Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix xss though the description in the info.xml file of a theme or module #3499

Merged
merged 1 commit into from
Mar 23, 2022
Merged

Fix xss though the description in the info.xml file of a theme or module #3499

merged 1 commit into from
Mar 23, 2022

Conversation

carakas
Copy link
Member

@carakas carakas commented Mar 23, 2022

Type

  • Security

Resolves the following issues

Pull request description

Sanitise the HTML that is allowed in the description of a module or theme to prevent XSS

@carakas carakas added this to the 5.11.1 milestone Mar 23, 2022
@carakas carakas requested a review from a team March 23, 2022 13:21
@carakas carakas added Extensions security Pull requests that address a security vulnerability labels Mar 23, 2022
@codecov
Copy link

codecov bot commented Mar 23, 2022
edited
Loading

Codecov Report

Merging #3499 (981730f) into master (1b38e33) will not change coverage.
The diff coverage is 100.00%.

@@            Coverage Diff            @@
##             master    #3499   +/-   ##
=========================================
  Coverage     27.88%   27.88%           
  Complexity     8145     8145           
=========================================
  Files           575      575           
  Lines         30691    30691           
=========================================
  Hits           8557     8557           
  Misses        22134    22134
Flag Coverage Δ
functional 23.78% <100.00%> (ø)
installer 3.84% <0.00%> (ø)
unit 7.69% <0.00%> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files Coverage Δ
src/Backend/Modules/Extensions/Engine/Model.php 44.57% <100.00%> (ø)

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 1b38e33...981730f. Read the comment docs.

tijsverkoyen
tijsverkoyen approved these changes Mar 23, 2022
View reviewed changes
src/Backend/Modules/Extensions/Engine/Model.php
@@ -839,7 +839,7 @@ public static function processModuleXml(\SimpleXMLElement $xml): array
$information['name'] = (string) $module->name;
$information['version'] = (string) $module->version;
$information['requirements'] = (array) $module->requirements;
$information['description'] = (string) $module->description;
$information['description'] = strip_tags((string) $module->description, '<h1><h2><h3><h4><h5><h6><p><li><a>');
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fine by me, but shouldn't this be some generic function where we can centralise the safe tags?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

symfony is busy making a package (no 1.0.0 release yet) that will be included in version 6.1 that I'm already using in fork 6 so didn't think of making something custom for this.
Fixed this because of a security issue that was reported to me

@carakas carakas merged commit 73ced08 into forkcms:master Mar 23, 2022
@carakas carakas deleted the fix-xss-though-theme-or-module-description branch March 23, 2022 18:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tijsverkoyen tijsverkoyen tijsverkoyen approved these changes

Assignees

@tijsverkoyen tijsverkoyen

Labels
Extensions security Pull requests that address a security vulnerability
Projects
None yet
Milestone
5.11.1
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@carakas @tijsverkoyen