From cf4c5df286815c9c343372c7210d3aedccb6e3cb Mon Sep 17 00:00:00 2001 From: Michael Babker Date: Sun, 20 May 2018 10:24:28 -0500 Subject: [PATCH] Update joomla/filter package --- composer.lock | 16 ++--- .../vendor/composer/autoload_classmap.php | 15 +++++ libraries/vendor/composer/autoload_static.php | 15 +++++ libraries/vendor/composer/installed.json | 18 ++--- .../vendor/joomla/filter/src/InputFilter.php | 65 +++++++++++-------- .../vendor/joomla/filter/src/OutputFilter.php | 20 +++--- 6 files changed, 95 insertions(+), 54 deletions(-) diff --git a/composer.lock b/composer.lock index 46f6d9dff572f..bf6cf7cf53e1d 100644 --- a/composer.lock +++ b/composer.lock @@ -387,16 +387,16 @@ }, { "name": "joomla/filter", - "version": "1.3.3", + "version": "1.3.4", "source": { "type": "git", "url": "https://github.com/joomla-framework/filter.git", - "reference": "1ee770b83790c02d0fbcef77ad0647153e1faf74" + "reference": "6ec4c6020f7ef12c57a015410bdd11031620d952" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/joomla-framework/filter/zipball/1ee770b83790c02d0fbcef77ad0647153e1faf74", - "reference": "1ee770b83790c02d0fbcef77ad0647153e1faf74", + "url": "https://api.github.com/repos/joomla-framework/filter/zipball/6ec4c6020f7ef12c57a015410bdd11031620d952", + "reference": "6ec4c6020f7ef12c57a015410bdd11031620d952", "shasum": "" }, "require": { @@ -404,9 +404,9 @@ "php": "^5.3.10|~7.0" }, "require-dev": { + "joomla/coding-standards": "~2.0@alpha", "joomla/language": "~1.3", - "phpunit/phpunit": "^4.8.35|^5.4.3|~6.0", - "squizlabs/php_codesniffer": "1.*" + "phpunit/phpunit": "^4.8.35|^5.4.3|~6.0" }, "suggest": { "joomla/language": "Required only if you want to use `OutputFilter::stringURLSafe`." @@ -424,7 +424,7 @@ }, "notification-url": "https://packagist.org/downloads/", "license": [ - "GPL-2.0+" + "GPL-2.0-or-later" ], "description": "Joomla Filter Package", "homepage": "https://github.com/joomla-framework/filter", 
@@ -433,7 +433,7 @@ "framework", "joomla" ], - "time": "2017-07-04T15:07:30+00:00" + "time": "2018-05-20T15:17:26+00:00" }, { "name": "joomla/image", diff --git a/libraries/vendor/composer/autoload_classmap.php b/libraries/vendor/composer/autoload_classmap.php index f6b5443aa5966..2e6b35fa4a07c 100644 --- a/libraries/vendor/composer/autoload_classmap.php +++ b/libraries/vendor/composer/autoload_classmap.php @@ -76,6 +76,13 @@ 'Joomla\\Input\\Files' => $vendorDir . '/joomla/input/src/Files.php', 'Joomla\\Input\\Input' => $vendorDir . '/joomla/input/src/Input.php', 'Joomla\\Input\\Json' => $vendorDir . '/joomla/input/src/Json.php', + 'Joomla\\Input\\Tests\\CliTest' => $vendorDir . '/joomla/input/Tests/CliTest.php', + 'Joomla\\Input\\Tests\\CookieTest' => $vendorDir . '/joomla/input/Tests/CookieTest.php', + 'Joomla\\Input\\Tests\\FilesTest' => $vendorDir . '/joomla/input/Tests/FilesTest.php', + 'Joomla\\Input\\Tests\\FilterInputMock' => $vendorDir . '/joomla/input/Tests/Stubs/FilterInputMock.php', + 'Joomla\\Input\\Tests\\InputMocker' => $vendorDir . '/joomla/input/Tests/InputMocker.php', + 'Joomla\\Input\\Tests\\InputTest' => $vendorDir . '/joomla/input/Tests/InputTest.php', + 'Joomla\\Input\\Tests\\JsonTest' => $vendorDir . '/joomla/input/Tests/JsonTest.php', 'Joomla\\Ldap\\LdapClient' => $vendorDir . '/joomla/ldap/src/LdapClient.php', 'Joomla\\Registry\\AbstractRegistryFormat' => $vendorDir . '/joomla/registry/src/AbstractRegistryFormat.php', 'Joomla\\Registry\\Factory' => $vendorDir . '/joomla/registry/src/Factory.php', 
@@ -95,6 +102,14 @@ 'Joomla\\Session\\Storage\\None' => $vendorDir . '/joomla/session/Joomla/Session/Storage/None.php', 'Joomla\\Session\\Storage\\Wincache' => $vendorDir . '/joomla/session/Joomla/Session/Storage/Wincache.php', 'Joomla\\Session\\Storage\\Xcache' => $vendorDir . '/joomla/session/Joomla/Session/Storage/Xcache.php', + 'Joomla\\Session\\Tests\\Handler\\ApcuHandlerTest' => $vendorDir . '/joomla/session/tests/Handler/ApcuHandlerTest.php', + 'Joomla\\Session\\Tests\\Handler\\DatabaseHandlerTest' => $vendorDir . '/joomla/session/tests/Handler/DatabaseHandlerTest.php', + 'Joomla\\Session\\Tests\\Handler\\FilesystemHandlerTest' => $vendorDir . '/joomla/session/tests/Handler/FilesystemHandlerTest.php', + 'Joomla\\Session\\Tests\\Handler\\MemcachedHandlerTest' => $vendorDir . '/joomla/session/tests/Handler/MemcachedHandlerTest.php', + 'Joomla\\Session\\Tests\\Handler\\NativeStorageTest' => $vendorDir . '/joomla/session/tests/Storage/NativeStorageTest.php', + 'Joomla\\Session\\Tests\\Handler\\RedisHandlerTest' => $vendorDir . '/joomla/session/tests/Handler/RedisHandlerTest.php', + 'Joomla\\Session\\Tests\\Handler\\WincacheHandlerTest' => $vendorDir . '/joomla/session/tests/Handler/WincacheHandlerTest.php', + 'Joomla\\Session\\Tests\\SessionTest' => $vendorDir . '/joomla/session/tests/SessionTest.php', 'Joomla\\String\\Inflector' => $vendorDir . '/joomla/string/src/Inflector.php', 'Joomla\\String\\Normalise' => $vendorDir . '/joomla/string/src/Normalise.php', 'Joomla\\String\\String' => $vendorDir . '/joomla/string/src/String.php', diff --git a/libraries/vendor/composer/autoload_static.php b/libraries/vendor/composer/autoload_static.php index 0b20391e6ab76..e9131afecc631 100644 --- a/libraries/vendor/composer/autoload_static.php +++ b/libraries/vendor/composer/autoload_static.php 
@@ -253,6 +253,13 @@ class ComposerStaticInit205c915b9c7d3e718e7c95793ee67ffe 'Joomla\\Input\\Files' => __DIR__ . '/..' . '/joomla/input/src/Files.php', 'Joomla\\Input\\Input' => __DIR__ . '/..' . '/joomla/input/src/Input.php', 'Joomla\\Input\\Json' => __DIR__ . '/..' . '/joomla/input/src/Json.php', + 'Joomla\\Input\\Tests\\CliTest' => __DIR__ . '/..' . '/joomla/input/Tests/CliTest.php', + 'Joomla\\Input\\Tests\\CookieTest' => __DIR__ . '/..' . '/joomla/input/Tests/CookieTest.php', + 'Joomla\\Input\\Tests\\FilesTest' => __DIR__ . '/..' . '/joomla/input/Tests/FilesTest.php', + 'Joomla\\Input\\Tests\\FilterInputMock' => __DIR__ . '/..' . '/joomla/input/Tests/Stubs/FilterInputMock.php', + 'Joomla\\Input\\Tests\\InputMocker' => __DIR__ . '/..' . '/joomla/input/Tests/InputMocker.php', + 'Joomla\\Input\\Tests\\InputTest' => __DIR__ . '/..' . '/joomla/input/Tests/InputTest.php', + 'Joomla\\Input\\Tests\\JsonTest' => __DIR__ . '/..' . '/joomla/input/Tests/JsonTest.php', 'Joomla\\Ldap\\LdapClient' => __DIR__ . '/..' . '/joomla/ldap/src/LdapClient.php', 'Joomla\\Registry\\AbstractRegistryFormat' => __DIR__ . '/..' . '/joomla/registry/src/AbstractRegistryFormat.php', 'Joomla\\Registry\\Factory' => __DIR__ . '/..' . '/joomla/registry/src/Factory.php', 
@@ -272,6 +279,14 @@ class ComposerStaticInit205c915b9c7d3e718e7c95793ee67ffe 'Joomla\\Session\\Storage\\None' => __DIR__ . '/..' . '/joomla/session/Joomla/Session/Storage/None.php', 'Joomla\\Session\\Storage\\Wincache' => __DIR__ . '/..' . '/joomla/session/Joomla/Session/Storage/Wincache.php', 'Joomla\\Session\\Storage\\Xcache' => __DIR__ . '/..' . '/joomla/session/Joomla/Session/Storage/Xcache.php', + 'Joomla\\Session\\Tests\\Handler\\ApcuHandlerTest' => __DIR__ . '/..' . '/joomla/session/tests/Handler/ApcuHandlerTest.php', + 'Joomla\\Session\\Tests\\Handler\\DatabaseHandlerTest' => __DIR__ . '/..' . '/joomla/session/tests/Handler/DatabaseHandlerTest.php', + 'Joomla\\Session\\Tests\\Handler\\FilesystemHandlerTest' => __DIR__ . '/..' . '/joomla/session/tests/Handler/FilesystemHandlerTest.php', + 'Joomla\\Session\\Tests\\Handler\\MemcachedHandlerTest' => __DIR__ . '/..' . '/joomla/session/tests/Handler/MemcachedHandlerTest.php', + 'Joomla\\Session\\Tests\\Handler\\NativeStorageTest' => __DIR__ . '/..' . '/joomla/session/tests/Storage/NativeStorageTest.php', + 'Joomla\\Session\\Tests\\Handler\\RedisHandlerTest' => __DIR__ . '/..' . '/joomla/session/tests/Handler/RedisHandlerTest.php', + 'Joomla\\Session\\Tests\\Handler\\WincacheHandlerTest' => __DIR__ . '/..' . '/joomla/session/tests/Handler/WincacheHandlerTest.php', + 'Joomla\\Session\\Tests\\SessionTest' => __DIR__ . '/..' . '/joomla/session/tests/SessionTest.php', 'Joomla\\String\\Inflector' => __DIR__ . '/..' . '/joomla/string/src/Inflector.php', 'Joomla\\String\\Normalise' => __DIR__ . '/..' . '/joomla/string/src/Normalise.php', 'Joomla\\String\\String' => __DIR__ . '/..' . '/joomla/string/src/String.php', diff --git a/libraries/vendor/composer/installed.json b/libraries/vendor/composer/installed.json index 041086adbfe02..597b332a098b9 100644 --- a/libraries/vendor/composer/installed.json +++ b/libraries/vendor/composer/installed.json 
@@ -396,17 +396,17 @@ }, { "name": "joomla/filter", - "version": "1.3.3", - "version_normalized": "1.3.3.0", + "version": "1.3.4", + "version_normalized": "1.3.4.0", "source": { "type": "git", "url": "https://github.com/joomla-framework/filter.git", - "reference": "1ee770b83790c02d0fbcef77ad0647153e1faf74" + "reference": "6ec4c6020f7ef12c57a015410bdd11031620d952" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/joomla-framework/filter/zipball/1ee770b83790c02d0fbcef77ad0647153e1faf74", - "reference": "1ee770b83790c02d0fbcef77ad0647153e1faf74", + "url": "https://api.github.com/repos/joomla-framework/filter/zipball/6ec4c6020f7ef12c57a015410bdd11031620d952", + "reference": "6ec4c6020f7ef12c57a015410bdd11031620d952", "shasum": "" }, "require": { @@ -414,14 +414,14 @@ "php": "^5.3.10|~7.0" }, "require-dev": { + "joomla/coding-standards": "~2.0@alpha", "joomla/language": "~1.3", - "phpunit/phpunit": "^4.8.35|^5.4.3|~6.0", - "squizlabs/php_codesniffer": "1.*" + "phpunit/phpunit": "^4.8.35|^5.4.3|~6.0" }, "suggest": { "joomla/language": "Required only if you want to use `OutputFilter::stringURLSafe`." }, - "time": "2017-07-04T15:07:30+00:00", + "time": "2018-05-20T15:17:26+00:00", "type": "joomla-package", "extra": { "branch-alias": { @@ -436,7 +436,7 @@ }, "notification-url": "https://packagist.org/downloads/", "license": [ - "GPL-2.0+" + "GPL-2.0-or-later" ], "description": "Joomla Filter Package", "homepage": "https://github.com/joomla-framework/filter", diff --git a/libraries/vendor/joomla/filter/src/InputFilter.php b/libraries/vendor/joomla/filter/src/InputFilter.php index 6aa5368a3a3fe..3dccca490b728 100644 --- a/libraries/vendor/joomla/filter/src/InputFilter.php +++ b/libraries/vendor/joomla/filter/src/InputFilter.php 
@@ -2,7 +2,7 @@
 /**
 * Part of the Joomla Framework Filter Package
 *
- * @copyright Copyright (C) 2005 - 2016 Open Source Matters, Inc. All rights reserved.
+ * @copyright Copyright (C) 2005 - 2018 Open Source Matters, Inc. All rights reserved.
 * @license GNU General Public License version 2 or later; see LICENSE
 */
@@ -113,6 +113,7 @@ class InputFilter
 'bgsound',
 'base',
 'basefont',
+ 'canvas',
 'embed',
 'frame',
 'frameset',
@@ -172,7 +173,8 @@ class InputFilter
 * @since 1.0
 */
 public function __construct($tagsArray = array(), $attrArray = array(), $tagsMethod = self::TAGS_WHITELIST, $attrMethod = self::ATTR_WHITELIST,
- $xssAuto = 1)
+ $xssAuto = 1
+ )
 {
 // Make sure user defined arrays are in lowercase
 $tagsArray = array_map('strtolower', (array) $tagsArray);
@@ -598,49 +600,49 @@ protected function cleanTags($source)
 $attr = '';
 // Is there a tag? If so it will certainly start with a '<'.
- $tagOpen_start = StringHelper::strpos($source, '<');
+ $tagOpenStart = StringHelper::strpos($source, '<');
- while ($tagOpen_start !== false)
+ while ($tagOpenStart !== false)
 {
 // Get some information about the tag we are processing
- $preTag .= StringHelper::substr($postTag, 0, $tagOpen_start);
- $postTag = StringHelper::substr($postTag, $tagOpen_start);
+ $preTag .= StringHelper::substr($postTag, 0, $tagOpenStart);
+ $postTag = StringHelper::substr($postTag, $tagOpenStart);
 $fromTagOpen = StringHelper::substr($postTag, 1);
- $tagOpen_end = StringHelper::strpos($fromTagOpen, '>');
+ $tagOpenEnd = StringHelper::strpos($fromTagOpen, '>');
 // Check for mal-formed tag where we have a second '<' before the first '>'
- $nextOpenTag = (StringHelper::strlen($postTag) > $tagOpen_start) ? StringHelper::strpos($postTag, '<', $tagOpen_start + 1) : false;
+ $nextOpenTag = (StringHelper::strlen($postTag) > $tagOpenStart) ? StringHelper::strpos($postTag, '<', $tagOpenStart + 1) : false;
- if (($nextOpenTag !== false) && ($nextOpenTag < $tagOpen_end))
+ if (($nextOpenTag !== false) && ($nextOpenTag < $tagOpenEnd))
 {
 // At this point we have a mal-formed tag -- remove the offending open
- $postTag = StringHelper::substr($postTag, 0, $tagOpen_start) . StringHelper::substr($postTag, $tagOpen_start + 1);
- $tagOpen_start = StringHelper::strpos($postTag, '<');
+ $postTag = StringHelper::substr($postTag, 0, $tagOpenStart) . 
StringHelper::substr($postTag, $tagOpenStart + 1);
+ $tagOpenStart = StringHelper::strpos($postTag, '<');
 continue;
 }
 // Let's catch any non-terminated tags and skip over them
- if ($tagOpen_end === false)
+ if ($tagOpenEnd === false)
 {
- $postTag = StringHelper::substr($postTag, $tagOpen_start + 1);
- $tagOpen_start = StringHelper::strpos($postTag, '<');
+ $postTag = StringHelper::substr($postTag, $tagOpenStart + 1);
+ $tagOpenStart = StringHelper::strpos($postTag, '<');
 continue;
 }
 // Do we have a nested tag?
- $tagOpen_nested = StringHelper::strpos($fromTagOpen, '<');
+ $tagOpenNested = StringHelper::strpos($fromTagOpen, '<');
- if (($tagOpen_nested !== false) && ($tagOpen_nested < $tagOpen_end))
+ if (($tagOpenNested !== false) && ($tagOpenNested < $tagOpenEnd))
 {
- $preTag .= StringHelper::substr($postTag, 0, ($tagOpen_nested + 1));
- $postTag = StringHelper::substr($postTag, ($tagOpen_nested + 1));
- $tagOpen_start = StringHelper::strpos($postTag, '<');
+ $preTag .= StringHelper::substr($postTag, 0, ($tagOpenNested + 1));
+ $postTag = StringHelper::substr($postTag, ($tagOpenNested + 1));
+ $tagOpenStart = StringHelper::strpos($postTag, '<');
 continue;
 }
 // Let's get some information about our tag and setup attribute pairs
- $tagOpen_nested = (StringHelper::strpos($fromTagOpen, '<') + $tagOpen_start + 1);
- $currentTag = StringHelper::substr($fromTagOpen, 0, $tagOpen_end);
+ $tagOpenNested = (StringHelper::strpos($fromTagOpen, '<') + $tagOpenStart + 1);
+ $currentTag = StringHelper::substr($fromTagOpen, 0, $tagOpenEnd);
 $tagLength = StringHelper::strlen($currentTag);
 $tagLeft = $currentTag;
 $attrSet = array();
@@ -671,7 +673,7 @@ protected function cleanTags($source)
 || ((in_array(strtolower($tagName), $this->tagBlacklist)) && ($this->xssAuto)))
 {
 $postTag = StringHelper::substr($postTag, ($tagLength + 2));
- $tagOpen_start = StringHelper::strpos($postTag, '<');
+ $tagOpenStart = StringHelper::strpos($postTag, '<');
 // Strip tag
 continue;
@@ -804,7 +806,7 @@ protected function cleanTags($source)
 // Find next tag's start and continue iteration
 $postTag = StringHelper::substr($postTag, ($tagLength + 2));
- $tagOpen_start = StringHelper::strpos($postTag, '<');
+ $tagOpenStart = StringHelper::strpos($postTag, '<');
 }
 // Append any code after the end of tags and return
@@ -844,8 +846,8 @@ protected function cleanAttributes($attrSet)
 $attrSubSet = explode('=', trim($attrSet[$i]), 2);
 // Take the last attribute in case there is an attribute with no value
- $attrSubSet_0 = explode(' ', trim($attrSubSet[0]));
- $attrSubSet[0] = array_pop($attrSubSet_0);
+ $attrSubSet0 = explode(' ', trim($attrSubSet[0]));
+ $attrSubSet[0] = array_pop($attrSubSet0);
 $attrSubSet[0] = strtolower($attrSubSet[0]);
 $quoteStyle = version_compare(PHP_VERSION, '5.4', '>=') ? ENT_QUOTES | ENT_HTML401 : ENT_QUOTES;
@@ -855,12 +857,15 @@ protected function cleanAttributes($attrSet)
 $attrSubSet[0] = preg_replace('/^[\pZ\pC]+|[\pZ\pC]+$/u', '', $attrSubSet[0]);
 $attrSubSet[0] = preg_replace('/\s+/u', '', $attrSubSet[0]);
- // Replace special blacklisted chars here
+ // Remove blacklisted chars from the attribute name
 foreach ($this->blacklistedChars as $blacklistedChar)
 {
- $attrSubSet[0] = str_replace($blacklistedChar, '', $attrSubSet[0]);
+ $attrSubSet[0] = str_ireplace($blacklistedChar, '', $attrSubSet[0]);
 }
+ // Remove all symbols
+ $attrSubSet[0] = preg_replace('/[^\p{L}\p{N}\s]/u', '', $attrSubSet[0]);
+
 // Remove all "non-regular" attribute names
 // AND blacklisted attributes
 if ((!preg_match('/[a-z]*$/i', $attrSubSet[0]))
@@ -876,6 +881,12 @@ protected function cleanAttributes($attrSet)
 continue;
 }
+ // Remove blacklisted chars from the attribute value
+ foreach ($this->blacklistedChars as $blacklistedChar)
+ {
+ $attrSubSet[1] = str_ireplace($blacklistedChar, '', $attrSubSet[1]);
+ }
+
 // Trim leading and trailing spaces
 $attrSubSet[1] = trim($attrSubSet[1]);
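Review bot: The added symbol strip in the -855 hunk, `preg_replace('/[^\p{L}\p{N}\s]/u', '', $attrSubSet[0])`, also deletes `-`, so `data-*` and `aria-*` attribute names reach the whitelist/blacklist checks and the output as `dataid` or `arialabel` rather than as the author wrote them; allowing the hyphen, `preg_replace('/[^\p{L}\p{N}\-\s]/u', '', $attrSubSet[0])`, keeps those names while still dropping the characters the strip is aimed at. The check on the context line just below, `preg_match('/[a-z]*$/i', $attrSubSet[0])`, is not touched by the commit but can never fail, because `[a-z]*` may match zero characters at the end of any string, including the empty name the strip now produces from an all-symbol input; anchoring it, for example `'/^[\p{L}\p{N}\-]+$/u'` (matching what the strip leaves behind), makes the "non-regular attribute name" rejection effective. All three `/u` `preg_replace` calls on the name return null on malformed UTF-8 and none is checked, so a null name flows into the remaining checks; a `continue` when `$attrSubSet[0] === null` drops such an attribute instead. cleanAttributes begins and ends outside the hunk.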
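Review bot: The new value-cleaning loop in the -876 hunk reads `$attrSubSet[1]` once per blacklisted char, but `explode('=', trim($attrSet[$i]), 2)` in the -844 hunk yields a single element for an attribute written without `=`, and no guard is visible between the `continue; }` above and the loop; unless something earlier in cleanAttributes (outside the hunk) fills that slot, each iteration raises an undefined-offset notice, as the later `trim($attrSubSet[1])` already did. Normalising once before the loop, `$attrSubSet[1] = isset($attrSubSet[1]) ? $attrSubSet[1] : '';`, keeps the value defined for the rest of the function and leaves a value-less attribute as the empty string that `trim()` of a missing slot already produced. The remaining value checks of the function are outside the hunk.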
diff --git a/libraries/vendor/joomla/filter/src/OutputFilter.php b/libraries/vendor/joomla/filter/src/OutputFilter.php
index c6ba9708deb0c..8ca20e4e8c87a 100644
--- a/libraries/vendor/joomla/filter/src/OutputFilter.php
+++ b/libraries/vendor/joomla/filter/src/OutputFilter.php
@@ -2,7 +2,7 @@
 /**
 * Part of the Joomla Framework Filter Package
 *
- * @copyright Copyright (C) 2005 - 2016 Open Source Matters, Inc. All rights reserved.
+ * @copyright Copyright (C) 2005 - 2018 Open Source Matters, Inc. All rights reserved.
 * @license GNU General Public License version 2 or later; see LICENSE
 */
@@ -24,15 +24,15 @@ class OutputFilter
 * Object parameters that are non-string, array, object or start with underscore
 * will be converted
 *
- * @param object &$mixed An object to be parsed
- * @param integer $quote_style The optional quote style for the htmlspecialchars function
- * @param mixed $exclude_keys An optional string single field name or array of field names not to be parsed (eg, for a textarea)
+ * @param object $mixed An object to be parsed
+ * @param integer $quoteStyle The optional quote style for the htmlspecialchars function
+ * @param mixed $excludeKeys An optional string single field name or array of field names not to be parsed (eg, for a textarea)
 *
 * @return void
 *
 * @since 1.0
 */
- public static function objectHtmlSafe(&$mixed, $quote_style = ENT_QUOTES, $exclude_keys = '')
+ public static function objectHtmlSafe(&$mixed, $quoteStyle = ENT_QUOTES, $excludeKeys = '')
 {
 if (is_object($mixed))
 {
@@ -43,16 +43,16 @@ public static function objectHtmlSafe(&$mixed, $quote_style = ENT_QUOTES, $exclu
 continue;
 }
- if (is_string($exclude_keys) && $k == $exclude_keys)
+ if (is_string($excludeKeys) && $k == $excludeKeys)
 {
 continue;
 }
- elseif (is_array($exclude_keys) && in_array($k, $exclude_keys))
+ elseif (is_array($excludeKeys) && in_array($k, $excludeKeys))
 {
 continue;
 }
- $mixed->$k = htmlspecialchars($v, $quote_style, 'UTF-8');
+ $mixed->$k = htmlspecialchars($v, $quoteStyle, 'UTF-8');
 }
 }
 }
@@ -72,7 +72,7 @@ public static function linkXhtmlSafe($input)
 return preg_replace_callback(
 "#$regex#i",
- function($m)
+ function ($m)
 {
 return preg_replace('#&(?!amp;)#', '&', $m[0]);
 },
@@ -163,7 +163,7 @@ public static function ampReplace($text)
 /**
 * Cleans text of all formatting and scripting code
 *
- * @param string &$text Text to clean
+ * @param string $text Text to clean
 *
 * @return string Cleaned text.
 *
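Review bot: The exclusion checks on the new side, `$k == $excludeKeys` and `in_array($k, $excludeKeys)`, compare loosely, and an excluded property is exactly the one whose value is left unescaped, so any spurious match fails open: on the PHP 5.3/7 range this package declares, `in_array('title', array(0))` is true, so a stray integer in the exclude list switches escaping off for every property, and two numeric-looking strings such as `'10'` and `'1e1'` compare equal. Writing `if (is_string($excludeKeys) && $k === $excludeKeys)` and `elseif (is_array($excludeKeys) && in_array($k, $excludeKeys, true))` restricts exclusion to exact names. Separately, `htmlspecialchars($v, $quoteStyle, 'UTF-8')` yields an empty string for a value that is not valid UTF-8 unless `ENT_SUBSTITUTE` is among the flags (PHP 5.4+), which silently blanks that property rather than escaping it; passing `$quoteStyle | ENT_SUBSTITUTE` where the running PHP supports it avoids that. objectHtmlSafe starts outside the hunk.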