From 472b575e2002e86da038938cc42449d081907a56 Mon Sep 17 00:00:00 2001 From: Andy Miller Date: Sat, 3 Nov 2018 14:09:00 -0600 Subject: [PATCH] Added option to configure list of `xss_invalid_protocols` in `Security` config #2250 --- CHANGELOG.md | 1 + system/blueprints/config/security.yaml | 8 ++++++++ system/config/security.yaml | 7 +++++++ system/src/Grav/Common/Security.php | 9 ++++----- 4 files changed, 20 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3390eef09..ac1365aa5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,7 @@ * Make `Data` class to extend `JsonSerializable` * Modified debugger icon to use retina space-dude version * Added missing `Video::preload()` method + * Added option to configure list of `xss_invalid_protocols` in `Security` config [#2250](https://github.com/getgrav/grav/issues/2250) # v1.6.0-beta.4 ## 10/24/2018 diff --git a/system/blueprints/config/security.yaml b/system/blueprints/config/security.yaml index 9f7241657..e0296be28 100644 --- a/system/blueprints/config/security.yaml +++ b/system/blueprints/config/security.yaml @@ -41,6 +41,14 @@ form: validate: type: bool + xss_invalid_protocols: + type: selectize + size: large + label: PLUGIN_ADMIN.XSS_INVALID_PROTOCOLS_LIST + classes: fancy + validate: + type: commalist + xss_enabled.moz_binding: type: toggle label: PLUGIN_ADMIN.XSS_MOZ_BINDINGS diff --git a/system/config/security.yaml b/system/config/security.yaml index 77e5de0d8..964e6821e 100644 --- a/system/config/security.yaml +++ b/system/config/security.yaml @@ -5,6 +5,13 @@ xss_enabled: moz_binding: true html_inline_styles: true dangerous_tags: true +xss_invalid_protocols: + - javascript + - livescript + - vbscript + - mocha + - feed + - data xss_dangerous_tags: - applet - meta diff --git a/system/src/Grav/Common/Security.php b/system/src/Grav/Common/Security.php index 4f1862226..0a73a6777 100644 --- a/system/src/Grav/Common/Security.php +++ b/system/src/Grav/Common/Security.php @@ -123,9 +123,8 @@ class Security $config = Grav::instance()['config']; - $dangerous_tags = $config->get('security.xss_dangerous_tags'); - $dangerous_tags = array_map('preg_quote', array_map("trim", $dangerous_tags)); - + $dangerous_tags = array_map('preg_quote', array_map("trim", $config->get('security.xss_dangerous_tags'))); + $invalid_protocols = array_map('preg_quote', array_map("trim", $config->get('security.xss_invalid_protocols'))); $enabled_rules = $config->get('security.xss_enabled'); // Set the patterns we'll test against @@ -134,7 +133,7 @@ class Security 'on_events' => '#(<[^>]+[[a-z\x00-\x20\"\'\/])(\son|\sxmlns)[a-z].*=>?#iUu', // Match javascript:, livescript:, vbscript:, mocha:, feed: and data: protocols - 'invalid_protocols' => '#((java|live|vb)script|mocha|feed|data):.*?#iUu', + 'invalid_protocols' => '#(' . implode('|', $invalid_protocols) . '):.*?#iUu', // Match -moz-bindings 'moz_binding' => '#-moz-binding[a-z\x00-\x20]*:#u', @@ -143,7 +142,7 @@ class Security 'html_inline_styles' => '#(<[^>]+[a-z\x00-\x20\"\'\/])(style=[^>]*(url\:|x\:expression).*)>?#iUu', // Match potentially dangerous tags - 'dangerous_tags' => '#]*>?#ui' + 'dangerous_tags' => '#]*>?#ui' ];