

fix: disallow certain dangerous LESS features
Signed-off-by: Sami Mazouz <sychocouldy@gmail.com>
SychO9 committed Mar 4, 2023
1 parent 8ddb0fe commit 1761660
Showing 2 changed files with 11 additions and 0 deletions.
1 change: 1 addition & 0 deletions framework/core/locale/core.yml
@@ -18,6 +18,7 @@ core:
custom_footer_text: => core.ref.custom_footer_text
custom_header_heading: Custom Header
custom_header_text: => core.ref.custom_header_text
custom_styles_cannot_use_less_features: "The @import and data-uri features are not allowed in custom LESS."
custom_styles_heading: Custom Styles
custom_styles_text: Customize your forum's appearance by adding your own Less/CSS code to be applied on top of Flarum's default styles.
dark_mode_label: Dark Mode
10 changes: 10 additions & 0 deletions framework/core/src/Forum/ValidateCustomLess.php
@@ -21,6 +21,7 @@
use League\Flysystem\Adapter\NullAdapter;
use League\Flysystem\Filesystem;
use Less_Exception_Parser;
use Symfony\Contracts\Translation\TranslatorInterface;

/**
* @internal
@@ -61,6 +62,15 @@ public function whenSettingsSaving(Saving $event)
return;
}

// Restrict what features can be used in custom LESS
if (preg_match('/@import|data-uri\s*\(/i', $event->settings['custom_less'])) {
$translator = $this->container->make(TranslatorInterface::class);

throw new ValidationException([
'custom_less' => $translator->trans('core.admin.appearance.custom_styles_cannot_use_less_features')
]);
}

// We haven't saved the settings yet, but we want to trial a full
// recompile of the CSS to see if this custom LESS will break
// anything. In order to do that, we will temporarily override the
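Review bot: The guard `if (preg_match('/@import|data-uri\s*\(/i', $event->settings['custom_less']))` would fail open if preg_match ever returned false on a PCRE error, since false is falsy and the settings would then continue on to the trial compile; for a check that exists to block a dangerous input, compare explicitly so an error counts as a rejection, `if (preg_match('/@import|data-uri\s*\(/i', $event->settings['custom_less']) !== 0) {`. The comment above it names what is restricted but not why, which is what a later maintainer needs before relaxing the pattern; I would write `// @import and data-uri() make the LESS compiler read files from the server, so reject them rather than let custom styles expose local files.` in place of the current one-liner. The pattern also matches these tokens inside LESS comments or string literals, which is acceptable fail-closed behaviour but worth stating in that comment, because the validation message will then point at text that is not an actual directive. whenSettingsSaving begins and ends outside the hunk, so the earlier return and the shape of `$event->settings['custom_less']` are not visible here.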
