
Commit 7481ccf

committed
fix(hmtl): prevent html injection of tag form
1 parent 65374e4 commit 7481ccf

2 files changed

+13
-0
lines changed


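--- a/SoObjects/SOGo/NSString+Utilities.m
+++ b/SoObjects/SOGo/NSString+Utilities.m
@@ -979,6 +979,18 @@ - (NSString *) stringWithoutHTMLInjection: (BOOL)stripHTMLCode
 newResult = [regex stringByReplacingMatchesInString:result options:0 range:NSMakeRange(0, [result length]) withTemplate:@"<ifr***"];
 result = [NSString stringWithString: newResult];
 
+// Remove <form
+regex = [NSRegularExpression regularExpressionWithPattern:@"<[\\s\\u200B&#x09;&#x0A;&#x0D;\\\\0]*f[\\s\\u200B&#x09;&#x0A;&#x0D;\\\\0]*o[\\s\\u200B&#x09;&#x0A;&#x0D;\\\\0]*r[\\s\\u200B&#x09;&#x0A;&#x0D;\\\\0]*m"
+options: NSRegularExpressionCaseInsensitive error:&error];
+newResult = [regex stringByReplacingMatchesInString:result options:0 range:NSMakeRange(0, [result length]) withTemplate:@"<for*"];
+result = [NSString stringWithString: newResult];
+
+// Remove </form
+regex = [NSRegularExpression regularExpressionWithPattern:@"<[\\s\\u200B&#x09;&#x0A;&#x0D;\\\\0]*/[\\s\\u200B&#x09;&#x0A;&#x0D;\\\\0]*f[\\s\\u200B&#x09;&#x0A;&#x0D;\\\\0]*o[\\s\\u200B&#x09;&#x0A;&#x0D;\\\\0]*r[\\s\\u200B&#x09;&#x0A;&#x0D;\\\\0]*m"
+options: NSRegularExpressionCaseInsensitive error:&error];
+newResult = [regex stringByReplacingMatchesInString:result options:0 range:NSMakeRange(0, [result length]) withTemplate:@"</for*"];
+result = [NSString stringWithString: newResult];
+
 // Remove onload
 regex = [NSRegularExpression regularExpressionWithPattern:@"onload="
 options: NSRegularExpressionCaseInsensitive error:&error];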
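Review bot: Neither of the two new rules (new lines 983 and 989) checks that `regularExpressionWithPattern:options:error:` actually returned an object: with a nil `regex`, `newResult` becomes nil and `[NSString stringWithString: newResult]` raises NSInvalidArgumentException, so a sanitizer that is meant to fail closed instead aborts in the caller — a guard such as `if (!regex) return nil;` (or at least `NSAssert(regex != nil, @"bad <form pattern")`) would make the failure mode deliberate; the surrounding iframe/onload rules appear to share this, so it may be worth fixing in one place. The `\\\\0` member of each character class reaches ICU as a literal backslash followed by the digit `0`, not a NUL byte; if NUL was the intent (this looks copied from the existing rules), `\\x00` would express it. The comments overstate what happens — the tag's attributes are left in place and only the name is rewritten — so I would write `// Neutralize <form ...> by rewriting the tag name to <for*; attributes are kept` and the matching `// Neutralize </form> by rewriting it to </for*`. stringWithoutHTMLInjection: starts and ends outside this hunk.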

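--- a/Tests/Unit/TestNSString+Utilities.m
+++ b/Tests/Unit/TestNSString+Utilities.m
@@ -105,6 +105,7 @@ - (void) test_stringWithoutHTMLInjection
 testEquals([[NSString stringWithString:@"<img vbscript:test"] stringWithoutHTMLInjection: NO], @"<img test");
 testEquals([[NSString stringWithString:@"<img javascript:test"] stringWithoutHTMLInjection: NO], @"<img test");
 testEquals([[NSString stringWithString:@"<img livescript:test"] stringWithoutHTMLInjection: NO], @"<img test");
+testEquals([[NSString stringWithString:@"foobar <form action=\"\">bar</form>"] stringWithoutHTMLInjection: NO], @"foobar <for* action=\"\">bar</for*>");
 testEquals([[NSString stringWithString:@"foobar <iframe src=\"\">bar</iframe>"] stringWithoutHTMLInjection: NO], @"foobar <ifr*** src=\"\">bar</iframe>");
 testEquals([[NSString stringWithString:@"foobar <img onload=foo bar"] stringWithoutHTMLInjection: NO], @"foobar <img onl***=foo bar");
 testEquals([[NSString stringWithString:@"foobar <img onmouseover=foo bar"] stringWithoutHTMLInjection: NO], @"foobar <img onmouseo***=foo bar");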
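Review bot: The new case at line 108 only exercises the plain, lower-case spelling of `<form`, while the pattern it is meant to verify is written specifically to catch tag names broken up with whitespace or U+200B and in mixed case, so none of that is pinned by the suite. One constructed input per rule would cover it, e.g. `testEquals([[NSString stringWithString:@"<F\u200Borm action=\"\">"] stringWithoutHTMLInjection: NO], @"<for* action=\"\">");` for the opening tag and `testEquals([[NSString stringWithString:@"</ form>"] stringWithoutHTMLInjection: NO], @"</for*>");` for the closing one. test_stringWithoutHTMLInjection continues outside this hunk.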
