mirror/UNIT3D-Community-Edition
1
0
Fork 0
mirror of https://github.com/HDInnovations/UNIT3D-Community-Edition.git synced 2026-04-22 01:38:49 -05:00
Code Issues Packages Projects Releases Wiki Activity

update: remove XSS cleaner and remove XSS vulnerabilities

Browse Source 
We've been mostly relying on the 3rd party xss cleaner to make sure user submitted content is clean. This PR fixes up any leftover holes in the bbcode parser that allow xss vulnerabilities, and as a result, the 3rd party library isn't needed anymore. It cleans responsibly by first, running `htmlspecialchars()` over the content, followed by sanitizing the untrusted urls and whitelisting their protocol.
This commit is contained in:
Roardom
2023-11-04 10:20:35 +00:00
parent 849b7510cd
commit ad716d7cc3
18 changed files with 152 additions and 127 deletions
Download Patch File Download Diff File Expand all files Collapse all files
app/Http/Livewire/BbcodeInput.php
+2 -3
View File
@@ -18,7 +18,6 @@ namespace App\Http\Livewire;
use App\Helpers\Bbcode;
use Livewire\Component;
use voku\helper\AntiXSS;
class BbcodeInput extends Component
{
@@ -39,13 +38,13 @@ class BbcodeInput extends Component
$this->name = $name;
$this->label = $label;
$this->isRequired = $required;
$this->contentBbcode = $content === null ? (old($name) ?? '') : htmlspecialchars_decode($content);
$this->contentBbcode = $content ?? old($name) ?? '';
}
final public function updatedIsPreviewEnabled(): void
{
if ($this->isPreviewEnabled) {
$this->contentHtml = (new Bbcode())->parse(htmlspecialchars((new AntiXSS())->xss_clean($this->contentBbcode), ENT_NOQUOTES));
$this->contentHtml = (new Bbcode())->parse($this->contentBbcode);
}
}