From 09e80c7752b0d9080688e4597c7495dd109e0963 Mon Sep 17 00:00:00 2001
From: Martin Gruner
Date: Tue, 4 Sep 2018 11:09:30 +0200
Subject: [PATCH] Improved HTML filter.
---
Kernel/System/HTMLUtils.pm | 20 +++++-
scripts/test/HTMLUtils/Safety.t | 110 ++++++++++++++++++++++++++++++++
2 files changed, 129 insertions(+), 1 deletion(-)
diff --git a/Kernel/System/HTMLUtils.pm b/Kernel/System/HTMLUtils.pm
index 27437e7c1b3..381713f39e3 100644
--- a/Kernel/System/HTMLUtils.pm
+++ b/Kernel/System/HTMLUtils.pm
@@ -1163,10 +1163,28 @@ sub Safety {
 }egsxim;
 }
 
+ # Remove malicious CSS content
+ $Tag =~ s{
+ (\s)style=("|') (.*?) \2
+ }
+ {
+ my ($Space, $Delimiter, $Content) = ($1, $2, $3);
+
+ if (
+ ($Param{NoIntSrcLoad} && $Content =~ m{url\(})
+ || ($Param{NoExtSrcLoad} && $Content =~ m/(http|ftp|https):\//i)) {
+ $Replaced = 1;
+ '';
+ }
+ else {
+ "${Space}style=${Delimiter}${Content}${Delimiter}";
+ }
+ }egsxim;
+
 # remove load tags
 if ($Param{NoIntSrcLoad} || $Param{NoExtSrcLoad}) {
 $Tag =~ s{
- ($TagStart (.+?) (?: \s | /) src=(.+?) (\s.+?|) $TagEnd)
+ ($TagStart (.+?) (?: \s | /) (?:src|poster)=(.+?) (\s.+?|) $TagEnd)
 }
 {
 my $URL = $3;
diff --git a/scripts/test/HTMLUtils/Safety.t b/scripts/test/HTMLUtils/Safety.t
index 62462ed9396..3f0098c9a34 100644
--- a/scripts/test/HTMLUtils/Safety.t
+++ b/scripts/test/HTMLUtils/Safety.t
@@ -816,6 +816,116 @@ You should be able to continue reading these lessons, however.
 Replace => 0,
 },
 },
+ {
+ Name => 'Safety - remote poster attribute, forbidden',
+ Input => '
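Review bot: The new style-attribute check in the HTMLUtils.pm hunk is bypassable because the inner matches are literal: `$Content =~ m{url\(}` has no `/i` and no allowance for CSS escapes, so `URL(` or `u\72l(` slips past NoIntSrcLoad, and the NoExtSrcLoad test `m/(http|ftp|https):\//i` misses protocol-relative `url(//host/x)` as well as escaped spellings of the scheme; CSS parsers are case-insensitive and decode `\hh` escapes, so the filter should be at least as lenient as the browser. A conservative fix is to reject any backslash outright instead of trying to decode escapes, e.g. `($Param{NoIntSrcLoad} && $Content =~ m{url\s*\(|\\|\@import|expression\s*\(}i)` and `|| ($Param{NoExtSrcLoad} && $Content =~ m{(?:https?|ftp):/|//|\\}i)`. The outer pattern `(\s)style=("|') (.*?) \2` also only matches quoted values, so an unquoted `style=background:url(...)` (valid HTML) is never inspected at all; the attribute regex should accept an unquoted value or the tag should be dropped when one is seen. The enclosing `sub Safety` and the `$Replaced` variable it sets begin outside this hunk, so whether `$Tag` here is always a single element tag cannot be confirmed from the diff.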