prevent false XSS detection; fixes #1137

OpencachingDeutschland · Sep 28, 2017 · 96f7c36 · 96f7c36
1 parent 3cfa048
commit 96f7c36
Show file tree

Hide file tree

Showing 9 changed files with 30 additions and 0 deletions.
diff --git a/htdocs/editcache.php b/htdocs/editcache.php
@@ -126,6 +126,7 @@ function getWaypoints($cacheId)
         if ($cache_record !== false) {
             if ($cache_record['user_id'] == $usr['userid'] || $login->listingAdmin()) {
                 $tplname = 'editcache';
+                tpl_acceptsAndPurifiesHtmlInput();
 
                 require $stylepath . '/editcache.inc.php';
 

diff --git a/htdocs/editdesc.php b/htdocs/editdesc.php
@@ -82,6 +82,7 @@
 
             if ($desc_record['user_id'] == $usr['userid'] || $login->listingAdmin()) {
                 $tplname = 'editdesc';
+                tpl_acceptsAndPurifiesHtmlInput();
 
                 tpl_set_var('desc_err', '');
                 $show_all_langs = false;

diff --git a/htdocs/editlog.php b/htdocs/editlog.php
@@ -432,4 +432,6 @@
 
 // select template mode and send it out
 $tpl->assign('editlog', true);
+
+$tpl->acceptsAndPurifiesHtmlInput();
 $tpl->display();
diff --git a/htdocs/lib/common.inc.php b/htdocs/lib/common.inc.php
@@ -325,6 +325,14 @@ function tpl_clear_page_functions()
     unset($GLOBALS['page_functions']);
 }
 
+/**
+ * see OcSmarty::acceptsAndPurifiesHtmlInput
+ */
+function tpl_acceptsAndPurifiesHtmlInput()
+{
+    header('X-XSS-Protection: 0');
+}
+
 /**
  * read the templates and echo it to the user
  *

diff --git a/htdocs/lib2/OcSmarty.class.php b/htdocs/lib2/OcSmarty.class.php
@@ -597,4 +597,17 @@ public function checkTarget($sTarget, $sDefault = null)
 
         return $sTarget;
     }
+
+     public function acceptsAndPurifiesHtmlInput()
+     {
+        // Prevent false XSS detection of harmless HTML code
+        // see https://redmine.opencaching.de/issues/1137
+        // see https://stackoverflow.com/questions/43249998/chrome-err-blocked-by-xss-auditor-details
+
+        // XSS protection can be safely disabled if user-supplied content cannot inject JavaScript,
+        // see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
+        // This is ensured by HTMLpurifier in OC code.
+
+        header('X-XSS-Protection: 0');
+     }
 }
diff --git a/htdocs/log.php b/htdocs/log.php
@@ -396,4 +396,6 @@
 $tpl->assign('scrollposy', isset($_REQUEST['scrollposy']) ? $_REQUEST['scrollposy'] + 0 : 0);
 $tpl->assign('validate', $validate);
 $tpl->assign('editlog', false);
+
+$tpl->acceptsAndPurifiesHtmlInput();
 $tpl->display();
diff --git a/htdocs/mydetails.php b/htdocs/mydetails.php
@@ -113,6 +113,7 @@ function changetext()
         assignFromDB($login->userid, true);
         $tpl->assign('scrollposx', isset($_REQUEST['scrollposx']) ? $_REQUEST['scrollposx'] + 0 : 0);
         $tpl->assign('scrollposy', isset($_REQUEST['scrollposy']) ? $_REQUEST['scrollposy'] + 0 : 0);
+        $tpl->acceptsAndPurifiesHtmlInput();
         $tpl->display();
     }
 }

diff --git a/htdocs/newcache.php b/htdocs/newcache.php
@@ -32,6 +32,7 @@
         //set here the template to process
         $tplname = 'newcache';
         require_once $stylepath . '/' . $tplname . '.inc.php';
+        tpl_acceptsAndPurifiesHtmlInput();
 
         //set template replacements
         tpl_set_var('reset', $reset); // obsolete

diff --git a/htdocs/newdesc.php b/htdocs/newdesc.php
@@ -38,6 +38,7 @@
 
             if ($cache_record['user_id'] == $usr['userid']) {
                 $tplname = 'newdesc';
+                tpl_acceptsAndPurifiesHtmlInput();
 
                 require $stylepath . '/newdesc.inc.php';