New feature #16649: enable video in spite of active xss filtering (#1591)
gabrieljenik committed Nov 13, 2020
1 parent 98b3190 commit 95491ea
Showing 3 changed files with 97 additions and 59 deletions.
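--- /dev/null
+++ b/application/core/LSYii_HtmlPurifier.php
@@ -0,0 +1,95 @@
+<?php if (!defined('BASEPATH')) {
+exit('No direct script access allowed');
+}
+/*
+* LimeSurvey
+* Copyright (C) 2007-2011 The LimeSurvey Project Team / Carsten Schmitz
+* All rights reserved.
+* License: GNU/GPL License v2 or later, see LICENSE.php
+* LimeSurvey is free software. This version may have been modified pursuant
+* to the GNU General Public License, and as distributed it includes or
+* is derivative of works licensed under the GNU General Public License or
+* other free or open source software licenses.
+* See COPYRIGHT.php for copyright notices and details.
+*
+*/
+
+class LSYii_HtmlPurifier extends CHtmlPurifier
+{
+
+/**
+* Get the config object for the HTML Purifier instance.
+* @return mixed the HTML Purifier instance config
+*/
+public function getConfig()
+{
+$purifier = $this->getPurifier();
+if($purifier!==null) return $purifier->config;
+}
+
+/**
+* Get an instance of LSYii_HtmlPurifier configured for XSS filtering
+*/
+public static function getXssPurifier() {
+$instance = new self();
+$instance->options = array(
+'AutoFormat.RemoveEmpty'=>false,
+'Core.NormalizeNewlines'=>false,
+'CSS.AllowTricky'=>true, // Allow display:none; (and other)
+'HTML.SafeObject'=>true, // To allow including youtube
+'Output.FlashCompat'=>true,
+'Attr.EnableID'=>true, // Allow to set id
+'Attr.AllowedFrameTargets'=>array('_blank', '_self'),
+'URI.AllowedSchemes'=>array(
+'http' => true,
+'https' => true,
+'mailto' => true,
+'ftp' => true,
+'nntp' => true,
+'news' => true,
+)
+);
+// To allow script BUT purify : HTML.Trusted=true (plugin idea for admin or without XSS filtering ?)
+
+// Enable video
+$config = $instance->getConfig();
+
+if (!empty($config)) {
+$config->set('HTML.DefinitionID', 'html5-definitions');
+$def = $config->maybeGetRawHTMLDefinition();
+$max = $config->get('HTML.MaxImgLength');
+if ($def) {
+$def->addElement(
+'video', // name
+'Inline', // content set
+'Flow', // allowed children
+'Common', // attribute collection
+array( // attributes
+'src' => 'URI',
+'id' => 'Text',
+'poster' => 'Text',
+'width' => 'Pixels#' . $max,
+'height' => 'Pixels#' . $max,
+'controls' => 'Bool#controls',
+'autobuffer' => 'Bool#autobuffer',
+'autoplay' => 'Bool#autoplay',
+'loop' => 'Bool#loop',
+'muted' => 'Bool#muted'
+)
+);
+$def->addElement(
+'source', // name
+'Inline', // content set
+'Empty', // allowed children
+null, // attribute collection
+array( // attributes
+'src*' => 'URI',
+'type' => 'Enum#video/mp4,video/webm',
+)
+);
+}
+}
+
+return $instance;
+}
+}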
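Review bot: `'poster' => 'Text'` in the `video` attribute list bypasses HTML Purifier's URI validation, so the `URI.AllowedSchemes` allow-list set a few lines above (and any configured URI filters) is not applied to the poster URL even though it is applied to `src`; declare it as `'poster' => 'URI'`, matching `src`. The neighbouring `'id' => 'Text'` has the same shape: with `Attr.EnableID` already on, the `Common` collection supplies `id`, and the explicit `Text` entry presumably replaces the purifier's own `ID` attribute definition (blacklist and duplicate checks), so it looks safer to drop that line — confirm against the HTML Purifier version in use. Separately, `HTML.DefinitionID` is set without an `HTML.DefinitionRev`, so when the definition cache is enabled `maybeGetRawHTMLDefinition()` returns null on a cache hit and the `if ($def)` block is skipped; that is by design, but any later edit to the `video`/`source` definitions will not take effect until the revision changes, so add `$config->set('HTML.DefinitionRev', 1); // bump whenever the definitions below change` beside the DefinitionID line.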
59 changes: 1 addition & 58 deletions application/core/LSYii_Validators.php
Expand Up @@ -109,64 +109,7 @@ public function fixCKeditor($value)
*/
public function xssFilter($value)
{
$filter = new CHtmlPurifier();
$filter->options = array(
'AutoFormat.RemoveEmpty'=>false,
'Core.NormalizeNewlines'=>false,
'CSS.AllowTricky'=>true, // Allow display:none; (and other)
'HTML.SafeObject'=>true, // To allow including youtube
'Output.FlashCompat'=>true,
'Attr.EnableID'=>true, // Allow to set id
'Attr.AllowedFrameTargets'=>array('_blank', '_self'),
'URI.AllowedSchemes'=>array(
'http' => true,
'https' => true,
'mailto' => true,
'ftp' => true,
'nntp' => true,
'news' => true,
)
);
// To allow script BUT purify : HTML.Trusted=true (plugin idea for admin or without XSS filtering ?)

// to enable video or something else we must use the config object of HTML-Purifier
$config = $filter->getPurifier()->config;

// enable video
$config->set('HTML.DefinitionID', 'html5-definitions');

$def = $config->maybeGetRawHTMLDefinition();
$max = $config->get('HTML.MaxImgLength');
if ($def) {
$def->addElement(
'video', // name
'Inline', // content set
'Flow', // allowed children
'Common', // attribute collection
array( // attributes
'src' => 'URI',
'id' => 'Text',
'poster' => 'Text',
'width' => 'Pixels#' . $max,
'height' => 'Pixels#' . $max,
'controls' => 'Bool#controls',
'autobuffer' => 'Bool#autobuffer',
'autoplay' => 'Bool#autoplay',
'loop' => 'Bool#loop',
'muted' => 'Bool#muted'
)
);
$def->addElement(
'source', // name
'Inline', // content set
'Empty', // allowed children
null, // attribute collection
array( // attributes
'src*' => 'URI',
'type' => 'Enum#video/mp4,video/webm',
)
);
}
$filter = LSYii_HtmlPurifier::getXssPurifier();

/** Start to get complete filtered value with url decode {QCODE} (bug #09300). This allow only question number in url, seems OK with XSS protection **/
$sFiltered = preg_replace('#%7B([a-zA-Z0-9\.]*)%7D#', '{$1}', $filter->purify($value));
2 changes: 1 addition & 1 deletion framework/web/widgets/CHtmlPurifier.php
Expand Up @@ -110,7 +110,7 @@ public function getOptions()
* Get the HTML Purifier instance or create a new one if it doesn't exist.
* @return HTMLPurifier
*/
public function getPurifier()
protected function getPurifier()
{
if($this->_purifier!==null)
return $this->_purifier;
