Skip to content
Permalink
Browse files Browse the repository at this point in the history
fix(security): Security fix for WSTG-INPV-02. Add XSS protection on f…
…olders and mail title / content
  • Loading branch information
WoodySlum committed Nov 22, 2022
1 parent dcbfd83 commit 1e0f5f0
Showing 1 changed file with 49 additions and 33 deletions.
82 changes: 49 additions & 33 deletions SoObjects/SOGo/NSString+Utilities.m
Expand Up @@ -898,35 +898,49 @@ - (NSString *) decryptWithKey: (NSString *) theKey
*/
- (NSString *) stringWithoutHTMLInjection: (BOOL)stripHTMLCode
{
NSString *result, *text;
NSScanner *theScanner;
NSError *error;

text = nil;
error = nil;
result = [NSString stringWithString: self];

if (stripHTMLCode) {
// Author : https://www.codercrunch.com/question/1251681838/how-remove-html-tags-string-ios
theScanner = [NSScanner scannerWithString: result];
while ([theScanner isAtEnd] == NO) {
// find start of tag
[theScanner scanUpToString: @"<" intoString: NULL];
// find end of tag
[theScanner scanUpToString: @">" intoString: &text];
// replace the found tag with a space
//(you can filter multi-spaces out later if you wish)
result = [result stringByReplacingOccurrencesOfString:
[NSString stringWithFormat: @"%@>", text]
withString: @" "];
}
} else {
// Clean XSS
// Examples of injection : https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html#xss-locator-polygot

// NSRegularExpression is not implemented in old GNUStep versions (ubuntu trusty)
if (NSClassFromString(@"NSRegularExpression")) {
NSRegularExpression *regex = nil;
// NSRegularExpression is not implemented in old GNUStep versions (ubuntu trusty)
if (NSClassFromString(@"NSRegularExpression")) {
NSString *result, *text;
NSScanner *theScanner;
NSError *error;
NSUInteger numberOfMatches;
NSRegularExpression *regex;

text = nil;
error = nil;
result = [NSString stringWithString: self];
regex = nil;

if (stripHTMLCode) {
// Author : https://www.codercrunch.com/question/1251681838/how-remove-html-tags-string-ios
theScanner = [NSScanner scannerWithString: result];
while ([theScanner isAtEnd] == NO) {
// find start of tag
[theScanner scanUpToString: @"<" intoString: NULL];
// find end of tag
[theScanner scanUpToString: @">" intoString: &text];

// Check that text is not <xxx@xx.net
regex = [NSRegularExpression regularExpressionWithPattern:@"^<[a-zA-Z.\\-_]+@[a-zA-Z.\\-_]+.[a-zA-Z]+$"
options: NSRegularExpressionCaseInsensitive error:&error];
numberOfMatches = 0;

if (text && !error) {
numberOfMatches = [regex numberOfMatchesInString: text
options:0
range:NSMakeRange(0, [text length])];
if (0 == numberOfMatches) {
// replace the found tag with a space
//(you can filter multi-spaces out later if you wish)
result = [result stringByReplacingOccurrencesOfString:
[NSString stringWithFormat: @"%@>", text]
withString: @" "];
}
}
}
} else {
// Clean XSS
// Examples of injection : https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html#xss-locator-polygot

// Remove javascript:
regex = [NSRegularExpression regularExpressionWithPattern:@"j[\\s\\u200B&#x09;&#x0A;&#x0D;\\\\0]*a[\\s\\u200B&#x09;&#x0A;&#x0D;\\\\0]*v[\\s\\u200B&#x09;&#x0A;&#x0D;\\\\0]*a[\\s\\u200B&#x09;&#x0A;&#x0D;\\\\0]*s[\\s\\u200B&#x09;&#x0A;&#x0D;\\\\0]*c[\\s\\u200B&#x09;&#x0A;&#x0D;\\\\0]*r[\\s\\u200B&#x09;&#x0A;&#x0D;\\\\0]*i[\\s\\u200B&#x09;&#x0A;&#x0D;\\\\0]*p[\\s\\u200B&#x09;&#x0A;&#x0D;\\\\0]*t[\\s\\u200B&#x09;&#x0A;&#x0D;\\\\0]*:"
Expand Down Expand Up @@ -967,10 +981,12 @@ - (NSString *) stringWithoutHTMLInjection: (BOOL)stripHTMLCode
regex = [NSRegularExpression regularExpressionWithPattern:@"onmouseover="
options: NSRegularExpressionCaseInsensitive error:&error];
result = [regex stringByReplacingMatchesInString:result options:0 range:NSMakeRange(0, [result length]) withTemplate:@"onmouseo***="];
}
}

return result;
}

return result;
} else {
return self;
}
}

@end

0 comments on commit 1e0f5f0

Please sign in to comment.