancel',
+ 'onafterscriptexecute',
+ 'onfocusin',
+ 'onhashchange',
+ 'onload',
+ 'onunload',
+ 'onloadend',
+ 'onloadstart',
+ 'onmessage',
+ 'onpageshow',
+ 'onloadedmetadata',
+ 'onloadeddata',
+ 'onplay',
+ 'onplaying',
+ 'onpopstate',
+ 'onprogress',
+ 'onrepeat',
+ 'onresize',
+ 'onscroll',
+ 'onstart',
+ 'ontimeupdate',
+ 'ontoggle',
+ 'ontransitionend',
+ 'ontransitioncancel',
+ 'ontransitionrun',
+ 'ontransitionstart',
+ 'onafterprint',
+ 'onauxclick',
+ 'onbeforecopy',
+ 'onbeforecut',
+ 'onblur',
+ 'onchange',
+ 'onclick',
+ 'onclose',
+ 'oncontextmenu',
+ 'oncopy',
+ 'oncut',
+ 'ondblclick',
+ 'ondrag',
+ 'ondragend',
+ 'ondragenter',
+ 'ondragleave',
+ 'ondragover',
+ 'ondragstart',
+ 'ondrop',
+ 'onfocusout',
+ 'onfullscreenchange',
+ 'oninput',
+ 'oninvalid',
+ 'onkeydown',
+ 'onkeypress',
+ 'onkeyup',
+ 'onmousedown',
+ 'onmouseenter',
+ 'onmouseleave',
+ 'onmousemove',
+ 'onmouseout',
+ 'onmouseover',
+ 'onmouseup',
+ 'onmousewheel',
+ 'onmozfullscreenchange',
+ 'onpagehide',
+ 'onpaste',
+ 'onpause',
+ 'onpointerdown',
+ 'onpointerenter',
+ 'onpointerleave',
+ 'onpointermove',
+ 'onpointerout',
+ 'onpointerover',
+ 'onpointerrawupdate',
+ 'onpointerup',
+ 'onreset',
+ 'onsearch',
+ 'onseeked',
+ 'onseeking',
+ 'onselect',
+ 'onselectionchange',
+ 'onselectstart',
+ 'onshow',
+ 'onsubmit',
+ 'ontouchend',
+ 'ontouchmove',
+ 'ontouchstart',
+ 'onvolumechange',
+ 'onwheel',
+ 'onunhandledrejection'
+ ];
+
+ $antiXss = new AntiXSS();
+ $antiXss->addEvilHtmlTags($cleanStrings);
+ $antiXss->addEvilAttributes($cleanStrings);
+ $antiXss->addNeverAllowedOnEventsAfterwards($cleanStrings);
+
+ $html = $antiXss->xss_clean($html);
+
+
+ return $html;
+ }
+
+ }
diff --git a/src/MicroweberPackages/Helper/tests/SecurityTest.php b/src/MicroweberPackages/Helper/tests/SecurityTest.php
index c87b453fc50..f5baa7c71ca 100644
--- a/src/MicroweberPackages/Helper/tests/SecurityTest.php
+++ b/src/MicroweberPackages/Helper/tests/SecurityTest.php
@@ -1,6 +1,9 @@ test';
 $content = $antiXss->onlyTags($string);
- $this->assertEquals($string, $content);
+ $this->assertEquals($string, $content);
 }
@@ -18,9 +21,9 @@ public function testXssExternalLinkImg()
 {
 $antiXss = new \MicroweberPackages\Helper\HTMLClean();
- $string = '';
+ $string = '';
 $content = $antiXss->clean($string);
- $this->assertEquals('test.jpg', $content);
+ $this->assertEquals('test.jpg', $content);
 $string = '';
@@ -34,7 +37,7 @@ public function testXssList()
 {
 $zip = new \ZipArchive();
- $zip->open(__DIR__.'/misc/xss-test-files.zip');
+ $zip->open(__DIR__ . '/misc/xss-test-files.zip');
 $xssList = $zip->getFromName('xss-payload-list.txt');
 $zip->close();
@@ -55,4 +58,13 @@ public function testXssList()
 }
 }
+ public function testXSSCleanArrtibutesNewEvents()
+ {
+ $xssClean = new XSSClean();
+ $str = "class='x module module-'ontransitionrun=alert(1) '";
+ $clean = $xssClean->clean($str);
+ $this->assertEquals("class='x module module-'=alert(1) '", $clean);
+
+ }
+
 }
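Review bot: `clean()` builds a fresh `AntiXSS` and re-registers the entire `$cleanStrings` list through `addEvilHtmlTags`, `addEvilAttributes` and `addNeverAllowedOnEventsAfterwards` on every call, while the callers in this commit (`cleanArray()` above and the per-key/per-value loop in `ApiController::module()`) invoke it once per element, so the setup is repeated for every request parameter; build the configured instance once as sketched below, on the assumption that AntiXSS keeps no per-call state beyond what `xss_clean()` itself resets — confirm that against the library before sharing the instance. The list also holds duplicates (`ontransitionstart`, `ontransitionrun` and `onloadedmetadata` each appear twice) and consists of attribute names, so passing it to `addEvilHtmlTags` — which by its name takes tag names — is probably a no-op that can be dropped once verified. `$html` is untyped while the return is declared `string`, and `cleanArray()` forwards every non-array element including ints and nulls, so a docblock such as `@param string|int|float|bool|null $html` (or a `(string)` cast before `xss_clean()`) would make the contract explicit. The file's opening lines (namespace, `use`, the head of `cleanArray()`) are not visible in this hunk.
```php
// … unchanged: namespace, use voku\helper\AntiXSS; and class header …

    /** Event-handler names added to AntiXSS's deny lists; formerly the local $cleanStrings. */
    private const EXTRA_EVENT_HANDLERS = [
        'ontransitionstart',
        // … unchanged: remaining entries of the former $cleanStrings list, duplicates removed …
        'onunhandledrejection',
    ];

    private static ?AntiXSS $antiXss = null;

    /** Configures AntiXSS once per process so each clean() call only pays for xss_clean(). */
    private static function antiXss(): AntiXSS
    {
        if (self::$antiXss === null) {
            $instance = new AntiXSS();
            $instance->addEvilHtmlTags(self::EXTRA_EVENT_HANDLERS);
            $instance->addEvilAttributes(self::EXTRA_EVENT_HANDLERS);
            $instance->addNeverAllowedOnEventsAfterwards(self::EXTRA_EVENT_HANDLERS);
            self::$antiXss = $instance;
        }

        return self::$antiXss;
    }

    // … unchanged: cleanArray() …

    public function clean($html): string
    {
        return self::antiXss()->xss_clean($html);
    }
```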
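Review bot: The new test method `testXSSCleanArrtibutesNewEvents` misspells "Attributes"; rename it to `testXSSCleanAttributesNewEvents`, and note that it references `XSSClean` unqualified while the neighbouring tests spell out `\MicroweberPackages\Helper\HTMLClean`, so it depends on the `use` line the garbled first hunk presumably adds. The single fixture exercises only `ontransitionrun`, yet the point of the new helper is the ~110 additional handler names; a data provider covering a handful of them (for example `onpointerrawupdate` and `onbeforescriptexecute`) would catch an entry that AntiXSS silently ignores. The expected value `class='x module module-'=alert(1) '` also appears to accept that the `=alert(1)` residue stays behind once the handler name is stripped — a one-line comment stating that this is the intended contract would stop a future reader from tightening the assertion by mistake.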