-
Notifications
You must be signed in to change notification settings - Fork 651
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[SECURITY] Prevent XSS in modal component
Resolves: #84190 Releases: master, 8.7, 7.6 Security-Commit: e991d9ac10b78f360bff386d9a822f0caa7c781d Security-Bulletin: TYPO3-CORE-SA-2018-007 Change-Id: I41f0d6bdb5e06b6f08b19feaf59ea47e3a197549 Reviewed-on: https://review.typo3.org/59093 Reviewed-by: Oliver Hader <oliver.hader@typo3.org> Tested-by: Oliver Hader <oliver.hader@typo3.org>
- Loading branch information
Showing
3 changed files
with
97 additions
and
6 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
70 changes: 70 additions & 0 deletions
70
typo3/sysext/core/Resources/Private/TypeScript/SecurityUtility.ts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,70 @@ | ||
/* | ||
* This file is part of the TYPO3 CMS project. | ||
* | ||
* It is free software; you can redistribute it and/or modify it under | ||
* the terms of the GNU General Public License, either version 2 | ||
* of the License, or any later version. | ||
* | ||
* For the full copyright and license information, please read the | ||
* LICENSE.txt file that was distributed with this source code. | ||
* | ||
* The TYPO3 project - inspiring people to share! | ||
*/ | ||
|
||
/** | ||
* Module: TYPO3/CMS/Core/SecurityUtility | ||
* contains method to escape input to prevent XSS and other security related things | ||
* @exports TYPO3/CMS/Core/SecurityUtility | ||
*/ | ||
class SecurityUtility { | ||
private readonly documentRef: Document; | ||
|
||
/** | ||
* @param {Document} documentRef | ||
*/ | ||
constructor(documentRef: Document = document) { | ||
this.documentRef = documentRef; | ||
} | ||
|
||
/** | ||
* Encodes HTML to use according entities. Behavior is similar to PHP's | ||
* htmlspecialchars. Input might contain XSS, output has it encoded. | ||
* | ||
* @param {string} value Input value to be encoded | ||
* @param {boolean} doubleEncode (default `true`) | ||
* @return {string} | ||
*/ | ||
public encodeHtml(value: string, doubleEncode: boolean = true): string { | ||
let anvil: HTMLSpanElement = this.createAnvil(); | ||
if (!doubleEncode) { | ||
// decode HTML entities step-by-step | ||
// but NEVER(!) as a whole, since that would allow XSS | ||
value = value.replace(/&[#A-Za-z0-9]+;/g, (html: string) => { | ||
anvil.innerHTML = html; | ||
return anvil.innerText; | ||
}); | ||
} | ||
// apply arbitrary data a text node | ||
// thus browser is capable of properly encoding | ||
anvil.innerText = value; | ||
return anvil.innerHTML; | ||
} | ||
|
||
/** | ||
* @param {string} value | ||
*/ | ||
public debug(value: string): void { | ||
if (value !== this.encodeHtml(value)) { | ||
console.warn('XSS?!', value); | ||
} | ||
} | ||
|
||
/** | ||
* @return {HTMLSpanElement} | ||
*/ | ||
private createAnvil(): HTMLSpanElement { | ||
return this.documentRef.createElement('span'); | ||
} | ||
} | ||
|
||
export = SecurityUtility; |
13 changes: 13 additions & 0 deletions
13
typo3/sysext/core/Resources/Public/JavaScript/SecurityUtility.js
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
/* | ||
* This file is part of the TYPO3 CMS project. | ||
* | ||
* It is free software; you can redistribute it and/or modify it under | ||
* the terms of the GNU General Public License, either version 2 | ||
* of the License, or any later version. | ||
* | ||
* For the full copyright and license information, please read the | ||
* LICENSE.txt file that was distributed with this source code. | ||
* | ||
* The TYPO3 project - inspiring people to share! | ||
*/ | ||
define(["require","exports"],function(e,n){"use strict";return function(){function e(e){void 0===e&&(e=document),this.documentRef=e}return e.prototype.encodeHtml=function(e,n){void 0===n&&(n=!0);var t=this.createAnvil();return n||(e=e.replace(/&[#A-Za-z0-9]+;/g,function(e){return t.innerHTML=e,t.innerText})),t.innerText=e,t.innerHTML},e.prototype.createAnvil=function(){return this.documentRef.createElement("span")},e.prototype.debug=function(e){e!==this.encodeHtml(e)&&console.warn("XSS?!",e)},e}()}); |