mirror/php-e107
1
0
Fork 0
mirror of https://github.com/e107inc/e107.git synced 2025-08-04 13:47:31 +02:00
Code Issues Releases Wiki Activity

Fixes #3926, #4135 - support for attributes onchange, onclick etc. when script access is enabled.

Browse Source
This commit is contained in:
Cameron
2020-04-30 14:52:44 -07:00
parent c7fe56f525
commit e4de8502c5
2 changed files with 91 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
e107_handlers/e_parse_class.php
View File

@@ -3852,6 +3852,11 @@ class e_parser
);
protected $scriptTags = array('script','applet','form','input','button', 'embed', 'object', 'ins', 'select','textarea'); //allowed when $pref['post_script'] is enabled.
protected $scriptAttributes = array('onclick', 'onchange', 'onblur', 'onload', 'onfocus', 'onkeydown', 'onkeypress', 'onkeyup',
'ondblclick', 'onmousedown', 'onmousemove', 'onmouseout', 'onmouseover', 'onmouseup', 'onmousewheel',
'onwheel', 'oncopy', 'oncut', 'onpaste'
);
protected $blockTags = array('pre','div','h1','h2','h3','h4','h5','h6','blockquote'); // element includes its own line-break.
@@ -3932,7 +3937,11 @@ class e_parser
public function getAllowedTags()
{
return $this->allowedTags;
}
public function getAllowedAttributes()
{
return $this->allowedAttributes;
}
@@ -3941,6 +3950,11 @@ class e_parser
return $this->scriptAccess;
}
public function getRemoved()
{
return $this->removedList;
}
/**
* Set Allowed Attributes.
* @param $array
@@ -5356,6 +5370,24 @@ return;
}
private function grantScriptAccess()
{
$this->allowedTags = array_merge($this->allowedTags, $this->scriptTags);
foreach($this->allowedAttributes as $tag => $att)
{
foreach($this->scriptAttributes as $new)
{
$this->allowedAttributes[$tag][] = $new;
}
}
return null;
}
/**
* Process and clean HTML from user input.
* TODO Html5 tag support.
@@ -5399,6 +5431,7 @@ return;
$this->init();
}
if($this->scriptAccess === false)
{
$this->scriptAccess = e107::getConfig()->get('post_script', e_UC_MAINADMIN); // Pref to Allow <script> tags11;
@@ -5406,7 +5439,7 @@ return;
if(check_class($this->scriptAccess))
{
$this->allowedTags = array_merge($this->allowedTags, $this->scriptTags);
$this->grantScriptAccess();
}
@@ -5458,7 +5491,8 @@ return;
$name = $attr->nodeName;
$value = $attr->nodeValue;
$allow = varset($this->allowedAttributes[$tag], $this->allowedAttributes['default']);
$allow = isset($this->allowedAttributes[$tag]) ? $this->allowedAttributes[$tag] : $this->allowedAttributes['default'];
$removeAttributes = array();
if(!in_array($name, $allow))

63
e107_tests/tests/unit/e_parseTest.php
View File

@@ -302,7 +302,7 @@ while(&#036;row = &#036;sql-&gt;fetch())
),
8 => array(
'input' => '<table background="javascript:alert(1)"><tr><td><a href="something.php" onclick="alert(1)">Hi there</a></td></tr></table>',
'expected' => "<table><tr><td><a href=&quot;something.php&quot;>Hi there</a></td></tr></table>"
'expected' => '<table><tr><td><a href=&quot;something.php&quot; onclick=&quot;#---sanitized---#&quot;>Hi there</a></td></tr></table>'
),
9 => array(
'input' => '<!--<img src="--><img src=x onerror=alert(1)//">',
@@ -310,7 +310,7 @@ while(&#036;row = &#036;sql-&gt;fetch())
),
10 => array(
'input' => '<div style=content:url(data:image/svg+xml,%3Csvg/%3E);visibility:hidden onload=alert(1)>',
'expected' => '<div style=&quot;#---sanitized---#&quot;></div>'),
'expected' => '<div style=&quot;#---sanitized---#&quot; onload=&quot;#---sanitized---#&quot;></div>'),
11 => array(
'input' => '<a href="{e_PLUGIN}myplugin/index.php">Test</a>',
'expected' => '<a href=&quot;{e_PLUGIN}myplugin/index.php&quot;>Test</a>'
@@ -399,7 +399,7 @@ while(&#036;row = &#036;sql-&gt;fetch())
$parm = varset($var['parm']);
$result = $this->tp->toDB($var['input'], false, false, $mode, $parm);
$this->assertEquals($var['expected'], $result, 'Test #'.$k." failed.");
$this->assertEquals($var['expected'], $result, 'Test #'.$k." failed.". print_r($this->tp->getRemoved(),true));
}
@@ -608,22 +608,25 @@ while(&#036;row = &#036;sql-&gt;fetch())
{
}
*/
public function testSetScriptAccess()
{
$this->tp->setScriptAccess(e_UC_PUBLIC);
$result = $this->tp->getScriptAccess();
$this->assertEquals(e_UC_PUBLIC, $result);
}
/*
public function testGetAllowedTags()
{
}
*/
public function testGetScriptAccess()
{
$result = $this->tp->getScriptAccess();
$this->assertFalse($result);
}
/*
public function testSetAllowedAttributes()
{
@@ -1047,6 +1050,11 @@ while(&#036;row = &#036;sql-&gt;fetch())
*/
public function testCleanHtml()
{
global $_E107;
$_E107['phpunit'] = true; // disable CLI "all access" permissions to simulated a non-cli scenario.
$this->tp->setScriptAccess(e_UC_NOBODY);
$tests = array(
0 => array(
'html' => "<svg/onload=prompt(1)//",
@@ -1082,6 +1090,10 @@ while(&#036;row = &#036;sql-&gt;fetch())
'html' => "<pre class=\"whatever\">require_once(\"class2.php\");\r\nrequire_once(HEADERF);\r\necho \"test\";&lt;br&gt;\r\nrequire_once(FOOTERF);</pre>",
'expected' => "<pre class=\"whatever\">require_once(\"class2.php\");\nrequire_once(HEADERF);\necho \"test\";&lt;br&gt;\nrequire_once(FOOTERF);</pre>"
),
10 => array(
'html'=> '<a href="#" onchange="whatever">Test</a>',
'expected'=>'<a href="#">Test</a>'
),
);
@@ -1092,8 +1104,30 @@ while(&#036;row = &#036;sql-&gt;fetch())
$this->assertEquals($var['expected'], $result);
}
// -------------------------
$this->tp->setScriptAccess(e_UC_PUBLIC);
$scriptAccess = array(
0 => array(
'html' => '<a href="#" onchange="whatever">Test</a>',
'expected' => '<a href="#" onchange="whatever">Test</a>'
),
);
foreach($scriptAccess as $var)
{
$result = $this->tp->cleanHtml($var['html']);
$this->assertEquals($var['expected'], $result);
}
$this->tp->setScriptAccess(false);
unset($_E107['phpunit']);
}
/*
public function testSecureAttributeValue()
{
@@ -1105,4 +1139,15 @@ while(&#036;row = &#036;sql-&gt;fetch())
}
*/
/*
public function testGrantScriptAccess()
{
$before = $this->tp->getAllowedAttributes();
$this->tp->grantScriptAccess();
$after = $this->tp->getAllowedAttributes();
}*/
}