
xss fixes

yurikuzn committed Jul 30, 2019
1 parent 24628a8 commit ffd3f762ce4a8de3b8962f33513e073c55d943b5
@@ -1,2 +1,2 @@

<span class="fas fa-paperclip small"></span> <a href="{{url}}">{{{value}}}</a>
<span class="fas fa-paperclip small"></span> <a href="{{url}}">{{value}}</a>
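Review bot: Switching the link text to `{{value}}` stops markup injection there, but the `href="{{url}}"` on the same line is still only HTML-escaped, and escaping does not neutralise a `javascript:` or `data:` URL inside an href. If `url` can be attacker-influenced (the template itself gives no indication of where it comes from), the view that supplies it should validate the scheme, e.g. accept only `http(s):` and relative paths, before handing it to the template.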
@@ -321,6 +321,77 @@ define('view-helper', ['lib!client/lib/purify.min.js'], function () {
sanitizeHtml: function (text, options) {
return DOMPurify.sanitize(text, options);
},

moderateSanitizeHtml: function (value) {
value = value || '';
value = value.replace(/<[\/]{0,1}(base)[^><]*>/gi, '');
value = value.replace(/<[\/]{0,1}(object)[^><]*>/gi, '');
value = value.replace(/<[\/]{0,1}(embed)[^><]*>/gi, '');
value = value.replace(/<[\/]{0,1}(applet)[^><]*>/gi, '');
value = value.replace(/<[\/]{0,1}(iframe)[^><]*>/gi, '');
value = value.replace(/<[\/]{0,1}(script)[^><]*>/gi, '');
value = value.replace(/<[^><]*([^a-z]{1}on[a-z]+)=[^><]*>/gi, function (match) {
return match.replace(/[^a-z]{1}on[a-z]+=/gi, ' data-handler-stripped=');
});

value = this.stripEventHandlersInHtml(value);

value = value.replace(/href=" *javascript\:(.*?)"/gi, function(m, $1) {
return 'removed=""';
});
value = value.replace(/href=' *javascript\:(.*?)'/gi, function(m, $1) {
return 'removed=""';
});
value = value.replace(/src=" *javascript\:(.*?)"/gi, function(m, $1) {
return 'removed=""';
});
value = value.replace(/src=' *javascript\:(.*?)'/gi, function(m, $1) {
return 'removed=""';
});

return value;
},

stripEventHandlersInHtml: function (html) {
function stripHTML(){
html = html.slice(0, strip) + html.slice(j);
j = strip;
strip = false;
}
function isValidTagChar(str) {
return str.match(/[a-z?\\\/!]/i);
}
var strip = false;
var lastQuote = false;
for (var i = 0; i<html.length; i++){
if (html[i] === "<" && html[i+1] && isValidTagChar(html[i+1])) {
i++;
for (var j = i; j<html.length; j++){
if (!lastQuote && html[j] === ">"){
if (strip) {
stripHTML();
}
i = j;
break;
}
if (lastQuote === html[j]){
lastQuote = false;
continue;
}
if (!lastQuote && html[j-1] === "=" && (html[j] === "'" || html[j] === '"')){
lastQuote = html[j];
}
if (!lastQuote && html[j-2] === " " && html[j-1] === "o" && html[j] === "n"){
strip = j-2;
}
if (strip && html[j] === " " && !lastQuote){
stripHTML();
}
}
}
}
return html;
},
});

return ViewHelper;
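Review bot: moderateSanitizeHtml removes each forbidden tag with a single non-recursive replace, so a nested token such as `<scr<script>ipt>` or `<ifr<iframe>ame src=…>` reassembles into a live tag once the inner match is cut out. The attribute passes have similar gaps: the `href="…"`/`href='…'` regexes never see an unquoted `href=javascript:…` or an entity-encoded `&#106;avascript:`, and an event handler separated by tabs, `<img\tsrc=x\tonerror\t=alert(1)>`, slips past both the `on[a-z]+=` regex (no `=` directly after the name) and stripEventHandlersInHtml, which only keys on a literal `" on"`. This module already loads DOMPurify and exposes it as sanitizeHtml, so the robust fix is to build moderateSanitizeHtml on `DOMPurify.sanitize(value, {…})` with `ADD_TAGS`/`ADD_ATTR` for whatever extra markup "moderate" is meant to keep, instead of maintaining a blacklist. If the regex path must stay for compatibility, at minimum run the tag removal to a fixed point and cover unquoted attribute values, as below.
```javascript
moderateSanitizeHtml: function (value) {
    value = value || '';
    // Re-run until nothing changes, so "<scr<script>ipt>" cannot reassemble
    // into a live tag after the inner match is removed.
    var previous;
    do {
        previous = value;
        value = value.replace(/<\/?(base|object|embed|applet|iframe|script)[^><]*>/gi, '');
    } while (value !== previous);
    // … unchanged: event-handler stripping …
    // Match quoted and unquoted href/src values; entity-encoded schemes still need a DOM-based pass.
    value = value.replace(/(href|src)\s*=\s*(?:"\s*javascript:[^"]*"|'\s*javascript:[^']*'|javascript:[^\s>]*)/gi, 'removed=""');
    return value;
},
```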
@@ -26,7 +26,7 @@
* these Appropriate Legal Notices must retain the display of tтhe "EspoCRM" word.
************************************************************************/

Espo.define('views/attachment/fields/name', 'views/fields/varchar', function (Dep) {
define('views/attachment/fields/name', 'views/fields/varchar', function (Dep) {

return Dep.extend({

@@ -165,30 +165,7 @@ Espo.define('views/fields/wysiwyg', ['views/fields/text', 'lib!Summernote'], fun


sanitizeHtmlLight: function (value) {
value = value || '';
value = value.replace(/<[\/]{0,1}(base)[^><]*>/gi, '');
value = value.replace(/<[\/]{0,1}(object)[^><]*>/gi, '');
value = value.replace(/<[\/]{0,1}(embed)[^><]*>/gi, '');
value = value.replace(/<[\/]{0,1}(applet)[^><]*>/gi, '');
value = value.replace(/<[\/]{0,1}(iframe)[^><]*>/gi, '');
value = value.replace(/<[\/]{0,1}(script)[^><]*>/gi, '');
value = value.replace(/<[^><]*([^a-z]{1}on[a-z]+)=[^><]*>/gi, function (match) {
return match.replace(/[^a-z]{1}on[a-z]+=/gi, ' data-handler-stripped=');
});

value = value.replace(/href=" *javascript\:(.*?)"/gi, function(m, $1) {
return 'removed=""';
});
value = value.replace(/href=' *javascript\:(.*?)'/gi, function(m, $1) {
return 'removed=""';
});
value = value.replace(/src=" *javascript\:(.*?)"/gi, function(m, $1) {
return 'removed=""';
});
value = value.replace(/src=' *javascript\:(.*?)'/gi, function(m, $1) {
return 'removed=""';
});
return value;
return this.getHelper().moderateSanitizeHtml(value);
},

getValueForEdit: function () {
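Review bot: sanitizeHtmlLight now forwards to getHelper().moderateSanitizeHtml, which in this commit is a regex blacklist, while the same helper also offers the DOMPurify-backed sanitizeHtml(text, options); since the editor's content is user-authored HTML that ends up in the DOM, the light variant should at least say why bypassing DOMPurify is acceptable here, e.g. `// Intentionally lighter than sanitizeHtml: keeps editor markup DOMPurify would drop; see ViewHelper.moderateSanitizeHtml for what is stripped.` The `value = value || '';` kept on the previous line is also redundant, because moderateSanitizeHtml applies the same default itself. The enclosing view definition starts and ends outside this hunk.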
@@ -26,7 +26,7 @@
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/

Espo.define('views/preferences/fields/dashboard-tab-list', 'views/fields/array', function (Dep) {
define('views/preferences/fields/dashboard-tab-list', 'views/fields/array', function (Dep) {

return Dep.extend({

@@ -39,17 +39,18 @@ Espo.define('views/preferences/fields/dashboard-tab-list', 'views/fields/array',
this.translatedOptions[value] = value;
}, this);
},

getItemHtml: function (value) {
var translatedValue = this.translatedOptions[value] || value;
value = value.toString();
var valueSanitized = this.escapeValue(value);
var translatedValue = this.escapeValue(this.translatedOptions[value] || value);

var html = '' +
'<div class="list-group-item link-with-role form-inline" data-value="' + value + '">' +
'<div class="list-group-item link-with-role form-inline" data-value="' + valueSanitized + '">' +
'<div class="pull-left" style="width: 92%; display: inline-block;">' +
'<input data-name="translatedValue" data-value="' + value + '" class="role form-control input-sm" value="'+translatedValue+'">' +
'<input data-name="translatedValue" data-value="' + valueSanitized + '" class="role form-control input-sm" value="'+translatedValue+'">' +
'</div>' +
'<div style="width: 8%; display: inline-block; vertical-align: top;">' +
'<a href="javascript:" class="pull-right" data-value="' + value + '" data-action="removeValue"><span class="fas fa-times"></a>' +
'<a href="javascript:" class="pull-right" data-value="' + valueSanitized + '" data-action="removeValue"><span class="fas fa-times"></a>' +
'</div><br style="clear: both;" />' +
'</div>';
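Review bot: The remove link at the end of the markup never closes its `<span>` — `<span class="fas fa-times"></a>` — which browsers auto-repair but which leaves the intended structure unclear; `'<a href="javascript:" class="pull-right" data-value="' + valueSanitized + '" data-action="removeValue"><span class="fas fa-times"></span></a>' +`. The escaping itself looks right as far as this hunk shows, assuming escapeValue (defined outside it) escapes quotes as well as angle brackets, since the result is placed inside `value="…"` and `data-value="…"` attributes. getItemHtml's closing lines fall outside the hunk.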

@@ -60,7 +61,8 @@ Espo.define('views/preferences/fields/dashboard-tab-list', 'views/fields/array',
var data = Dep.prototype.fetch.call(this);
data.translatedOptions = {};
(data[this.name] || []).forEach(function (value) {
data.translatedOptions[value] = this.$el.find('input[data-name="translatedValue"][data-value="'+value+'"]').val() || value;
var valueInternal = value.replace(/"/g, '\\"');
data.translatedOptions[value] = this.$el.find('input[data-name="translatedValue"][data-value="'+valueInternal+'"]').val() || value;
}, this);

return data;
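Review bot: The added `value.replace(/"/g, '\\"')` escapes only double quotes before `value` is spliced into a jQuery attribute selector, but a backslash or newline in `value` still alters the selector (backslash is the CSS escape character, and an unescaped newline makes the quoted string invalid), so the lookup silently finds nothing and the untranslated value is stored. Rather than escaping for a selector, match the attribute in JS, which needs no escaping at all; if a selector is preferred, `CSS.escape(value)` (or `$.escapeSelector`, if this jQuery version provides it) is the correct escaper. fetch's signature lies outside this hunk.
```javascript
(data[this.name] || []).forEach(function (value) {
    // Compare the attribute in JS instead of building a selector: no escaping needed.
    var $input = this.$el.find('input[data-name="translatedValue"]').filter(function () {
        return this.getAttribute('data-value') === String(value);
    });
    data.translatedOptions[value] = $input.val() || value;
}, this);
```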
