From 44dbcdf2b1238583eaf7ef4e747c386a7c0a05d3 Mon Sep 17 00:00:00 2001
From: Andy Miller
Date: Mon, 1 Oct 2018 14:07:14 -0600
Subject: [PATCH] Added new XSS Twig function

---
 system/blueprints/pages/default.yaml | 3 +++
 system/src/Grav/Common/Security.php | 6 +++--
 system/src/Grav/Common/Twig/TwigExtension.php | 23 +++++++++++++++++++
 3 files changed, 30 insertions(+), 2 deletions(-)

diff --git a/system/blueprints/pages/default.yaml b/system/blueprints/pages/default.yaml
index 8f81e527f..0e7b8c374 100644
--- a/system/blueprints/pages/default.yaml
+++ b/system/blueprints/pages/default.yaml
@@ -21,6 +21,9 @@ form:
 title: PLUGIN_ADMIN.CONTENT
 fields:
+ xss_check:
+ type: xss
+
 header.title:
 type: text
 autofocus: true
diff --git a/system/src/Grav/Common/Security.php b/system/src/Grav/Common/Security.php
index e8d3fd70c..8fa00e136 100644
--- a/system/src/Grav/Common/Security.php
+++ b/system/src/Grav/Common/Security.php
@@ -119,6 +119,8 @@ class Security
 $config = Grav::instance()['config'];
 $dangerous_tags = $config->get('security.xss_dangerous_tags');
+ $dangerous_tags = array_map('preg_quote', array_map("trim", $dangerous_tags));
+
 $enabled_rules = $config->get('security.xss_enabled');
 
 // Set the patterns we'll test against
@@ -127,7 +129,7 @@ class Security
 'on_events' => '#(<[^>]+[[a-z\x00-\x20\"\'\/])(\son|\sxmlns)[a-z].*=>?#iUu',
 
 // Match javascript:, livescript:, vbscript:, mocha:, feed: and data: protocols
- 'invalid_protocols' => '#((java|live|vb)script|mocha|feed|data):.*?#!iUu',
+ 'invalid_protocols' => '#((java|live|vb)script|mocha|feed|data):.*?#iUu',
 
 // Match -moz-bindings
 'moz_binding' => '#-moz-binding[a-z\x00-\x20]*:#u',
@@ -136,7 +138,7 @@ class Security
 'html_inline_styles' => '#(<[^>]+[a-z\x00-\x20\"\'\/])(style=[^>]*(url\:|x\:expression).*)>?#iUu',
 
 // Match potentially dangerous tags
- 'dangerous_tags' => '#]*>?#ui'
+ 'dangerous_tags' => '#]*>?#ui'
 ];
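Review bot: In the `@@ -119,6 +119,8 @@` hunk of Security.php, `array_map('preg_quote', ...)` calls preg_quote without its delimiter argument, while the `dangerous_tags` pattern in the file's last hunk uses `#` as its delimiter, so a configured tag containing `#` would have its regex metacharacters quoted but not the delimiter; `$dangerous_tags = array_map(function ($tag) { return preg_quote(trim($tag), '#'); }, $dangerous_tags);` handles both in one pass. The new line also assumes `$config->get('security.xss_dangerous_tags')` returns an array; if the key is absent, array_map receives null and fails, so supplying a default (`$config->get('security.xss_dangerous_tags', [])`) would be safer — whether the config always provides the key is not visible here. The mixed quoting of the two callables (`'preg_quote'` vs `"trim"`) is a small style inconsistency. The enclosing method begins before the hunk.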
diff --git a/system/src/Grav/Common/Twig/TwigExtension.php b/system/src/Grav/Common/Twig/TwigExtension.php
index 2de622bf0..adb466ac6 100644
--- a/system/src/Grav/Common/Twig/TwigExtension.php
+++ b/system/src/Grav/Common/Twig/TwigExtension.php
@@ -11,6 +11,7 @@ namespace Grav\Common\Twig;
 use Grav\Common\Grav;
 use Grav\Common\Page\Collection;
 use Grav\Common\Page\Media;
+use Grav\Common\Security;
 use Grav\Common\Twig\TokenParser\TwigTokenParserScript;
 use Grav\Common\Twig\TokenParser\TwigTokenParserStyle;
 use Grav\Common\Twig\TokenParser\TwigTokenParserSwitch;
@@ -156,6 +157,7 @@ class TwigExtension extends \Twig_Extension implements \Twig_Extension_GlobalsIn
 new \Twig_SimpleFunction('nicenumber', [$this, 'niceNumberFunc']),
 new \Twig_SimpleFunction('nicefilesize', [$this, 'niceFilesizeFunc']),
 new \Twig_SimpleFunction('nicetime', [$this, 'nicetimeFunc']),
+ new \Twig_SimpleFunction('xss', [$this, 'xssFunc']),
 
 // Translations
 new \Twig_simpleFunction('t', [$this, 'translate']),
@@ -530,6 +532,27 @@ class TwigExtension extends \Twig_Extension implements \Twig_Extension_GlobalsIn
 return "$difference $periods[$j] {$tense}";
 }
 
+ /**
+ * Allow quick check of a string for XSS Vulnerabilities
+ *
+ * @param $string
+ * @return bool|string|array
+ */
+ public function xssFunc($data)
+ {
+ if (is_array($data)) {
+ $results = Security::detectXssFromArray($data);
+ } else {
+ return Security::detectXss($data);
+ }
+
+ $results_parts = array_map(function($value, $key) {
+ return $key.': \''.$value . '\'';
+ }, array_values($results), array_keys($results));
+
+ return implode(', ', $results_parts);
+ }
+
 /**
 * @param $string
 *
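Review bot: The docblock added for `xssFunc` in the `@@ -530,6 +532,27 @@` hunk does not match the method: it names the parameter `$string` while the signature uses `$data`, and it lists `array` among the return types although neither branch returns one (the array branch returns the `implode` string, the scalar branch whatever `Security::detectXss` returns). Suggest `@param string|array $data` and `@return bool|string`, plus a sentence stating that for array input the result is a single comma-separated `key: 'value'` summary of the detections rather than a per-key structure. Because the function is registered without `is_safe` in the `@@ -156` hunk, Twig autoescaping presumably applies to that summary, which is the right default given the keys and values come from the checked data; a one-line comment at the registration such as `// Result is autoescaped by Twig; do not mark is_safe.` would keep that intent from being lost. Stylistically, the closure's uneven concatenation spacing (`$key.': \''.$value . '\''`) reads more cleanly as `sprintf("%s: '%s'", $key, $value)`.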