Fixes #1220 XSS vulnerability with CKEditor field is addressed

55b20f00 · Uma · 3e31cb61 · 55b20f00 · 55b20f00
Commit 55b20f00 authored 5 years ago by Uma
--- a/modules/Users/actions/Save.php
+++ b/modules/Users/actions/Save.php
@@ -78,8 +78,9 @@ class Users_Save_Action extends Vtiger_Save_Action {
 			}
            if($fieldName == 'signature' && $fieldValue !== null){
                $fieldValue = $request->getRaw($fieldName);
-                $processedContent = preg_replace('#<script(.*?)>(.*?)</script>#is', '', $fieldValue);
+                $purifiedContent = vtlib_purify(decode_html($fieldValue));
-                $fieldValue = to_html(purifyHtmlEventAttributes($processedContent,TRUE));
+                // Purify malicious html event attributes
+                $fieldValue = purifyHtmlEventAttributes(decode_html($purifiedContent),true);
 			}
 			if($fieldValue !== null) {

--- a/modules/Vtiger/actions/Save.php
+++ b/modules/Vtiger/actions/Save.php
@@ -162,8 +162,9 @@ class Vtiger_Save_Action extends Vtiger_Action_Controller {
 			}
            if($fieldName == 'notecontent' && $fieldValue !== null){
                $fieldValue = $request->getRaw($fieldName);
-                $processedContent = preg_replace('#<script(.*?)>(.*?)</script>#is', '', $fieldValue);
+                $purifiedContent = vtlib_purify(decode_html($fieldValue));
-                $fieldValue = to_html(purifyHtmlEventAttributes($processedContent,TRUE));
+                // Purify malicious html event attributes
+                $fieldValue = purifyHtmlEventAttributes(decode_html($purifiedContent),true);
 			}
 			if($fieldValue !== null) {
 				if(!is_array($fieldValue) && $fieldDataType != 'currency') {