Prevent HTML code injection in e107::url()
Fixes: #4054 This is a better fix for #4054. HTML code injection can no longer occur in URLs generated by e107::url(), thanks to htmlspecialchars(). The previous implementation only addressed `&` => `&amp;`. Now quotation marks and angle brackets are also escaped, so `<a href=""></html>"></a>` is now rendered as `&lt;a href=&quot;&quot;&gt;&lt;/html&gt;&quot;&gt;&lt;/a&gt;`.
@@ -3577,10 +3577,10 @@ class e107
|
|||||||
// Append the query.
|
// Append the query.
|
||||||
if (is_array($options['query']) && !empty($options['query']))
|
if (is_array($options['query']) && !empty($options['query']))
|
||||||
{
|
{
|
||||||
$sefUrl .= (strpos($sefUrl, '?') !== FALSE ? '&' : '?') . self::httpBuildQuery($options['query']);
|
$sefUrl .= (strpos($sefUrl, '?') !== FALSE ? '&' : '?') . self::httpBuildQuery($options['query']);
|
||||||
}
|
}
|
||||||
|
|
||||||
return $sefUrl . $options['fragment'];
|
return htmlspecialchars($sefUrl . $options['fragment'], ENT_QUOTES, 'UTF-8');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
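Review bot: Wrapping the whole return value in htmlspecialchars() applies HTML-context encoding inside a URL builder, so every caller of url() now receives `&amp;`, `&quot;` and `&lt;` whether or not the URL is going into markup; a caller that passes the result to a Location header, a JSON body or a plain-text e-mail emits the entity-encoded form, and a template that already escapes will double-encode `&` to `&amp;amp;`. The injection the commit closes comes from the path segment and the fragment (the new test's `'forum_sef' => '<>'` case shows the segment is not percent-encoded), and percent-encoding those pieces with rawurlencode() where they are appended would remove `<`, `>`, `"` and `'` from the output in every context, which is how the query string is already handled given the percent-encoded values the new testUrlOptionQueryUrlEncoded expects. If the HTML-escaped return is the intended contract, the method docblock should state it, e.g. `@return string URL already passed through htmlspecialchars(ENT_QUOTES); do not escape again when inserting into HTML, and do not use as a raw header value.` The body of url() begins before this hunk, so where $sefUrl's path segments are assembled cannot be checked here.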
@@ -3652,7 +3652,7 @@ class e107
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return implode('&', $params);
|
return implode('&', $params);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
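Review bot: The rendered page shows both sides of `return implode('&', $params);` identically, so the change in this hunk is presumably the separator going from `&amp;` back to a raw `&` (the description says the earlier fix only handled `&`); if so, httpBuildQuery() no longer produces markup-safe output on its own, and any caller other than url() that echoed its result straight into HTML has lost that escaping. A one-line comment on the return would make the new division of responsibility explicit: `// Raw '&' separator: the caller escapes for its output context (url() applies htmlspecialchars()).` The enclosing method begins before this hunk.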
@@ -791,8 +791,6 @@ class e107Test extends \Codeception\Test\Unit
|
|||||||
$result = $obj::url('news','index', array(), array('mode'=>'full'));
|
$result = $obj::url('news','index', array(), array('mode'=>'full'));
|
||||||
|
|
||||||
$this->assertEquals("https://localhost/e107/news", $result);
|
$this->assertEquals("https://localhost/e107/news", $result);
|
||||||
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@@ -809,12 +807,42 @@ class e107Test extends \Codeception\Test\Unit
|
|||||||
),
|
),
|
||||||
));
|
));
|
||||||
$this->assertEquals(
|
$this->assertEquals(
|
||||||
e_PLUGIN_ABS. 'forum/forum_viewtopic.php?f=post&id=123',
|
e_PLUGIN_ABS . 'forum/forum_viewtopic.php?f=post&id=123',
|
||||||
$url, "Generated href does not match expectation"
|
$url, "Generated href does not match expectation"
|
||||||
);
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
public function testUrlOptionQueryUrlEncoded()
|
||||||
|
{
|
||||||
|
$e107 = $this->e107;
|
||||||
|
$e107::getPlugin()->install('forum');
|
||||||
|
$url = $e107::url('forum', 'post', [], array(
|
||||||
|
'query' => array(
|
||||||
|
"didn't" => '<tag attr="such wow"></tag>',
|
||||||
|
'did' => 'much doge',
|
||||||
|
),
|
||||||
|
));
|
||||||
|
$this->assertEquals(
|
||||||
|
e_HTTP .
|
||||||
|
'forum/post/?didn%27t=%3Ctag%20attr%3D%22such%20wow%22%3E%3C/tag%3E&did=much%20doge',
|
||||||
|
$url, "Generated href query string did not have expected URL encoding"
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
public function testUrlEscapesHtmlSpecialChars()
|
||||||
|
{
|
||||||
|
$e107 = $this->e107;
|
||||||
|
$e107::getPlugin()->install('forum');
|
||||||
|
$url = $e107::url('forum', 'forum', [
|
||||||
|
'forum_sef' => '<>',
|
||||||
|
], array(
|
||||||
|
'fragment' => 'Arts & Crafts <tag attr="can\'t inject here"></tag>'
|
||||||
|
));
|
||||||
|
$this->assertEquals(
|
||||||
|
e_HTTP .
|
||||||
|
'forum/<>/#Arts & Crafts <tag attr="can't inject here"></tag>',
|
||||||
|
$url, "Generated href did not prevent HTML tag injection as expected"
|
||||||
|
);
|
||||||
}
|
}
|
||||||
/*
|
/*
|
||||||
public function testRedirect()
|
public function testRedirect()
|
||||||
|
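Review bot: testUrlEscapesHtmlSpecialChars pins HTML-entity encoding into the URL builder's contract rather than URL encoding: the expected path for `'forum_sef' => '<>'` is rendered here as `forum/<>/` (presumably `forum/&lt;&gt;/` in the source, decoded by this page), so the test would break if the segment were later percent-encoded, which is the URL-layer fix. A companion assertion that the segment comes back as `forum/%3C%3E/` would describe the safer contract, and the bare `&did=` in testUrlOptionQueryUrlEncoded's expected string cannot equal htmlspecialchars() output as shown, so either this page decoded `&amp;` or that expectation needs updating. Both new tests also mix `[]` and `array(` in a single call (`$e107::url('forum', 'post', [], array(`), while the existing test above uses `array()` throughout; pick one form per file.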