-
-
Notifications
You must be signed in to change notification settings - Fork 529
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[3.x] Restrict tag usage and ensure proper escaping of element name, caption, and description fields #15936
base: 3.x
Are you sure you want to change the base?
Conversation
(Just to make this reference to this PR easier to get to, the above is from @Mark-H re this PR.) One quick question on the matter of XSS, and this is just to get a better understanding: Is it because of the context of these input forms being only accessible via a backend interface that XSS would not be applicable? Regardless, it seems I should consider opening it up a bit in the following ways:
|
Disallowing script tags is not enough. Each element can have several |
@Jako - Yes, it goes without saying that virtually all attributes should be discarded, especially event-based ones. ;-) |
MODx.util.safeHtml does this and should be quite safe. |
OK all, I've made several updates in the latest commit to address the concerns raised above, as well as to make the processing more complete (on the php side) and flexible by making the tag and attribute restrictions customizable via new system settings. |
027c21d
to
fadf49e
Compare
fadf49e
to
754a6c7
Compare
Prevents saving of tags in fields that will be displayed in the interface (name, caption, description)
Cleans name, caption, and description fields on the front end (js) side before they are submitted to processors.
Allow tags and attributes as defined in new system settings. Also, created a new stripHtml method on the php side to coordinate the rules when javascript is not applicable (e.g., when elements are created or updated programmatically).
754a6c7
to
bcd2f11
Compare
Codecov ReportAttention:
Additional details and impacted files@@ Coverage Diff @@
## 3.x #15936 +/- ##
============================================
+ Coverage 17.95% 18.03% +0.08%
- Complexity 10442 10468 +26
============================================
Files 561 561
Lines 39051 39161 +110
============================================
+ Hits 7010 7062 +52
- Misses 32041 32099 +58 ☔ View full report in Codecov by Sentry. |
* @param string|array $allowedTags An array or comma-separated list of tag names to allow | ||
* @param string|array $allowedAttr An array or comma-separated list of tag attribute names to allow | ||
*/ | ||
public function stripHTML(string $htmlSource, $allowedTags = '', $allowedAttr = ''): string |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would it be possible to add a Unit Test for this with various test cases?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, I will likely need a little guidance creating the tests (at least initially) as it'll be my first time doing so. I've been wanting to get some experience with UTs so I definitely don't want to pass it off ;-) I'll throw some questions to you on Slack via DM...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Co-authored-by: Joshua Lückers <[email protected]>
Change made by request for better maintainability.
I'm kinda worried this will impact existing sites and we'll get a bunch of issues reported that users suddenly can't use whatever fancy captions and descriptions they've used in the past, but as long as the safeHtml gets covered by sufficient tests and these new restrictions get added to the documentation I don't see a technical reason to reject it. |
What does it do?
Strips tags and html encodes the name, caption/label, and description fields for elements—both in the back end (processors) and front end (js forms, grids, and windows). Made separate commits for processors and js in case that makes testing easier.
Why is it needed?
There should be more appropriate limitations on HTML tag usage within certain fields. The initial submission of this PR is highly restrictive, which I realize may need to be loosened depending on reviewer feedback.
How to test
grunt build
from within the_build/templates/default
folder and clear your browser cache.elements_caption_allowedtags
,elements_caption_allowedattr
,elements_description_allowedtags
, andelements_description_allowedattr
).Related issue(s)/PR(s)
Resolves #15925