Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Latte: apply modifier safeUrl automatically to attribute href #1302

Merged
merged 1 commit into from
Dec 12, 2013
Merged

Latte: apply modifier safeUrl automatically to attribute href #1302

merged 1 commit into from
Dec 12, 2013

Conversation

dg
Copy link
Member

@dg dg commented Dec 12, 2013

Yes, this is not about escaping, this is sanitization. In fact, escapeXML() provides some kind of sanitization too. Pros and cons?

@dg dg mentioned this pull request Dec 12, 2013
Closed
enumag
enumag reviewed Dec 12, 2013
View reviewed changes
Nette/Latte/Compiler.php
@@ -343,6 +344,8 @@ private function processHtmlAttribute(Token $token)
$context = self::CONTENT_JS;
} elseif ($token->name === 'style') {
$context = self::CONTENT_CSS;
} elseif ($token->name === 'href') {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What about src?

@Majkl578
Copy link
Contributor

Is there a way to turn it off?

@dg
Copy link
Member Author

dg commented Dec 12, 2013

no

yes, with |nosafeurl

@Majkl578
Copy link
Contributor

This:

<a href=https://example.com/?id={$id}></a>

produces:

<a href=https://example.com/?id="123"></a>

@Majkl578
Copy link
Contributor

Plus I think variant without protocol should be considered valid as well, it's a standard way on sites using both SSL and non-SSL variant.

@milo
Copy link
Member

milo commented Dec 12, 2013

I am in.

Pros

10x security

Cons

Relative URLs like {link Presenter:action}? Just now I cannot imagine if will work or not.
Hard to add next allowed protocol, e.g. nntp://, or editor://
BC break which is hard to find.

Is there a way to turn it off?

What about n:unsafeHref="$url".

It is hard to list or distinct between safe/unsafe protocols :(

@fprochazka
Copy link
Contributor

What about Utils\Html ?

@Majkl578
Copy link
Contributor

What about Utils\Html?

Why would you pass html as a value of href/src? But I am thinking about Http\Url.

@dg
Copy link
Member Author

dg commented Dec 12, 2013

I added |nosafeurl modifier.

It works without protocol, or not? {link Presenter:action} works too, or not?

Ad it produces <a href=https://example.com/?id="123"></a> - yes, for the past two years.

@soaj1664
Copy link

You may also include the following attributes for safeURL:

xlink:href
action
formaction
data attribute e.g. on object tag: see http://jsfiddle.net/2Tx5L/ in Firefox.

Regards,

ashar

@fprochazka
Copy link
Contributor

I was speaking about href attributes in Html objects, how they should act?

@Majkl578
Copy link
Contributor

I was speaking about href attributes in Html objects, how they should act?

Well, it has nothing to do with Latte so I guess it should stay untouched by this.

dg added a commit that referenced this pull request Dec 12, 2013
@dg
Merge pull request #1302 from nette/latte-safe-url
721a5a7 
Latte: apply modifier safeUrl automatically to attribute href, src, action & formaction
@dg dg merged commit 721a5a7 into master Dec 12, 2013
@dg dg deleted the latte-safe-url branch December 12, 2013 23:50
@soaj1664
Copy link

@dg @milo Good to see that now you have added action, formaction attributes for "safeURL" stuff! It would be great if you will also add the following: (attributes along with related XSS vector)

  1. xlink:href
    <svg><script xlink:href=data&colon;,window.open('https://www.google.com/')></script Here is the related Fiddle: http://jsfiddle.net/gwTz5/1/
    It is a candidate for safeURL: see https://developer.mozilla.org/en-US/docs/Web/SVG/Attribute/xlink:href

  2. x:href (It works in Opera only)
    <svg><script x:href='https://dl.dropbox.com/u/13018058/js.js' Here is the related Fiddle: http://jsfiddle.net/XVECQ/1/

  3. data attribute of object Tag (see: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/object)
    XSS vector is: <object/data=javascript:alert(1)> and Fiddle (works in Firefox: http://jsfiddle.net/gwTz5/2/)

I hope it helps!

Regards,

ashar

@dg
Copy link
Member Author

dg commented Dec 13, 2013

I added support for <object data>. SVG is not supported (and maybe not works with Latte), so this attributes are not automatically shielded.

s4muel added a commit to s4muel/nette-plugins-componenttreepanel that referenced this pull request Feb 24, 2014
@s4muel
nette 2.1 editor:// link fix
02feeea 
|safeurl modifier is automatically added to template <a href="$url">... nette/nette#1302 so editor:// links didnt get generated, needs to be overridden by using |nosafeurl modifier
more info(cs): http://phpfashion.com/prejdete-na-nette-2-1
@s4muel s4muel mentioned this pull request Feb 24, 2014
Merged
jasir pushed a commit to jasir/ComponentTreePanel that referenced this pull request Feb 15, 2017
@s4muel
nette 2.1 editor:// link fix
f0e63b4 
|safeurl modifier is automatically added to template <a href="$url">... nette/nette#1302 so editor:// links didnt get generated, needs to be overridden by using |nosafeurl modifier
more info(cs): http://phpfashion.com/prejdete-na-nette-2-1
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@dg @Majkl578 @milo @fprochazka @soaj1664 @enumag