From d2c58f3bbc03846c460acddd38203387cd06416c Mon Sep 17 00:00:00 2001
From: Guy Sartorelli
Date: Tue, 19 Apr 2022 15:11:30 +1200
Subject: [PATCH] [CVE-2022-28803] Block XSS in links and iframes.
---
 src/Forms/HTMLEditor/HTMLEditorSanitiser.php | 11 +++++++++
 .../HTMLEditor/HTMLEditorSanitiserTest.php | 24 +++++++++++++++++++
 2 files changed, 35 insertions(+)
diff --git a/src/Forms/HTMLEditor/HTMLEditorSanitiser.php b/src/Forms/HTMLEditor/HTMLEditorSanitiser.php
index 9cc194de190..1caff953e7f 100644
--- a/src/Forms/HTMLEditor/HTMLEditorSanitiser.php
+++ b/src/Forms/HTMLEditor/HTMLEditorSanitiser.php
@@ -345,6 +345,17 @@ public function sanitise(HTMLValue $html)
 foreach ($elementRule->attributesForced as $attr => $forced) {
 $el->setAttribute($attr, $forced);
 }
+
+ // Matches "javascript:" with any arbitrary linebreaks inbetween the characters.
+ $regex = '/^\s*' . implode('\v*', str_split('javascript:')) . '/';
+ // Strip out javascript execution in href or src attributes.
+ foreach (['src', 'href'] as $dangerAttribute) {
+ if ($el->hasAttribute($dangerAttribute)) {
+ if (preg_match($regex, $el->getAttribute($dangerAttribute))) {
+ $el->removeAttribute($dangerAttribute);
+ }
+ }
+ }
 }
 if ($el->tagName === 'a' && $linkRelValue !== null) {
diff --git a/tests/php/Forms/HTMLEditor/HTMLEditorSanitiserTest.php b/tests/php/Forms/HTMLEditor/HTMLEditorSanitiserTest.php
index 97da89c976d..6c1ba3b0d9b 100644
--- a/tests/php/Forms/HTMLEditor/HTMLEditorSanitiserTest.php
+++ b/tests/php/Forms/HTMLEditor/HTMLEditorSanitiserTest.php
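Review bot: The pattern built on the `$regex =` line is case-sensitive and only tolerates vertical whitespace between the scheme characters, so a mixed-case spelling of the scheme, or a tab inside it, is not matched by the `preg_match` call and the attribute is kept, whereas browsers compare the scheme case-insensitively and strip tabs as well as newlines before parsing a URL. Adding the `i` modifier and widening the separator class closes both gaps: `$regex = '/^\s*' . implode('[\v\t]*', str_split('javascript:')) . '/i';`. A more durable design is to validate the scheme of `href`/`src` against an allowlist of the schemes the editor is expected to produce (plus scheme-less relative URLs) rather than matching one dangerous spelling, since a denylist has to anticipate every variant the browser accepts. The enclosing `sanitise()` method starts before and continues after this hunk.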
@@ -74,6 +74,30 @@ public function testSanitisation()
 'Test',
 'noopener rel attribute is unchanged when link_rel_value is null'
 ],
+ [
+ 'a[href|target|rel]',
+ 'Test',
+ 'Test',
+ 'Javascript in the href attribute of a link is completely removed'
+ ],
+ [
+ 'a[href|target|rel]',
+ 'Test',
+ 'Test',
+ 'Javascript in the href attribute of a link is completely removed even for multiline markup'
+ ],
+ [
+ 'map[name],area[href|shape|coords]',
+ '',
+ '',
+ 'Javascript in the href attribute of a map\'s clickable area is completely removed'
+ ],
+ [
+ 'iframe[src]',
+ '',
+ '',
+ 'Javascript in the src attribute of an iframe is completely removed'
+ ],
 ];
 $config = HTMLEditorConfig::get('htmleditorsanitisertest');
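Review bot: All four new cases assert that an attribute is removed; none pins that a legitimate URL survives, so a regression that over-matches (for example, the `^` anchor being lost so that any URL merely containing `javascript:` in a query string is stripped) would pass this data provider unnoticed. Adding a case under the same `a[href|target|rel]` rule whose `href` is an ordinary `https:` URL with the text `javascript:` somewhere after the scheme, with the expected output identical to the input, would cover that. A mixed-case variant of the scheme would likewise pin the intended case handling of the sanitiser, whichever way it is decided. The `testSanitisation()` data array starts before this hunk.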