Content Filter: Added extra object filtering

Was blocked by CSP anyway, but best to have an extra layer.

Author: ssddanbrown

app/Util/HtmlContentFilter.php

@@ -61,13 +61,17 @@ protected function filterOutScriptsFromDocument(HtmlDocument $doc): void
         $badForms = $doc->queryXPath('//*[' . static::xpathContains('@action', 'javascript:') . '] | //*[' . static::xpathContains('@formaction', 'javascript:') . ']');
         static::removeNodes($badForms);
 
-        // Remove data or JavaScript iFrames
+        // Remove data or JavaScript iFrames & embeds
         $badIframes = $doc->queryXPath('//*[' . static::xpathContains('@src', 'data:') . '] | //*[' . static::xpathContains('@src', 'javascript:') . '] | //*[@srcdoc]');
         static::removeNodes($badIframes);
 
+        // Remove data or JavaScript objects
+        $badObjects = $doc->queryXPath('//*[' . static::xpathContains('@data', 'data:') . '] | //*[' . static::xpathContains('@data', 'javascript:') . ']');
+        static::removeNodes($badObjects);
+
         // Remove attributes, within svg children, hiding JavaScript or data uris.
         // A bunch of svg element and attribute combinations expose xss possibilities.
-        // For example, SVG animate tag can exploit javascript in values.
+        // For example, SVG animate tag can exploit JavaScript in values.
         $badValuesAttrs = $doc->queryXPath('//svg//@*[' . static::xpathContains('.', 'data:') . '] | //svg//@*[' . static::xpathContains('.', 'javascript:') . ']');
         static::removeAttributes($badValuesAttrs);
 

tests/Entity/PageContentFilteringTest.php

@@ -69,6 +69,20 @@ public function test_js_and_base64_src_urls_are_removed()
             '<iframe srcdoc="<script>window.alert(document.cookie)</script>"></iframe>',
             '<iframe SRCdoc="<script>window.alert(document.cookie)</script>"></iframe>',
             '<IMG SRC=`javascript:alert("RSnake says, \'XSS\'")`>',
+            '<object data="javascript:alert(document.cookie)"></object>',
+            '<object data="JavAScRipT:alert(document.cookie)"></object>',
+            '<object data="JavAScRipT:alert(document.cookie)"></object>',
+            '<object SRC=" javascript: alert(document.cookie)"></object>',
+            '<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg==" frameborder="0"></object>',
+            '<object data="DaTa:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg==" frameborder="0"></object>',
+            '<object data=" data:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg==" frameborder="0"></object>',
+            '<embed src="javascript:alert(document.cookie)"/>',
+            '<embed src="JavAScRipT:alert(document.cookie)"/>',
+            '<embed src="JavAScRipT:alert(document.cookie)"/>',
+            '<embed SRC=" javascript: alert(document.cookie)"/>',
+            '<embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg=="/>',
+            '<embed src="DaTa:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg=="/>',
+            '<embed src=" data:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg=="/>',
         ];
 
         $this->asEditor();
@@ -81,6 +95,8 @@ public function test_js_and_base64_src_urls_are_removed()
             $pageView = $this->get($page->getUrl());
             $pageView->assertStatus(200);
             $html = $this->withHtml($pageView);
+            $html->assertElementNotContains('.page-content', '<object');
+            $html->assertElementNotContains('.page-content', 'data=');
             $html->assertElementNotContains('.page-content', '<iframe>');
             $html->assertElementNotContains('.page-content', '<img');
             $html->assertElementNotContains('.page-content', '</iframe>');
@@ -425,4 +441,25 @@ public function test_allow_list_filtering_is_controlled_by_config()
         $resp->assertDontSee('style="position: absolute; left: 0;color:#00FFEE;"', false);
         $resp->assertSee('style="color:#00FFEE;"', false);
     }
+
+    public function test_allow_list_style_filtering()
+    {
+        $testCasesExpectedByInput = [
+            '<div style="position:absolute;left:0;color:#00FFEE;">Hello!</div>' => '<div style="color:#00FFEE;">Hello!</div>',
+            '<div style="background:#FF0000;left:0;color:#00FFEE;">Hello!</div>' => '<div style="background:#FF0000;color:#00FFEE;">Hello!</div>',
+            '<div style="color:#00FFEE;">Hello!<style>testinghello!</style></div>' => '<div style="color:#00FFEE;">Hello!</div>',
+        ];
+
+        config()->set('app.content_filtering', 'a');
+        $page = $this->entities->page();
+        $this->asEditor();
+
+        foreach ($testCasesExpectedByInput as $input => $expected) {
+            $page->html = $input;
+            $page->save();
+            $resp = $this->get($page->getUrl());
+
+            $resp->assertSee($expected, false);
+        }
+    }
 }