Skip to content
Permalink
Browse files

Prevent stored XSS through wp_targeted_link_rel().

Brings r46894 to the 5.3 branch.

Props: vortfu, whyisjake, peterwilsoncc, xknown,  SergeyBiryukov, flaviozavan.


git-svn-id: https://develop.svn.wordpress.org/branches/5.3@46898 602fd350-edb4-49c9-b593-d223f7449a82
  • Loading branch information
whyisjake committed Dec 12, 2019
1 parent 1d1d5be commit 1f7f3f1f59567e2504f0fbebd51ccf004b3ccb1d
Showing with 56 additions and 49 deletions.
  1. +45 −34 src/wp-includes/formatting.php
  2. +11 −15 tests/phpunit/tests/formatting/WPTargetedLinkRel.php
@@ -3146,9 +3146,25 @@ function( $matches ) {
*/
function wp_targeted_link_rel( $text ) {
// Don't run (more expensive) regex if no links with targets.
if ( stripos( $text, 'target' ) !== false && stripos( $text, '<a ' ) !== false ) {
if ( ! is_serialized( $text ) ) {
$text = preg_replace_callback( '|<a\s([^>]*target\s*=[^>]*)>|i', 'wp_targeted_link_rel_callback', $text );
if ( stripos( $text, 'target' ) === false || stripos( $text, '<a ' ) === false || is_serialized( $text ) ) {
return $text;
}
$script_and_style_regex = '/<(script|style).*?<\/\\1>/si';
preg_match_all( $script_and_style_regex, $text, $matches );
$extra_parts = $matches[0];
$html_parts = preg_split( $script_and_style_regex, $text );
foreach ( $html_parts as &$part ) {
$part = preg_replace_callback( '|<a\s([^>]*target\s*=[^>]*)>|i', 'wp_targeted_link_rel_callback', $part );
}
$text = '';
for ( $i = 0; $i < count( $html_parts ); $i++ ) {
$text .= $html_parts[ $i ];
if ( isset( $extra_parts[ $i ] ) ) {
$text .= $extra_parts[ $i ];
}
}
@@ -3167,8 +3183,17 @@ function wp_targeted_link_rel( $text ) {
* @return string HTML A Element with rel noreferrer noopener in addition to any existing values
*/
function wp_targeted_link_rel_callback( $matches ) {
$link_html = $matches[1];
$rel_match = array();
$link_html = $matches[1];
$original_link_html = $link_html;
// Consider the html escaped if there are no unescaped quotes
$is_escaped = ! preg_match( '/(^|[^\\\\])[\'"]/', $link_html );
if ( $is_escaped ) {
// Replace only the quotes so that they are parsable by wp_kses_hair, leave the rest as is
$link_html = preg_replace( '/\\\\([\'"])/', '$1', $link_html );
}
$atts = wp_kses_hair( $link_html, wp_allowed_protocols() );
/**
* Filters the rel values that are added to links with `target` attribute.
@@ -3180,35 +3205,21 @@ function wp_targeted_link_rel_callback( $matches ) {
*/
$rel = apply_filters( 'wp_targeted_link_rel', 'noopener noreferrer', $link_html );
// Avoid additional regex if the filter removes rel values.
if ( ! $rel ) {
return "<a $link_html>";
}
// Value with delimiters, spaces around are optional.
$attr_regex = '|rel\s*=\s*?(\\\\{0,1}["\'])(.*?)\\1|i';
preg_match( $attr_regex, $link_html, $rel_match );
if ( empty( $rel_match[0] ) ) {
// No delimiters, try with a single value and spaces, because `rel = va"lue` is totally fine...
$attr_regex = '|rel\s*=(\s*)([^\s]*)|i';
preg_match( $attr_regex, $link_html, $rel_match );
}
if ( ! empty( $rel_match[0] ) ) {
$parts = preg_split( '|\s+|', strtolower( $rel_match[2] ) );
$parts = array_map( 'esc_attr', $parts );
$needed = explode( ' ', $rel );
$parts = array_unique( array_merge( $parts, $needed ) );
$delimiter = trim( $rel_match[1] ) ? $rel_match[1] : '"';
$rel = 'rel=' . $delimiter . trim( implode( ' ', $parts ) ) . $delimiter;
$link_html = str_replace( $rel_match[0], $rel, $link_html );
} elseif ( preg_match( '|target\s*=\s*?\\\\"|', $link_html ) ) {
$link_html .= " rel=\\\"$rel\\\"";
} elseif ( preg_match( '#(target|href)\s*=\s*?\'#', $link_html ) ) {
$link_html .= " rel='$rel'";
} else {
$link_html .= " rel=\"$rel\"";
// Return early if no rel values to be added or if no actual target attribute
if ( ! $rel || ! isset( $atts['target'] ) ) {
return "<a $original_link_html>";
}
if ( isset( $atts['rel'] ) ) {
$all_parts = preg_split( '/\s/', "{$atts['rel']['value']} $rel", -1, PREG_SPLIT_NO_EMPTY );
$rel = implode( ' ', array_unique( $all_parts ) );
}
$atts['rel']['whole'] = 'rel="' . esc_attr( $rel ) . '"';
$link_html = join( ' ', array_column( $atts, 'whole' ) );
if ( $is_escaped ) {
$link_html = preg_replace( '/[\'"]/', '\\\\$0', $link_html );
}
return "<a $link_html>";
@@ -38,7 +38,7 @@ public function test_no_duplicate_values_added() {

public function test_rel_with_single_quote_delimiter() {
$content = '<p>Links: <a href="/" rel=\'existing values\' target="_blank">Existing rel</a></p>';
$expected = '<p>Links: <a href="/" rel=\'existing values noopener noreferrer\' target="_blank">Existing rel</a></p>';
$expected = '<p>Links: <a href="/" rel="existing values noopener noreferrer" target="_blank">Existing rel</a></p>';
$this->assertEquals( $expected, wp_targeted_link_rel( $content ) );
}

@@ -54,12 +54,6 @@ public function test_rel_value_spaced_and_no_delimiter() {
$this->assertEquals( $expected, wp_targeted_link_rel( $content ) );
}

public function test_rel_value_spaced_and_no_delimiter_and_values_to_escape() {
$content = '<p>Links: <a href="/" rel = existing"value target="_blank">Existing rel</a></p>';
$expected = '<p>Links: <a href="/" rel="existing&quot;value noopener noreferrer" target="_blank">Existing rel</a></p>';
$this->assertEquals( $expected, wp_targeted_link_rel( $content ) );
}

public function test_escaped_quotes() {
$content = '<p>Links: <a href=\"/\" rel=\"existing values\" target=\"_blank\">Existing rel</a></p>';
$expected = '<p>Links: <a href=\"/\" rel=\"existing values noopener noreferrer\" target=\"_blank\">Existing rel</a></p>';
@@ -114,17 +108,13 @@ public function test_wp_targeted_link_rel_should_preserve_json() {
}

/**
* Ensure correct quotes are used when relation attribute (rel) is missing.
* Ensure the content of style and script tags are not processed
*
* @ticket 47244
*/
public function test_wp_targeted_link_rel_should_use_correct_quotes() {
$content = '<p>Links: <a href=\'\/\' target=\'_blank\'>No rel<\/a><\/p>';
$expected = '<p>Links: <a href=\'\/\' target=\'_blank\' rel=\'noopener noreferrer\'>No rel<\/a><\/p>';
$this->assertEquals( $expected, wp_targeted_link_rel( $content ) );

$content = '<p>Links: <a href=\'\/\' target=_blank>No rel<\/a><\/p>';
$expected = '<p>Links: <a href=\'\/\' target=_blank rel=\'noopener noreferrer\'>No rel<\/a><\/p>';
public function test_wp_targeted_link_rel_skips_style_and_scripts() {
$content = '<style><a href="/" target=a></style><p>Links: <script>console.log("<a href=\'/\' target=a>hi</a>");</script><script>alert(1);</script>here <a href="/" target=_blank>aq</a></p><script>console.log("<a href=\'last\' target=\'_blank\'")</script>';
$expected = '<style><a href="/" target=a></style><p>Links: <script>console.log("<a href=\'/\' target=a>hi</a>");</script><script>alert(1);</script>here <a href="/" target="_blank" rel="noopener noreferrer">aq</a></p><script>console.log("<a href=\'last\' target=\'_blank\'")</script>';
$this->assertEquals( $expected, wp_targeted_link_rel( $content ) );
}

@@ -139,4 +129,10 @@ public function test_ignore_entirely_serialized_content() {
$this->assertEquals( $expected, wp_targeted_link_rel( $content ) );
}

public function test_wp_targeted_link_rel_tab_separated_values_are_split() {
$content = "<p>Links: <a href=\"/\" target=\"_blank\" rel=\"ugc\t\tnoopener\t\">No rel</a></p>";
$expected = '<p>Links: <a href="/" target="_blank" rel="ugc noopener noreferrer">No rel</a></p>';
$this->assertEquals( $expected, wp_targeted_link_rel( $content ) );
}

}

0 comments on commit 1f7f3f1

Please sign in to comment.
You can’t perform that action at this time.