[CVE-2022-28803] Block XSS in links and iframes.
GuySartorelli authored and emteknetnz committed Jun 28, 2022
1 parent 0bc3ed4 commit d2c58f3
Showing 2 changed files with 35 additions and 0 deletions.
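--- a/src/Forms/HTMLEditor/HTMLEditorSanitiser.php
+++ b/src/Forms/HTMLEditor/HTMLEditorSanitiser.php
@@ -345,6 +345,17 @@ public function sanitise(HTMLValue $html)
 foreach ($elementRule->attributesForced as $attr => $forced) {
 $el->setAttribute($attr, $forced);
 }
+
+// Matches "javascript:" with any arbitrary linebreaks inbetween the characters.
+$regex = '/^\s*' . implode('\v*', str_split('javascript:')) . '/';
+// Strip out javascript execution in href or src attributes.
+foreach (['src', 'href'] as $dangerAttribute) {
+if ($el->hasAttribute($dangerAttribute)) {
+if (preg_match($regex, $el->getAttribute($dangerAttribute))) {
+$el->removeAttribute($dangerAttribute);
+}
+}
+}
 }
 
 if ($el->tagName === 'a' && $linkRelValue !== null) {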
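Review bot: The scheme check built into `$regex` is case-sensitive and only tolerates vertical whitespace between the characters, but browsers match the URL scheme case-insensitively and strip horizontal tabs as well as line breaks before resolving it, so the pattern as written does not cover every spelling the browser will still execute. Adding the `i` modifier and widening the separator class closes that gap in one line: `$regex = '/^\s*' . implode('[\t\v]*', str_split('javascript:')) . '/i';`. More robustly, a deny-list of a single scheme is fragile; comparing the parsed scheme against an allow-list (http, https, mailto, relative URLs) would not need to enumerate dangerous spellings at all. The matching cases in tests/php/Forms/HTMLEditor/HTMLEditorSanitiserTest.php in this commit only exercise lowercase and newline-separated input, so a mixed-case dataset would be needed to lock in the `i` modifier. `sanitise()` begins and ends outside this hunk.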
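--- a/tests/php/Forms/HTMLEditor/HTMLEditorSanitiserTest.php
+++ b/tests/php/Forms/HTMLEditor/HTMLEditorSanitiserTest.php
@@ -74,6 +74,30 @@ public function testSanitisation()
 '<a href="/test" target="_blank">Test</a>',
 'noopener rel attribute is unchanged when link_rel_value is null'
 ],
+[
+'a[href|target|rel]',
+'<a href="javascript:alert(0);">Test</a>',
+'<a>Test</a>',
+'Javascript in the href attribute of a link is completely removed'
+],
+[
+'a[href|target|rel]',
+'<a href="' . implode("\n", str_split(' javascript:')) . '">Test</a>',
+'<a>Test</a>',
+'Javascript in the href attribute of a link is completely removed even for multiline markup'
+],
+[
+'map[name],area[href|shape|coords]',
+'<map name="test"><area shape="rect" coords="34,44,270,350" href="javascript:alert(0);"></map>',
+'<map name="test"><area shape="rect" coords="34,44,270,350"></map>',
+'Javascript in the href attribute of a map\'s clickable area is completely removed'
+],
+[
+'iframe[src]',
+'<iframe src="javascript:alert(0);"></iframe>',
+'<iframe></iframe>',
+'Javascript in the src attribute of an iframe is completely removed'
+],
 ];
 
 $config = HTMLEditorConfig::get('htmleditorsanitisertest');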
