Merge pull request #1856

* fix: Encode XSS related characters and strip tags.
nuxsmin · Jul 2, 2022 · 9d0e169 · 9d0e169
1 parent c39b60c
commit 9d0e169
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 5 deletions.
diff --git a/lib/SP/Html/Html.php b/lib/SP/Html/Html.php
@@ -191,12 +191,12 @@ public static function getSafeUrl(string $url): string
         }
 
         return preg_replace_callback(
-            '/[^:\/@?&=#%\w]+/u',
+            '/["<>\']+/u',
             function ($matches)
             {
                 return urlencode($matches[0]);
             },
-            $url
+            strip_tags($url)
         );
     }
 }
diff --git a/lib/SP/Services/Install/Installer.php b/lib/SP/Services/Install/Installer.php
@@ -60,9 +60,9 @@ final class Installer extends Service
     /**
      * sysPass' version and build number
      */
-    const VERSION      = [3, 2, 10];
+    const VERSION      = [3, 2, 11];
     const VERSION_TEXT = '3.2';
-    const BUILD        = 22070101;
+    const BUILD        = 22070201;
 
     /**
      * @var DatabaseSetupInterface

diff --git a/tests/SP/Html/HtmlTest.php b/tests/SP/Html/HtmlTest.php
@@ -56,7 +56,7 @@ public function testGetSafeUrlOk()
      */
     public function testGetSafeUrlEncoded(string $url)
     {
-        $this->assertEquals(0, preg_match('/["<>]+/', Html::getSafeUrl($url)));
+        $this->assertEquals(0, preg_match('/["<>\']+/', Html::getSafeUrl($url)));
     }
 
     private function urlProvider(): array
@@ -67,6 +67,7 @@ private function urlProvider(): array
             ['https://foo.com/"><script>alert("TEST");</script>'],
             ['https://foo.com/"%20onClick="alert(\'TEST\'")'],
             ['https://foo.com/" onClick="alert(\'TEST\')"'],
+            ['mongodb+srv://cluster.foo.mongodb.net/bar'],
         ];
     }
 }