Content Filtering: Covered new config options and filters with tests

Author: ssddanbrown

app/Config/app.php

@@ -42,17 +42,17 @@
     // Even when overridden the WYSIWYG editor may still escape script content.
     'allow_content_scripts' => env('ALLOW_CONTENT_SCRIPTS', false),
 
-    // Control the behaviour of page content filtering.
+    // Control the behaviour of content filtering, primarily used for page content.
     // This setting is a collection of characters which represent different available filters:
-    // - j - Filter out JavaScript based content
-    // - h - Filter out unexpected, potentially dangerous, HTML elements
+    // - j - Filter out JavaScript and unknown binary data based content
+    // - h - Filter out unexpected, and potentially dangerous, HTML elements
     // - f - Filter out unexpected form elements
     // - a - Run content through a more complex allow-list filter
     // This defaults to using all filters, unless ALLOW_CONTENT_SCRIPTS is set to true in which case no filters are used.
     // Note: These filters are a best attempt, and may not be 100% effective. They are typically a layer used in addition to other security measures.
     // TODO - Add to example env
     // TODO - Remove allow_content_scripts option above
-    'content_filtering' => env('CONTENT_FILTERING', env('ALLOW_CONTENT_SCRIPTS', false) === true ? '' : 'jfha'),
+    'content_filtering' => env('APP_CONTENT_FILTERING', env('ALLOW_CONTENT_SCRIPTS', false) === true ? '' : 'jhfa'),
 
     // Allow server-side fetches to be performed to potentially unknown
     // and user-provided locations. Primarily used in exports when loading

app/Entities/Tools/PageContent.php

@@ -341,7 +341,8 @@ protected function getContentCacheKey(string $html): string
         $contentId = $this->page->id;
         $contentTime = $this->page->updated_at?->timestamp ?? time();
         $appVersion = AppVersion::get();
-        return "page-content-cache::{$appVersion}::{$contentId}::{$contentTime}::{$contentHash}";
+        $filterConfig = config('app.content_filtering') ?? '';
+        return "page-content-cache::{$filterConfig}::{$appVersion}::{$contentId}::{$contentTime}::{$contentHash}";
     }
 
     /**

phpunit.xml

@@ -34,6 +34,7 @@
     <server name="AUTH_AUTO_INITIATE" value="false"/>
     <server name="DISABLE_EXTERNAL_SERVICES" value="true"/>
     <server name="ALLOW_UNTRUSTED_SERVER_FETCHING" value="false"/>
+    <server name="CONTENT_FILTERING" value="jhfa"/>
     <server name="ALLOW_CONTENT_SCRIPTS" value="false"/>
     <server name="AVATAR_URL" value=""/>
     <server name="LDAP_START_TLS" value="false"/>

tests/Entity/PageContentFilteringTest.php

@@ -22,6 +22,8 @@ public function test_page_content_scripts_removed_by_default()
 
     public function test_more_complex_content_script_escaping_scenarios()
     {
+        config()->set('app.content_filtering', 'j');
+
         $checks = [
             "<p>Some script</p><script>alert('cat')</script>",
             "<div><div><div><div><p>Some script</p><script>alert('cat')</script></div></div></div></div>",
@@ -47,6 +49,8 @@ public function test_more_complex_content_script_escaping_scenarios()
 
     public function test_js_and_base64_src_urls_are_removed()
     {
+        config()->set('app.content_filtering', 'j');
+
         $checks = [
             '<iframe src="javascript:alert(document.cookie)"></iframe>',
             '<iframe src="JavAScRipT:alert(document.cookie)"></iframe>',
@@ -89,6 +93,8 @@ public function test_js_and_base64_src_urls_are_removed()
 
     public function test_javascript_uri_links_are_removed()
     {
+        config()->set('app.content_filtering', 'j');
+
         $checks = [
             '<a id="xss" href="javascript:alert(document.cookie)>Click me</a>',
             '<a id="xss" href="javascript: alert(document.cookie)>Click me</a>',
@@ -110,8 +116,23 @@ public function test_javascript_uri_links_are_removed()
         }
     }
 
+    public function test_form_filtering_is_controlled_by_config()
+    {
+        config()->set('app.content_filtering', '');
+        $page = $this->entities->page();
+        $page->html = '<form><input type="text" id="dont-see-this" value="test"></form>';
+        $page->save();
+
+        $this->asEditor()->get($page->getUrl())->assertSee('dont-see-this', false);
+
+        config()->set('app.content_filtering', 'f');
+        $this->get($page->getUrl())->assertDontSee('dont-see-this', false);
+    }
+
     public function test_form_actions_with_javascript_are_removed()
     {
+        config()->set('app.content_filtering', 'j');
+
         $checks = [
             '<customform><custominput id="xss" type=submit formaction=javascript:alert(document.domain) value=Submit><custominput></customform>',
             '<customform ><custombutton id="xss" formaction="JaVaScRiPt:alert(document.domain)">Click me</custombutton></customform>',
@@ -139,6 +160,8 @@ public function test_form_actions_with_javascript_are_removed()
 
     public function test_form_elements_are_removed()
     {
+        config()->set('app.content_filtering', 'f');
+
         $checks = [
             '<p>thisisacattofind</p><form>thisdogshouldnotbefound</form>',
             '<p>thisisacattofind</p><input type="text" value="thisdogshouldnotbefound">',
@@ -182,6 +205,8 @@ public function test_form_elements_are_removed()
 
     public function test_form_attributes_are_removed()
     {
+        config()->set('app.content_filtering', 'f');
+
         $withinSvgSample = <<<'TESTCASE'
 <svg width="200" height="100" xmlns="http://www.w3.org/2000/svg">
   <foreignObject width="100%" height="100%">
@@ -229,6 +254,8 @@ public function test_form_attributes_are_removed()
 
     public function test_metadata_redirects_are_removed()
     {
+        config()->set('app.content_filtering', 'h');
+
         $checks = [
             '<meta http-equiv="refresh" content="0; url=//external_url">',
             '<meta http-equiv="refresh" ConTeNt="0; url=//external_url">',
@@ -253,6 +280,8 @@ public function test_metadata_redirects_are_removed()
 
     public function test_page_inline_on_attributes_removed_by_default()
     {
+        config()->set('app.content_filtering', 'j');
+
         $this->asEditor();
         $page = $this->entities->page();
         $script = '<p onmouseenter="console.log(\'test\')">Hello</p>';
@@ -267,6 +296,8 @@ public function test_page_inline_on_attributes_removed_by_default()
 
     public function test_more_complex_inline_on_attributes_escaping_scenarios()
     {
+        config()->set('app.content_filtering', 'j');
+
         $checks = [
             '<p onclick="console.log(\'test\')">Hello</p>',
             '<p OnCliCk="console.log(\'test\')">Hello</p>',
@@ -308,6 +339,8 @@ public function test_page_content_scripts_show_with_filters_disabled()
 
     public function test_svg_script_usage_is_removed()
     {
+        config()->set('app.content_filtering', 'j');
+
         $checks = [
             '<svg id="test" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100"><a xlink:href="javascript:alert(document.domain)"><rect x="0" y="0" width="100" height="100" /></a></svg>',
             '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><use xlink:href="data:application/xml;base64 ,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIj4KPGRlZnM+CjxjaXJjbGUgaWQ9InRlc3QiIHI9IjAiIGN4PSIwIiBjeT0iMCIgc3R5bGU9ImZpbGw6ICNGMDAiPgo8c2V0IGF0dHJpYnV0ZU5hbWU9ImZpbGwiIGF0dHJpYnV0ZVR5cGU9IkNTUyIgb25iZWdpbj0nYWxlcnQoZG9jdW1lbnQuZG9tYWluKScKb25lbmQ9J2FsZXJ0KCJvbmVuZCIpJyB0bz0iIzAwRiIgYmVnaW49IjBzIiBkdXI9Ijk5OXMiIC8+CjwvY2lyY2xlPgo8L2RlZnM+Cjx1c2UgeGxpbms6aHJlZj0iI3Rlc3QiLz4KPC9zdmc+#test"/></svg>',
@@ -350,4 +383,46 @@ public function test_page_inline_on_attributes_show_with_filters_disabled()
         $pageView->assertSee($script, false);
         $pageView->assertDontSee('<p>Hello</p>', false);
     }
+
+    public function test_non_content_filtering_is_controlled_by_config()
+    {
+        config()->set('app.content_filtering', 'h');
+        $page = $this->entities->page();
+        $html = <<<'HTML'
+<style>superbeans!</style>
+<p>inbetweenpsection</p>
+<link rel="stylesheet" href="https://example.com/superbeans.css">
+<meta name="description" content="superbeans!">
+<title>superbeans!</title>
+<template id="template">superbeans!</template>
+HTML;
+
+        $page->html = $html;
+        $page->save();
+
+        $resp = $this->asEditor()->get($page->getUrl());
+        $resp->assertDontSee('superbeans', false);
+        $resp->assertSee('inbetweenpsection', false);
+    }
+
+    public function test_non_content_filtering()
+    {
+        config()->set('app.content_filtering', 'h');
+    }
+
+    public function test_allow_list_filtering_is_controlled_by_config()
+    {
+        config()->set('app.content_filtering', '');
+        $page = $this->entities->page();
+        $page->html = '<div style="position: absolute; left: 0;color:#00FFEE;">Hello!</div>';
+        $page->save();
+
+        $resp = $this->asEditor()->get($page->getUrl());
+        $resp->assertSee('style="position: absolute; left: 0;color:#00FFEE;"', false);
+
+        config()->set('app.content_filtering', 'a');
+        $resp = $this->get($page->getUrl());
+        $resp->assertDontSee('style="position: absolute; left: 0;color:#00FFEE;"', false);
+        $resp->assertSee('style="color:#00FFEE;"', false);
+    }
 }

tests/Unit/ConfigTest.php

@@ -170,6 +170,20 @@ public function test_mysql_host_parsed_as_expected()
         }
     }
 
+    public function test_content_filtering_defaults_to_enabled()
+    {
+        $this->runWithEnv(['APP_CONTENT_FILTERING' => null, 'ALLOW_CONTENT_SCRIPTS' => null], function () {
+            $this->assertEquals('jhfa', config('app.content_filtering'));
+        });
+    }
+
+    public function test_allow_content_scripts_disables_content_filtering()
+    {
+        $this->runWithEnv(['APP_CONTENT_FILTERING' => null, 'ALLOW_CONTENT_SCRIPTS' => 'true'], function () {
+            $this->assertEquals('', config('app.content_filtering'));
+        });
+    }
+
     /**
      * Set an environment variable of the given name and value
      * then check the given config key to see if it matches the given result.