
Fix all those nasty xss and javascript injection by htmlspecialchar()ing

 attributes


git-svn-id: https://svn.php.net/repository/pear/packages/HTML_BBCodeParser/trunk@239032 c90b9560-bf6c-de11-be94-00142212c4b1
1 parent f9c7a3d commit a0243c7f7b1e0fcbd7f415b87f197f6150086a46 @cweiske cweiske committed Jul 2, 2007
Showing with 4 additions and 6 deletions.
  1. +2 −0 BBCodeParser.php
  2. +0 −4 BBCodeParser/Filter/Links.php
  3. +2 −2 tests/BBCodeParser.phpt
@@ -741,6 +741,8 @@ function _buildParsedString()
//prevent XSS attacks. IMHO this is not enough, though...
//@see http://pear.php.net/bugs/bug.php?id=5609
$v = preg_replace('#(script|about|applet|activex|chrome):#is', "\\1:", $v);
+ $v = htmlspecialchars($v);
+ $v = str_replace('&', '&', $v);
if (($this->_options['quotewhat'] == 'nothing') ||
(($this->_options['quotewhat'] == 'strings') && is_numeric($v))
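Review bot: `htmlspecialchars($v)` on the added line runs with the default flags, which leave single quotes unescaped; the updated expectation in tests/BBCodeParser.phpt confirms it (`alert(\'JavaScript_Enabled\')` survives while `"` becomes `&quot;`), so if any tag template emits a single-quoted attribute the value can still close it. Make the flag explicit: `$v = htmlspecialchars($v, ENT_QUOTES);` and pass the charset once the project settles on one. The `str_replace` that follows is rendered here with identical search and replace strings, presumably because the page decoded the entities; if it exists to undo double encoding of pre-existing entities, `htmlspecialchars()` has had a `double_encode` parameter since 5.2.3, but be aware that the Bug #5609 expectation in the tests only holds because the colon rewrite's `&#058;` does get encoded a second time, so an allowlist of permitted URL schemes would be a more robust check than rewriting the colon. `_buildParsedString` starts and ends outside the hunk.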
@@ -172,10 +172,6 @@ function smarterPPLink($matches)
$urlServ = $matches[1];
$path = $matches[5];
- //fix & only when not already done
- if (strpos($path, '&') === false) {
- $path = str_replace('&', '&', $path);
- }
$off = strpos($urlServ, ':');
@@ -157,7 +157,7 @@ class BBCodeParser_TestCase extends PHPUnit_TestCase
$bbc->$funcNam('[url=http://domain.com/index.php?i=1&j=2]linked text[/URL]'));
//Bug #5609: BBCodeParser allows XSS
$this->assertEquals(
- '<a href="javascript&#058;//%0ASh=alert(%22CouCou%22);window.close();">Alert box with "CouCou"</a>',
+ '<a href="javascript&amp;#058;//%0ASh=alert(%22CouCou%22);window.close();">Alert box with "CouCou"</a>',
$bbc->$funcNam('[url=javascript://%0ASh=alert(%22CouCou%22);window.close();]Alert box with "CouCou"[/url]')
);
/*
@@ -190,7 +190,7 @@ class BBCodeParser_TestCase extends PHPUnit_TestCase
);
//Bug #4844: Arbitrary HTML injection
$this->assertEquals(
- '<div style="text-align:foo&#039;&gt;&lt;script&gt;alert(&#039;JavaScript_Enabled&#039;);&lt;/script&gt;&#039;&gt;&lt;">',
+ '<div style="text-align:foo&quot;&gt;&lt;script&gt;alert(\'JavaScript_Enabled\');&lt;/script&gt;"></div>',
$bbc->$funcNam('[align=foo"><script>alert(\'JavaScript_Enabled\');</script>][/align]')
);
}
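Review bot: The new expectation for Bug #5609 asserts a double-encoded `javascript&amp;#058;` without saying why that string is the safe outcome, which makes the test hard to maintain when the escaping changes again; add a comment above the assertion such as `//the colon rewrite's entity is escaped again, so the attribute holds a literal &#058; and no javascript: scheme`. The Bug #4844 expectation also changes its tail from `">` to `"></div>`, which the commit message does not cover; if that is real parser output rather than a rendering artefact it deserves a sentence in the test. The single quotes left unescaped in that same expectation come from `htmlspecialchars()` being called without `ENT_QUOTES` in BBCodeParser.php, which is raised on that hunk.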
