Merge branch 'xss_vulnerability_on_ckeditor' into 'master'

Fixes #1220 XSS vulnerability with CKEditor field is addressed See merge request !509

Merge branch 'xss_vulnerability_on_ckeditor' into 'master'
Fixes #1220 XSS vulnerability with CKEditor field is addressed See merge request !509
377511db · Uma · d174925b · 55b20f00 · 377511db · 377511db
Commit 377511db authored 5 years ago by Uma
--- a/include/utils/VtlibUtils.php
+++ b/include/utils/VtlibUtils.php
@@ -712,16 +712,24 @@ function vtlib_purify($input, $ignore=false) {
 * @param <String> $value
 * @return <String>
 */
-function purifyHtmlEventAttributes($value){
+function purifyHtmlEventAttributes($value,$replaceAll = false){
 	$htmlEventAttributes = "onerror|onblur|onchange|oncontextmenu|onfocus|oninput|oninvalid|".
-						"onreset|onsearch|onselect|onsubmit|onkeydown|onkeypress|onkeyup|".
-						"onclick|ondblclick|ondrag|ondragend|ondragenter|ondragleave|ondragover|".
-						"ondragstart|ondrop|onmousedown|onmousemove|onmouseout|onmouseover|".
-						"onmouseup|onmousewheel|onscroll|onwheel|oncopy|oncut|onpaste";
-	if(preg_match("/\s*(".$htmlEventAttributes.")\s*=/i", $value)) {
-		$value = str_replace("=", "&equals;", $value);
-	}
-	return $value;
+                        "onreset|onsearch|onselect|onsubmit|onkeydown|onkeypress|onkeyup|".
+                        "onclick|ondblclick|ondrag|ondragend|ondragenter|ondragleave|ondragover|".
+                        "ondragstart|ondrop|onmousedown|onmousemove|onmouseout|onmouseover|".
+						"onmouseup|onmousewheel|onscroll|onwheel|oncopy|oncut|onpaste|onload|".
+						"onselectionchange|onabort|onselectstart|onstart|onfinish|onloadstart|onshow";
+    
+    // remove malicious html attributes with its value.
+    if ($replaceAll) {
+        $regex = '\s*=\s*(?:"[^"]*"[\'"]*|\'[^\']*\'[\'"]*|[^]*[\s\/>])*/i';
+        $value = preg_replace("/\s*(" . $htmlEventAttributes . ")" . $regex, '', $value);
+    } else {
+        if (preg_match("/\s*(" . $htmlEventAttributes . ")\s*=/i", $value)) {
+            $value = str_replace("=", "&equals;", $value);
+        }
+    }
+    return $value;
 }

 /**

--- a/modules/Emails/models/Mailer.php
+++ b/modules/Emails/models/Mailer.php
@@ -135,6 +135,7 @@ class Emails_Mailer_Model extends Vtiger_Mailer {
 	public static function getProcessedContent($content) {
 		// remove script tags from whole html content
 		$processedContent = preg_replace('#<script(.*?)>(.*?)</script>#is', '', $content);
+        $processedContent = purifyHtmlEventAttributes($processedContent,TRUE);
 		return $processedContent;
 	}


--- a/modules/Emails/views/MassSaveAjax.php
+++ b/modules/Emails/views/MassSaveAjax.php
@@ -134,7 +134,7 @@ class Emails_MassSaveAjax_View extends Vtiger_Footer_View {
 		$content = $request->getRaw('description');
 		$processedContent = Emails_Mailer_Model::getProcessedContent($content); // To remove script tags
 		$mailerInstance = Emails_Mailer_Model::getInstance();
-		$processedContentWithURLS = decode_html($mailerInstance->convertToValidURL($processedContent));
+		$processedContentWithURLS = $mailerInstance->convertToValidURL($processedContent);
 		$recordModel->set('description', $processedContentWithURLS);
 		$recordModel->set('subject', $request->get('subject'));
 		$recordModel->set('toMailNamesList',$request->get('toMailNamesList'));

--- a/modules/Users/actions/Save.php
+++ b/modules/Users/actions/Save.php
@@ -76,6 +76,12 @@ class Users_Save_Action extends Vtiger_Save_Action {
 			if ($fieldName == 'roleid' && !($currentUserModel->isAdminUser())) {
 				$fieldValue = null;
 			}
+            if($fieldName == 'signature' && $fieldValue !== null){
+                $fieldValue = $request->getRaw($fieldName);
+                $purifiedContent = vtlib_purify(decode_html($fieldValue));
+                // Purify malicious html event attributes
+                $fieldValue = purifyHtmlEventAttributes(decode_html($purifiedContent),true);
+			}

 			if($fieldValue !== null) {
 				if(!is_array($fieldValue)) {

--- a/modules/Vtiger/actions/Save.php
+++ b/modules/Vtiger/actions/Save.php
@@ -160,6 +160,12 @@ class Vtiger_Save_Action extends Vtiger_Action_Controller {
 			if($fieldDataType == 'time' && $fieldValue !== null){
 				$fieldValue = Vtiger_Time_UIType::getTimeValueWithSeconds($fieldValue);
 			}
+            if($fieldName == 'notecontent' && $fieldValue !== null){
+                $fieldValue = $request->getRaw($fieldName);
+                $purifiedContent = vtlib_purify(decode_html($fieldValue));
+                // Purify malicious html event attributes
+                $fieldValue = purifyHtmlEventAttributes(decode_html($purifiedContent),true);
+			}
 			if($fieldValue !== null) {
 				if(!is_array($fieldValue) && $fieldDataType != 'currency') {
 					$fieldValue = trim($fieldValue);