
prevent false XSS detection; fixes #1137

following5 committed Sep 28, 2017
1 parent 3cfa048 commit 96f7c3681be3bdec6beb74e9af02e9e8b65b5329
@@ -126,6 +126,7 @@ function getWaypoints($cacheId)
if ($cache_record !== false) {
if ($cache_record['user_id'] == $usr['userid'] || $login->listingAdmin()) {
$tplname = 'editcache';
tpl_acceptsAndPurifiesHtmlInput();
require $stylepath . '/editcache.inc.php';
@@ -82,6 +82,7 @@
if ($desc_record['user_id'] == $usr['userid'] || $login->listingAdmin()) {
$tplname = 'editdesc';
tpl_acceptsAndPurifiesHtmlInput();
tpl_set_var('desc_err', '');
$show_all_langs = false;
@@ -432,4 +432,6 @@
// select template mode and send it out
$tpl->assign('editlog', true);
$tpl->acceptsAndPurifiesHtmlInput();
$tpl->display();
@@ -325,6 +325,14 @@ function tpl_clear_page_functions()
unset($GLOBALS['page_functions']);
}
/**
* see OcSmarty::acceptsAndPurifiesHtmlInput
*/
function tpl_acceptsAndPurifiesHtmlInput()
{
header('X-XSS-Protection: 0');
}
/**
* read the templates and echo it to the user
*
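Review bot: `tpl_acceptsAndPurifiesHtmlInput()` hard-codes the same header string as `OcSmarty::acceptsAndPurifiesHtmlInput()` instead of sharing it, so the two can drift if the policy is ever tightened (e.g. switched to a Content-Security-Policy); consider a single constant such as `const XSS_PROTECTION_HEADER = 'X-XSS-Protection: 0';` used by both. The docblock should also state the precondition that `header()` imposes: call this before any output is sent, i.e. before the template `.inc.php` is included or anything is echoed, otherwise PHP emits "headers already sent" and the header is silently not set. A one-line docblock like `/** Disables the browser XSS auditor for pages that accept HTML input; must run before any output. See OcSmarty::acceptsAndPurifiesHtmlInput */` would cover it.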
@@ -597,4 +597,17 @@ public function checkTarget($sTarget, $sDefault = null)
return $sTarget;
}
public function acceptsAndPurifiesHtmlInput()
{
// Prevent false XSS detection of harmless HTML code
// see https://redmine.opencaching.de/issues/1137
// see https://stackoverflow.com/questions/43249998/chrome-err-blocked-by-xss-auditor-details
// XSS protection can be safely disabled if user-supplied content cannot inject JavaScript,
// see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
// This is ensured by HTMLpurifier in OC code.
header('X-XSS-Protection: 0');
}
}
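Review bot: The comment on the new method asserts that "user-supplied content cannot inject JavaScript" because of HTMLPurifier, but that is a property of every output path on the calling page, not of this method, and nothing here verifies it; the docblock should make the contract explicit, e.g. `// Callers MUST ensure every user-controlled value rendered on this page goes through HTMLPurifier or html_escape(); this header removes the browser's last-resort filter.` It would also help to note that the header only has an effect in browsers with a legacy XSS auditor (it is a no-op in browsers that dropped it) and that it must be called before `display()` emits output, which is the case at the visible call sites. For style, the method could declare `: void` if the file already uses return types elsewhere.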
@@ -396,4 +396,6 @@
$tpl->assign('scrollposy', isset($_REQUEST['scrollposy']) ? $_REQUEST['scrollposy'] + 0 : 0);
$tpl->assign('validate', $validate);
$tpl->assign('editlog', false);
$tpl->acceptsAndPurifiesHtmlInput();
$tpl->display();
@@ -113,6 +113,7 @@ function changetext()
assignFromDB($login->userid, true);
$tpl->assign('scrollposx', isset($_REQUEST['scrollposx']) ? $_REQUEST['scrollposx'] + 0 : 0);
$tpl->assign('scrollposy', isset($_REQUEST['scrollposy']) ? $_REQUEST['scrollposy'] + 0 : 0);
$tpl->acceptsAndPurifiesHtmlInput();
$tpl->display();
}
}
@@ -32,6 +32,7 @@
//set here the template to process
$tplname = 'newcache';
require_once $stylepath . '/' . $tplname . '.inc.php';
tpl_acceptsAndPurifiesHtmlInput();
//set template replacements
tpl_set_var('reset', $reset); // obsolete
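Review bot: At this call site `tpl_acceptsAndPurifiesHtmlInput();` is placed after `require_once $stylepath . '/' . $tplname . '.inc.php';`, whereas the other hunks in this commit set the header before including the template (`editcache`, `newdesc`); if the included `.inc.php` emits any output (even a stray newline after `?>`), `header()` will fail with a "headers already sent" warning and the page will keep the browser XSS auditor enabled. Moving the call one line up, before the `require_once`, makes the ordering consistent with the rest of the change and avoids the dependency on the include being output-free. The enclosing script starts before this hunk, so whether anything was already echoed earlier cannot be confirmed from here.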
@@ -38,6 +38,7 @@
if ($cache_record['user_id'] == $usr['userid']) {
$tplname = 'newdesc';
tpl_acceptsAndPurifiesHtmlInput();
require $stylepath . '/newdesc.inc.php';
