
[ticket/11768] Added support for creating unsafe BBCodes

PHPBB3-11768
JoshyPHP 2015-03-03 04:18:17 +01:00
parent dc9a28d346
commit 78b544920c
3 changed files with 45 additions and 4 deletions


@ -15,6 +15,7 @@ namespace phpbb\textformatter\s9e;
use s9e\TextFormatter\Configurator;
use s9e\TextFormatter\Configurator\Items\AttributeFilters\Regexp as RegexpFilter;
use s9e\TextFormatter\Configurator\Items\UnsafeTemplate;
/**
* Creates s9e\TextFormatter objects
@ -236,7 +237,7 @@ class factory implements \phpbb\textformatter\cache
try
{
$configurator->BBCodes->addCustom($row['bbcode_match'], $tpl);
$configurator->BBCodes->addCustom($row['bbcode_match'], new UnsafeTemplate($tpl));
}
catch (\Exception $e)
{
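Review bot: Wrapping every stored template in `UnsafeTemplate` at the `addCustom` call switches off s9e's template safety checks for all rows read from the bbcodes table, so a template like the fixture's `<a href="{TEXT1}">` now renders user-supplied text into an href unchanged, and the only remaining guard is who may define custom BBCodes in the ACP. That is the intended change, but nothing in the hunk records it, and the adjacent `catch (\Exception $e)` (its body lies outside the hunk) presumably now sees only templates that fail to parse rather than ones that fail the safety check. I would add a comment above the call: `// Custom BBCodes are admin-defined and trusted verbatim: UnsafeTemplate bypasses s9e's XSS safety checks, so the catch below only covers malformed templates.` The enclosing method starts and ends outside the hunk.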


@ -78,9 +78,6 @@ class phpbb_textformatter_s9e_factory_test extends phpbb_database_test_case
// This custom BBCode should be set
$this->assertTrue(isset($configurator->BBCodes['CUSTOM']));
// This unsafe custom BBCode will trigger an exception and should be ignored
$this->assertFalse(isset($configurator->BBCodes['UNSAFE']));
$this->assertTrue(isset($configurator->Emoticons[':D']));
}
@ -176,4 +173,19 @@ class phpbb_textformatter_s9e_factory_test extends phpbb_database_test_case
$expected = $original;
$this->assertSame($expected, $renderer->render($parser->parse($original)));
}
/**
* @testdox Accepts unsafe custom BBCodes
*/
public function test_unsafe_bbcode()
{
$fixture = __DIR__ . '/fixtures/unsafe_bbcode.xml';
$container = $this->get_test_case_helpers()->set_s9e_services(null, $fixture);
$parser = $container->get('text_formatter.parser');
$renderer = $container->get('text_formatter.renderer');
$original = '[xss=javascript:alert(1)]text[/xss]';
$expected = '<a href="javascript:alert(1)">text</a>';
$this->assertSame($expected, $renderer->render($parser->parse($original)));
}
}
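Review bot: The first hunk drops the assertion that an unsafe custom BBCode is ignored without adding a counterpart for the case that still goes through the catch path in factory.php, a custom BBCode whose template is malformed; whether the old `UNSAFE` fixture row is removed or now loads cleanly cannot be told from this page, so that branch may be left unexercised. A fixture row with an unparseable `bbcode_tpl` and an assertion such as `$this->assertFalse(isset($configurator->BBCodes['BROKEN']))` (constructed example) would keep it covered. In `test_unsafe_bbcode` the verbatim `javascript:` href is the behaviour under test, which the `@testdox` line alone does not make obvious; a comment on the `$expected` line such as `// Rendered verbatim: UnsafeTemplate skips s9e's URL-attribute safety check` would say so. The test method in the first hunk starts outside the hunk.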


@ -0,0 +1,28 @@
<?xml version="1.0" encoding="UTF-8" ?>
<dataset>
<table name="phpbb_bbcodes">
<column>bbcode_id</column>
<column>bbcode_tag</column>
<column>bbcode_helpline</column>
<column>display_on_posting</column>
<column>bbcode_match</column>
<column>bbcode_tpl</column>
<column>first_pass_match</column>
<column>first_pass_replace</column>
<column>second_pass_match</column>
<column>second_pass_replace</column>
<row>
<value>13</value>
<value>xss=</value>
<value></value>
<value>1</value>
<value>[xss={TEXT1}]{TEXT2}[/xss]</value>
<value><![CDATA[<a href="{TEXT1}">{TEXT2}</a>]]></value>
<value><![CDATA[!\[xss\=(.*?)\](.*?)\[/xss\]!ies]]></value>
<value><![CDATA['[xss='.str_replace(array("\r\n", '\"', '\'', '(', ')'), array("\n", '"', '&#39;', '&#40;', '&#41;'), trim('${1}')).':$uid]'.str_replace(array("\r\n", '\"', '\'', '(', ')'), array("\n", '"', '&#39;', '&#40;', '&#41;'), trim('${2}')).'[/xss:$uid]']]></value>
<value><![CDATA[!\[xss\=(.*?):$uid\](.*?)\[/xss:$uid\]!s]]></value>
<value><![CDATA[<a href="${1}">${2}</a>]]></value>
</row>
</table>
</dataset>