From 0e065d8427ba9474590025e6312044be919e4107 Mon Sep 17 00:00:00 2001
From: Charlie Jade
Date: Tue, 26 Aug 2014 23:55:51 +0800
Subject: [PATCH 1/3] fixing the xss problem
---
 app/Lio/Markdown/HtmlMarkdownConvertor.php | 4 +-
 app/config/app.php | 2 +
 app/config/packages/mews/purifier/.gitkeep | 0
 app/config/packages/mews/purifier/config.php | 31 +++++
 composer.json | 3 +-
 composer.lock | 117 +++++++++++++++++--
 6 files changed, 143 insertions(+), 14 deletions(-)
 create mode 100644 app/config/packages/mews/purifier/.gitkeep
 create mode 100644 app/config/packages/mews/purifier/config.php
diff --git a/app/Lio/Markdown/HtmlMarkdownConvertor.php b/app/Lio/Markdown/HtmlMarkdownConvertor.php
index 7b2cafc0c..1e641eddf 100644
--- a/app/Lio/Markdown/HtmlMarkdownConvertor.php
+++ b/app/Lio/Markdown/HtmlMarkdownConvertor.php
@@ -2,6 +2,7 @@
 use HTML_To_Markdown;
 use Michelf\MarkdownExtra;
+use Purifier;
 class HtmlMarkdownConvertor {
@@ -24,6 +25,7 @@ public function convertHtmlToMarkdown($html)
 public function convertMarkdownToHtml($markdown)
 {
- return $this->markdownParser->transform($markdown);
+ $html = $this->markdownParser->transform($markdown);
+ return Purifier::clean($html, 'markdown');
 }
 }
\ No newline at end of file
diff --git a/app/config/app.php b/app/config/app.php
index 767223e34..806680ee4 100644
--- a/app/config/app.php
+++ b/app/config/app.php
@@ -111,6 +111,7 @@
 'McCool\LaravelAutoPresenter\LaravelAutoPresenterServiceProvider',
 'McCool\DatabaseBackup\ServiceProviders\LaravelServiceProvider',
 'Artdarek\OAuth\OAuthServiceProvider',
+ 'Mews\Purifier\PurifierServiceProvider',
 'Lio\ServiceProviders\GithubServiceProvider',
 'Lio\ServiceProviders\CommentServiceProvider',
@@ -185,6 +186,7 @@
 'Profiler' => 'Juy\Profiler\Facades\Profiler',
 'OAuth' => 'Artdarek\OAuth\Facade\OAuth',
 'GitHub' => 'Lio\GitHub\GitHubFacade',
+ 'Purifier' => 'Mews\Purifier\Facades\Purifier',
 ),
 );
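Review bot: `return Purifier::clean($html, 'markdown');` in convertMarkdownToHtml becomes the sole filter between inline HTML in user Markdown and the rendered page, yet the series adds no test pinning that behaviour; a unit test feeding Markdown that contains a `<script>` element and a fenced code block, asserting that the script is gone and the `<pre><code>` survives, would catch a mistyped profile name or a profile that quietly falls back to the package defaults. The profile name is a bare string and the purifier is reached through the `Purifier` facade, so the class can no longer be exercised without the Laravel container; injecting the purifier (and the profile name) through the constructor alongside `$this->markdownParser` would keep it testable. A docblock on the method would also help, e.g. `/** Renders Markdown to HTML and filters the result through the 'markdown' HTMLPurifier profile; the Markdown is treated as untrusted. */`. The app.php hunks on this line only register the provider and the facade alias and need nothing further.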
diff --git a/app/config/packages/mews/purifier/.gitkeep b/app/config/packages/mews/purifier/.gitkeep
new file mode 100644
index 000000000..e69de29bb
diff --git a/app/config/packages/mews/purifier/config.php b/app/config/packages/mews/purifier/config.php
new file mode 100644
index 000000000..1622fce2f
--- /dev/null
+++ b/app/config/packages/mews/purifier/config.php
@@ -0,0 +1,31 @@
+ 'UTF-8',
+ 'finalize' => true,
+ 'preload' => false,
+ 'settings' => array(
+ 'default' => array(
+ 'HTML.Doctype' => 'XHTML 1.0 Strict',
+ 'HTML.Allowed' => 'div,b,strong,i,em,a[href|title],ul,ol,li,p[style],br,span[style],img[width|height|alt|src]',
+ 'CSS.AllowedProperties' => 'font,font-size,font-weight,font-style,font-family,text-decoration,padding-left,color,background-color,text-align',
+ 'AutoFormat.AutoParagraph' => true,
+ 'AutoFormat.RemoveEmpty' => true,
+ ),
+ 'markdown' => array(
+ 'HTML.Doctype' => 'XHTML 1.0 Strict',
+ 'HTML.Allowed' => 'div,b,strong,i,em,a[href|title],ul,ol,li,p[style],br,span[style],img[width|height|alt|src],*[style|class],pre,code,h1,h2,h3,h4,h5,h6,blockquote',
+ 'CSS.AllowedProperties' => 'font,font-size,font-weight,font-style,font-family,text-decoration,padding-left,color,background-color,text-align',
+ 'AutoFormat.AutoParagraph' => true,
+ 'AutoFormat.RemoveEmpty' => true,
+ )
+ ),
+);
diff --git a/composer.json b/composer.json
index 8b4830418..c02231871 100644
--- a/composer.json
+++ b/composer.json
@@ -11,7 +11,8 @@
 "michelf/php-markdown": "1.4.*",
 "nickcernis/html-to-markdown": "2.1.*",
 "misd/linkify": "1.1.*",
- "hashids/hashids": "0.3.*@dev"
+ "hashids/hashids": "0.3.*@dev",
+ "mews/purifier": "dev-master"
 },
 "require-dev": {
 "phpunit/phpunit": "4.2.*",
diff --git a/composer.lock b/composer.lock
index 6ed029a78..217a6f89d 100644
--- a/composer.lock
+++ b/composer.lock
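Review bot: The `markdown` profile's `HTML.Allowed` adds `*[style|class]`, which lets user-supplied Markdown (inline HTML included) put any `class` on any element, so a post can borrow the site's own stylesheet classes to imitate UI elements or hide content; `style` is bounded by `CSS.AllowedProperties`, `class` is not. Either drop `class` from the wildcard entry or bound it with `'Attr.AllowedClasses' => array(/* constructed placeholder: the classes the Markdown renderer actually emits */)`. Two related directives supported by the HTMLPurifier 4.6.0 locked in this series are `'HTML.Nofollow' => true` for the permitted `a[href]` and `'URI.DisableExternalResources' => true` if remote `img[src]` (and the reader-tracking it enables) is not wanted. The file's opening lines, from `<?php` through the `'encoding'` key, are not visible in this rendering of the hunk.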
@@ -4,7 +4,7 @@ "Read more about it at http://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file", "This file is @generated automatically" ], - "hash": "ec4289ac953ef40e15eac74c606cbd6d", + "hash": "ec42a7d4efe1aa97673b81f598edb6be", "packages": [ { "name": "artdarek/oauth-4-laravel", @@ -254,6 +254,51 @@ "notification-url": "https://packagist.org/downloads/", "time": "2014-01-17 12:21:18" }, + { + "name": "ezyang/htmlpurifier", + "version": "v4.6.0", + "source": { + "type": "git", + "url": "https://github.com/ezyang/htmlpurifier.git", + "reference": "6f389f0f25b90d0b495308efcfa073981177f0fd" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/ezyang/htmlpurifier/zipball/6f389f0f25b90d0b495308efcfa073981177f0fd", + "reference": "6f389f0f25b90d0b495308efcfa073981177f0fd", + "shasum": "" + }, + "require": { + "php": ">=5.2" + }, + "type": "library", + "autoload": { + "psr-0": { + "HTMLPurifier": "library/" + }, + "files": [ + "library/HTMLPurifier.composer.php" + ] + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "LGPL" + ], + "authors": [ + { + "name": "Edward Z. Yang", + "email": "admin@htmlpurifier.org", + "homepage": "http://ezyang.com", + "role": "Developer" + } + ], + "description": "Standards compliant HTML filter written in PHP", + "homepage": "http://htmlpurifier.org/", + "keywords": [ + "html" + ], + "time": "2013-11-30 08:25:19" + }, { "name": "filp/whoops", "version": "1.0.10", 
@@ -873,6 +918,52 @@ ], "time": "2014-06-05 12:56:14" }, + { + "name": "mews/purifier", + "version": "dev-master", + "source": { + "type": "git", + "url": "https://github.com/mewebstudio/Purifier.git", + "reference": "5750567e1213edeb39683b0e35b9cac2ad5d9a38" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/mewebstudio/Purifier/zipball/5750567e1213edeb39683b0e35b9cac2ad5d9a38", + "reference": "5750567e1213edeb39683b0e35b9cac2ad5d9a38", + "shasum": "" + }, + "require": { + "ezyang/htmlpurifier": "4.6.*", + "illuminate/support": "4.*", + "php": ">=5.3.0" + }, + "type": "library", + "autoload": { + "psr-0": { + "Mews\\Purifier": "src/" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "LGPL" + ], + "authors": [ + { + "name": "Muharrem ERIN", + "email": "me@mewebstudio.com" + } + ], + "description": "HTMLPurifier Package for Laravel 4", + "homepage": "http://github.com/mewebstudio/Purifier", + "keywords": [ + "L4", + "Laravel 4", + "Purifier", + "htmlpurifier", + "laravel" + ], + "time": "2014-01-25 20:20:17" + }, { "name": "michelf/php-markdown", "version": "1.4.1", @@ -1045,16 +1136,16 @@ }, { "name": "nesbot/carbon", - "version": "1.10.0", + "version": "1.11.0", "source": { "type": "git", "url": "https://github.com/briannesbitt/Carbon.git", - "reference": "9b42a1aec56011c2ac4d75c0ddad0794762344fc" + "reference": "2b60366be6dcb9f9cd3e244ab25eb98eaea99551" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/briannesbitt/Carbon/zipball/9b42a1aec56011c2ac4d75c0ddad0794762344fc", - "reference": "9b42a1aec56011c2ac4d75c0ddad0794762344fc", + "url": "https://api.github.com/repos/briannesbitt/Carbon/zipball/2b60366be6dcb9f9cd3e244ab25eb98eaea99551", + "reference": "2b60366be6dcb9f9cd3e244ab25eb98eaea99551", "shasum": "" }, "require": { @@ -1087,7 +1178,7 @@ "datetime", "time" ], - "time": "2014-07-18 03:44:47" + "time": "2014-08-26 03:18:44" }, { "name": "nickcernis/html-to-markdown", 
@@ -2389,16 +2480,16 @@ }, { "name": "ocramius/instantiator", - "version": "1.1.2", + "version": "1.1.3", "source": { "type": "git", "url": "https://github.com/Ocramius/Instantiator.git", - "reference": "a7abbb5fc9df6e7126af741dd6c140d1a7369435" + "reference": "e24a12178906ff2e7471b8aaf3a0eb789b59f881" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/Ocramius/Instantiator/zipball/a7abbb5fc9df6e7126af741dd6c140d1a7369435", - "reference": "a7abbb5fc9df6e7126af741dd6c140d1a7369435", + "url": "https://api.github.com/repos/Ocramius/Instantiator/zipball/e24a12178906ff2e7471b8aaf3a0eb789b59f881", + "reference": "e24a12178906ff2e7471b8aaf3a0eb789b59f881", "shasum": "" }, "require": { @@ -2440,7 +2531,7 @@ "constructor", "instantiate" ], - "time": "2014-08-14 15:10:55" + "time": "2014-08-25 14:48:16" }, { "name": "ocramius/lazy-map", @@ -3201,8 +3292,10 @@ ], "minimum-stability": "stable", "stability-flags": { - "hashids/hashids": 20 + "hashids/hashids": 20, + "mews/purifier": 20 }, + "prefer-stable": false, "platform": [ ], From 8091404ef7481edcc5121c85e88c45f1ebec9470 Mon Sep 17 00:00:00 2001 From: Charlie Jade Date: Wed, 27 Aug 2014 08:12:45 +0800 Subject: [PATCH 2/3] real version for HTMLPurifier package --- composer.json | 2 +- composer.lock | 7 +++---- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/composer.json b/composer.json index c02231871..9fa088cdb 100644 --- a/composer.json +++ b/composer.json @@ -12,7 +12,7 @@ "nickcernis/html-to-markdown": "2.1.*", "misd/linkify": "1.1.*", "hashids/hashids": "0.3.*@dev", - "mews/purifier": "dev-master" + "mews/purifier": "1.0.1" }, "require-dev": { "phpunit/phpunit": "4.2.*", diff --git a/composer.lock b/composer.lock index 217a6f89d..08b699ff8 100644 --- a/composer.lock +++ b/composer.lock 
@@ -4,7 +4,7 @@ "Read more about it at http://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file", "This file is @generated automatically" ], - "hash": "ec42a7d4efe1aa97673b81f598edb6be", + "hash": "30096d97d3b6b682454c5438a6b15ee0", "packages": [ { "name": "artdarek/oauth-4-laravel", @@ -920,7 +920,7 @@ }, { "name": "mews/purifier", - "version": "dev-master", + "version": "1.0.1", "source": { "type": "git", "url": "https://github.com/mewebstudio/Purifier.git", @@ -3292,8 +3292,7 @@ ], "minimum-stability": "stable", "stability-flags": { - "hashids/hashids": 20, - "mews/purifier": 20 + "hashids/hashids": 20 }, "prefer-stable": false, "platform": [ From 5ec5be30189708af6ee0e79e42938002cd9f5872 Mon Sep 17 00:00:00 2001 From: Charlie Jade Date: Wed, 27 Aug 2014 19:16:48 +0800 Subject: [PATCH 3/3] purifier version and indentation --- app/config/packages/mews/purifier/config.php | 2 +- composer.json | 2 +- composer.lock | 12 ++++++------ 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/app/config/packages/mews/purifier/config.php b/app/config/packages/mews/purifier/config.php index 1622fce2f..968b5ced4 100644 --- a/app/config/packages/mews/purifier/config.php +++ b/app/config/packages/mews/purifier/config.php @@ -9,7 +9,7 @@ */ return array( - 'encoding' => 'UTF-8', + 'encoding' => 'UTF-8', 'finalize' => true, 'preload' => false, 'settings' => array( diff --git a/composer.json b/composer.json index 9fa088cdb..912284695 100644 --- a/composer.json +++ b/composer.json @@ -12,7 +12,7 @@ "nickcernis/html-to-markdown": "2.1.*", "misd/linkify": "1.1.*", "hashids/hashids": "0.3.*@dev", - "mews/purifier": "1.0.1" + "mews/purifier": "1.0.*" }, "require-dev": { "phpunit/phpunit": "4.2.*", diff --git a/composer.lock b/composer.lock index 08b699ff8..d5dd160f2 100644 --- a/composer.lock +++ b/composer.lock 
@@ -4,7 +4,7 @@ "Read more about it at http://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file", "This file is @generated automatically" ], - "hash": "30096d97d3b6b682454c5438a6b15ee0", + "hash": "4631eaeb850f4c34f0c6e0a3c228a3d2", "packages": [ { "name": "artdarek/oauth-4-laravel", @@ -124,16 +124,16 @@ }, { "name": "barryvdh/laravel-debugbar", - "version": "v1.6.7", + "version": "v1.6.8", "source": { "type": "git", "url": "https://github.com/barryvdh/laravel-debugbar.git", - "reference": "ccf9ababfb2b5ddbf8c3ece2ca3fc9989b11ec0d" + "reference": "6668cf335a7b6461debbedc9ed95f2f3784eb537" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/barryvdh/laravel-debugbar/zipball/ccf9ababfb2b5ddbf8c3ece2ca3fc9989b11ec0d", - "reference": "ccf9ababfb2b5ddbf8c3ece2ca3fc9989b11ec0d", + "url": "https://api.github.com/repos/barryvdh/laravel-debugbar/zipball/6668cf335a7b6461debbedc9ed95f2f3784eb537", + "reference": "6668cf335a7b6461debbedc9ed95f2f3784eb537", "shasum": "" }, "require": { @@ -171,7 +171,7 @@ "profiler", "webprofiler" ], - "time": "2014-08-09 20:41:59" + "time": "2014-08-27 08:56:54" }, { "name": "classpreloader/classpreloader",