diff --git a/CHANGELOG.md b/CHANGELOG.md
index 76aa66d3c..a8d6d3ef4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,8 +1,13 @@
 # v1.7.0-beta.8
 ## mm/dd/2019
 
+1. [](#new)
+ * Added new `Security::sanitizeSVG()` function
+1. [](#improved)
+ * Several FlexObject loading improvements
 1. [](#bugfix)
 * Regression: Fixed language fallback
+ * Regression: Allow SVG avatar images for users
 
 # v1.7.0-beta.7
 ## 08/30/2019
diff --git a/composer.json b/composer.json
index 1030e5aa2..67214653e 100644
--- a/composer.json
+++ b/composer.json
@@ -51,7 +51,8 @@
 "dragonmantank/cron-expression": "^1.2",
 "phive/twig-extensions-deferred": "^1.0",
 "willdurand/negotiation": "^2.3",
- "itsgoingd/clockwork": "~4.0"
+ "itsgoingd/clockwork": "~4.0",
+ "enshrined/svg-sanitize": "^0.10.0"
 },
 "require-dev": {
 "codeception/codeception": "^2.4",
diff --git a/composer.lock b/composer.lock
index ed0a3b1cd..c6537c0db 100644
--- a/composer.lock
+++ b/composer.lock
@@ -4,7 +4,7 @@
 "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
 "This file is @generated automatically"
 ],
- "content-hash": "fe6ec382807a811a027202be339f8384",
+ "content-hash": "651a29a09418144e8b0d47bade1e807f",
 "packages": [
 {
 "name": "antoligy/dom-string-iterators",
@@ -346,6 +346,43 @@
 ],
 "time": "2017-01-23T04:29:33+00:00"
 },
+ {
+ "name": "enshrined/svg-sanitize",
+ "version": "0.10.0",
+ "source": {
+ "type": "git",
+ "url": "https://github.com/darylldoyle/svg-sanitizer.git",
+ "reference": "5344d8511e494adf160f71f4b34024d3a3c66c82"
+ },
+ "dist": {
+ "type": "zip",
+ "url": "https://api.github.com/repos/darylldoyle/svg-sanitizer/zipball/5344d8511e494adf160f71f4b34024d3a3c66c82",
+ "reference": "5344d8511e494adf160f71f4b34024d3a3c66c82",
+ "shasum": ""
+ },
+ "require-dev": {
+ "codeclimate/php-test-reporter": "^0.1.2",
+ "phpunit/phpunit": "^6"
+ },
+ "type": "library",
+ "autoload": {
+ "psr-4": {
+ "enshrined\\svgSanitize\\": "src"
+ }
+ },
+ "notification-url": "https://packagist.org/downloads/",
+ "license": [
+ "GPL-2.0+"
+ ],
+ "authors": [
+ {
+ "name": "Daryll Doyle",
+ "email": "daryll@enshrined.co.uk"
+ }
+ ],
+ "description": "An SVG sanitizer for PHP",
+ "time": "2019-01-11T12:31:32+00:00"
+ },
 {
 "name": "erusev/parsedown",
 "version": "1.6.4",
diff --git a/system/src/Grav/Common/Security.php b/system/src/Grav/Common/Security.php
index 0f6109795..a58d5a1b5 100644
--- a/system/src/Grav/Common/Security.php
+++ b/system/src/Grav/Common/Security.php
@@ -9,11 +9,33 @@
 
 namespace Grav\Common;
 
+use enshrined\svgSanitize\Sanitizer;
 use Grav\Common\Page\Pages;
 
 class Security
 {
 
+ /**
+ * Sanitize SVG for XSS code
+ *
+ * @param $file
+ */
+ public static function sanitizeSVG($file)
+ {
+ $sanitizer = new Sanitizer();
+ $original_svg = file_get_contents($file);
+ $clean_svg = $sanitizer->sanitize($original_svg);
+ file_put_contents($file, $clean_svg);
+ }
+
+ /**
+ * Detect XSS code in Grav pages
+ *
+ * @param Pages $pages
+ * @param bool $route
+ * @param callable|null $status
+ * @return array
+ */
 public static function detectXssFromPages(Pages $pages, $route = true, callable $status = null)
 {
 $routes = $pages->routes();
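Review bot: `sanitizeSVG()` writes whatever `sanitize()` returns straight back to `$file` without checking it, so a failed read (`file_get_contents()` returning `false`) or a document the sanitizer cannot parse (its `sanitize()` returns `false` in that case, as far as I recall of this library) ends in `file_put_contents($file, false)`, which silently truncates the file to zero bytes, and the caller — which the changelog suggests is the user-avatar upload — gets no signal that sanitizing did not take place. The method should treat both `false` results as failure and report it, returning `false` (or throwing) instead of writing, and the docblock should type the parameter: `@param string $file`. A rewritten body is below.
```php
    /**
     * Sanitize SVG for XSS code
     *
     * @param string $file Path to the SVG file; it is rewritten in place.
     * @return bool True when the file was read, sanitized and written back.
     */
    public static function sanitizeSVG($file)
    {
        $sanitizer = new Sanitizer();
        $original_svg = file_get_contents($file);
        if ($original_svg === false) {
            return false;
        }
        $clean_svg = $sanitizer->sanitize($original_svg);
        if ($clean_svg === false) {
            // Sanitizer could not load the document; do not replace the file with an empty one.
            return false;
        }

        return file_put_contents($file, $clean_svg) !== false;
    }
```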
@@ -51,7 +73,6 @@ class Security
 } else {
 $list[$page->filePathClean()] = $results;
 }
-
 
 }
 } catch (\Exception $e) {
@@ -63,6 +84,8 @@ class Security
 }
 
 /**
+ * Detect XSS in an array or strings such as $_POST or $_GET
+ *
 * @param array $array Array such as $_POST or $_GET
 * @param string $prefix Prefix for returned values.
 * @return array Returns flatten list of potentially dangerous input values, such as 'data.content'.
@@ -89,6 +112,7 @@ class Security
 
 /**
 * Determine if string potentially has a XSS attack. This simple function does not catch all XSS and it is likely to
+ *
 * return false positives because of it tags all potentially dangerous HTML tags and attributes without looking into
 * their content.
 *
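Review bot: The summary line added in the `@@ -63,6 +84,8 @@` hunk reads "Detect XSS in an array or strings such as $_POST or $_GET"; given the `@param array $array` right below it, this is presumably "an array of strings" — `* Detect XSS in an array of strings such as $_POST or $_GET`. The following `@@ -89,6 +112,7 @@` hunk, which appears to run past the end of this excerpt, inserts a bare ` *` line between "it is likely to" and "return false positives", splitting one sentence into two paragraphs; dropping that added line, or placing it after "their content." instead, keeps the description readable.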