mirror of
https://github.com/getgrav/grav.git
synced 2026-07-06 17:48:32 +02:00
Added option to configure list of xss_invalid_protocols in Security config #2250
This commit is contained in:
@@ -12,6 +12,7 @@
|
||||
* Make `Data` class to extend `JsonSerializable`
|
||||
* Modified debugger icon to use retina space-dude version
|
||||
* Added missing `Video::preload()` method
|
||||
* Added option to configure list of `xss_invalid_protocols` in `Security` config [#2250](https://github.com/getgrav/grav/issues/2250)
|
||||
|
||||
# v1.6.0-beta.4
|
||||
## 10/24/2018
|
||||
|
||||
@@ -41,6 +41,14 @@ form:
|
||||
validate:
|
||||
type: bool
|
||||
|
||||
xss_invalid_protocols:
|
||||
type: selectize
|
||||
size: large
|
||||
label: PLUGIN_ADMIN.XSS_INVALID_PROTOCOLS_LIST
|
||||
classes: fancy
|
||||
validate:
|
||||
type: commalist
|
||||
|
||||
xss_enabled.moz_binding:
|
||||
type: toggle
|
||||
label: PLUGIN_ADMIN.XSS_MOZ_BINDINGS
|
||||
|
||||
@@ -5,6 +5,13 @@ xss_enabled:
|
||||
moz_binding: true
|
||||
html_inline_styles: true
|
||||
dangerous_tags: true
|
||||
xss_invalid_protocols:
|
||||
- javascript
|
||||
- livescript
|
||||
- vbscript
|
||||
- mocha
|
||||
- feed
|
||||
- data
|
||||
xss_dangerous_tags:
|
||||
- applet
|
||||
- meta
|
||||
|
||||
@@ -123,9 +123,8 @@ class Security
|
||||
|
||||
$config = Grav::instance()['config'];
|
||||
|
||||
$dangerous_tags = $config->get('security.xss_dangerous_tags');
|
||||
$dangerous_tags = array_map('preg_quote', array_map("trim", $dangerous_tags));
|
||||
|
||||
$dangerous_tags = array_map('preg_quote', array_map("trim", $config->get('security.xss_dangerous_tags')));
|
||||
$invalid_protocols = array_map('preg_quote', array_map("trim", $config->get('security.xss_invalid_protocols')));
|
||||
$enabled_rules = $config->get('security.xss_enabled');
|
||||
|
||||
// Set the patterns we'll test against
|
||||
@@ -134,7 +133,7 @@ class Security
|
||||
'on_events' => '#(<[^>]+[[a-z\x00-\x20\"\'\/])(\son|\sxmlns)[a-z].*=>?#iUu',
|
||||
|
||||
// Match javascript:, livescript:, vbscript:, mocha:, feed: and data: protocols
|
||||
'invalid_protocols' => '#((java|live|vb)script|mocha|feed|data):.*?#iUu',
|
||||
'invalid_protocols' => '#(' . implode('|', $invalid_protocols) . '):.*?#iUu',
|
||||
|
||||
// Match -moz-bindings
|
||||
'moz_binding' => '#-moz-binding[a-z\x00-\x20]*:#u',
|
||||
@@ -143,7 +142,7 @@ class Security
|
||||
'html_inline_styles' => '#(<[^>]+[a-z\x00-\x20\"\'\/])(style=[^>]*(url\:|x\:expression).*)>?#iUu',
|
||||
|
||||
// Match potentially dangerous tags
|
||||
'dangerous_tags' => '#</*(' . implode('|', $dangerous_tags ) . ')[^>]*>?#ui'
|
||||
'dangerous_tags' => '#</*(' . implode('|', $dangerous_tags) . ')[^>]*>?#ui'
|
||||
];
|
||||
|
||||
|
||||
|
||||
Reference in New Issue
Block a user