Quam Plures

Merge lp:~quam-plures-core/quam-plures/xss-in-balance-tags_alternate into lp:quam-plures

  1. xss-in-balance-tags_alternate
  2. Merge into trunk
Proposed by Tilman Blumenbach
Status: Merged
Merged at revision: 7600
Proposed branch: lp:~quam-plures-core/quam-plures/xss-in-balance-tags_alternate
Merge into: lp:quam-plures
Diff against target: 64 lines (+8/-16)
2 files modified
qp_inc/_core/_param.funcs.php (+2/-10)
qp_inc/xhtml_validator/_xhtml_validator.class.php (+6/-6)
To merge this branch: bzr merge lp:~quam-plures-core/quam-plures/xss-in-balance-tags_alternate
Reviewer Review Type Date Requested Status
Yabs (community) Approve
Review via email: mp+53662@code.launchpad.net

Description of the change

-------------------------------------------
This is an alternative to https://code.launchpad.net/~quam-plures-core/quam-plures/xss-in-balance-tags/+merge/53602
Proposed merge to make reviewing easier.
-------------------------------------------

This branch fixes bug 736035 by basically removing any processing instructions in user-supplied HTML. It also moves some HTML hacks to better suited locations.

To post a comment you must log in.
Revision history for this message
Tilman Blumenbach (tblue) wrote :

At the moment, this removes the dangerous tokens; it may be wise to escape them instead ("<?" becomes "&lt;?" and "<!" becomes "&lt;!" -- this would make it possible to simply use "<!--" instead of having to write "&lt;!--" in comments etc.).

Revision history for this message
EdB (edb) wrote :

I like this one better because it doesn't say "concatenate stuff due to PHP4.3.whatever" but I dunno shit from shinola wrt testing or even verificating everything looks good, so y'all figure it out and I'll just agree with whatever fix seems most popular :)

Revision history for this message
Tilman Blumenbach (tblue) wrote :

Forget my first comment here. It doesn't make sense as you sometimes want to include HTML comments on purpose. This branch still allows <? stuff if the rest of the HTML is valid (i. e. if there are no forbidden tags), but I don't think that's a problem. Can you do any harm by using processing instructions?

Revision history for this message
Yabs (yabs) wrote :

Certainly seems to work and is a better solution ;)

¥

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'qp_inc/_core/_param.funcs.php'
2--- qp_inc/_core/_param.funcs.php 2010-12-31 12:12:03 +0000
3+++ qp_inc/_core/_param.funcs.php 2011-03-16 17:27:57 +0000
4@@ -1681,6 +1681,8 @@
5
6 // Replace any & that is not a character or entity reference with &amp;
7 $content = preg_replace( '/&(?!#[0-9]+;|#x[0-9a-fA-F]+;|[a-zA-Z_:][a-zA-Z0-9._:-]*;)/', '&amp;', $content );
8+ // Fix for smileys like LOVE <3 (and other situations with '<' before a number).
9+ $content = preg_replace( '#<([0-9])#', '&lt;$1', $content );
10
11 // ANTISPAM check:
12 if( ! $bypass_antispam
13@@ -1812,12 +1814,6 @@
14 $tagqueue = '';
15 $newtext = '';
16
17- # b2 bug fix for comments - in case you REALLY meant to type '< !--'
18- $text = str_replace('< !--', '< !--', $text);
19-
20- # b2 bug fix for LOVE <3 (and other situations with '<' before a number)
21- $text = preg_replace('#<([0-9]{1})#', '&lt;$1', $text);
22-
23 while( preg_match('~<(\s*/?\w+)\s*(.*?)/?>~', $text, $regex) )
24 {
25 $newtext = $newtext . $tagqueue;
26@@ -1902,10 +1898,6 @@
27 $newtext = $newtext . '</' . $x . '>'; // Add remaining tags to close
28 }
29
30- # b2 fix for the bug with HTML comments
31- $newtext = str_replace( '< !--', '<'.'!--', $newtext ); // the concatenation is needed to work around some strange parse error in PHP 4.3.1
32- $newtext = str_replace( '< !--', '< !--', $newtext );
33-
34 return $newtext;
35 }
36
37
38=== modified file 'qp_inc/xhtml_validator/_xhtml_validator.class.php'
39--- qp_inc/xhtml_validator/_xhtml_validator.class.php 2010-12-31 12:12:03 +0000
40+++ qp_inc/xhtml_validator/_xhtml_validator.class.php 2011-03-16 17:27:57 +0000
41@@ -166,11 +166,11 @@
42 }
43 }
44
45- // Open comments or '<![CDATA[' are dangerous
46- $xhtml = str_replace('<!', '', $xhtml);
47-
48- // Convert isolated & chars
49- $xhtml = preg_replace( '#(\s)&(\s)#', '\\1&amp;\\2', $xhtml );
50+ // Remove special tokens:
51+ // "<!": Open comments or '<![CDATA[' are dangerous.
52+ // "<?": Processing instructions allow an attacker to inject arbitrary HTML.
53+ // (LP bug #736035).
54+ $xhtml = str_replace( array( '<!', '<?' ), '', $xhtml );
55
56 $xhtml_head = '<?xml version="1.0"';
57 if( ! empty($this->encoding) )
58@@ -327,4 +327,4 @@
59 }
60
61
62-?>
63\ No newline at end of file
64+?>

Subscribers

People subscribed via source and target branches