Merge pull request from GHSA-hr3h-x6gq-rqcp

* Add allowedAttributes setting for the HTML filter Conflicts: core-bundle/src/Resources/contao/dca/tl_settings.php core-bundle/src/Resources/contao/library/Contao/Input.php core-bundle/src/Resources/contao/library/Contao/InsertTags.php Conflicts: core-bundle/src/Resources/contao/dca/tl_settings.php core-bundle/src/Resources/contao/library/Contao/InsertTags.php * Encode insert tags before replacing them Conflicts: core-bundle/src/Resources/contao/library/Contao/InsertTags.php core-bundle/src/Resources/contao/library/Contao/StringUtil.php Conflicts: core-bundle/src/Resources/contao/library/Contao/InsertTags.php core-bundle/tests/Contao/InsertTagsTest.php * URL encode insert tags in URL attributes * Improve default set of allowed attributes * Add attr flag to prevent nested insert tags * Fix tests * Fix null byte stripping * Fix insert tag hacks * Add more attributes to the default set * Add support for * attributes * Encode double and single quotes Conflicts: core-bundle/src/Resources/contao/elements/ContentMarkdown.php * Encode rgxp url fields Conflicts: core-bundle/src/Resources/contao/library/Contao/Widget.php * Encode non-HTML insert tags Conflicts: core-bundle/src/Resources/contao/library/Contao/InsertTags.php Conflicts: core-bundle/src/Resources/contao/library/Contao/InsertTags.php * Strip unclosed insert tags Conflicts: core-bundle/src/Resources/contao/library/Contao/InsertTags.php Conflicts: core-bundle/tests/Contao/InsertTagsTest.php * Fix test * Encode special characters outside of tags * Add comment * Allow FTP URLs * Deprecate not passing allowed attributes to stripTags() Conflicts: core-bundle/src/Resources/contao/library/Contao/Input.php * Don’t allow accesskey by default * Allow data URLs * Improve naming and comments * Encode insert tags in comments * Rename insert tag flag url to urlattr Conflicts: core-bundle/src/Resources/contao/library/Contao/InsertTags.php * CS Conflicts: core-bundle/src/Resources/contao/library/Contao/Input.php * Fix a unit test description Co-authored-by: Martin Auswöger <martin@auswoeger.com> * Fix double encoding issue with the hash symbol * Check for missing attribute via func_num_args() * Coding style for Contao 4.9 and PHP 7.2 Conflicts: core-bundle/tests/Contao/InsertTagsTest.php * Improve attributes wizard size Conflicts: core-bundle/src/Resources/contao/themes/flexible/main.min.css * Fix intert tag listeners Conflicts: calendar-bundle/src/EventListener/InsertTagsListener.php faq-bundle/src/EventListener/InsertTagsListener.php news-bundle/src/EventListener/InsertTagsListener.php * Escape pictures and images * Fix rebase error * Coding style for Contao 4.11 * Improve figure escaping * Fix another bogus comment variant Conflicts: core-bundle/tests/Contao/InsertTagsTest.php * Encode literal insert tags * Fix ? bogus comment variant Conflicts: core-bundle/tests/Contao/InsertTagsTest.php Co-authored-by: Leo Feyer <github@contao.org>
contao · Aug 11, 2021 · 8e9edfb · 8e9edfb
1 parent 2751287
commit 8e9edfb
Show file tree

Hide file tree

Showing 19 changed files with 1,080 additions and 80 deletions.
diff --git a/calendar-bundle/src/EventListener/InsertTagsListener.php b/calendar-bundle/src/EventListener/InsertTagsListener.php
@@ -93,22 +93,22 @@ private function replaceEventInsertTag(string $insertTag, string $idOrAlias, arr
                 return sprintf(
                     '<a href="%s" title="%s">%s</a>',
                     $events->generateEventUrl($model, \in_array('absolute', $flags, true)) ?: './',
-                    StringUtil::specialchars($model->title),
+                    StringUtil::specialcharsAttribute($model->title),
                     $model->title
                 );
 
             case 'event_open':
                 return sprintf(
                     '<a href="%s" title="%s">',
                     $events->generateEventUrl($model, \in_array('absolute', $flags, true)) ?: './',
-                    StringUtil::specialchars($model->title)
+                    StringUtil::specialcharsAttribute($model->title)
                 );
 
             case 'event_url':
                 return $events->generateEventUrl($model, \in_array('absolute', $flags, true)) ?: './';
 
             case 'event_title':
-                return StringUtil::specialchars($model->title);
+                return StringUtil::specialcharsAttribute($model->title);
 
             case 'event_teaser':
                 return StringUtil::toHtml5($model->teaser);

diff --git a/core-bundle/src/Resources/contao/classes/FrontendTemplate.php b/core-bundle/src/Resources/contao/classes/FrontendTemplate.php
@@ -157,7 +157,7 @@ protected function compile()
 			'/<script[^>]*>.*?<\/script[^>]*>|\[[{}]]/is',
 			static function ($matches)
 			{
-				return $matches[0][0] === '<' ? $matches[0] : $matches[0][1] . $matches[0][1];
+				return $matches[0][0] === '<' ? $matches[0] : '&#' . \ord($matches[0][1]) . ';&#' . \ord($matches[0][1]) . ';';
 			},
 			$this->strBuffer
 		);

diff --git a/core-bundle/src/Resources/contao/config/default.php b/core-bundle/src/Resources/contao/config/default.php
@@ -24,25 +24,43 @@
 // Input and security
 $GLOBALS['TL_CONFIG']['allowedTags']
 	= '<a><abbr><acronym><address><area><article><aside><audio>'
-	. '<b><bdi><bdo><big><blockquote><br><base><button>'
-	. '<canvas><caption><cite><code><col><colgroup>'
-	. '<data><datalist><dataset><dd><del><dfn><div><dl><dt>'
+	. '<b><bdi><bdo><big><blockquote><br><button>'
+	. '<caption><cite><code><col><colgroup>'
+	. '<data><datalist><dd><del><dfn><div><dl><dt>'
 	. '<em>'
 	. '<fieldset><figcaption><figure><footer><form>'
 	. '<h1><h2><h3><h4><h5><h6><header><hgroup><hr>'
 	. '<i><img><input><ins>'
-	. '<kbd><keygen>'
-	. '<label><legend><li><link>'
+	. '<kbd>'
+	. '<label><legend><li>'
 	. '<map><mark><menu>'
 	. '<nav>'
-	. '<object><ol><optgroup><option><output>'
-	. '<p><param><picture><pre>'
+	. '<ol><optgroup><option><output>'
+	. '<p><picture><pre>'
 	. '<q>'
 	. '<s><samp><section><select><small><source><span><strong><style><sub><sup>'
 	. '<table><tbody><td><textarea><tfoot><th><thead><time><tr><tt>'
 	. '<u><ul>'
 	. '<var><video>'
 	. '<wbr>';
+$GLOBALS['TL_CONFIG']['allowedAttributes'] = serialize(array(
+	array('key' => '*', 'value' => 'data-*,id,class,style,title,dir,lang,aria-*,hidden,translate,itemid,itemprop,itemref,itemscope,itemtype'),
+	array('key' => 'a', 'value' => 'href,hreflang,rel,target,download,referrerpolicy'),
+	array('key' => 'img', 'value' => 'src,crossorigin,srcset,sizes,width,height,alt,loading,decoding,ismap,usemap,referrerpolicy'),
+	array('key' => 'map', 'value' => 'name'),
+	array('key' => 'area', 'value' => 'coords,shape,alt,href,hreflang,rel,target,download'),
+	array('key' => 'video', 'value' => 'src,crossorigin,width,height,autoplay,controls,controlslist,loop,muted,poster,preload,playsinline'),
+	array('key' => 'audio', 'value' => 'src,crossorigin,autoplay,controls,loop,muted,preload'),
+	array('key' => 'source', 'value' => 'src,srcset,media,sizes,type'),
+	array('key' => 'ol', 'value' => 'reversed,start,type'),
+	array('key' => 'table', 'value' => 'border,cellspacing,cellpadding,width,height'),
+	array('key' => 'col', 'value' => 'span'),
+	array('key' => 'colgroup', 'value' => 'span'),
+	array('key' => 'td', 'value' => 'rowspan,colspan,width,height'),
+	array('key' => 'th', 'value' => 'rowspan,colspan,width,height'),
+	array('key' => 'style', 'value' => 'media'),
+	array('key' => 'time', 'value' => 'datetime'),
+));
 $GLOBALS['TL_CONFIG']['disableRefererCheck']   = false;
 $GLOBALS['TL_CONFIG']['requestTokenWhitelist'] = array();
 

diff --git a/core-bundle/src/Resources/contao/dca/tl_settings.php b/core-bundle/src/Resources/contao/dca/tl_settings.php
@@ -8,6 +8,7 @@
  * @license LGPL-3.0-or-later
  */
 
+use Contao\StringUtil;
 use Contao\System;
 
 $GLOBALS['TL_DCA']['tl_settings'] = array
@@ -22,7 +23,7 @@
 	// Palettes
 	'palettes' => array
 	(
-		'default'                     => '{global_legend},adminEmail;{date_legend},dateFormat,timeFormat,datimFormat,timeZone;{backend_legend:hide},doNotCollapse,resultsPerPage,maxResultsPerPage;{security_legend:hide},disableRefererCheck,allowedTags;{files_legend:hide},allowedDownload,gdMaxImgWidth,gdMaxImgHeight;{uploads_legend:hide},uploadTypes,maxFileSize,imageWidth,imageHeight;{cron_legend:hide},disableCron;{chmod_legend},defaultUser,defaultGroup,defaultChmod'
+		'default'                     => '{global_legend},adminEmail;{date_legend},dateFormat,timeFormat,datimFormat,timeZone;{backend_legend:hide},doNotCollapse,resultsPerPage,maxResultsPerPage;{security_legend:hide},disableRefererCheck,allowedTags,allowedAttributes;{files_legend:hide},allowedDownload,gdMaxImgWidth,gdMaxImgHeight;{uploads_legend:hide},uploadTypes,maxFileSize,imageWidth,imageHeight;{cron_legend:hide},disableCron;{chmod_legend},defaultUser,defaultGroup,defaultChmod'
 	),
 
 	// Fields
@@ -87,6 +88,35 @@
 			'inputType'               => 'text',
 			'eval'                    => array('useRawRequestData'=>true, 'tl_class'=>'long')
 		),
+		'allowedAttributes' => array
+		(
+			'label'                   => &$GLOBALS['TL_LANG']['tl_settings']['allowedAttributes'],
+			'inputType'               => 'keyValueWizard',
+			'eval'                    => array('tl_class'=>'clr'),
+			'load_callback' => array
+			(
+				static function ($varValue)
+				{
+					$showWarning = false;
+
+					foreach (StringUtil::deserialize($varValue, true) as $row)
+					{
+						if (in_array('*', StringUtil::trimsplit(',', $row['value']), true))
+						{
+							$showWarning = true;
+							break;
+						}
+					}
+
+					if ($showWarning)
+					{
+						$GLOBALS['TL_DCA']['tl_settings']['fields']['allowedAttributes']['label'][1] = '<span style="color: #c33;">' . $GLOBALS['TL_LANG']['tl_settings']['allowedAttributesWarning'] . '</span>';
+					}
+
+					return $varValue;
+				},
+			),
+		),
 		'allowedDownload' => array
 		(
 			'inputType'               => 'text',

diff --git a/core-bundle/src/Resources/contao/elements/ContentMarkdown.php b/core-bundle/src/Resources/contao/elements/ContentMarkdown.php
@@ -55,7 +55,7 @@ public function generate()
 	protected function compile()
 	{
 		$this->code = MarkdownExtra::defaultTransform($this->code);
-		$this->Template->content = strip_tags($this->code, Config::get('allowedTags'));
+		$this->Template->content = Input::stripTags($this->code, Config::get('allowedTags'), Config::get('allowedAttributes'));
 	}
 }
 

diff --git a/core-bundle/src/Resources/contao/helper/functions.php b/core-bundle/src/Resources/contao/helper/functions.php
@@ -85,8 +85,7 @@ function specialchars($strString, $blnStripInsertTags=false)
 		$strString = strip_insert_tags($strString);
 	}
 
-	// Use ENT_COMPAT here (see #4889)
-	return htmlspecialchars($strString, ENT_COMPAT, $GLOBALS['TL_CONFIG']['characterSet'], false);
+	return htmlspecialchars($strString, ENT_QUOTES, $GLOBALS['TL_CONFIG']['characterSet'], false);
 }
 
 /**

diff --git a/core-bundle/src/Resources/contao/languages/en/tl_settings.xlf b/core-bundle/src/Resources/contao/languages/en/tl_settings.xlf
@@ -62,6 +62,15 @@
       <trans-unit id="tl_settings.allowedTags.1">
         <source>Here you can enter a list of allowed HTML tags that will not be stripped.</source>
       </trans-unit>
+      <trans-unit id="tl_settings.allowedAttributes.0">
+        <source>Allowed HTML attributes</source>
+      </trans-unit>
+      <trans-unit id="tl_settings.allowedAttributes.1">
+        <source>List of allowed HTML attributes that will not be stripped. The tag or attribute name &lt;code&gt;*&lt;/code&gt; stands for all tags or attributes. Wildcards can be used for attributes with dashes like &lt;code&gt;data-*&lt;/code&gt;.</source>
+      </trans-unit>
+      <trans-unit id="tl_settings.allowedAttributesWarning">
+        <source>Allowing &lt;code&gt;*&lt;/code&gt; attributes can be exploited for XSS attacks. Only do this if all backend users are trusted!</source>
+      </trans-unit>
       <trans-unit id="tl_settings.disableRefererCheck.0">
         <source>Disable request tokens</source>
       </trans-unit>