From 5eba8aa0df1befd34eb15a57dacfdc66cffd14ac Mon Sep 17 00:00:00 2001
From: Christian Schneider
Date: Sun, 6 Feb 2022 20:12:00 +0100
Subject: Filter out javascript: scheme in U() to avoid more XSS attacks
---
 it_html.class | 6 ++++++
 test/U_tests.json | 6 ++++++
 test/it_html.t | 2 ++
 3 files changed, 14 insertions(+)
diff --git a/it_html.class b/it_html.class
index d65b101..5175f2d 100644
--- a/it_html.class
+++ b/it_html.class
@@ -516,6 +516,12 @@ static function U(...$args)
 ($u['host'] ? $u['host'] : "") . ($u['port'] ? ":" . intval($u['port']) : "");
+ if (it::match('javascript', $u['scheme']))
+ {
+ it::error(['title' => "Invalid URL scheme javascript", 'body' => ['args' => $args, 'u' => $u]]); # FIXME CS 2022-03-01 Remove warning on javascript urls
+ $u['scheme'] = '';
+ }
+
 $schemepart = $hostpart ? ($u['scheme'] ? $u['scheme'] . ":" : "") . "//$hostpart" : ($u['scheme'] == "mailto" ? $u['scheme'] . ":" : "");
 # remove strings that will be interpreted as scheme from path
diff --git a/test/U_tests.json b/test/U_tests.json
index 83a6771..6bfb957 100644
--- a/test/U_tests.json
+++ b/test/U_tests.json
@@ -221,6 +221,12 @@
 "name": "U() remove multiple schemes from path"
 },
+ {
+ "args": ["jAvascript://a/%E2%80%A9alert(JSON.stringify(document.cookie))"],
+ "exp": "//a/%E2%80%A9alert(JSON.stringify(document.cookie))",
+ "name": "U() remove multiple schemes from path"
+ },
+
 {
 "args": ["//Oeffnungszeiten:8.30-17.00/"],
 "exp": "//Oeffnungszeiten:8.30-17.00/",
diff --git a/test/it_html.t b/test/it_html.t
index aa734c0..a387781 100755
--- a/test/it_html.t
+++ b/test/it_html.t
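Review bot: The new guard is a denylist that only blanks a scheme containing `javascript`; every other scheme is still emitted verbatim through `$schemepart` on the following context line, so U() remains a sink for schemes that some browsers will execute or render (`data:`, and `vbscript:` in legacy engines). An allowlist of the schemes U() is meant to produce would close that whole class at once, e.g. `if ($u['scheme'] && !in_array(strtolower($u['scheme']), ['http', 'https', 'mailto'])) { $u['scheme'] = ''; }` — the list itself needs confirming against existing callers (ftp links and the like). The check also leans on `it::match` defaulting to case-insensitive matching, which the `jAvascript://…` fixture added in test/U_tests.json depends on; lowercasing the scheme before the comparison makes that explicit rather than a property of the helper. `it::error` is handed the raw `$args`, so the attacker-supplied URL lands verbatim in error reports — useful for triage, but worth knowing wherever those reports are forwarded. U()'s body begins and ends outside the hunk.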
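Review bot: The new fixture copies the name `U() remove multiple schemes from path` from the case just above it, so a failure of either prints the same label and the javascript-scheme regression cannot be told apart in test output; give it a distinct name such as `"name": "U() strip javascript: scheme regardless of case"`. The expected value keeps the full path, which is consistent with U() only blanking `$u['scheme']`, but a second fixture with the lowercase `javascript://` spelling would document that both spellings are covered rather than relying on one mixed-case input.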
@@ -253,8 +253,10 @@ is(
 'empty tags removal'
 );
+$GLOBALS['ULTRANOERRORS'] = true; # FIXME CS 2022-03-01 Remove this after U() does include it::error for javascript urls any more
 foreach (json_decode(it::file_get_contents(dirname($argv[0]) . '/U_tests.json'), true) as $test)
 is(U(...$test['args']), $test['exp'], $test['name']);
+$GLOBALS['ULTRANOERRORS'] = false;
 is(it_html::entity_decode("ä"), "รค");
 is(it_html::entity_decode("J"), "J");
--
cgit v1.2.3
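Review bot: `$GLOBALS['ULTRANOERRORS'] = true` blankets the whole U_tests.json loop, so an unexpected `it::error` from any of the other fixtures is silenced as well and a regression there would go unnoticed until the FIXME is resolved. Scoping the suppression to the fixtures known to trigger the warning keeps the remaining cases strict; one way is a per-fixture flag in U_tests.json (the key name below is a placeholder) that the loop reads before each call, as sketched below. The FIXME text `Remove this after U() does include it::error for javascript urls any more` reads as a slip for `does not call it::error … any more`; worth fixing while the line is touched. If the loop dies, the reset to `false` on the next line never runs — tolerable in a test script, but another reason to keep the suppressed window small.
```php
foreach (json_decode(it::file_get_contents(dirname($argv[0]) . '/U_tests.json'), true) as $test)
{
    // suppress it::error only for fixtures that declare they trigger it (flag name is a placeholder)
    $GLOBALS['ULTRANOERRORS'] = !empty($test['expect_error']);
    is(U(...$test['args']), $test['exp'], $test['name']);
}
$GLOBALS['ULTRANOERRORS'] = false;
```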