
Improved HTML filter.

mgruner committed Sep 4, 2018
1 parent d9db0c6 commit a808859a75c59ae3b7568f5cc4708c53462aa4c7
Showing with 129 additions and 1 deletion.
  1. +19 −1 Kernel/System/HTMLUtils.pm
  2. +110 −0 scripts/test/HTMLUtils/Safety.t
@@ -1163,10 +1163,28 @@ sub Safety {
}egsxim;
}

# Remove malicious CSS content
$Tag =~ s{
(\s)style=("|') (.*?) \2
}
{
my ($Space, $Delimiter, $Content) = ($1, $2, $3);

if (
($Param{NoIntSrcLoad} && $Content =~ m{url\(})
|| ($Param{NoExtSrcLoad} && $Content =~ m/(http|ftp|https):\//i)) {
$Replaced = 1;
'';
}
else {
"${Space}style=${Delimiter}${Content}${Delimiter}";
}
}egsxim;

# remove load tags
if ($Param{NoIntSrcLoad} || $Param{NoExtSrcLoad}) {
$Tag =~ s{
($TagStart (.+?) (?: \s | /) src=(.+?) (\s.+?|) $TagEnd)
($TagStart (.+?) (?: \s | /) (?:src|poster)=(.+?) (\s.+?|) $TagEnd)
}
{
my $URL = $3;
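Review bot: The `url\(` check on the NoIntSrcLoad branch is case-sensitive even though the substitution it sits in carries `/i` (the `egsxim` flags) and CSS function names are case-insensitive, so a `URL(` value in a style attribute passes through unstripped; make the inner match `m{url\(}i`, matching the `(http|ftp|https)` match on the following line which already has `/i`. The `(\s)style=("|') (.*?) \2` pattern also only inspects quoted attribute values, so an unquoted `style=` attribute is never examined by this new rule — either state that this is intended, e.g. `# NOTE: only quoted style values are filtered here; confirm unquoted attributes are normalised or rejected earlier in Safety()`, or extend the capture to cover the unquoted form. The `Safety` sub starts before this hunk and continues after it.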
@@ -816,6 +816,116 @@ You should be able to continue reading these lessons, however.
Replace => 0,
},
},
{
Name => 'Safety - remote poster attribute, forbidden',
Input => '<video controls poster="http://some.domain/vorschaubild.png"/>',
Config => {
NoExtSrcLoad => 1,
},
Result => {
Output => '',
Replace => 1,
},
},
{
Name => 'Safety - remote poster attribute, allowed',
Input => '<video controls poster="http://some.domain/vorschaubild.png"/>',
Config => {
NoExtSrcLoad => 0,
},
Result => {
Output => '<video controls poster="http://some.domain/vorschaubild.png"/>',
Replace => 0,
},
},
{
Name => 'Safety - malicious CSS content - remote background image, forbidden',
Input => '<a href="localhost" style="background-image:url(http://localhost:8000/css-background)">localhost</a>',
Config => {
NoExtSrcLoad => 1,
},
Result => {
Output => '<a href="localhost">localhost</a>',
Replace => 1,
},
},
{
Name => 'Safety - malicious CSS content - remote background image, allowed',
Input => '<a href="localhost" style="background-image:url(http://localhost:8000/css-background)">localhost</a>',
Config => {
NoExtSrcLoad => 0,
},
Result => {
Output => '<a href="localhost" style="background-image:url(http://localhost:8000/css-background)">localhost</a>',
Replace => 0,
},
},
{
Name => 'Safety - malicious CSS content - local background image, forbidden',
Input => '<a href="localhost" style="background-image:url(/local/css-background)">localhost</a>',
Config => {
NoIntSrcLoad => 1,
},
Result => {
Output => '<a href="localhost">localhost</a>',
Replace => 1,
},
},
{
Name => 'Safety - malicious CSS content - local background image, allowed',
Input => '<a href="localhost" style="background-image:url(/local/css-background)">localhost</a>',
Config => {
NoIntSrcLoad => 0,
},
Result => {
Output => '<a href="localhost" style="background-image:url(/local/css-background)">localhost</a>',
Replace => 0,
},
},
{
Name => 'Safety - malicious CSS content - remote css content, forbidden',
Input => q|<p style="content:url('http://localhost:8000/css-content');"></p>|,
Config => {
NoExtSrcLoad => 1,
},
Result => {
Output => '<p></p>',
Replace => 1,
},
},
{
Name => 'Safety - malicious CSS content - remote css content, allowed',
Input => q|<p style="content:url('http://localhost:8000/css-content');"></p>|,
Config => {
NoExtSrcLoad => 0,
},
Result => {
Output => q|<p style="content:url('http://localhost:8000/css-content');"></p>|,
Replace => 0,
},
},
{
Name => 'Safety - malicious CSS content - local css content, forbidden',
Input => q|<p style="content:url('/local/css-content');"></p>|,
Config => {
NoIntSrcLoad => 1,
},
Result => {
Output => '<p></p>',
Replace => 1,
},
},
{
Name => 'Safety - malicious CSS content - local css content, allowed',
Input => q|<p style="content:url('/local/css-content');"></p>|,
Config => {
NoIntSrcLoad => 0,
},
Result => {
Output => q|<p style="content:url('/local/css-content');"></p>|,
Replace => 0,
},
},
);

for my $Test (@Tests) {
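Review bot: The new cases only exercise double-quoted `style` attributes containing lowercase `url(`, while the filter added in HTMLUtils.pm (hunk at line 1163) accepts either quote delimiter and its CSS check is case-sensitive, so a single-quoted variant (`style='...'`) and an upper-case `URL(` variant, each with the relevant `NoIntSrcLoad => 1` / `NoExtSrcLoad => 1` config and `Replace => 1`, would pin the intended behaviour and catch the case-sensitivity gap. A case combining a `poster`/`src` attribute and a `style` attribute on the same tag would also show that the two rules compose rather than one substitution masking the other. The `@Tests` array these entries belong to starts before the hunk.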
