Better XSS protection
* Add HTMLPurifier library (LGPL) * Add helper functions to html helper * Set default encoding header to UTF-8 * Make sure the doctype is the same everywhere (admin/members/frontend) * Remove use of strip_tags() and htmlspecialchars() * Replace vanilla htmlentities with html::escape() - make sure no one forgets the UTF-8 * Remove _csv_text() fn - no longer used and was using strip_tags()
Showing
409 changed files
with
27,911 additions
and
180 deletions.
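--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,78 @@
+<?php defined('SYSPATH') OR die('No direct access allowed.');
+/**
+* HTML helper class.
+*
+* LICENSE: This source file is subject to LGPL license
+* that is available through the world-wide-web at the following URI:
+* http://www.gnu.org/copyleft/lesser.html
+* @author Ushahidi Team <team@ushahidi.com>
+* @package Ushahidi - http://source.ushahididev.com
+* @module File Helper
+* @copyright Ushahidi - http://www.ushahidi.com
+* @license http://www.gnu.org/copyleft/lesser.html GNU Lesser General Public License (LGPL)
+*/
+class html extends html_Core {
+
+/**
+* Helper function for easy use of HTMLPurifier
+*/
+public function clean($input)
+{
+require_once APPPATH.'libraries/htmlpurifier/HTMLPurifier.auto.php';
+
+$config = HTMLPurifier_Config::createDefault();
+// Defaults to UTF-8
+// $config->set('Core.Encoding', 'UTF-8');
+// $config->set('HTML.Doctype', 'XHTML 1.0 Transitional');
+$config->set('Core.EnableIDNA', TRUE);
+$config->set('HTML.Allowed', "a[href|title],p,img[src|alt],br,b,u,strong,em,i");
+// Allow some basic iframes
+$config->set('HTML.SafeIframe', true);
+$config->set('URI.SafeIframeRegexp',
+'%^http://(www.youtube.com/embed/|player.vimeo.com/video/|w.soundcloud.com/player)%'
+);
+$config->set('Filter.YouTube', true);
+$purifier = new HTMLPurifier($config);
+$clean_html = $purifier->purify($input);
+
+return $clean_html;
+}
+
+/**
+* Helper function to clean and escape plaintext before display
+*
+* This should be used to strip tags and then escape html entities, etc.
+*/
+public function strip_tags($input, $encode = TRUE)
+{
+require_once APPPATH.'libraries/htmlpurifier/HTMLPurifier.auto.php';
+
+$config = HTMLPurifier_Config::createDefault();
+// Defaults to UTF-8
+// $config->set('Core.Encoding', 'UTF-8');
+// $config->set('HTML.Doctype', 'XHTML 1.0 Transitional');
+$config->set('Core.EnableIDNA', TRUE);
+$config->set('HTML.Allowed', "");
+
+$purifier = new HTMLPurifier($config);
+$clean_html = $purifier->purify($input);
+
+return $encode ? self::escape($clean_html) : $clean_html;
+}
+
+/**
+* Helper function to escape plaintext before display
+*
+* This should be used to escape html entities, etc.
+*/
+public function escape($input)
+{
+// Ensure we have valid correctly encoded string..
+// http://stackoverflow.com/questions/1412239/why-call-mb-convert-encoding-to-sanitize-text
+$input = mb_convert_encoding($input, "UTF-8", "UTF-8");
+// why are we using html entities? this -> http://stackoverflow.com/a/110576/992171
+return htmlentities($input, ENT_QUOTES, 'UTF-8');
+}
+
+}
+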
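Review bot: `strip_tags()` calls `self::escape($clean_html)` on line 108, but `escape()` (like `clean()` and `strip_tags()` themselves) is declared as an instance method, so the static call raises an E_STRICT notice on PHP 5 and is deprecated or fatal on later versions; the commit message also says call sites use `html::escape()`, which has the same problem. Declare all three `public static function`, e.g. `public static function escape($input)`. The "Allow some basic iframes" block in `clean()` looks inert as written: HTMLPurifier's `HTML.Allowed` whitelist does not list `iframe`, so purified output should never contain one regardless of `HTML.SafeIframe` — confirm, and if iframes are intended add `iframe[src|width|height]` to the whitelist. If that is done, `URI.SafeIframeRegexp` must escape its dots, since an unescaped `.` matches any character and a look-alike host would pass: `'%^http://(www\.youtube\.com/embed/|player\.vimeo\.com/video/|w\.soundcloud\.com/player)%'`. Finally, `purify()` returns HTML whose text is already entity-encoded, so the `$encode` path of `strip_tags()` presumably turns `&` into `&amp;amp;` — verify against the library's output and, if so, decode before escaping or return the purified string directly.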
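--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,9 @@
+
+CREDITS
+
+Almost everything written by Edward Z. Yang (Ambush Commander). Lots of thanks
+to the DevNetwork Community for their help (see docs/ref-devnetwork.html for
+more details), Feyd especially (namely IPv6 and optimization). Thanks to RSnake
+for letting me package his fantastic XSS cheatsheet for a smoketest.
+
+vim: et sw=4 sts=4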
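--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,11 @@
+<?php
+
+/**
+* This is a stub include that automatically configures the include path.
+*/
+
+set_include_path(dirname(__FILE__) . PATH_SEPARATOR . get_include_path() );
+require_once 'HTMLPurifier/Bootstrap.php';
+require_once 'HTMLPurifier.autoload.php';
+
+// vim: et sw=4 sts=4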