
fix: [security] XSS via galaxy cluster element values for reference types could contain javascript links

- ref type elements are automatically converted to links. A user would have to click a javascript: link for it to trigger, but it is still too risky to keep as is
- only urls starting with http:// and https:// are converted from here on

- As reported by Patrik Kontura from ESET
iglocska committed Jan 19, 2021
1 parent 741243f commit 829c3199ba3afdecb52e0719509f3df4463be5b4
Showing with 10 additions and 3 deletions.
  1. +10 −3 app/View/GalaxyElements/ajax/index.ctp
@@ -7,7 +7,7 @@
'before' => '$(".progress").show()',
'complete' => '$(".progress").hide()',
));

echo $this->Paginator->prev('« ' . __('previous'), array('tag' => 'li', 'escape' => false), null, array('tag' => 'li', 'class' => 'prev disabled', 'escape' => false, 'disabledTag' => 'span'));
echo $this->Paginator->numbers(array('modulus' => 20, 'separator' => '', 'tag' => 'li', 'currentClass' => 'active', 'currentTag' => 'span'));
echo $this->Paginator->next(__('next') . ' »', array('tag' => 'li', 'escape' => false), null, array('tag' => 'li', 'class' => 'next disabled', 'escape' => false, 'disabledTag' => 'span'));
@@ -25,7 +25,14 @@
?>
<tr>
<td class="short"><?= h($item['GalaxyElement']['key']); ?></td>
<td class="short"><?php if ($item['GalaxyElement']['key'] === 'refs') {
<td class="short">
<?php if (
$item['GalaxyElement']['key'] === 'refs' &&
(
substr($item['GalaxyElement']['value'], 0, 8) === 'https://' ||
substr($item['GalaxyElement']['value'], 0, 7) === 'http://'
)
) {
echo '<a href="' . h($item['GalaxyElement']['value']) . '" rel="noreferrer noopener">' . h($item['GalaxyElement']['value']) . '</a>';
} else if ($item['GalaxyElement']['key'] === 'country') {
echo $this->Icon->countryFlag($item['GalaxyElement']['value']) . ' ' . h($item['GalaxyElement']['value']);
@@ -35,7 +42,7 @@
?></td>
</tr>
<?php
endforeach;
endforeach;
?>
</table>
<p>
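Review bot: The new scheme allow-list in the `refs` branch (the two `substr` comparisons against `https://` and `http://`) carries no comment explaining why it exists, so a later maintainer could widen it to `ftp://`, `mailto:` or a scheme-less fallback and reintroduce the click-triggered XSS this commit closes; I would add above the condition: `// Only linkify http(s) refs: values are user-supplied, and other schemes (javascript:, data:) would give a click-triggered XSS.` The check itself fails closed — a non-matching value presumably falls to the remaining branches outside this hunk rather than being linkified — and both the href attribute and the link text are wrapped in `h()`, so no new injection surface is visible here. A value such as `HTTPS://example.org` will not be linkified because the comparison is case-sensitive, which is a usability quirk rather than a security problem; if the same linkification of `refs` exists in the non-ajax galaxy cluster views, it should apply the same scheme check. The enclosing if/else chain continues past the end of this hunk.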
