Added option to configure list of xss_invalid_protocols in Security config #2250

This commit is contained in:
Andy Miller
2018-11-03 14:09:00 -06:00
parent d70d0b889e
commit 472b575e20
4 changed files with 20 additions and 5 deletions

View File

@@ -12,6 +12,7 @@
* Make `Data` class to extend `JsonSerializable`
* Modified debugger icon to use retina space-dude version
* Added missing `Video::preload()` method
* Added option to configure list of `xss_invalid_protocols` in `Security` config [#2250](https://github.com/getgrav/grav/issues/2250)
# v1.6.0-beta.4
## 10/24/2018

View File

@@ -41,6 +41,14 @@ form:
validate:
type: bool
xss_invalid_protocols:
type: selectize
size: large
label: PLUGIN_ADMIN.XSS_INVALID_PROTOCOLS_LIST
classes: fancy
validate:
type: commalist
xss_enabled.moz_binding:
type: toggle
label: PLUGIN_ADMIN.XSS_MOZ_BINDINGS

View File

@@ -5,6 +5,13 @@ xss_enabled:
moz_binding: true
html_inline_styles: true
dangerous_tags: true
xss_invalid_protocols:
- javascript
- livescript
- vbscript
- mocha
- feed
- data
xss_dangerous_tags:
- applet
- meta

View File

@@ -123,9 +123,8 @@ class Security
$config = Grav::instance()['config'];
$dangerous_tags = $config->get('security.xss_dangerous_tags');
$dangerous_tags = array_map('preg_quote', array_map("trim", $dangerous_tags));
$dangerous_tags = array_map('preg_quote', array_map("trim", $config->get('security.xss_dangerous_tags')));
$invalid_protocols = array_map('preg_quote', array_map("trim", $config->get('security.xss_invalid_protocols')));
$enabled_rules = $config->get('security.xss_enabled');
// Set the patterns we'll test against
@@ -134,7 +133,7 @@ class Security
'on_events' => '#(<[^>]+[[a-z\x00-\x20\"\'\/])(\son|\sxmlns)[a-z].*=>?#iUu',
// Match javascript:, livescript:, vbscript:, mocha:, feed: and data: protocols
'invalid_protocols' => '#((java|live|vb)script|mocha|feed|data):.*?#iUu',
'invalid_protocols' => '#(' . implode('|', $invalid_protocols) . '):.*?#iUu',
// Match -moz-bindings
'moz_binding' => '#-moz-binding[a-z\x00-\x20]*:#u',
@@ -143,7 +142,7 @@ class Security
'html_inline_styles' => '#(<[^>]+[a-z\x00-\x20\"\'\/])(style=[^>]*(url\:|x\:expression).*)>?#iUu',
// Match potentially dangerous tags
'dangerous_tags' => '#</*(' . implode('|', $dangerous_tags ) . ')[^>]*>?#ui'
'dangerous_tags' => '#</*(' . implode('|', $dangerous_tags) . ')[^>]*>?#ui'
];