mirror of
https://github.com/getgrav/grav.git
synced 2026-07-04 13:59:12 +02:00
Added new XSS Twig function
This commit is contained in:
@@ -21,6 +21,9 @@ form:
|
||||
title: PLUGIN_ADMIN.CONTENT
|
||||
|
||||
fields:
|
||||
xss_check:
|
||||
type: xss
|
||||
|
||||
header.title:
|
||||
type: text
|
||||
autofocus: true
|
||||
|
||||
@@ -119,6 +119,8 @@ class Security
|
||||
$config = Grav::instance()['config'];
|
||||
|
||||
$dangerous_tags = $config->get('security.xss_dangerous_tags');
|
||||
$dangerous_tags = array_map('preg_quote', array_map("trim", $dangerous_tags));
|
||||
|
||||
$enabled_rules = $config->get('security.xss_enabled');
|
||||
|
||||
// Set the patterns we'll test against
|
||||
@@ -127,7 +129,7 @@ class Security
|
||||
'on_events' => '#(<[^>]+[[a-z\x00-\x20\"\'\/])(\son|\sxmlns)[a-z].*=>?#iUu',
|
||||
|
||||
// Match javascript:, livescript:, vbscript:, mocha:, feed: and data: protocols
|
||||
'invalid_protocols' => '#((java|live|vb)script|mocha|feed|data):.*?#!iUu',
|
||||
'invalid_protocols' => '#((java|live|vb)script|mocha|feed|data):.*?#iUu',
|
||||
|
||||
// Match -moz-bindings
|
||||
'moz_binding' => '#-moz-binding[a-z\x00-\x20]*:#u',
|
||||
@@ -136,7 +138,7 @@ class Security
|
||||
'html_inline_styles' => '#(<[^>]+[a-z\x00-\x20\"\'\/])(style=[^>]*(url\:|x\:expression).*)>?#iUu',
|
||||
|
||||
// Match potentially dangerous tags
|
||||
'dangerous_tags' => '#</*(' . implode('|', array_map("trim",$dangerous_tags)) . ')[^>]*>?#ui'
|
||||
'dangerous_tags' => '#</*(' . implode('|', $dangerous_tags ) . ')[^>]*>?#ui'
|
||||
];
|
||||
|
||||
|
||||
|
||||
@@ -11,6 +11,7 @@ namespace Grav\Common\Twig;
|
||||
use Grav\Common\Grav;
|
||||
use Grav\Common\Page\Collection;
|
||||
use Grav\Common\Page\Media;
|
||||
use Grav\Common\Security;
|
||||
use Grav\Common\Twig\TokenParser\TwigTokenParserScript;
|
||||
use Grav\Common\Twig\TokenParser\TwigTokenParserStyle;
|
||||
use Grav\Common\Twig\TokenParser\TwigTokenParserSwitch;
|
||||
@@ -156,6 +157,7 @@ class TwigExtension extends \Twig_Extension implements \Twig_Extension_GlobalsIn
|
||||
new \Twig_SimpleFunction('nicenumber', [$this, 'niceNumberFunc']),
|
||||
new \Twig_SimpleFunction('nicefilesize', [$this, 'niceFilesizeFunc']),
|
||||
new \Twig_SimpleFunction('nicetime', [$this, 'nicetimeFunc']),
|
||||
new \Twig_SimpleFunction('xss', [$this, 'xssFunc']),
|
||||
|
||||
// Translations
|
||||
new \Twig_simpleFunction('t', [$this, 'translate']),
|
||||
@@ -530,6 +532,27 @@ class TwigExtension extends \Twig_Extension implements \Twig_Extension_GlobalsIn
|
||||
return "$difference $periods[$j] {$tense}";
|
||||
}
|
||||
|
||||
/**
|
||||
* Allow quick check of a string for XSS Vulnerabilities
|
||||
*
|
||||
* @param $string
|
||||
* @return bool|string|array
|
||||
*/
|
||||
public function xssFunc($data)
|
||||
{
|
||||
if (is_array($data)) {
|
||||
$results = Security::detectXssFromArray($data);
|
||||
} else {
|
||||
return Security::detectXss($data);
|
||||
}
|
||||
|
||||
$results_parts = array_map(function($value, $key) {
|
||||
return $key.': \''.$value . '\'';
|
||||
}, array_values($results), array_keys($results));
|
||||
|
||||
return implode(', ', $results_parts);
|
||||
}
|
||||
|
||||
/**
|
||||
* @param $string
|
||||
*
|
||||
|
||||
Reference in New Issue
Block a user