From ec8c2ca122dea6b533f1f4e8be03319508393f84 Mon Sep 17 00:00:00 2001 From: acognet Date: Tue, 19 Oct 2021 16:28:10 +0200 Subject: [PATCH] =?UTF-8?q?N=C2=B04374=20-=20Add=20sanitizer=20helper=20fo?= =?UTF-8?q?r=20front=20end=20(JS)=20-=20Rollback?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- js/components/breadcrumbs.js | 7 +++---- js/utils.js | 23 +++++++++++++++-------- test/VisualTest/sanitize_test.php | 2 ++ 3 files changed, 20 insertions(+), 12 deletions(-) diff --git a/js/components/breadcrumbs.js b/js/components/breadcrumbs.js index 82237c30f..38c64f30c 100644 --- a/js/components/breadcrumbs.js +++ b/js/components/breadcrumbs.js @@ -103,8 +103,7 @@ $(function() if (oEntry['icon_type'] === 'css_classes') { sIconSpec = ''; - } - else if (oEntry['icon'].length > 0) { + } else if (oEntry['icon'].length > 0) { // Mind the empty "alt" attribute https://www.w3.org/WAI/tutorials/images/decorative/ sIconSpec = ''; } @@ -114,8 +113,8 @@ $(function() if (sTitle.length === 0) { sTitle = sLabel; } - sTitle = CombodoSanitizer.EscapeHtml(sTitle, true); - sLabel = CombodoSanitizer.EscapeHtml(sLabel, true); + sTitle = CombodoSanitizer.EscapeHtml(sTitle, false); + sLabel = CombodoSanitizer.EscapeHtml(sLabel, false); if ((this.options.new_entry !== null) && (iEntry === aBreadCrumb.length-1)) { // Last entry is the current page diff --git a/js/utils.js b/js/utils.js index d298e2136..65dfbf8ce 100644 --- a/js/utils.js +++ b/js/utils.js 
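Review bot: In the second breadcrumbs hunk, `CombodoSanitizer.EscapeHtml(sTitle, false)` and `CombodoSanitizer.EscapeHtml(sLabel, false)` now leave any `&` in the title and label untouched, which is only sound if those values reach this code already HTML-encoded (presumably the reason for the rollback, but nothing at the call site says so). A one-line comment would save the next reader from re-deriving it, e.g. `// bReplaceAmp=false: labels/titles are expected to arrive already HTML-encoded, keep their entities intact`. Since the helper still neutralizes `<`, `>` and quotes on this path, the residual risk is mis-rendered or forged entities in the displayed text rather than script injection, and that is worth stating in the comment too. The enclosing `$(function() { ... })` starts and ends outside the hunk.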
@@ -1046,22 +1046,29 @@ const CombodoSanitizer = { /** * @param sValue value to escape - * @param bOutputInHtml if true return html ("<" become "<") - * if false return text ("<" stay "<") + * @param bReplaceAmp if false don't replace "&" (can be useful when sValue contains html entities we want to keep) + * * @returns {string} escaped value, ready to insert in the DOM without XSS risk * * @since 2.6.5, 2.7.2, 3.0.0 N°3332 - * @since 3.0.0 N°4367 deprecate EncodeHtml and replace by this new method (CombodoSanitizer.EscapeHtml) - params and script are not exactly the same + * @since 3.0.0 N°4367 deprecate EncodeHtml and copy the method here (CombodoSanitizer.EscapeHtml) * * @see https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#rule-1-html-encode-before-inserting-untrusted-data-into-html-element-content * @see https://stackoverflow.com/questions/295566/sanitize-rewrite-html-on-the-client-side/430240#430240 why inserting in the DOM (for * example the text() JQuery way) isn't safe */ - EscapeHtml: function (sValue, bOutputInHtml = true) { - if (bOutputInHtml) { - return $('
').text(sValue).html(); + EscapeHtml: function (sValue, bReplaceAmp) { + if (bReplaceAmp) { + return $('
').text(sValue).html(); } - return $('
').text(sValue).text(); - // return sValue; + + let sEncodedValue = (sValue+'') + .replace(//g, '>') + .replace(/"/g, '"') + .replace(/'/g, ''') + .replace(/\//g, '/'); + + return sEncodedValue; } } diff --git a/test/VisualTest/sanitize_test.php b/test/VisualTest/sanitize_test.php index 40164da79..88e23aa4c 100644 --- a/test/VisualTest/sanitize_test.php +++ b/test/VisualTest/sanitize_test.php @@ -47,6 +47,8 @@ $aValues = array( "", "()=°²€", "éèç", + "q
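Review bot: The new signature `EscapeHtml: function (sValue, bReplaceAmp)` drops the default the old one had (`bOutputInHtml = true`), so a caller that omits the second argument now gets `undefined`, falls into the manual branch and has `&` passed through unescaped; the less thorough escaping has silently become the default. I would restore an opt-out default, `EscapeHtml: function (sValue, bReplaceAmp = true) {`, so callers must ask explicitly for `&` to be preserved. The two branches also cover different character sets: the jQuery `.text().html()` path neutralizes `&`, `<` and `>` but not `"` or `'`, while the manual chain neutralizes quotes and `/` but not `&`, so the docblock line "ready to insert in the DOM without XSS risk" should be qualified to something like "safe as HTML element content; not sufficient on its own for unquoted attribute values, JavaScript or URL contexts". The replace chain as it appears here (`.replace(//g, '>')`) looks mangled by extraction, so I cannot confirm from this view that the `<` and `>` replacements are both present; please double-check that on the real file.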
è
=hcb test", +// "q
è
=hcb test", ); $aTypes = array(
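Review bot: The second added fixture entry is a commented-out copy of the first (`+// "q…=hcb test",`), which is dead code in the test data; either drop it or replace the `//` with a short note on why that variant is kept. The probe string as rendered here appears mangled by extraction, so the exact value cannot be confirmed from this view. The `$aValues = array(` list starts outside the hunk.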