Fixes cleaning up text data for vulnerable code

1c70c7bb · Uma · c874561f · 1c70c7bb · 1c70c7bb · 1c70c7bb
Commit 1c70c7bb authored 4 years ago by Uma
--- a/include/utils/VtlibUtils.php
+++ b/include/utils/VtlibUtils.php
@@ -724,11 +724,19 @@ function purifyHtmlEventAttributes($value,$replaceAll = false){
    
    // remove malicious html attributes with its value.
    if ($replaceAll) {
-        //Handled to address multiple html entity encoding for '=' character
-        $regex = '\s*(=|&#61;|&amp;#61;|&amp;#x26;#61;|&#x26;#61;)\s*(?:"[^"]*"[\'"]*|\'[^\']*\'[\'"]*|[^]*[\s\/>])*/i';
+        $regex = '\s*[=&%#]\s*(?:"[^"]*"[\'"]*|\'[^\']*\'[\'"]*|[^]*[\s\/>])*/i';
        $value = preg_replace("/\s*(" . $htmlEventAttributes . ")" . $regex, '', $value);
+		
+		/**
+		* #131224556::if anchor tag having 'javascript:' string then remove the tag contents.
+		* Right now, we fixed this for anchor tag as we don't see any other such things right now.  
+		* All other event attributes are already handled above. Need to update this if any thing new found
+		*/
+		$javaScriptRegex = '/<a [^>]*(j[\s]?a[\s]?v[\s]?a[\s]?s[\s]?c[\s]?r[\s]?i[\s]?p[\s]?t[\s]*[=&%#:])[^>]*?>/i';
+		$value = preg_replace($javaScriptRegex,'<a>',$value);
+			
    } else {
-        if (preg_match("/\s*(" . $htmlEventAttributes . ")\s*(=|&#61;|&amp;#61;|&amp;#x26;#61;|&#x26;#61;)/i", $value)) {
+        if (preg_match("/\s*(" . $htmlEventAttributes . ")\s*=/i", $value)) {
            $value = str_replace("=", "&equals;", $value);
        }
    }

--- a/layouts/v7/modules/Vtiger/uitypes/Text.tpl
+++ b/layouts/v7/modules/Vtiger/uitypes/Text.tpl
@@ -22,7 +22,8 @@
            data-specific-rules='{ZEND_JSON::encode($FIELD_INFO["validator"])}'
        {/if}
        >
-    {$FIELD_MODEL->get('fieldvalue')}</textarea>
+    {purifyHtmlEventAttributes($FIELD_MODEL->get('fieldvalue'),true)|regex_replace:"/(?!\w)\&nbsp;(?=\w)/":" "}
+    </textarea>
 {else}
    <textarea rows="5" id="{$MODULE}_editView_fieldName_{$FIELD_NAME}" class="inputElement {if $FIELD_MODEL->isNameField()}nameField{/if}" name="{$FIELD_NAME}" {if !empty($SPECIAL_VALIDATOR)}data-validator='{Zend_Json::encode($SPECIAL_VALIDATOR)}'{/if}
        {if $FIELD_INFO["mandatory"] eq true} data-rule-required="true" {/if}
@@ -30,6 +31,7 @@
            data-specific-rules='{ZEND_JSON::encode($FIELD_INFO["validator"])}'
        {/if}
        >
-    {$FIELD_MODEL->get('fieldvalue')}</textarea>
+    {purifyHtmlEventAttributes($FIELD_MODEL->get('fieldvalue'),true)|regex_replace:"/(?!\w)\&nbsp;(?=\w)/":" "}
+    </textarea>
 {/if}
 {/strip}
--- a/modules/Vtiger/uitypes/Text.php
+++ b/modules/Vtiger/uitypes/Text.php
@@ -15,8 +15,15 @@ class Vtiger_Text_UIType extends Vtiger_Base_UIType {
 	 * @param <Object> $value
 	 * @return <Object>
 	 */
-	public function getDisplayValue($value, $record=false, $recordInstance=false) {
-		return nl2br($value);
+	public function getDisplayValue($value, $record=false, $recordInstance = false,$removeTags = false) {
+		//This API replaces newlines to html br tags, and spaces with &nbsp;
+		// It should not replace spaces within html tags
+		$value = decode_html(preg_replace('/\r\n|\r|\n|&NewLine;|&amp;NewLine;/','<br>',$value));
+		if($removeTags){
+            $value = strip_tags($value,'<br>');
+        }
+		$value = purifyHtmlEventAttributes($value, true);
+		return $value;
 	}
    
    /**