xss: Stored XSS/Domain Whitelist Bypass

This mitigates a vulnerability reported by haxatron on [huntr.dev](https://huntr.dev/) where one can bypass the Domain Whitelist and potentially store XSS via iFrame tags. This adds a new section to the iFrame REGEX that checks for `@` and denies the iFrame if exists.
osTicket · Oct 7, 2021 · 4b4da5b · 4b4da5b
1 parent e90d3be
commit 4b4da5b
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/include/class.format.php b/include/class.format.php
@@ -341,7 +341,7 @@ function safe_html($html, $options=array()) {
             $config['elements'] = '*+iframe';
             $config['spec'] = 'iframe=-*,height,width,type,style,src(match="`^(https?:)?//(www\.)?('
                 .implode('|', $whitelist)
-                .')/?`i"),frameborder'.($options['spec'] ? '; '.$options['spec'] : '').',allowfullscreen';
+                .')/?([^@]*)$`i"),frameborder'.($options['spec'] ? '; '.$options['spec'] : '').',allowfullscreen';
         }
 
         return Format::html($html, $config);