Merge branch 'purifying_text_Data' into 'master'

Fixes cleaning up text data for vulnerable code See merge request !649

Merge branch 'purifying_text_Data' into 'master'
Fixes cleaning up text data for vulnerable code See merge request !649
d5a29f16 · Uma · c874561f · 2bdfaf8d · d5a29f16 · d5a29f16
Commit d5a29f16 authored 4 years ago by Uma
--- a/include/utils/VtlibUtils.php
+++ b/include/utils/VtlibUtils.php
@@ -715,20 +715,32 @@ function vtlib_purify($input, $ignore=false) {
 * @return <String>
 */
 function purifyHtmlEventAttributes($value,$replaceAll = false){
-	$htmlEventAttributes = "onerror|onblur|onchange|oncontextmenu|onfocus|oninput|oninvalid|".
-                        "onreset|onsearch|onselect|onsubmit|onkeydown|onkeypress|onkeyup|".
-                        "onclick|ondblclick|ondrag|ondragend|ondragenter|ondragleave|ondragover|".
-                        "ondragstart|ondrop|onmousedown|onmousemove|onmouseout|onmouseover|".
-						"onmouseup|onmousewheel|onscroll|onwheel|oncopy|oncut|onpaste|onload|".
-						"onselectionchange|onabort|onselectstart|onstart|onfinish|onloadstart|onshow";
+	$htmlEventAttributes = "onerror|onblur|onchange|oncontextmenu|onfocus|oninput|oninvalid|onresize|onauxclick|oncancel|oncanplay|oncanplaythrough|".
+                        "onreset|onsearch|onselect|onsubmit|onkeydown|onkeypress|onkeyup|onclose|oncuechange|ondurationchange|onemptied|onended|".
+                        "onclick|ondblclick|ondrag|ondragend|ondragenter|ondragleave|ondragover|ondragexit|onformdata|onloadeddata|onloadedmetadata|".
+                        "ondragstart|ondrop|onmousedown|onmousemove|onmouseout|onmouseover|onmouseenter|onmouseleave|onpause|onplay|onplaying|".
+						"onmouseup|onmousewheel|onscroll|onwheel|oncopy|oncut|onpaste|onload|onprogress|onratechange|onsecuritypolicyviolation|".
+						"onselectionchange|onabort|onselectstart|onstart|onfinish|onloadstart|onshow|onreadystatechange|onseeked|onslotchange|".
+						"onseeking|onstalled|onsubmit|onsuspend|ontimeupdate|ontoggle|onvolumechange|onwaiting|onwebkitanimationend|onstorage|".
+						"onwebkitanimationiteration|onwebkitanimationstart|onwebkittransitionend|onafterprint|onbeforeprint|onbeforeunload|".
+						"onhashchange|onlanguagechange|onmessage|onmessageerror|onoffline|ononline|onpagehide|onpageshow|onpopstate|onunload".
+						"onrejectionhandled|onunhandledrejection|onloadend";
    
    // remove malicious html attributes with its value.
    if ($replaceAll) {
-        //Handled to address multiple html entity encoding for '=' character
-        $regex = '\s*(=|&#61;|&amp;#61;|&amp;#x26;#61;|&#x26;#61;)\s*(?:"[^"]*"[\'"]*|\'[^\']*\'[\'"]*|[^]*[\s\/>])*/i';
+        $regex = '\s*[=&%#]\s*(?:"[^"]*"[\'"]*|\'[^\']*\'[\'"]*|[^]*[\s\/>])*/i';
        $value = preg_replace("/\s*(" . $htmlEventAttributes . ")" . $regex, '', $value);
+		
+		/**
+		* If anchor tag having 'javascript:' string then remove the tag contents.
+		* Right now, we fixed this for anchor tag as we don't see any other such things right now.  
+		* All other event attributes are already handled above. Need to update this if any thing new found
+		*/
+		$javaScriptRegex = '/<a [^>]*(j[\s]?a[\s]?v[\s]?a[\s]?s[\s]?c[\s]?r[\s]?i[\s]?p[\s]?t[\s]*[=&%#:])[^>]*?>/i';
+		$value = preg_replace($javaScriptRegex,'<a>',$value);
+			
    } else {
-        if (preg_match("/\s*(" . $htmlEventAttributes . ")\s*(=|&#61;|&amp;#61;|&amp;#x26;#61;|&#x26;#61;)/i", $value)) {
+        if (preg_match("/\s*(" . $htmlEventAttributes . ")\s*=/i", $value)) {
            $value = str_replace("=", "&equals;", $value);
        }
    }

--- a/layouts/v7/modules/Vtiger/uitypes/Text.tpl
+++ b/layouts/v7/modules/Vtiger/uitypes/Text.tpl
@@ -22,7 +22,8 @@
            data-specific-rules='{ZEND_JSON::encode($FIELD_INFO["validator"])}'
        {/if}
        >
-    {$FIELD_MODEL->get('fieldvalue')}</textarea>
+    {purifyHtmlEventAttributes($FIELD_MODEL->get('fieldvalue'),true)|regex_replace:"/(?!\w)\&nbsp;(?=\w)/":" "}
+    </textarea>
 {else}
    <textarea rows="5" id="{$MODULE}_editView_fieldName_{$FIELD_NAME}" class="inputElement {if $FIELD_MODEL->isNameField()}nameField{/if}" name="{$FIELD_NAME}" {if !empty($SPECIAL_VALIDATOR)}data-validator='{Zend_Json::encode($SPECIAL_VALIDATOR)}'{/if}
        {if $FIELD_INFO["mandatory"] eq true} data-rule-required="true" {/if}
@@ -30,6 +31,7 @@
            data-specific-rules='{ZEND_JSON::encode($FIELD_INFO["validator"])}'
        {/if}
        >
-    {$FIELD_MODEL->get('fieldvalue')}</textarea>
+    {purifyHtmlEventAttributes($FIELD_MODEL->get('fieldvalue'),true)|regex_replace:"/(?!\w)\&nbsp;(?=\w)/":" "}
+    </textarea>
 {/if}
 {/strip}
--- a/modules/Vtiger/uitypes/Text.php
+++ b/modules/Vtiger/uitypes/Text.php
@@ -15,8 +15,15 @@ class Vtiger_Text_UIType extends Vtiger_Base_UIType {
 	 * @param <Object> $value
 	 * @return <Object>
 	 */
-	public function getDisplayValue($value, $record=false, $recordInstance=false) {
-		return nl2br($value);
+	public function getDisplayValue($value, $record=false, $recordInstance = false,$removeTags = false) {
+		//This API replaces newlines to html br tags, and spaces with &nbsp;
+		// It should not replace spaces within html tags
+		$value = decode_html(preg_replace('/\r\n|\r|\n|&NewLine;|&amp;NewLine;/','<br>',$value));
+		if($removeTags){
+            $value = strip_tags($value,'<br>');
+        }
+		$value = purifyHtmlEventAttributes($value, true);
+		return $value;
 	}
    
    /**