Merge branch 'hotfix-10.3.6' into stable
Showing
9 changed files
with
188 additions
and
2 deletions.
@@ -0,0 +1,42 @@ | ||
--- | ||
id: xss | ||
title: XSS Protection | ||
--- | ||
|
||
>>> This feature was first introduced in **PresideCMS v10.3.6**. The details below do not apply for older versions of the software. | ||
PresideCMS comes with XSS protection out of the box using the AntiSamy project. This protection will automatically strip unwanted HTML from user input in order to prevent the possibility of successful cross site scripting attacks. | ||
|
||
## Configuring protection | ||
|
||
The protection is turned on by default but bypassed by default when the logged in user is a CMS administrator. These settings, and also the AntiSamy profile to be used, can be edited in your sites `Config.cfc` file: | ||
|
||
```luceescript | ||
public void function configure() { | ||
super.configure(); | ||
// turn off antisamy (don't do this!) | ||
settings.antiSamy.enabled = false; | ||
// use the "tinymce" AntiSamy policy (default is myspace) | ||
settings.antiSamy.policy = "tinymce"; | ||
// do not bypass antisamy, even when logged in user is admin | ||
settings.antiSamy.bypassForAdministrators = false; | ||
// ... | ||
} | ||
``` | ||
|
||
The list of possible policies to use are: | ||
|
||
* antisamy | ||
* ebay | ||
* myspace | ||
* slashdot | ||
* tinymce | ||
|
||
We plan to provide the ability for custom antisamy profiles to be used, but as of v10.3.6, these are the only options available. | ||
|
||
For more information on the AntiSamy project, visit [https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project](https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project). |
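--- a/support/tests/integration/api/security/AntiSamyServiceTest.cfc
+++ b/support/tests/integration/api/security/AntiSamyServiceTest.cfc
@@ -0,0 +1,44 @@
+component extends="testbox.system.BaseSpec" {
+
+function beforeAll() {
+antiSamy = new preside.system.services.security.AntiSamyService();
+}
+
+function run(){
+
+describe( "clean()", function(){
+
+it( "should strip script tags from content (we know it should do much more, but just to test...)", function(){
+var dirty = "some test <script>alert('hello')</script> to be cleaned";
+var cleaned = "some test to be cleaned";
+var actual = antiSamy.clean( dirty );
+
+expect( actual ).toBe( cleaned );
+} );
+
+it( "should wrap css in CDATA for the myspace policy", function(){
+var dirty = "some input <style>.class { color: red }</style> with css in it";
+var cleaned = "some input <style><![CDATA[*.class { color: red; } ]]></style> with css in it";
+var actual = antiSamy.clean( dirty, "myspace" );
+
+expect( actual contains "CDATA").toBeTrue();
+} );
+
+it( "should entirely strip css for more stricter policies", function(){
+var dirty = "some input <style>.class { color: red }</style> with css in it";
+var cleaned = "some input with css in it";
+var actual = antiSamy.clean( dirty, "tinymce" );
+
+expect( actual ).toBe( cleaned );
+} );
+
+it( "should throw a helpful error when the passed policy does not exist", function(){
+expect( function(){
+antiSamy.clean( "blah", "non-existant-policy" );
+} ).toThrow( type="preside.antisamyservice.policy.not.found" );
+} );
+
+} );
+
+}
+}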
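Review bot: In the "should wrap css in CDATA for the myspace policy" spec, `cleaned` is assigned the full expected output but the assertion only checks `expect( actual contains "CDATA").toBeTrue();`, so the variable is unused and the spec is weaker than its name and its sibling specs imply. Either assert the whole string with `expect( actual ).toBe( cleaned );` as the other specs do, or drop the unused variable so a reader does not assume the full output is being pinned. The expected string `"some test to be cleaned"` in the first spec should also be double-checked against the whitespace AntiSamy leaves where the `<script>` element was removed; the rendered diff may have collapsed a double space, and an exact `toBe` would fail on it.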
@@ -0,0 +1,73 @@ | ||
/** | ||
* @singleton | ||
* | ||
*/ | ||
component { | ||
|
||
// CONSTRUCTOR | ||
public any function init() { | ||
_setLibPath( ExpandPath( "/coldbox/system/plugins/AntiSamy-lib" ) ); | ||
_setupPolicyFiles(); | ||
_setupAntiSamy(); | ||
|
||
return this; | ||
} | ||
|
||
// PUBLIC API | ||
public any function clean( required string input, string policy="myspace" ) { | ||
var antiSamyResult = _getAntiSamy().scan( arguments.input, _getPolicyFile( arguments.policy ) ); | ||
|
||
return antiSamyResult.getCleanHtml(); | ||
} | ||
|
||
// PRIVATE HELPERS | ||
private void function _setupPolicyFiles() { | ||
var libPath = _getLibPath(); | ||
|
||
_setPolicyFiles ( { | ||
antisamy = libPath & '/antisamy-anythinggoes-1.4.4.xml' | ||
, ebay = libPath & '/antisamy-ebay-1.4.4.xml' | ||
, myspace = libPath & '/antisamy-myspace-1.4.4.xml' | ||
, slashdot = libPath & '/antisamy-slashdot-1.4.4.xml' | ||
, tinymce = libPath & '/antisamy-tinymce-1.4.4.xml' | ||
} ); | ||
} | ||
|
||
private void function _setupAntiSamy() { | ||
var jars = DirectoryList( _getLibPath(), false, "path", "*.jar" ); | ||
|
||
_setAntiSamy( CreateObject( "java", "org.owasp.validator.html.AntiSamy", jars ) ); | ||
} | ||
|
||
private array function _listJars( required string directory ) { | ||
return ; | ||
} | ||
|
||
private string function _getPolicyFile( required string policy ) { | ||
var policies = _getPolicyFiles(); | ||
|
||
return policies[ arguments.policy ] ?: throw( type="preside.antisamyservice.policy.not.found", message="The policy [#arguments.policy#] was not found. Existing policies: '#SerializeJson( policies.keyArray() )#" ); | ||
} | ||
|
||
// GETTERS AND SETTERS | ||
private string function _getLibPath() { | ||
return _libPath; | ||
} | ||
private void function _setLibPath( required string libPath ) { | ||
_libPath = arguments.libPath; | ||
} | ||
|
||
private struct function _getPolicyFiles() { | ||
return _policyFiles; | ||
} | ||
private void function _setPolicyFiles( required struct policyFiles ) { | ||
_policyFiles = arguments.policyFiles; | ||
} | ||
|
||
private any function _getAntiSamy() { | ||
return _antiSamy; | ||
} | ||
private void function _setAntiSamy( required any antiSamy ) { | ||
_antiSamy = arguments.antiSamy; | ||
} | ||
} |
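Review bot: `_listJars` is a dead stub — it declares an `array` return type but its body is a bare `return ;`, and nothing in the component calls it because `_setupAntiSamy` already lists the jars with `DirectoryList( _getLibPath(), false, "path", "*.jar" )` — so it should be removed rather than shipped. Separately, `clean()` hands `scan()` the policy file path on every call, which means the policy XML is re-read and re-parsed per request for what is annotated as a `@singleton`; `_setupPolicyFiles` could instead resolve each path once into a policy object via `org.owasp.validator.html.Policy.getInstance( path )` and `clean()` pass that object to `scan()`, which also surfaces a malformed or missing policy file at init rather than on the first piece of user input. The `policies[ arguments.policy ] ?: throw( ... )` form in `_getPolicyFile` depends on `throw` being callable as a function inside an expression, which I take to be acceptable given the `luceescript` examples in the accompanying docs, but it is worth a one-line comment so it is not "fixed" into an unreachable branch later.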