Improved HTML filter.

OTRS · Sep 4, 2018 · 09e80c7 · 09e80c7
1 parent a4a1a01
commit 09e80c7
Show file tree

Hide file tree

Showing 2 changed files with 129 additions and 1 deletion.
diff --git a/Kernel/System/HTMLUtils.pm b/Kernel/System/HTMLUtils.pm
@@ -1163,10 +1163,28 @@ sub Safety {
                 }egsxim;
             }
 
+            # Remove malicious CSS content
+            $Tag =~ s{
+                (\s)style=("|') (.*?) \2
+            }
+            {
+                my ($Space, $Delimiter, $Content) = ($1, $2, $3);
+
+                if (
+                    ($Param{NoIntSrcLoad} && $Content =~ m{url\(})
+                    || ($Param{NoExtSrcLoad} && $Content =~ m/(http|ftp|https):\//i)) {
+                    $Replaced = 1;
+                    '';
+                }
+                else {
+                    "${Space}style=${Delimiter}${Content}${Delimiter}";
+                }
+            }egsxim;
+
             # remove load tags
             if ($Param{NoIntSrcLoad} || $Param{NoExtSrcLoad}) {
                 $Tag =~ s{
-                    ($TagStart (.+?) (?: \s | /) src=(.+?) (\s.+?|) $TagEnd)
+                    ($TagStart (.+?) (?: \s | /) (?:src|poster)=(.+?) (\s.+?|) $TagEnd)
                 }
                 {
                     my $URL = $3;

diff --git a/scripts/test/HTMLUtils/Safety.t b/scripts/test/HTMLUtils/Safety.t
@@ -816,6 +816,116 @@ You should be able to continue reading these lessons, however.
             Replace => 0,
         },
     },
+    {
+        Name   => 'Safety - remote poster attribute, forbidden',
+        Input  => '<video controls poster="http://some.domain/vorschaubild.png"/>',
+        Config => {
+            NoExtSrcLoad => 1,
+        },
+        Result => {
+            Output  => '',
+            Replace => 1,
+        },
+    },
+    {
+        Name   => 'Safety - remote poster attribute, allowed',
+        Input  => '<video controls poster="http://some.domain/vorschaubild.png"/>',
+        Config => {
+            NoExtSrcLoad => 0,
+        },
+        Result => {
+            Output  => '<video controls poster="http://some.domain/vorschaubild.png"/>',
+            Replace => 0,
+        },
+    },
+    {
+        Name  => 'Safety - malicious CSS content - remote background image, forbidden',
+        Input => '<a href="localhost" style="background-image:url(http://localhost:8000/css-background)">localhost</a>',
+        Config => {
+            NoExtSrcLoad => 1,
+        },
+        Result => {
+            Output  => '<a href="localhost">localhost</a>',
+            Replace => 1,
+        },
+    },
+    {
+        Name  => 'Safety - malicious CSS content - remote background image, allowed',
+        Input => '<a href="localhost" style="background-image:url(http://localhost:8000/css-background)">localhost</a>',
+        Config => {
+            NoExtSrcLoad => 0,
+        },
+        Result => {
+            Output  => '<a href="localhost" style="background-image:url(http://localhost:8000/css-background)">localhost</a>',
+            Replace => 0,
+        },
+    },
+    {
+        Name  => 'Safety - malicious CSS content - local background image, forbidden',
+        Input => '<a href="localhost" style="background-image:url(/local/css-background)">localhost</a>',
+        Config => {
+            NoIntSrcLoad => 1,
+        },
+        Result => {
+            Output  => '<a href="localhost">localhost</a>',
+            Replace => 1,
+        },
+    },
+    {
+        Name  => 'Safety - malicious CSS content - local background image, allowed',
+        Input => '<a href="localhost" style="background-image:url(/local/css-background)">localhost</a>',
+        Config => {
+            NoIntSrcLoad => 0,
+        },
+        Result => {
+            Output  => '<a href="localhost" style="background-image:url(/local/css-background)">localhost</a>',
+            Replace => 0,
+        },
+    },
+    {
+        Name   => 'Safety - malicious CSS content - remote css content, forbidden',
+        Input  => q|<p style="content:url('http://localhost:8000/css-content');"></p>|,
+        Config => {
+            NoExtSrcLoad => 1,
+        },
+        Result => {
+            Output  => '<p></p>',
+            Replace => 1,
+        },
+    },
+    {
+        Name   => 'Safety - malicious CSS content - remote css content, allowed',
+        Input  => q|<p style="content:url('http://localhost:8000/css-content');"></p>|,
+        Config => {
+            NoExtSrcLoad => 0,
+        },
+        Result => {
+            Output  => q|<p style="content:url('http://localhost:8000/css-content');"></p>|,
+            Replace => 0,
+        },
+    },
+    {
+        Name   => 'Safety - malicious CSS content - local css content, forbidden',
+        Input  => q|<p style="content:url('/local/css-content');"></p>|,
+        Config => {
+            NoIntSrcLoad => 1,
+        },
+        Result => {
+            Output  => '<p></p>',
+            Replace => 1,
+        },
+    },
+    {
+        Name   => 'Safety - malicious CSS content - local css content, allowed',
+        Input  => q|<p style="content:url('/local/css-content');"></p>|,
+        Config => {
+            NoIntSrcLoad => 0,
+        },
+        Result => {
+            Output  => q|<p style="content:url('/local/css-content');"></p>|,
+            Replace => 0,
+        },
+    },
 );
 
 for my $Test (@Tests) {