mirror/php-htmlpurifier
1
0
Fork 0
mirror of https://github.com/ezyang/htmlpurifier.git synced 2025-08-02 20:27:40 +02:00
Code Issues Releases Wiki Activity

[2.1.4] [MFH] Add protection against imagecrash attack with CSS height/width from r1684

Browse Source 
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/branches/php4@1719 48356398-32a2-884e-a903-53898d9a118a
This commit is contained in:
Edward Z. Yang
2008-05-15 05:21:37 +00:00
parent 5fa575f8ac
commit e7fa8cbdd5
4 changed files with 38 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
NEWS
View File

@@ -28,6 +28,7 @@ ERRATA
- HTMLPurifier_HTMLDefinition->addAttribute can now be called multiple times - HTMLPurifier_HTMLDefinition->addAttribute can now be called multiple times
on the same element without emitting errors. on the same element without emitting errors.
- Iconv uses set_error_handler instead of shut-up operator - Iconv uses set_error_handler instead of shut-up operator
- Add protection against imagecrash attack with CSS height/width
2.1.3, released 2007-11-05 2.1.3, released 2007-11-05
! tests/multitest.php allows you to test multiple versions by running ! tests/multitest.php allows you to test multiple versions by running

26
library/HTMLPurifier/AttrDef/CSS/DenyElementDecorator.php Normal file
View File

@@ -0,0 +1,26 @@
<?php
/**
* Decorator which enables CSS properties to be disabled for specific elements.
*/
class HTMLPurifier_AttrDef_CSS_DenyElementDecorator extends HTMLPurifier_AttrDef
{
var $def, $element;
/**
* @param $def Definition to wrap
* @param $element Element to deny
*/
function HTMLPurifier_AttrDef_CSS_DenyElementDecorator(&$def, $element) {
$this->def =& $def;
$this->element = $element;
}
/**
* Checks if CurrentToken is set and equal to $this->element
*/
function validate($string, $config, $context) {
$token = $context->get('CurrentToken', true);
if ($token && $token->name == $this->element) return false;
return $this->def->validate($string, $config, $context);
}
}

4
library/HTMLPurifier/CSSDefinition.php
View File

@@ -7,6 +7,7 @@ require_once 'HTMLPurifier/AttrDef/CSS/BackgroundPosition.php';
require_once 'HTMLPurifier/AttrDef/CSS/Border.php'; require_once 'HTMLPurifier/AttrDef/CSS/Border.php';
require_once 'HTMLPurifier/AttrDef/CSS/Color.php'; require_once 'HTMLPurifier/AttrDef/CSS/Color.php';
require_once 'HTMLPurifier/AttrDef/CSS/Composite.php'; require_once 'HTMLPurifier/AttrDef/CSS/Composite.php';
require_once 'HTMLPurifier/AttrDef/CSS/DenyElementDecorator.php';
require_once 'HTMLPurifier/AttrDef/CSS/Font.php'; require_once 'HTMLPurifier/AttrDef/CSS/Font.php';
require_once 'HTMLPurifier/AttrDef/CSS/FontFamily.php'; require_once 'HTMLPurifier/AttrDef/CSS/FontFamily.php';
require_once 'HTMLPurifier/AttrDef/CSS/Length.php'; require_once 'HTMLPurifier/AttrDef/CSS/Length.php';
@@ -177,11 +178,12 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
$this->info['width'] = $this->info['width'] =
$this->info['height'] = $this->info['height'] =
new HTMLPurifier_AttrDef_CSS_DenyElementDecorator(
new HTMLPurifier_AttrDef_CSS_Composite(array( new HTMLPurifier_AttrDef_CSS_Composite(array(
new HTMLPurifier_AttrDef_CSS_Length(true), new HTMLPurifier_AttrDef_CSS_Length(true),
new HTMLPurifier_AttrDef_CSS_Percentage(true), new HTMLPurifier_AttrDef_CSS_Percentage(true),
new HTMLPurifier_AttrDef_Enum(array('auto')) new HTMLPurifier_AttrDef_Enum(array('auto'))
)); )), 'img');
$this->info['text-decoration'] = new HTMLPurifier_AttrDef_CSS_TextDecoration(); $this->info['text-decoration'] = new HTMLPurifier_AttrDef_CSS_TextDecoration();

7
tests/HTMLPurifier/Strategy/ValidateAttributesTest.php
View File

@@ -180,6 +180,13 @@ class HTMLPurifier_Strategy_ValidateAttributesTest extends
); );
} }
function testRemoveCSSWidthAndHeightOnImg() {
$this->assertResult(
'<img src="" alt="" style="width:10px;height:10px;border:1px solid #000;" />',
'<img src="" alt="" style="border:1px solid #000;" />'
);
}
} }