From 8733510adfd8ab2bb81b21c89890c6a7b0900c32 Mon Sep 17 00:00:00 2001
From: Andy Miller
Date: Mon, 1 Oct 2018 12:33:06 -0600
Subject: [PATCH 1/2] lang updates
---
 languages/en.yaml | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/languages/en.yaml b/languages/en.yaml
index e809d141..6034cf99 100644
--- a/languages/en.yaml
+++ b/languages/en.yaml
@@ -728,8 +728,10 @@ PLUGIN_ADMIN:
 XSS_SECURITY: "XSS Security"
 XSS_WHITELIST_PERMISSIONS: "Whitelist Permissions"
 XSS_WHITELIST_PERMISSIONS_HELP: "Users with these permissions will skip the XSS rules when saving content"
- XSS_RULES: "Rules"
- XSS_RULES_HELP: "Be careful when tweaking these rules, a broken regex will break things badly!"
- XSS_RULE_LABEL: "Label"
- XSS_RULE_REGEX: "Regex"
+ XSS_ON_EVENTS: "On-events"
+ XSS_INVALID_PROTOCOLS: "Enable Invalid protocols"
+ XSS_MOZ_BINDINGS: "Moz bindings"
+ XSS_HTML_INLINE_STYLES: "HTML inline styles"
+ XSS_DANGEROUS_TAGS: "Dangerous HTML tags"
+ XSS_DANGEROUS_TAGS_LIST: "Dangerous HTML tags list"
 XSS_ISSUE: "Save failed: Found potential XSS code in %s. Please remove or disable the XSS filter."
From f497551873f7c7ba66813fdbff04043d57526da5 Mon Sep 17 00:00:00 2001
From: Andy Miller
Date: Mon, 1 Oct 2018 14:05:16 -0600
Subject: [PATCH 2/2] XSS notifications via field which is always shown
---
 blueprints/admin/pages/raw.yaml | 3 +++
 classes/admincontroller.php | 5 +----
 languages/en.yaml | 3 ++-
 themes/grav/templates/forms/fields/xss/xss.html.twig | 6 ++++++
 4 files changed, 12 insertions(+), 5 deletions(-)
 create mode 100644 themes/grav/templates/forms/fields/xss/xss.html.twig
diff --git a/blueprints/admin/pages/raw.yaml b/blueprints/admin/pages/raw.yaml
index 3ddf2ac2..788e9e23 100644
--- a/blueprints/admin/pages/raw.yaml
+++ b/blueprints/admin/pages/raw.yaml
@@ -18,6 +18,9 @@ form:
 title: PLUGIN_ADMIN.CONTENT
 fields:
+ xss_check:
+ type: xss
+
 frontmatter:
 classes: frontmatter
 type: editor
 
diff --git a/classes/admincontroller.php b/classes/admincontroller.php
index a04ae000..5f6ab857 100644
--- a/classes/admincontroller.php
+++ b/classes/admincontroller.php
@@ -661,10 +661,7 @@ class AdminController extends AdminBaseController
 $check_what = ['header' => $data['header'], 'content' => $data['content']];
 $results = Security::detectXssFromArray($check_what);
 if (!empty($results)) {
- $results_parts = array_map(function($value, $key) {
- return $key.': \''.$value . '\'';
- }, array_values($results), array_keys($results));
- $this->admin->setMessage(' ' . sprintf($this->admin->translate('PLUGIN_ADMIN.XSS_ISSUE'), implode(', ', $results_parts)),
+ $this->admin->setMessage(' ' . $this->admin->translate('PLUGIN_ADMIN.XSS_ONSAVE_ISSUE'),
 'error');
 return false;
 }
diff --git a/languages/en.yaml b/languages/en.yaml
index 6034cf99..82b2c13e 100644
--- a/languages/en.yaml
+++ b/languages/en.yaml
@@ -734,4 +734,5 @@ PLUGIN_ADMIN:
 XSS_HTML_INLINE_STYLES: "HTML inline styles"
 XSS_DANGEROUS_TAGS: "Dangerous HTML tags"
 XSS_DANGEROUS_TAGS_LIST: "Dangerous HTML tags list"
- XSS_ISSUE: "Save failed: Found potential XSS code in %s. Please remove or disable the XSS filter."
+ XSS_ONSAVE_ISSUE: "Save failed: XSS issue detected..."
+ XSS_ISSUE: "NOTICE: Grav found potential XSS issues in %s"
diff --git a/themes/grav/templates/forms/fields/xss/xss.html.twig b/themes/grav/templates/forms/fields/xss/xss.html.twig
new file mode 100644
index 00000000..3d858c41
--- /dev/null
+++ b/themes/grav/templates/forms/fields/xss/xss.html.twig
@@ -0,0 +1,6 @@
+{% set xss_header = data.value('header')|array %}
+{% set xss_content = data.value('content') %}
+{% set xss_status = xss({header: xss_header, content: xss_content}) %}
+{% if xss_status is not empty %}
+
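Review bot: The save-rejection message in the admincontroller.php hunk is now the bare `PLUGIN_ADMIN.XSS_ONSAVE_ISSUE` text, so `$results` — which the context line above still computes per field — is only tested for emptiness and neither the user nor any log learns whether `header` or `content` tripped the filter. The per-field detail is meant to surface through the new `xss` field, but in this series that field is only added to `blueprints/admin/pages/raw.yaml`, so saves through other blueprints would apparently get the generic message alone; a cheap way to keep the diagnostic without the removed closure is `' ' . $this->admin->translate('PLUGIN_ADMIN.XSS_ONSAVE_ISSUE') . ' (' . implode(', ', array_keys($results)) . ')'`. As a matter of style, the remaining single-argument call now fits on one line with `'error'`, so the continuation line can be folded in. The enclosing method starts and ends outside the hunk.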
{{ "PLUGIN_ADMIN.XSS_ISSUE"|tu([xss_status])|raw }}
+{% endif %}
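Review bot: `|raw` on the rendered notice turns off Twig's autoescaping for `xss_status`, a value computed from the submitted `header` and `content`; if what `xss()` returns embeds anything user-derived (a matched fragment, or frontmatter key names from `header`), the XSS warning itself becomes an unescaped sink in the admin page. Unless `xss()` is known to return only fixed rule identifiers, escape the substitution and drop `|raw`, e.g. `{{ "PLUGIN_ADMIN.XSS_ISSUE"|tu([xss_status|e]) }}` — the new `XSS_ISSUE` string in `en.yaml` carries no markup that would need `|raw`. The `xss()` Twig function is not defined anywhere in this series, so its return shape is inferred here. The markup surrounding the `{{ ... }}` line is not recoverable from the patch as shown.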