colin
/
bookstack
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Hardened page content script escaping 

Increased range of tests to cover.

Fixes #1531
This commit is contained in:
Dan Brown 2019-07-10 20:17:22 +01:00
parent a602cdf401
commit c732970f6e
No known key found for this signature in database
GPG Key ID: 46D9F943C24A2EF9
2 changed files with 50 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
app/Entities/Repos/EntityRepo.php
View File

@ -760,13 +760,13 @@ class EntityRepo
$xPath = new DOMXPath($doc); $xPath = new DOMXPath($doc);
// Remove standard script tags // Remove standard script tags
$scriptElems = $xPath->query('//body//*//script'); $scriptElems = $xPath->query('//script');
foreach ($scriptElems as $scriptElem) { foreach ($scriptElems as $scriptElem) {
$scriptElem->parentNode->removeChild($scriptElem); $scriptElem->parentNode->removeChild($scriptElem);
} }
// Remove 'on*' attributes // Remove 'on*' attributes
$onAttributes = $xPath->query('//body//*/@*[starts-with(name(), \'on\')]'); $onAttributes = $xPath->query('//@*[starts-with(name(), \'on\')]');
foreach ($onAttributes as $attr) { foreach ($onAttributes as $attr) {
/** @var \DOMAttr $attr*/ /** @var \DOMAttr $attr*/
$attrName = $attr->nodeName; $attrName = $attr->nodeName;

48
tests/Entity/PageContentTest.php
View File

@ -84,6 +84,31 @@ class PageContentTest extends TestCase
$pageView->assertSee('abc123abc123'); $pageView->assertSee('abc123abc123');
} }
public function test_more_complex_content_script_escaping_scenarios()
{
$checks = [
"<p>Some script</p><script>alert('cat')</script>",
"<div><div><div><div><p>Some script</p><script>alert('cat')</script></div></div></div></div>",
"<p>Some script<script>alert('cat')</script></p>",
"<p>Some script <div><script>alert('cat')</script></div></p>",
"<p>Some script <script><div>alert('cat')</script></div></p>",
"<p>Some script <script><div>alert('cat')</script><script><div>alert('cat')</script></p><script><div>alert('cat')</script>",
];
$this->asEditor();
$page = Page::first();
foreach ($checks as $check) {
$page->html = $check;
$page->save();
$pageView = $this->get($page->getUrl());
$pageView->assertElementNotContains('.page-content', '<script>');
$pageView->assertElementNotContains('.page-content', '</script>');
}
}
public function test_page_inline_on_attributes_removed_by_default() public function test_page_inline_on_attributes_removed_by_default()
{ {
$this->asEditor(); $this->asEditor();
@ -97,6 +122,29 @@ class PageContentTest extends TestCase
$pageView->assertSee('<p>Hello</p>'); $pageView->assertSee('<p>Hello</p>');
} }
public function test_more_complex_inline_on_attributes_escaping_scenarios()
{
$checks = [
'<p onclick="console.log(\'test\')">Hello</p>',
'<div>Lorem ipsum dolor sit amet.</div><p onclick="console.log(\'test\')">Hello</p>',
'<div>Lorem ipsum dolor sit amet.<p onclick="console.log(\'test\')">Hello</p></div>',
'<div><div><div><div>Lorem ipsum dolor sit amet.<p onclick="console.log(\'test\')">Hello</p></div></div></div></div>',
'<div onclick="console.log(\'test\')">Lorem ipsum dolor sit amet.</div><p onclick="console.log(\'test\')">Hello</p><div></div>',
];
$this->asEditor();
$page = Page::first();
foreach ($checks as $check) {
$page->html = $check;
$page->save();
$pageView = $this->get($page->getUrl());
$pageView->assertElementNotContains('.page-content', 'onclick');
}
}
public function test_page_content_scripts_show_when_configured() public function test_page_content_scripts_show_when_configured()
{ {
$this->asEditor(); $this->asEditor();