Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[3.x] Restrict tag usage and ensure proper escaping of element name, caption, and description fields #15936

Open
wants to merge 9 commits into
base: 3.x
Choose a base branch
from

Conversation

smg6511
Copy link
Collaborator

@smg6511 smg6511 commented Dec 8, 2021

What does it do?

Strips tags and html encodes the name, caption/label, and description fields for elements—both in the back end (processors) and front end (js forms, grids, and windows). Made separate commits for processors and js in case that makes testing easier.

Why is it needed?

There should be more appropriate limitations on HTML tag usage within certain fields. The initial submission of this PR is highly restrictive, which I realize may need to be loosened depending on reviewer feedback.

How to test

  1. Note, There are three areas covered that should be tested:
    • The main element create/edit form pages
    • The quick create/edit windows
    • The form customization grid (you'll need to create a new profile and set to test)
  2. From your terminal app, run grunt build from within the _build/templates/default folder and clear your browser cache.
  3. Cherry pick just the processors commit to verify tags can not be saved to the database for the name/templatename, and only select tags and attributes can be saved for caption (TVs only) and description fields for all elements (set with the 4 new system settings elements_caption_allowedtags, elements_caption_allowedattr, elements_description_allowedtags, and elements_description_allowedattr).
  4. Add in the javascript commit and verify that tags are prevented in these form fields and special characters are html encoded as well.

Related issue(s)/PR(s)

Resolves #15925

@cla-bot cla-bot bot added the cla-signed CLA confirmed for contributors to this PR. label Dec 8, 2021
@smg6511
Copy link
Collaborator Author

smg6511 commented Dec 8, 2021

That was for rendering in the resource TV panel, as in-context help/guidance. As an example, consider a "hero type" TV with a narrow height image in the description to show what the 3 options in a select/radio tv would look like.

For the caption (again, rendering in the resource tv panel) I can also imagine adding just a help link to the caption.

I don't think I have an immediate example at hand as the few sites I'm actively managing these days are not set up for non-technical clients, but I just want my objection that this should not be classified as a XSS vulnerability but a feature noted, before #15936 is considered. #15936 does go beyond just what is reported here and from a cursory review some of that would certainly be good to resolve, but I don't want to be the one to tell people the help text they set up for their clients is no longer possible in 3.

(Just to make this reference to this PR easier to get to, the above is from @Mark-H re this PR.)

One quick question on the matter of XSS, and this is just to get a better understanding: Is it because of the context of these input forms being only accessible via a backend interface that XSS would not be applicable?

Regardless, it seems I should consider opening it up a bit in the following ways:

  1. Allow the TV captions to have links (perhaps without scripting access?)
  2. Allow the TV descriptions to use either a limited set of specified tags, or all tags other than <script>

@smg6511 smg6511 changed the title [3.x] Prevent XSS in element fields [3.x] Restrict tag usage and ensure proper escaping of element name, caption, and description fields Dec 9, 2021
@Jako
Copy link
Collaborator

Jako commented Dec 9, 2021

Disallowing script tags is not enough. Each element can have several on attributes that can execute javascript.

@smg6511
Copy link
Collaborator Author

smg6511 commented Dec 9, 2021

@Jako - Yes, it goes without saying that virtually all attributes should be discarded, especially event-based ones. ;-)

@Jako
Copy link
Collaborator

Jako commented Dec 10, 2021

MODx.util.safeHtml does this and should be quite safe.

@Mark-H Mark-H added this to the v3.0.0-rc2 milestone Jan 19, 2022
@smg6511
Copy link
Collaborator Author

smg6511 commented Jan 20, 2022

OK all, I've made several updates in the latest commit to address the concerns raised above, as well as to make the processing more complete (on the php side) and flexible by making the tag and attribute restrictions customizable via new system settings.

@JoshuaLuckers JoshuaLuckers added the pr/review-needed Pull request requires review and testing. label Feb 1, 2022
@Mark-H Mark-H modified the milestones: v3.0.0-rc2, v3.1.0 Feb 2, 2022
@smg6511 smg6511 force-pushed the 3.x-issue-15925 branch from 1b0230b to 87dcce4 Compare May 6, 2022 05:01
Jim Graham added 7 commits January 21, 2023 00:26
Prevents saving of tags in fields that will be displayed in the interface (name, caption, description)
Cleans name, caption, and description fields on the front end (js) side before they are submitted to processors.
Allow tags and attributes as defined in new system settings. Also, created a new stripHtml method on the php side to coordinate the rules when javascript is not applicable (e.g., when elements are created or updated programmatically).
@codecov-commenter
Copy link

codecov-commenter commented Jan 21, 2023

Codecov Report

Attention: 95 lines in your changes are missing coverage. Please review.

Comparison is base (32aba73) 17.95% compared to head (c6812e4) 18.03%.
Report is 59 commits behind head on 3.x.

Files Patch % Lines
core/src/Revolution/modTemplateVar.php 5.55% 34 Missing ⚠️
core/src/Revolution/Processors/Element/Update.php 38.46% 24 Missing ⚠️
core/src/Revolution/modX.php 53.48% 20 Missing ⚠️
...evolution/Processors/Security/Forms/Set/Update.php 0.00% 11 Missing ⚠️
core/src/Revolution/Processors/Element/Create.php 86.48% 5 Missing ⚠️
core/src/Revolution/modParser.php 66.66% 1 Missing ⚠️
Additional details and impacted files
@@             Coverage Diff              @@
##                3.x   #15936      +/-   ##
============================================
+ Coverage     17.95%   18.03%   +0.08%     
- Complexity    10442    10468      +26     
============================================
  Files           561      561              
  Lines         39051    39161     +110     
============================================
+ Hits           7010     7062      +52     
- Misses        32041    32099      +58     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

core/lexicon/en/setting.inc.php Outdated Show resolved Hide resolved
core/src/Revolution/Processors/Element/Create.php Outdated Show resolved Hide resolved
* @param string|array $allowedTags An array or comma-separated list of tag names to allow
* @param string|array $allowedAttr An array or comma-separated list of tag attribute names to allow
*/
public function stripHTML(string $htmlSource, $allowedTags = '', $allowedAttr = ''): string
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would it be possible to add a Unit Test for this with various test cases?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, I will likely need a little guidance creating the tests (at least initially) as it'll be my first time doing so. I've been wanting to get some experience with UTs so I definitely don't want to pass it off ;-) I'll throw some questions to you on Slack via DM...

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Jim Graham and others added 2 commits January 21, 2023 15:31
Change made by request for better maintainability.
@Mark-H
Copy link
Collaborator

Mark-H commented Jan 30, 2023

I'm kinda worried this will impact existing sites and we'll get a bunch of issues reported that users suddenly can't use whatever fancy captions and descriptions they've used in the past, but as long as the safeHtml gets covered by sufficient tests and these new restrictions get added to the documentation I don't see a technical reason to reject it.

@Mark-H Mark-H added blocked Active participation around the pull request or issue required. Consensus is not reached. and removed pr/review-needed Pull request requires review and testing. labels Feb 10, 2024
@opengeek opengeek modified the milestones: v3.1.0, v3.1.1 Dec 18, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
blocked Active participation around the pull request or issue required. Consensus is not reached. cla-signed CLA confirmed for contributors to this PR.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Incomplete escaping of characters in TV (XSS)
7 participants