Fix XSS vulnerability #128

Coderberg · Coderberg · commit cbf5ee00d801 · 2024-06-20T13:51:03.000+03:00
diff --git a/src/Service/User/PropertyService.php b/src/Service/User/PropertyService.php
@@ -68,6 +68,8 @@ public function sanitizeHtml(Property $property, bool $isHtmlAllowed): Property
         if (!$isHtmlAllowed) {
             $property = $this->propertyTransformer->contentToPlainText($property);
             $property = $this->propertyTransformer->contentToHtml($property);
+        } else {
+            $property = $this->propertyTransformer->removeScriptsFromHtml($property);
         }
 
         return $property;
diff --git a/src/Transformer/PropertyTransformer.php b/src/Transformer/PropertyTransformer.php
@@ -11,20 +11,25 @@ final class PropertyTransformer
 {
     public function contentToHtml(Property $property): Property
     {
-        $htmlContent = HtmlHelper::text2Html($property->getPropertyDescription()->getContent());
-        $property->setPropertyDescription(
-            $property->getPropertyDescription()->setContent($htmlContent)
-        );
-
-        return $property;
+        return $this->transformContent($property, HtmlHelper::text2Html(...));
     }
 
     public function contentToPlainText(Property $property): Property
     {
-        $htmlContent = $property->getPropertyDescription()->getContent();
-        $textContent = HtmlHelper::html2Text($htmlContent);
+        return $this->transformContent($property, HtmlHelper::html2Text(...));
+    }
+
+    public function removeScriptsFromHtml(Property $property): Property
+    {
+        return $this->transformContent($property, HtmlHelper::removeScriptsFromHtml(...));
+    }
+
+    private function transformContent(Property $property, callable $transformFunction): Property
+    {
+        $content = $property->getPropertyDescription()->getContent();
+        $transformedContent = \call_user_func($transformFunction, $content);
         $property->setPropertyDescription(
-            $property->getPropertyDescription()->setContent($textContent)
+            $property->getPropertyDescription()->setContent($transformedContent)
         );
 
         return $property;
diff --git a/src/Utils/HtmlHelper.php b/src/Utils/HtmlHelper.php
@@ -17,4 +17,12 @@ public static function text2Html(string $text): string
     {
         return preg_replace("/\r\n|\r|\n/", '<br>', $text);
     }
+
+    public static function removeScriptsFromHtml(string $html): string
+    {
+        $sanitizedHtml = preg_replace('#<script(.*?)>(.*?)</script>#is', '', $html);
+        $sanitizedHtml = preg_replace('# on\w+="[^"]*"#i', '', (string) $sanitizedHtml);
+
+        return preg_replace("# on\w+='[^']*'#i", '', (string) $sanitizedHtml);
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -68,6 +68,8 @@ public function sanitizeHtml(Property $property, bool $isHtmlAllowed): Property`
`68`	`68`	`if (!$isHtmlAllowed) {`
`69`	`69`	`$property = $this->propertyTransformer->contentToPlainText($property);`
`70`	`70`	`$property = $this->propertyTransformer->contentToHtml($property);`
	`71`	`+ } else {`
	`72`	`+ $property = $this->propertyTransformer->removeScriptsFromHtml($property);`
`71`	`73`	`}`
`72`	`74`
`73`	`75`	`return $property;`
Original file line number	Diff line number	Diff line change
`@@ -17,4 +17,12 @@ public static function text2Html(string $text): string`
`17`	`17`	`{`
`18`	`18`	`return preg_replace("/\r\n\|\r\|\n/", '<br>', $text);`
`19`	`19`	`}`
	`20`	`+`
	`21`	`+ public static function removeScriptsFromHtml(string $html): string`
	`22`	`+ {`
	`23`	`+ $sanitizedHtml = preg_replace('#<script(.?)>(.?)</script>#is', '', $html);`
	`24`	`+ $sanitizedHtml = preg_replace('# on\w+="[^"]*"#i', '', (string) $sanitizedHtml);`
	`25`	`+`
	`26`	`+ return preg_replace("# on\w+='[^']*'#i", '', (string) $sanitizedHtml);`
	`27`	`+ }`
`20`	`28`	`}`