mirror of
https://github.com/BookStackApp/BookStack.git
synced 2026-02-18 19:06:51 +03:00
Compare commits
17 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
ad540a015f | ||
|
|
f54f507854 | ||
|
|
e1de1f0583 | ||
|
|
a2017ffa55 | ||
|
|
f484fbc110 | ||
|
|
299d3b3149 | ||
|
|
9646339933 | ||
|
|
e4383765e1 | ||
|
|
5d547fcf4c | ||
|
|
826b36c985 | ||
|
|
3fa1174e7a | ||
|
|
50e8501027 | ||
|
|
8a221f64e4 | ||
|
|
035be66ebc | ||
|
|
227027fc45 | ||
|
|
0f040fe8b1 | ||
|
|
10ebe53bd9 |
@@ -351,10 +351,25 @@ EXPORT_PDF_COMMAND_TIMEOUT=15
|
||||
# Only used if 'ALLOW_UNTRUSTED_SERVER_FETCHING=true' which disables security protections.
|
||||
WKHTMLTOPDF=false
|
||||
|
||||
# Allow <script> tags in page content
|
||||
# Allow JavaScript, and other potentiall dangerous content in page content.
|
||||
# This also removes CSP-level JavaScript control.
|
||||
# Note, if set to 'true' the page editor may still escape scripts.
|
||||
# DEPRECATED: Use 'APP_CONTENT_FILTERING' instead as detailed below. Activiting this option
|
||||
# effectively sets APP_CONTENT_FILTERING='' (No filtering)
|
||||
ALLOW_CONTENT_SCRIPTS=false
|
||||
|
||||
# Control the behaviour of content filtering, primarily used for page content.
|
||||
# This setting is a string of characters which represent different available filters:
|
||||
# - j - Filter out JavaScript and unknown binary data based content
|
||||
# - h - Filter out unexpected, and potentially dangerous, HTML elements
|
||||
# - f - Filter out unexpected form elements
|
||||
# - a - Run content through a more complex allowlist filter
|
||||
# This defaults to using all filters, unless ALLOW_CONTENT_SCRIPTS is set to true in which case no filters are used.
|
||||
# Note: These filters are a best-attempt and may not be 100% effective. They are typically a layer used in addition to other security measures.
|
||||
# Note: The default value will always be the most-strict, so it's advised to leave this unset in your own configuration
|
||||
# to ensure you are always using the full range of filters.
|
||||
APP_CONTENT_FILTERING="jfha"
|
||||
|
||||
# Indicate if robots/crawlers should crawl your instance.
|
||||
# Can be 'true', 'false' or 'null'.
|
||||
# The behaviour of the default 'null' option will depend on the 'app-public' admin setting.
|
||||
|
||||
@@ -8,6 +8,7 @@ use BookStack\Permissions\PermissionApplicator;
|
||||
use BookStack\Users\Models\HasCreatorAndUpdater;
|
||||
use BookStack\Users\Models\OwnableInterface;
|
||||
use BookStack\Util\HtmlContentFilter;
|
||||
use BookStack\Util\HtmlContentFilterConfig;
|
||||
use Illuminate\Database\Eloquent\Builder;
|
||||
use Illuminate\Database\Eloquent\Factories\HasFactory;
|
||||
use Illuminate\Database\Eloquent\Relations\BelongsTo;
|
||||
@@ -82,7 +83,8 @@ class Comment extends Model implements Loggable, OwnableInterface
|
||||
|
||||
public function safeHtml(): string
|
||||
{
|
||||
return HtmlContentFilter::removeActiveContentFromHtmlString($this->html ?? '');
|
||||
$filter = new HtmlContentFilter(new HtmlContentFilterConfig());
|
||||
return $filter->filterString($this->html ?? '');
|
||||
}
|
||||
|
||||
public function jointPermissions(): HasMany
|
||||
|
||||
@@ -37,10 +37,15 @@ return [
|
||||
// The limit for all uploaded files, including images and attachments in MB.
|
||||
'upload_limit' => env('FILE_UPLOAD_SIZE_LIMIT', 50),
|
||||
|
||||
// Allow <script> tags to entered within page content.
|
||||
// <script> tags are escaped by default.
|
||||
// Even when overridden the WYSIWYG editor may still escape script content.
|
||||
'allow_content_scripts' => env('ALLOW_CONTENT_SCRIPTS', false),
|
||||
// Control the behaviour of content filtering, primarily used for page content.
|
||||
// This setting is a string of characters which represent different available filters:
|
||||
// - j - Filter out JavaScript and unknown binary data based content
|
||||
// - h - Filter out unexpected, and potentially dangerous, HTML elements
|
||||
// - f - Filter out unexpected form elements
|
||||
// - a - Run content through a more complex allowlist filter
|
||||
// This defaults to using all filters, unless ALLOW_CONTENT_SCRIPTS is set to true in which case no filters are used.
|
||||
// Note: These filters are a best-attempt and may not be 100% effective. They are typically a layer used in addition to other security measures.
|
||||
'content_filtering' => env('APP_CONTENT_FILTERING', env('ALLOW_CONTENT_SCRIPTS', false) === true ? '' : 'jhfa'),
|
||||
|
||||
// Allow server-side fetches to be performed to potentially unknown
|
||||
// and user-provided locations. Primarily used in exports when loading
|
||||
@@ -48,8 +53,8 @@ return [
|
||||
'allow_untrusted_server_fetching' => env('ALLOW_UNTRUSTED_SERVER_FETCHING', false),
|
||||
|
||||
// Override the default behaviour for allowing crawlers to crawl the instance.
|
||||
// May be ignored if view has be overridden or modified.
|
||||
// Defaults to null since, if not set, 'app-public' status used instead.
|
||||
// May be ignored if the underlying view has been overridden or modified.
|
||||
// Defaults to null in which case the 'app-public' status is used instead.
|
||||
'allow_robots' => env('ALLOW_ROBOTS', null),
|
||||
|
||||
// Application Base URL, Used by laravel in development commands
|
||||
|
||||
@@ -21,6 +21,8 @@ use BookStack\Exceptions\PermissionsException;
|
||||
use BookStack\Http\Controller;
|
||||
use BookStack\Permissions\Permission;
|
||||
use BookStack\References\ReferenceFetcher;
|
||||
use BookStack\Util\HtmlContentFilter;
|
||||
use BookStack\Util\HtmlContentFilterConfig;
|
||||
use Exception;
|
||||
use Illuminate\Database\Eloquent\Relations\BelongsTo;
|
||||
use Illuminate\Http\Request;
|
||||
@@ -173,7 +175,7 @@ class PageController extends Controller
|
||||
}
|
||||
|
||||
/**
|
||||
* Get page from an ajax request.
|
||||
* Get a page from an ajax request.
|
||||
*
|
||||
* @throws NotFoundException
|
||||
*/
|
||||
@@ -183,6 +185,10 @@ class PageController extends Controller
|
||||
$page->setHidden(array_diff($page->getHidden(), ['html', 'markdown']));
|
||||
$page->makeHidden(['book']);
|
||||
|
||||
$filterConfig = HtmlContentFilterConfig::fromConfigString(config('app.content_filtering'));
|
||||
$filter = new HtmlContentFilter($filterConfig);
|
||||
$page->html = $filter->filterString($page->html);
|
||||
|
||||
return response()->json($page);
|
||||
}
|
||||
|
||||
|
||||
@@ -6,6 +6,7 @@ use BookStack\Entities\Models\Book;
|
||||
use BookStack\Entities\Models\Bookshelf;
|
||||
use BookStack\Entities\Models\Chapter;
|
||||
use BookStack\Util\HtmlContentFilter;
|
||||
use BookStack\Util\HtmlContentFilterConfig;
|
||||
|
||||
class EntityHtmlDescription
|
||||
{
|
||||
@@ -50,7 +51,8 @@ class EntityHtmlDescription
|
||||
return $html;
|
||||
}
|
||||
|
||||
return HtmlContentFilter::removeActiveContentFromHtmlString($html);
|
||||
$filter = new HtmlContentFilter(new HtmlContentFilterConfig());
|
||||
return $filter->filterString($html);
|
||||
}
|
||||
|
||||
public function getPlain(): string
|
||||
|
||||
@@ -2,6 +2,7 @@
|
||||
|
||||
namespace BookStack\Entities\Tools;
|
||||
|
||||
use BookStack\App\AppVersion;
|
||||
use BookStack\Entities\Models\Page;
|
||||
use BookStack\Entities\Queries\PageQueries;
|
||||
use BookStack\Entities\Tools\Markdown\MarkdownToHtml;
|
||||
@@ -13,6 +14,7 @@ use BookStack\Uploads\ImageRepo;
|
||||
use BookStack\Uploads\ImageService;
|
||||
use BookStack\Users\Models\User;
|
||||
use BookStack\Util\HtmlContentFilter;
|
||||
use BookStack\Util\HtmlContentFilterConfig;
|
||||
use BookStack\Util\HtmlDocument;
|
||||
use BookStack\Util\WebSafeMimeSniffer;
|
||||
use Closure;
|
||||
@@ -317,11 +319,30 @@ class PageContent
|
||||
$this->updateIdsRecursively($doc->getBody(), 0, $idMap, $changeMap);
|
||||
}
|
||||
|
||||
if (!config('app.allow_content_scripts')) {
|
||||
HtmlContentFilter::removeActiveContentFromDocument($doc);
|
||||
$cacheKey = $this->getContentCacheKey($doc->getBodyInnerHtml());
|
||||
$cached = cache()->get($cacheKey, null);
|
||||
if ($cached !== null) {
|
||||
return $cached;
|
||||
}
|
||||
|
||||
return $doc->getBodyInnerHtml();
|
||||
$filterConfig = HtmlContentFilterConfig::fromConfigString(config('app.content_filtering'));
|
||||
$filter = new HtmlContentFilter($filterConfig);
|
||||
$filtered = $filter->filterDocument($doc);
|
||||
|
||||
$cacheTime = 86400 * 7; // 1 week
|
||||
cache()->put($cacheKey, $filtered, $cacheTime);
|
||||
|
||||
return $filtered;
|
||||
}
|
||||
|
||||
protected function getContentCacheKey(string $html): string
|
||||
{
|
||||
$contentHash = md5($html);
|
||||
$contentId = $this->page->id;
|
||||
$contentTime = $this->page->updated_at?->timestamp ?? time();
|
||||
$appVersion = AppVersion::get();
|
||||
$filterConfig = config('app.content_filtering') ?? '';
|
||||
return "page-content-cache::{$filterConfig}::{$appVersion}::{$contentId}::{$contentTime}::{$contentHash}";
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
@@ -8,6 +8,8 @@ use BookStack\Entities\Queries\EntityQueries;
|
||||
use BookStack\Entities\Tools\Markdown\HtmlToMarkdown;
|
||||
use BookStack\Entities\Tools\Markdown\MarkdownToHtml;
|
||||
use BookStack\Permissions\Permission;
|
||||
use BookStack\Util\HtmlContentFilter;
|
||||
use BookStack\Util\HtmlContentFilterConfig;
|
||||
|
||||
class PageEditorData
|
||||
{
|
||||
@@ -47,6 +49,7 @@ class PageEditorData
|
||||
$isDraftRevision = false;
|
||||
$this->warnings = [];
|
||||
$editActivity = new PageEditActivity($page);
|
||||
$lastEditorId = $page->updated_by ?? user()->id;
|
||||
|
||||
if ($editActivity->hasActiveEditing()) {
|
||||
$this->warnings[] = $editActivity->activeEditingMessage();
|
||||
@@ -58,11 +61,20 @@ class PageEditorData
|
||||
$page->forceFill($userDraft->only(['name', 'html', 'markdown']));
|
||||
$isDraftRevision = true;
|
||||
$this->warnings[] = $editActivity->getEditingActiveDraftMessage($userDraft);
|
||||
$lastEditorId = $userDraft->created_by;
|
||||
}
|
||||
|
||||
// Get editor type and handle changes
|
||||
$editorType = $this->getEditorType($page);
|
||||
$this->updateContentForEditor($page, $editorType);
|
||||
|
||||
// Filter HTML content if required
|
||||
if ($editorType->isHtmlBased() && !old('html') && $lastEditorId !== user()->id) {
|
||||
$filterConfig = HtmlContentFilterConfig::fromConfigString(config('app.content_filtering'));
|
||||
$filter = new HtmlContentFilter($filterConfig);
|
||||
$page->html = $filter->filterString($page->html);
|
||||
}
|
||||
|
||||
return [
|
||||
'page' => $page,
|
||||
'book' => $page->book,
|
||||
|
||||
@@ -4,25 +4,16 @@ namespace BookStack\Theming;
|
||||
|
||||
use BookStack\Util\CspService;
|
||||
use BookStack\Util\HtmlContentFilter;
|
||||
use BookStack\Util\HtmlContentFilterConfig;
|
||||
use BookStack\Util\HtmlNonceApplicator;
|
||||
use Illuminate\Contracts\Cache\Repository as Cache;
|
||||
|
||||
class CustomHtmlHeadContentProvider
|
||||
{
|
||||
/**
|
||||
* @var CspService
|
||||
*/
|
||||
protected $cspService;
|
||||
|
||||
/**
|
||||
* @var Cache
|
||||
*/
|
||||
protected $cache;
|
||||
|
||||
public function __construct(CspService $cspService, Cache $cache)
|
||||
{
|
||||
$this->cspService = $cspService;
|
||||
$this->cache = $cache;
|
||||
public function __construct(
|
||||
protected CspService $cspService,
|
||||
protected Cache $cache
|
||||
) {
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -50,7 +41,8 @@ class CustomHtmlHeadContentProvider
|
||||
$hash = md5($content);
|
||||
|
||||
return $this->cache->remember('custom-head-export:' . $hash, 86400, function () use ($content) {
|
||||
return HtmlContentFilter::removeActiveContentFromHtmlString($content);
|
||||
$config = new HtmlContentFilterConfig(filterOutNonContentElements: false, useAllowListFilter: false);
|
||||
return (new HtmlContentFilter($config))->filterString($content);
|
||||
});
|
||||
}
|
||||
|
||||
|
||||
143
app/Util/ConfiguredHtmlPurifier.php
Normal file
143
app/Util/ConfiguredHtmlPurifier.php
Normal file
@@ -0,0 +1,143 @@
|
||||
<?php
|
||||
|
||||
namespace BookStack\Util;
|
||||
|
||||
use BookStack\App\AppVersion;
|
||||
use HTMLPurifier;
|
||||
use HTMLPurifier_Config;
|
||||
use HTMLPurifier_DefinitionCache_Serializer;
|
||||
use HTMLPurifier_HTML5Config;
|
||||
use HTMLPurifier_HTMLDefinition;
|
||||
|
||||
/**
|
||||
* Provides a configured HTML Purifier instance.
|
||||
* https://github.com/ezyang/htmlpurifier
|
||||
* Also uses this to extend support to HTML5 elements:
|
||||
* https://github.com/xemlock/htmlpurifier-html5
|
||||
*/
|
||||
class ConfiguredHtmlPurifier
|
||||
{
|
||||
protected HTMLPurifier $purifier;
|
||||
protected static bool $cachedChecked = false;
|
||||
|
||||
public function __construct()
|
||||
{
|
||||
// This is done by the web-server at run-time, with the existing
|
||||
// storage/framework/cache folder to ensure we're using a server-writable folder.
|
||||
$cachePath = storage_path('framework/cache/purifier');
|
||||
$this->createCacheFolderIfNeeded($cachePath);
|
||||
|
||||
$config = HTMLPurifier_HTML5Config::createDefault();
|
||||
$this->setConfig($config, $cachePath);
|
||||
$this->resetCacheIfNeeded($config);
|
||||
|
||||
$htmlDef = $config->getDefinition('HTML', true, true);
|
||||
if ($htmlDef instanceof HTMLPurifier_HTMLDefinition) {
|
||||
$this->configureDefinition($htmlDef);
|
||||
}
|
||||
|
||||
$this->purifier = new HTMLPurifier($config);
|
||||
}
|
||||
|
||||
protected function createCacheFolderIfNeeded(string $cachePath): void
|
||||
{
|
||||
if (!file_exists($cachePath)) {
|
||||
mkdir($cachePath, 0777, true);
|
||||
}
|
||||
}
|
||||
|
||||
protected function resetCacheIfNeeded(HTMLPurifier_Config $config): void
|
||||
{
|
||||
if (self::$cachedChecked) {
|
||||
return;
|
||||
}
|
||||
|
||||
$cachedForVersion = cache('htmlpurifier::cache-version');
|
||||
$appVersion = AppVersion::get();
|
||||
if ($cachedForVersion !== $appVersion) {
|
||||
foreach (['HTML', 'CSS', 'URI'] as $name) {
|
||||
$cache = new HTMLPurifier_DefinitionCache_Serializer($name);
|
||||
$cache->flush($config);
|
||||
}
|
||||
cache()->set('htmlpurifier::cache-version', $appVersion);
|
||||
}
|
||||
|
||||
self::$cachedChecked = true;
|
||||
}
|
||||
|
||||
protected function setConfig(HTMLPurifier_Config $config, string $cachePath): void
|
||||
{
|
||||
$config->set('Cache.SerializerPath', $cachePath);
|
||||
$config->set('Core.AllowHostnameUnderscore', true);
|
||||
$config->set('CSS.AllowTricky', true);
|
||||
$config->set('HTML.SafeIframe', true);
|
||||
$config->set('Attr.EnableID', true);
|
||||
$config->set('Attr.ID.HTML5', true);
|
||||
$config->set('Output.FixInnerHTML', false);
|
||||
$config->set('URI.SafeIframeRegexp', '%^(http://|https://|//)%');
|
||||
$config->set('URI.AllowedSchemes', [
|
||||
'http' => true,
|
||||
'https' => true,
|
||||
'mailto' => true,
|
||||
'ftp' => true,
|
||||
'nntp' => true,
|
||||
'news' => true,
|
||||
'tel' => true,
|
||||
'file' => true,
|
||||
]);
|
||||
|
||||
// $config->set('Cache.DefinitionImpl', null); // Disable cache during testing
|
||||
}
|
||||
|
||||
public function configureDefinition(HTMLPurifier_HTMLDefinition $definition): void
|
||||
{
|
||||
// Allow the object element
|
||||
$definition->addElement(
|
||||
'object',
|
||||
'Inline',
|
||||
'Flow',
|
||||
'Common',
|
||||
[
|
||||
'data' => 'URI',
|
||||
'type' => 'Text',
|
||||
'width' => 'Length',
|
||||
'height' => 'Length',
|
||||
]
|
||||
);
|
||||
|
||||
// Allow the embed element
|
||||
$definition->addElement(
|
||||
'embed',
|
||||
'Inline',
|
||||
'Empty',
|
||||
'Common',
|
||||
[
|
||||
'src' => 'URI',
|
||||
'type' => 'Text',
|
||||
'width' => 'Length',
|
||||
'height' => 'Length',
|
||||
]
|
||||
);
|
||||
|
||||
// Allow checkbox inputs
|
||||
$definition->addElement(
|
||||
'input',
|
||||
'Formctrl',
|
||||
'Empty',
|
||||
'Common',
|
||||
[
|
||||
'checked' => 'Bool#checked',
|
||||
'disabled' => 'Bool#disabled',
|
||||
'name' => 'Text',
|
||||
'readonly' => 'Bool#readonly',
|
||||
'type' => 'Enum#checkbox',
|
||||
'value' => 'Text',
|
||||
]
|
||||
);
|
||||
}
|
||||
|
||||
public function purify(string $html): string
|
||||
{
|
||||
return $this->purifier->purify($html);
|
||||
}
|
||||
}
|
||||
@@ -65,7 +65,7 @@ class CspService
|
||||
*/
|
||||
protected function getScriptSrc(): string
|
||||
{
|
||||
if (config('app.allow_content_scripts')) {
|
||||
if ($this->scriptFilteringDisabled()) {
|
||||
return '';
|
||||
}
|
||||
|
||||
@@ -108,7 +108,7 @@ class CspService
|
||||
*/
|
||||
protected function getObjectSrc(): string
|
||||
{
|
||||
if (config('app.allow_content_scripts')) {
|
||||
if ($this->scriptFilteringDisabled()) {
|
||||
return '';
|
||||
}
|
||||
|
||||
@@ -124,6 +124,11 @@ class CspService
|
||||
return "base-uri 'self'";
|
||||
}
|
||||
|
||||
protected function scriptFilteringDisabled(): bool
|
||||
{
|
||||
return !HtmlContentFilterConfig::fromConfigString(config('app.content_filtering'))->filterOutJavaScript;
|
||||
}
|
||||
|
||||
protected function getAllowedIframeHosts(): array
|
||||
{
|
||||
$hosts = config('app.iframe_hosts') ?? '';
|
||||
|
||||
@@ -8,12 +8,46 @@ use DOMNodeList;
|
||||
|
||||
class HtmlContentFilter
|
||||
{
|
||||
/**
|
||||
* Remove all active content from the given HTML document.
|
||||
* This aims to cover anything which can dynamically deal with, or send, data
|
||||
* like any JavaScript actions or form content.
|
||||
*/
|
||||
public static function removeActiveContentFromDocument(HtmlDocument $doc): void
|
||||
public function __construct(
|
||||
protected HtmlContentFilterConfig $config
|
||||
) {
|
||||
}
|
||||
|
||||
public function filterDocument(HtmlDocument $doc): string
|
||||
{
|
||||
if ($this->config->filterOutJavaScript) {
|
||||
$this->filterOutScriptsFromDocument($doc);
|
||||
}
|
||||
if ($this->config->filterOutFormElements) {
|
||||
$this->filterOutFormElementsFromDocument($doc);
|
||||
}
|
||||
if ($this->config->filterOutBadHtmlElements) {
|
||||
$this->filterOutBadHtmlElementsFromDocument($doc);
|
||||
}
|
||||
if ($this->config->filterOutNonContentElements) {
|
||||
$this->filterOutNonContentElementsFromDocument($doc);
|
||||
}
|
||||
|
||||
$filtered = $doc->getBodyInnerHtml();
|
||||
if ($this->config->useAllowListFilter) {
|
||||
$filtered = $this->applyAllowListFiltering($filtered);
|
||||
}
|
||||
|
||||
return $filtered;
|
||||
}
|
||||
|
||||
public function filterString(string $html): string
|
||||
{
|
||||
return $this->filterDocument(new HtmlDocument($html));
|
||||
}
|
||||
|
||||
protected function applyAllowListFiltering(string $html): string
|
||||
{
|
||||
$purifier = new ConfiguredHtmlPurifier();
|
||||
return $purifier->purify($html);
|
||||
}
|
||||
|
||||
protected function filterOutScriptsFromDocument(HtmlDocument $doc): void
|
||||
{
|
||||
// Remove standard script tags
|
||||
$scriptElems = $doc->queryXPath('//script');
|
||||
@@ -27,17 +61,17 @@ class HtmlContentFilter
|
||||
$badForms = $doc->queryXPath('//*[' . static::xpathContains('@action', 'javascript:') . '] | //*[' . static::xpathContains('@formaction', 'javascript:') . ']');
|
||||
static::removeNodes($badForms);
|
||||
|
||||
// Remove meta tag to prevent external redirects
|
||||
$metaTags = $doc->queryXPath('//meta[' . static::xpathContains('@content', 'url') . ']');
|
||||
static::removeNodes($metaTags);
|
||||
|
||||
// Remove data or JavaScript iFrames
|
||||
// Remove data or JavaScript iFrames & embeds
|
||||
$badIframes = $doc->queryXPath('//*[' . static::xpathContains('@src', 'data:') . '] | //*[' . static::xpathContains('@src', 'javascript:') . '] | //*[@srcdoc]');
|
||||
static::removeNodes($badIframes);
|
||||
|
||||
// Remove data or JavaScript objects
|
||||
$badObjects = $doc->queryXPath('//*[' . static::xpathContains('@data', 'data:') . '] | //*[' . static::xpathContains('@data', 'javascript:') . ']');
|
||||
static::removeNodes($badObjects);
|
||||
|
||||
// Remove attributes, within svg children, hiding JavaScript or data uris.
|
||||
// A bunch of svg element and attribute combinations expose xss possibilities.
|
||||
// For example, SVG animate tag can exploit javascript in values.
|
||||
// For example, SVG animate tag can exploit JavaScript in values.
|
||||
$badValuesAttrs = $doc->queryXPath('//svg//@*[' . static::xpathContains('.', 'data:') . '] | //svg//@*[' . static::xpathContains('.', 'javascript:') . ']');
|
||||
static::removeAttributes($badValuesAttrs);
|
||||
|
||||
@@ -49,7 +83,10 @@ class HtmlContentFilter
|
||||
// Remove 'on*' attributes
|
||||
$onAttributes = $doc->queryXPath('//@*[starts-with(name(), \'on\')]');
|
||||
static::removeAttributes($onAttributes);
|
||||
}
|
||||
|
||||
protected function filterOutFormElementsFromDocument(HtmlDocument $doc): void
|
||||
{
|
||||
// Remove form elements
|
||||
$formElements = ['form', 'fieldset', 'button', 'textarea', 'select'];
|
||||
foreach ($formElements as $formElement) {
|
||||
@@ -75,41 +112,21 @@ class HtmlContentFilter
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Remove active content from the given HTML string.
|
||||
* This aims to cover anything which can dynamically deal with, or send, data
|
||||
* like any JavaScript actions or form content.
|
||||
*/
|
||||
public static function removeActiveContentFromHtmlString(string $html): string
|
||||
protected function filterOutBadHtmlElementsFromDocument(HtmlDocument $doc): void
|
||||
{
|
||||
if (empty($html)) {
|
||||
return $html;
|
||||
// Remove meta tag to prevent external redirects
|
||||
$metaTags = $doc->queryXPath('//meta[' . static::xpathContains('@content', 'url') . ']');
|
||||
static::removeNodes($metaTags);
|
||||
}
|
||||
|
||||
protected function filterOutNonContentElementsFromDocument(HtmlDocument $doc): void
|
||||
{
|
||||
// Remove non-content elements
|
||||
$formElements = ['link', 'style', 'meta', 'title', 'template'];
|
||||
foreach ($formElements as $formElement) {
|
||||
$matchingFormElements = $doc->queryXPath('//' . $formElement);
|
||||
static::removeNodes($matchingFormElements);
|
||||
}
|
||||
|
||||
$doc = new HtmlDocument($html);
|
||||
static::removeActiveContentFromDocument($doc);
|
||||
|
||||
return $doc->getBodyInnerHtml();
|
||||
}
|
||||
|
||||
/**
|
||||
* Alias using the old method name to avoid potential compatibility breaks during patch release.
|
||||
* To remove in future feature release.
|
||||
* @deprecated Use removeActiveContentFromDocument instead.
|
||||
*/
|
||||
public static function removeScriptsFromDocument(HtmlDocument $doc): void
|
||||
{
|
||||
static::removeActiveContentFromDocument($doc);
|
||||
}
|
||||
|
||||
/**
|
||||
* Alias using the old method name to avoid potential compatibility breaks during patch release.
|
||||
* To remove in future feature release.
|
||||
* @deprecated Use removeActiveContentFromHtmlString instead.
|
||||
*/
|
||||
public static function removeScriptsFromHtmlString(string $html): string
|
||||
{
|
||||
return static::removeActiveContentFromHtmlString($html);
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -147,4 +164,34 @@ class HtmlContentFilter
|
||||
$parentNode->removeAttribute($attrName);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Alias using the old method name to avoid potential compatibility breaks during patch release.
|
||||
* To remove in future feature release.
|
||||
* @deprecated Use filterDocument instead.
|
||||
*/
|
||||
public static function removeScriptsFromDocument(HtmlDocument $doc): void
|
||||
{
|
||||
$config = new HtmlContentFilterConfig(
|
||||
filterOutNonContentElements: false,
|
||||
useAllowListFilter: false,
|
||||
);
|
||||
$filter = new self($config);
|
||||
$filter->filterDocument($doc);
|
||||
}
|
||||
|
||||
/**
|
||||
* Alias using the old method name to avoid potential compatibility breaks during patch release.
|
||||
* To remove in future feature release.
|
||||
* @deprecated Use filterString instead.
|
||||
*/
|
||||
public static function removeScriptsFromHtmlString(string $html): string
|
||||
{
|
||||
$config = new HtmlContentFilterConfig(
|
||||
filterOutNonContentElements: false,
|
||||
useAllowListFilter: false,
|
||||
);
|
||||
$filter = new self($config);
|
||||
return $filter->filterString($html);
|
||||
}
|
||||
}
|
||||
|
||||
31
app/Util/HtmlContentFilterConfig.php
Normal file
31
app/Util/HtmlContentFilterConfig.php
Normal file
@@ -0,0 +1,31 @@
|
||||
<?php
|
||||
|
||||
namespace BookStack\Util;
|
||||
|
||||
readonly class HtmlContentFilterConfig
|
||||
{
|
||||
public function __construct(
|
||||
public bool $filterOutJavaScript = true,
|
||||
public bool $filterOutBadHtmlElements = true,
|
||||
public bool $filterOutFormElements = true,
|
||||
public bool $filterOutNonContentElements = true,
|
||||
public bool $useAllowListFilter = true,
|
||||
) {
|
||||
}
|
||||
|
||||
/**
|
||||
* Create an instance from a config string, where the string
|
||||
* is a combination of characters to enable filters.
|
||||
*/
|
||||
public static function fromConfigString(string $config): self
|
||||
{
|
||||
$config = strtolower($config);
|
||||
return new self(
|
||||
filterOutJavaScript: str_contains($config, 'j'),
|
||||
filterOutBadHtmlElements: str_contains($config, 'h'),
|
||||
filterOutFormElements: str_contains($config, 'f'),
|
||||
filterOutNonContentElements: str_contains($config, 'h'),
|
||||
useAllowListFilter: str_contains($config, 'a'),
|
||||
);
|
||||
}
|
||||
}
|
||||
@@ -19,6 +19,7 @@
|
||||
"ext-zip": "*",
|
||||
"bacon/bacon-qr-code": "^3.0",
|
||||
"dompdf/dompdf": "^3.1",
|
||||
"ezyang/htmlpurifier": "^4.19",
|
||||
"guzzlehttp/guzzle": "^7.4",
|
||||
"intervention/image": "^3.5",
|
||||
"knplabs/knp-snappy": "^1.5",
|
||||
@@ -38,7 +39,8 @@
|
||||
"socialiteproviders/microsoft-azure": "^5.1",
|
||||
"socialiteproviders/okta": "^4.2",
|
||||
"socialiteproviders/twitch": "^5.3",
|
||||
"ssddanbrown/htmldiff": "^2.0.0"
|
||||
"ssddanbrown/htmldiff": "^2.0.0",
|
||||
"xemlock/htmlpurifier-html5": "^0.1.12"
|
||||
},
|
||||
"require-dev": {
|
||||
"fakerphp/faker": "^1.21",
|
||||
|
||||
425
composer.lock
generated
425
composer.lock
generated
@@ -4,7 +4,7 @@
|
||||
"Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
|
||||
"This file is @generated automatically"
|
||||
],
|
||||
"content-hash": "556613432c8fb7d8f96bcf637c8c07a9",
|
||||
"content-hash": "8dc695e5ecb6cea01e282394da136713",
|
||||
"packages": [
|
||||
{
|
||||
"name": "aws/aws-crt-php",
|
||||
@@ -62,16 +62,16 @@
|
||||
},
|
||||
{
|
||||
"name": "aws/aws-sdk-php",
|
||||
"version": "3.369.22",
|
||||
"version": "3.369.35",
|
||||
"source": {
|
||||
"type": "git",
|
||||
"url": "https://github.com/aws/aws-sdk-php.git",
|
||||
"reference": "fe83cbc3adb5ed384179ac6d63531aadde0198e3"
|
||||
"reference": "0f3e296342fe965271b5dd0bded4a18bdab8aba5"
|
||||
},
|
||||
"dist": {
|
||||
"type": "zip",
|
||||
"url": "https://api.github.com/repos/aws/aws-sdk-php/zipball/fe83cbc3adb5ed384179ac6d63531aadde0198e3",
|
||||
"reference": "fe83cbc3adb5ed384179ac6d63531aadde0198e3",
|
||||
"url": "https://api.github.com/repos/aws/aws-sdk-php/zipball/0f3e296342fe965271b5dd0bded4a18bdab8aba5",
|
||||
"reference": "0f3e296342fe965271b5dd0bded4a18bdab8aba5",
|
||||
"shasum": ""
|
||||
},
|
||||
"require": {
|
||||
@@ -153,9 +153,9 @@
|
||||
"support": {
|
||||
"forum": "https://github.com/aws/aws-sdk-php/discussions",
|
||||
"issues": "https://github.com/aws/aws-sdk-php/issues",
|
||||
"source": "https://github.com/aws/aws-sdk-php/tree/3.369.22"
|
||||
"source": "https://github.com/aws/aws-sdk-php/tree/3.369.35"
|
||||
},
|
||||
"time": "2026-01-28T19:19:00+00:00"
|
||||
"time": "2026-02-16T19:15:41+00:00"
|
||||
},
|
||||
{
|
||||
"name": "bacon/bacon-qr-code",
|
||||
@@ -214,16 +214,16 @@
|
||||
},
|
||||
{
|
||||
"name": "brick/math",
|
||||
"version": "0.14.1",
|
||||
"version": "0.14.8",
|
||||
"source": {
|
||||
"type": "git",
|
||||
"url": "https://github.com/brick/math.git",
|
||||
"reference": "f05858549e5f9d7bb45875a75583240a38a281d0"
|
||||
"reference": "63422359a44b7f06cae63c3b429b59e8efcc0629"
|
||||
},
|
||||
"dist": {
|
||||
"type": "zip",
|
||||
"url": "https://api.github.com/repos/brick/math/zipball/f05858549e5f9d7bb45875a75583240a38a281d0",
|
||||
"reference": "f05858549e5f9d7bb45875a75583240a38a281d0",
|
||||
"url": "https://api.github.com/repos/brick/math/zipball/63422359a44b7f06cae63c3b429b59e8efcc0629",
|
||||
"reference": "63422359a44b7f06cae63c3b429b59e8efcc0629",
|
||||
"shasum": ""
|
||||
},
|
||||
"require": {
|
||||
@@ -262,7 +262,7 @@
|
||||
],
|
||||
"support": {
|
||||
"issues": "https://github.com/brick/math/issues",
|
||||
"source": "https://github.com/brick/math/tree/0.14.1"
|
||||
"source": "https://github.com/brick/math/tree/0.14.8"
|
||||
},
|
||||
"funding": [
|
||||
{
|
||||
@@ -270,7 +270,7 @@
|
||||
"type": "github"
|
||||
}
|
||||
],
|
||||
"time": "2025-11-24T14:40:29+00:00"
|
||||
"time": "2026-02-10T14:33:43+00:00"
|
||||
},
|
||||
{
|
||||
"name": "carbonphp/carbon-doctrine-types",
|
||||
@@ -919,6 +919,67 @@
|
||||
],
|
||||
"time": "2025-03-06T22:45:56+00:00"
|
||||
},
|
||||
{
|
||||
"name": "ezyang/htmlpurifier",
|
||||
"version": "v4.19.0",
|
||||
"source": {
|
||||
"type": "git",
|
||||
"url": "https://github.com/ezyang/htmlpurifier.git",
|
||||
"reference": "b287d2a16aceffbf6e0295559b39662612b77fcf"
|
||||
},
|
||||
"dist": {
|
||||
"type": "zip",
|
||||
"url": "https://api.github.com/repos/ezyang/htmlpurifier/zipball/b287d2a16aceffbf6e0295559b39662612b77fcf",
|
||||
"reference": "b287d2a16aceffbf6e0295559b39662612b77fcf",
|
||||
"shasum": ""
|
||||
},
|
||||
"require": {
|
||||
"php": "~5.6.0 || ~7.0.0 || ~7.1.0 || ~7.2.0 || ~7.3.0 || ~7.4.0 || ~8.0.0 || ~8.1.0 || ~8.2.0 || ~8.3.0 || ~8.4.0 || ~8.5.0"
|
||||
},
|
||||
"require-dev": {
|
||||
"cerdic/css-tidy": "^1.7 || ^2.0",
|
||||
"simpletest/simpletest": "dev-master"
|
||||
},
|
||||
"suggest": {
|
||||
"cerdic/css-tidy": "If you want to use the filter 'Filter.ExtractStyleBlocks'.",
|
||||
"ext-bcmath": "Used for unit conversion and imagecrash protection",
|
||||
"ext-iconv": "Converts text to and from non-UTF-8 encodings",
|
||||
"ext-tidy": "Used for pretty-printing HTML"
|
||||
},
|
||||
"type": "library",
|
||||
"autoload": {
|
||||
"files": [
|
||||
"library/HTMLPurifier.composer.php"
|
||||
],
|
||||
"psr-0": {
|
||||
"HTMLPurifier": "library/"
|
||||
},
|
||||
"exclude-from-classmap": [
|
||||
"/library/HTMLPurifier/Language/"
|
||||
]
|
||||
},
|
||||
"notification-url": "https://packagist.org/downloads/",
|
||||
"license": [
|
||||
"LGPL-2.1-or-later"
|
||||
],
|
||||
"authors": [
|
||||
{
|
||||
"name": "Edward Z. Yang",
|
||||
"email": "admin@htmlpurifier.org",
|
||||
"homepage": "http://ezyang.com"
|
||||
}
|
||||
],
|
||||
"description": "Standards compliant HTML filter written in PHP",
|
||||
"homepage": "http://htmlpurifier.org/",
|
||||
"keywords": [
|
||||
"html"
|
||||
],
|
||||
"support": {
|
||||
"issues": "https://github.com/ezyang/htmlpurifier/issues",
|
||||
"source": "https://github.com/ezyang/htmlpurifier/tree/v4.19.0"
|
||||
},
|
||||
"time": "2025-10-17T16:34:55+00:00"
|
||||
},
|
||||
{
|
||||
"name": "firebase/php-jwt",
|
||||
"version": "v7.0.2",
|
||||
@@ -1672,29 +1733,29 @@
|
||||
},
|
||||
{
|
||||
"name": "knplabs/knp-snappy",
|
||||
"version": "v1.5.1",
|
||||
"version": "v1.6.0",
|
||||
"source": {
|
||||
"type": "git",
|
||||
"url": "https://github.com/KnpLabs/snappy.git",
|
||||
"reference": "3dd138e9e47de91cd2e056c5e6e1a0dd72547ee7"
|
||||
"reference": "af73003db677563fa982b50c1aec4d1e2b2f30b2"
|
||||
},
|
||||
"dist": {
|
||||
"type": "zip",
|
||||
"url": "https://api.github.com/repos/KnpLabs/snappy/zipball/3dd138e9e47de91cd2e056c5e6e1a0dd72547ee7",
|
||||
"reference": "3dd138e9e47de91cd2e056c5e6e1a0dd72547ee7",
|
||||
"url": "https://api.github.com/repos/KnpLabs/snappy/zipball/af73003db677563fa982b50c1aec4d1e2b2f30b2",
|
||||
"reference": "af73003db677563fa982b50c1aec4d1e2b2f30b2",
|
||||
"shasum": ""
|
||||
},
|
||||
"require": {
|
||||
"php": ">=8.1",
|
||||
"psr/log": "^2.0||^3.0",
|
||||
"symfony/process": "^5.0||^6.0||^7.0"
|
||||
"symfony/process": "^5.0||^6.0||^7.0||^8.0"
|
||||
},
|
||||
"require-dev": {
|
||||
"friendsofphp/php-cs-fixer": "^3.0",
|
||||
"pedrotroller/php-cs-custom-fixer": "^2.19",
|
||||
"phpstan/phpstan": "^1.0.0",
|
||||
"phpstan/phpstan-phpunit": "^1.0.0",
|
||||
"phpunit/phpunit": "^8.5"
|
||||
"phpunit/phpunit": "^9.6.29"
|
||||
},
|
||||
"type": "library",
|
||||
"extra": {
|
||||
@@ -1733,22 +1794,22 @@
|
||||
],
|
||||
"support": {
|
||||
"issues": "https://github.com/KnpLabs/snappy/issues",
|
||||
"source": "https://github.com/KnpLabs/snappy/tree/v1.5.1"
|
||||
"source": "https://github.com/KnpLabs/snappy/tree/v1.6.0"
|
||||
},
|
||||
"time": "2025-01-06T16:53:26+00:00"
|
||||
"time": "2026-02-13T12:50:40+00:00"
|
||||
},
|
||||
{
|
||||
"name": "laravel/framework",
|
||||
"version": "v12.49.0",
|
||||
"version": "v12.51.0",
|
||||
"source": {
|
||||
"type": "git",
|
||||
"url": "https://github.com/laravel/framework.git",
|
||||
"reference": "4bde4530545111d8bdd1de6f545fa8824039fcb5"
|
||||
"reference": "ce4de3feb211e47c4f959d309ccf8a2733b1bc16"
|
||||
},
|
||||
"dist": {
|
||||
"type": "zip",
|
||||
"url": "https://api.github.com/repos/laravel/framework/zipball/4bde4530545111d8bdd1de6f545fa8824039fcb5",
|
||||
"reference": "4bde4530545111d8bdd1de6f545fa8824039fcb5",
|
||||
"url": "https://api.github.com/repos/laravel/framework/zipball/ce4de3feb211e47c4f959d309ccf8a2733b1bc16",
|
||||
"reference": "ce4de3feb211e47c4f959d309ccf8a2733b1bc16",
|
||||
"shasum": ""
|
||||
},
|
||||
"require": {
|
||||
@@ -1957,34 +2018,34 @@
|
||||
"issues": "https://github.com/laravel/framework/issues",
|
||||
"source": "https://github.com/laravel/framework"
|
||||
},
|
||||
"time": "2026-01-28T03:40:49+00:00"
|
||||
"time": "2026-02-10T18:20:19+00:00"
|
||||
},
|
||||
{
|
||||
"name": "laravel/prompts",
|
||||
"version": "v0.3.11",
|
||||
"version": "v0.3.13",
|
||||
"source": {
|
||||
"type": "git",
|
||||
"url": "https://github.com/laravel/prompts.git",
|
||||
"reference": "dd2a2ed95acacbcccd32fd98dee4c946ae7a7217"
|
||||
"reference": "ed8c466571b37e977532fb2fd3c272c784d7050d"
|
||||
},
|
||||
"dist": {
|
||||
"type": "zip",
|
||||
"url": "https://api.github.com/repos/laravel/prompts/zipball/dd2a2ed95acacbcccd32fd98dee4c946ae7a7217",
|
||||
"reference": "dd2a2ed95acacbcccd32fd98dee4c946ae7a7217",
|
||||
"url": "https://api.github.com/repos/laravel/prompts/zipball/ed8c466571b37e977532fb2fd3c272c784d7050d",
|
||||
"reference": "ed8c466571b37e977532fb2fd3c272c784d7050d",
|
||||
"shasum": ""
|
||||
},
|
||||
"require": {
|
||||
"composer-runtime-api": "^2.2",
|
||||
"ext-mbstring": "*",
|
||||
"php": "^8.1",
|
||||
"symfony/console": "^6.2|^7.0"
|
||||
"symfony/console": "^6.2|^7.0|^8.0"
|
||||
},
|
||||
"conflict": {
|
||||
"illuminate/console": ">=10.17.0 <10.25.0",
|
||||
"laravel/framework": ">=10.17.0 <10.25.0"
|
||||
},
|
||||
"require-dev": {
|
||||
"illuminate/collections": "^10.0|^11.0|^12.0",
|
||||
"illuminate/collections": "^10.0|^11.0|^12.0|^13.0",
|
||||
"mockery/mockery": "^1.5",
|
||||
"pestphp/pest": "^2.3|^3.4|^4.0",
|
||||
"phpstan/phpstan": "^1.12.28",
|
||||
@@ -2014,33 +2075,33 @@
|
||||
"description": "Add beautiful and user-friendly forms to your command-line applications.",
|
||||
"support": {
|
||||
"issues": "https://github.com/laravel/prompts/issues",
|
||||
"source": "https://github.com/laravel/prompts/tree/v0.3.11"
|
||||
"source": "https://github.com/laravel/prompts/tree/v0.3.13"
|
||||
},
|
||||
"time": "2026-01-27T02:55:06+00:00"
|
||||
"time": "2026-02-06T12:17:10+00:00"
|
||||
},
|
||||
{
|
||||
"name": "laravel/serializable-closure",
|
||||
"version": "v2.0.8",
|
||||
"version": "v2.0.9",
|
||||
"source": {
|
||||
"type": "git",
|
||||
"url": "https://github.com/laravel/serializable-closure.git",
|
||||
"reference": "7581a4407012f5f53365e11bafc520fd7f36bc9b"
|
||||
"reference": "8f631589ab07b7b52fead814965f5a800459cb3e"
|
||||
},
|
||||
"dist": {
|
||||
"type": "zip",
|
||||
"url": "https://api.github.com/repos/laravel/serializable-closure/zipball/7581a4407012f5f53365e11bafc520fd7f36bc9b",
|
||||
"reference": "7581a4407012f5f53365e11bafc520fd7f36bc9b",
|
||||
"url": "https://api.github.com/repos/laravel/serializable-closure/zipball/8f631589ab07b7b52fead814965f5a800459cb3e",
|
||||
"reference": "8f631589ab07b7b52fead814965f5a800459cb3e",
|
||||
"shasum": ""
|
||||
},
|
||||
"require": {
|
||||
"php": "^8.1"
|
||||
},
|
||||
"require-dev": {
|
||||
"illuminate/support": "^10.0|^11.0|^12.0",
|
||||
"illuminate/support": "^10.0|^11.0|^12.0|^13.0",
|
||||
"nesbot/carbon": "^2.67|^3.0",
|
||||
"pestphp/pest": "^2.36|^3.0|^4.0",
|
||||
"phpstan/phpstan": "^2.0",
|
||||
"symfony/var-dumper": "^6.2.0|^7.0.0"
|
||||
"symfony/var-dumper": "^6.2.0|^7.0.0|^8.0.0"
|
||||
},
|
||||
"type": "library",
|
||||
"extra": {
|
||||
@@ -2077,7 +2138,7 @@
|
||||
"issues": "https://github.com/laravel/serializable-closure/issues",
|
||||
"source": "https://github.com/laravel/serializable-closure"
|
||||
},
|
||||
"time": "2026-01-08T16:22:46+00:00"
|
||||
"time": "2026-02-03T06:55:34+00:00"
|
||||
},
|
||||
{
|
||||
"name": "laravel/socialite",
|
||||
@@ -2153,16 +2214,16 @@
|
||||
},
|
||||
{
|
||||
"name": "laravel/tinker",
|
||||
"version": "v2.11.0",
|
||||
"version": "v2.11.1",
|
||||
"source": {
|
||||
"type": "git",
|
||||
"url": "https://github.com/laravel/tinker.git",
|
||||
"reference": "3d34b97c9a1747a81a3fde90482c092bd8b66468"
|
||||
"reference": "c9f80cc835649b5c1842898fb043f8cc098dd741"
|
||||
},
|
||||
"dist": {
|
||||
"type": "zip",
|
||||
"url": "https://api.github.com/repos/laravel/tinker/zipball/3d34b97c9a1747a81a3fde90482c092bd8b66468",
|
||||
"reference": "3d34b97c9a1747a81a3fde90482c092bd8b66468",
|
||||
"url": "https://api.github.com/repos/laravel/tinker/zipball/c9f80cc835649b5c1842898fb043f8cc098dd741",
|
||||
"reference": "c9f80cc835649b5c1842898fb043f8cc098dd741",
|
||||
"shasum": ""
|
||||
},
|
||||
"require": {
|
||||
@@ -2213,9 +2274,9 @@
|
||||
],
|
||||
"support": {
|
||||
"issues": "https://github.com/laravel/tinker/issues",
|
||||
"source": "https://github.com/laravel/tinker/tree/v2.11.0"
|
||||
"source": "https://github.com/laravel/tinker/tree/v2.11.1"
|
||||
},
|
||||
"time": "2025-12-19T19:16:45+00:00"
|
||||
"time": "2026-02-06T14:12:35+00:00"
|
||||
},
|
||||
{
|
||||
"name": "league/commonmark",
|
||||
@@ -3404,16 +3465,16 @@
|
||||
},
|
||||
{
|
||||
"name": "nette/schema",
|
||||
"version": "v1.3.3",
|
||||
"version": "v1.3.4",
|
||||
"source": {
|
||||
"type": "git",
|
||||
"url": "https://github.com/nette/schema.git",
|
||||
"reference": "2befc2f42d7c715fd9d95efc31b1081e5d765004"
|
||||
"reference": "086497a2f34b82fede9b5a41cc8e131d087cd8f7"
|
||||
},
|
||||
"dist": {
|
||||
"type": "zip",
|
||||
"url": "https://api.github.com/repos/nette/schema/zipball/2befc2f42d7c715fd9d95efc31b1081e5d765004",
|
||||
"reference": "2befc2f42d7c715fd9d95efc31b1081e5d765004",
|
||||
"url": "https://api.github.com/repos/nette/schema/zipball/086497a2f34b82fede9b5a41cc8e131d087cd8f7",
|
||||
"reference": "086497a2f34b82fede9b5a41cc8e131d087cd8f7",
|
||||
"shasum": ""
|
||||
},
|
||||
"require": {
|
||||
@@ -3421,8 +3482,8 @@
|
||||
"php": "8.1 - 8.5"
|
||||
},
|
||||
"require-dev": {
|
||||
"nette/tester": "^2.5.2",
|
||||
"phpstan/phpstan-nette": "^2.0@stable",
|
||||
"nette/tester": "^2.6",
|
||||
"phpstan/phpstan": "^2.0@stable",
|
||||
"tracy/tracy": "^2.8"
|
||||
},
|
||||
"type": "library",
|
||||
@@ -3463,22 +3524,22 @@
|
||||
],
|
||||
"support": {
|
||||
"issues": "https://github.com/nette/schema/issues",
|
||||
"source": "https://github.com/nette/schema/tree/v1.3.3"
|
||||
"source": "https://github.com/nette/schema/tree/v1.3.4"
|
||||
},
|
||||
"time": "2025-10-30T22:57:59+00:00"
|
||||
"time": "2026-02-08T02:54:00+00:00"
|
||||
},
|
||||
{
|
||||
"name": "nette/utils",
|
||||
"version": "v4.1.1",
|
||||
"version": "v4.1.3",
|
||||
"source": {
|
||||
"type": "git",
|
||||
"url": "https://github.com/nette/utils.git",
|
||||
"reference": "c99059c0315591f1a0db7ad6002000288ab8dc72"
|
||||
"reference": "bb3ea637e3d131d72acc033cfc2746ee893349fe"
|
||||
},
|
||||
"dist": {
|
||||
"type": "zip",
|
||||
"url": "https://api.github.com/repos/nette/utils/zipball/c99059c0315591f1a0db7ad6002000288ab8dc72",
|
||||
"reference": "c99059c0315591f1a0db7ad6002000288ab8dc72",
|
||||
"url": "https://api.github.com/repos/nette/utils/zipball/bb3ea637e3d131d72acc033cfc2746ee893349fe",
|
||||
"reference": "bb3ea637e3d131d72acc033cfc2746ee893349fe",
|
||||
"shasum": ""
|
||||
},
|
||||
"require": {
|
||||
@@ -3490,8 +3551,10 @@
|
||||
},
|
||||
"require-dev": {
|
||||
"jetbrains/phpstorm-attributes": "^1.2",
|
||||
"nette/phpstan-rules": "^1.0",
|
||||
"nette/tester": "^2.5",
|
||||
"phpstan/phpstan-nette": "^2.0@stable",
|
||||
"phpstan/extension-installer": "^1.4@stable",
|
||||
"phpstan/phpstan": "^2.1@stable",
|
||||
"tracy/tracy": "^2.9"
|
||||
},
|
||||
"suggest": {
|
||||
@@ -3552,9 +3615,9 @@
|
||||
],
|
||||
"support": {
|
||||
"issues": "https://github.com/nette/utils/issues",
|
||||
"source": "https://github.com/nette/utils/tree/v4.1.1"
|
||||
"source": "https://github.com/nette/utils/tree/v4.1.3"
|
||||
},
|
||||
"time": "2025-12-22T12:14:32+00:00"
|
||||
"time": "2026-02-13T03:05:33+00:00"
|
||||
},
|
||||
{
|
||||
"name": "nikic/php-parser",
|
||||
@@ -3616,31 +3679,31 @@
|
||||
},
|
||||
{
|
||||
"name": "nunomaduro/termwind",
|
||||
"version": "v2.3.3",
|
||||
"version": "v2.4.0",
|
||||
"source": {
|
||||
"type": "git",
|
||||
"url": "https://github.com/nunomaduro/termwind.git",
|
||||
"reference": "6fb2a640ff502caace8e05fd7be3b503a7e1c017"
|
||||
"reference": "712a31b768f5daea284c2169a7d227031001b9a8"
|
||||
},
|
||||
"dist": {
|
||||
"type": "zip",
|
||||
"url": "https://api.github.com/repos/nunomaduro/termwind/zipball/6fb2a640ff502caace8e05fd7be3b503a7e1c017",
|
||||
"reference": "6fb2a640ff502caace8e05fd7be3b503a7e1c017",
|
||||
"url": "https://api.github.com/repos/nunomaduro/termwind/zipball/712a31b768f5daea284c2169a7d227031001b9a8",
|
||||
"reference": "712a31b768f5daea284c2169a7d227031001b9a8",
|
||||
"shasum": ""
|
||||
},
|
||||
"require": {
|
||||
"ext-mbstring": "*",
|
||||
"php": "^8.2",
|
||||
"symfony/console": "^7.3.6"
|
||||
"symfony/console": "^7.4.4 || ^8.0.4"
|
||||
},
|
||||
"require-dev": {
|
||||
"illuminate/console": "^11.46.1",
|
||||
"laravel/pint": "^1.25.1",
|
||||
"illuminate/console": "^11.47.0",
|
||||
"laravel/pint": "^1.27.1",
|
||||
"mockery/mockery": "^1.6.12",
|
||||
"pestphp/pest": "^2.36.0 || ^3.8.4 || ^4.1.3",
|
||||
"pestphp/pest": "^2.36.0 || ^3.8.4 || ^4.3.2",
|
||||
"phpstan/phpstan": "^1.12.32",
|
||||
"phpstan/phpstan-strict-rules": "^1.6.2",
|
||||
"symfony/var-dumper": "^7.3.5",
|
||||
"symfony/var-dumper": "^7.3.5 || ^8.0.4",
|
||||
"thecodingmachine/phpstan-strict-rules": "^1.0.0"
|
||||
},
|
||||
"type": "library",
|
||||
@@ -3672,7 +3735,7 @@
|
||||
"email": "enunomaduro@gmail.com"
|
||||
}
|
||||
],
|
||||
"description": "Its like Tailwind CSS, but for the console.",
|
||||
"description": "It's like Tailwind CSS, but for the console.",
|
||||
"keywords": [
|
||||
"cli",
|
||||
"console",
|
||||
@@ -3683,7 +3746,7 @@
|
||||
],
|
||||
"support": {
|
||||
"issues": "https://github.com/nunomaduro/termwind/issues",
|
||||
"source": "https://github.com/nunomaduro/termwind/tree/v2.3.3"
|
||||
"source": "https://github.com/nunomaduro/termwind/tree/v2.4.0"
|
||||
},
|
||||
"funding": [
|
||||
{
|
||||
@@ -3699,7 +3762,7 @@
|
||||
"type": "github"
|
||||
}
|
||||
],
|
||||
"time": "2025-11-20T02:34:59+00:00"
|
||||
"time": "2026-02-16T23:10:27+00:00"
|
||||
},
|
||||
{
|
||||
"name": "onelogin/php-saml",
|
||||
@@ -4123,16 +4186,16 @@
|
||||
},
|
||||
{
|
||||
"name": "predis/predis",
|
||||
"version": "v3.3.0",
|
||||
"version": "v3.4.0",
|
||||
"source": {
|
||||
"type": "git",
|
||||
"url": "https://github.com/predis/predis.git",
|
||||
"reference": "153097374b39a2f737fe700ebcd725642526cdec"
|
||||
"reference": "1183f5732e6b10efd33f64984a96726eaecb59aa"
|
||||
},
|
||||
"dist": {
|
||||
"type": "zip",
|
||||
"url": "https://api.github.com/repos/predis/predis/zipball/153097374b39a2f737fe700ebcd725642526cdec",
|
||||
"reference": "153097374b39a2f737fe700ebcd725642526cdec",
|
||||
"url": "https://api.github.com/repos/predis/predis/zipball/1183f5732e6b10efd33f64984a96726eaecb59aa",
|
||||
"reference": "1183f5732e6b10efd33f64984a96726eaecb59aa",
|
||||
"shasum": ""
|
||||
},
|
||||
"require": {
|
||||
@@ -4174,7 +4237,7 @@
|
||||
],
|
||||
"support": {
|
||||
"issues": "https://github.com/predis/predis/issues",
|
||||
"source": "https://github.com/predis/predis/tree/v3.3.0"
|
||||
"source": "https://github.com/predis/predis/tree/v3.4.0"
|
||||
},
|
||||
"funding": [
|
||||
{
|
||||
@@ -4182,7 +4245,7 @@
|
||||
"type": "github"
|
||||
}
|
||||
],
|
||||
"time": "2025-11-24T17:48:50+00:00"
|
||||
"time": "2026-02-11T17:30:28+00:00"
|
||||
},
|
||||
{
|
||||
"name": "psr/clock",
|
||||
@@ -4598,16 +4661,16 @@
|
||||
},
|
||||
{
|
||||
"name": "psy/psysh",
|
||||
"version": "v0.12.18",
|
||||
"version": "v0.12.20",
|
||||
"source": {
|
||||
"type": "git",
|
||||
"url": "https://github.com/bobthecow/psysh.git",
|
||||
"reference": "ddff0ac01beddc251786fe70367cd8bbdb258196"
|
||||
"reference": "19678eb6b952a03b8a1d96ecee9edba518bb0373"
|
||||
},
|
||||
"dist": {
|
||||
"type": "zip",
|
||||
"url": "https://api.github.com/repos/bobthecow/psysh/zipball/ddff0ac01beddc251786fe70367cd8bbdb258196",
|
||||
"reference": "ddff0ac01beddc251786fe70367cd8bbdb258196",
|
||||
"url": "https://api.github.com/repos/bobthecow/psysh/zipball/19678eb6b952a03b8a1d96ecee9edba518bb0373",
|
||||
"reference": "19678eb6b952a03b8a1d96ecee9edba518bb0373",
|
||||
"shasum": ""
|
||||
},
|
||||
"require": {
|
||||
@@ -4671,9 +4734,9 @@
|
||||
],
|
||||
"support": {
|
||||
"issues": "https://github.com/bobthecow/psysh/issues",
|
||||
"source": "https://github.com/bobthecow/psysh/tree/v0.12.18"
|
||||
"source": "https://github.com/bobthecow/psysh/tree/v0.12.20"
|
||||
},
|
||||
"time": "2025-12-17T14:35:46+00:00"
|
||||
"time": "2026-02-11T15:05:28+00:00"
|
||||
},
|
||||
{
|
||||
"name": "ralouphie/getallheaders",
|
||||
@@ -7930,16 +7993,16 @@
|
||||
},
|
||||
{
|
||||
"name": "thecodingmachine/safe",
|
||||
"version": "v3.3.0",
|
||||
"version": "v3.4.0",
|
||||
"source": {
|
||||
"type": "git",
|
||||
"url": "https://github.com/thecodingmachine/safe.git",
|
||||
"reference": "2cdd579eeaa2e78e51c7509b50cc9fb89a956236"
|
||||
"reference": "705683a25bacf0d4860c7dea4d7947bfd09eea19"
|
||||
},
|
||||
"dist": {
|
||||
"type": "zip",
|
||||
"url": "https://api.github.com/repos/thecodingmachine/safe/zipball/2cdd579eeaa2e78e51c7509b50cc9fb89a956236",
|
||||
"reference": "2cdd579eeaa2e78e51c7509b50cc9fb89a956236",
|
||||
"url": "https://api.github.com/repos/thecodingmachine/safe/zipball/705683a25bacf0d4860c7dea4d7947bfd09eea19",
|
||||
"reference": "705683a25bacf0d4860c7dea4d7947bfd09eea19",
|
||||
"shasum": ""
|
||||
},
|
||||
"require": {
|
||||
@@ -8049,7 +8112,7 @@
|
||||
"description": "PHP core functions that throw exceptions instead of returning FALSE on error",
|
||||
"support": {
|
||||
"issues": "https://github.com/thecodingmachine/safe/issues",
|
||||
"source": "https://github.com/thecodingmachine/safe/tree/v3.3.0"
|
||||
"source": "https://github.com/thecodingmachine/safe/tree/v3.4.0"
|
||||
},
|
||||
"funding": [
|
||||
{
|
||||
@@ -8060,12 +8123,16 @@
|
||||
"url": "https://github.com/shish",
|
||||
"type": "github"
|
||||
},
|
||||
{
|
||||
"url": "https://github.com/silasjoisten",
|
||||
"type": "github"
|
||||
},
|
||||
{
|
||||
"url": "https://github.com/staabm",
|
||||
"type": "github"
|
||||
}
|
||||
],
|
||||
"time": "2025-05-14T06:15:44+00:00"
|
||||
"time": "2026-02-04T18:08:13+00:00"
|
||||
},
|
||||
{
|
||||
"name": "tijsverkoyen/css-to-inline-styles",
|
||||
@@ -8279,6 +8346,66 @@
|
||||
}
|
||||
],
|
||||
"time": "2024-11-21T01:49:47+00:00"
|
||||
},
|
||||
{
|
||||
"name": "xemlock/htmlpurifier-html5",
|
||||
"version": "v0.1.12",
|
||||
"source": {
|
||||
"type": "git",
|
||||
"url": "https://github.com/xemlock/htmlpurifier-html5.git",
|
||||
"reference": "535349cb160bf79752920e1e83c4a94c3e7d2b21"
|
||||
},
|
||||
"dist": {
|
||||
"type": "zip",
|
||||
"url": "https://api.github.com/repos/xemlock/htmlpurifier-html5/zipball/535349cb160bf79752920e1e83c4a94c3e7d2b21",
|
||||
"reference": "535349cb160bf79752920e1e83c4a94c3e7d2b21",
|
||||
"shasum": ""
|
||||
},
|
||||
"require": {
|
||||
"ezyang/htmlpurifier": "^4.8",
|
||||
"php": ">=5.3"
|
||||
},
|
||||
"require-dev": {
|
||||
"masterminds/html5": "^2.7",
|
||||
"php-coveralls/php-coveralls": "^1.1|^2.1",
|
||||
"phpunit/phpunit": ">=4.7 <10.0"
|
||||
},
|
||||
"suggest": {
|
||||
"masterminds/html5": "Required to use HTMLPurifier_Lexer_HTML5"
|
||||
},
|
||||
"type": "library",
|
||||
"autoload": {
|
||||
"classmap": [
|
||||
"library/HTMLPurifier/"
|
||||
]
|
||||
},
|
||||
"notification-url": "https://packagist.org/downloads/",
|
||||
"license": [
|
||||
"MIT"
|
||||
],
|
||||
"authors": [
|
||||
{
|
||||
"name": "xemlock",
|
||||
"email": "xemlock@gmail.com"
|
||||
}
|
||||
],
|
||||
"description": "HTML5 support for HTML Purifier",
|
||||
"homepage": "https://github.com/xemlock/htmlpurifier-html5",
|
||||
"keywords": [
|
||||
"HTML5",
|
||||
"Purifier",
|
||||
"html",
|
||||
"htmlpurifier",
|
||||
"security",
|
||||
"tidy",
|
||||
"validator",
|
||||
"xss"
|
||||
],
|
||||
"support": {
|
||||
"issues": "https://github.com/xemlock/htmlpurifier-html5/issues",
|
||||
"source": "https://github.com/xemlock/htmlpurifier-html5/tree/v0.1.12"
|
||||
},
|
||||
"time": "2026-02-09T21:03:14+00:00"
|
||||
}
|
||||
],
|
||||
"packages-dev": [
|
||||
@@ -8469,16 +8596,16 @@
|
||||
},
|
||||
{
|
||||
"name": "iamcal/sql-parser",
|
||||
"version": "v0.6",
|
||||
"version": "v0.7",
|
||||
"source": {
|
||||
"type": "git",
|
||||
"url": "https://github.com/iamcal/SQLParser.git",
|
||||
"reference": "947083e2dca211a6f12fb1beb67a01e387de9b62"
|
||||
"reference": "610392f38de49a44dab08dc1659960a29874c4b8"
|
||||
},
|
||||
"dist": {
|
||||
"type": "zip",
|
||||
"url": "https://api.github.com/repos/iamcal/SQLParser/zipball/947083e2dca211a6f12fb1beb67a01e387de9b62",
|
||||
"reference": "947083e2dca211a6f12fb1beb67a01e387de9b62",
|
||||
"url": "https://api.github.com/repos/iamcal/SQLParser/zipball/610392f38de49a44dab08dc1659960a29874c4b8",
|
||||
"reference": "610392f38de49a44dab08dc1659960a29874c4b8",
|
||||
"shasum": ""
|
||||
},
|
||||
"require-dev": {
|
||||
@@ -8504,9 +8631,9 @@
|
||||
"description": "MySQL schema parser",
|
||||
"support": {
|
||||
"issues": "https://github.com/iamcal/SQLParser/issues",
|
||||
"source": "https://github.com/iamcal/SQLParser/tree/v0.6"
|
||||
"source": "https://github.com/iamcal/SQLParser/tree/v0.7"
|
||||
},
|
||||
"time": "2025-03-17T16:59:46+00:00"
|
||||
"time": "2026-01-28T22:20:33+00:00"
|
||||
},
|
||||
{
|
||||
"name": "itsgoingd/clockwork",
|
||||
@@ -8586,21 +8713,21 @@
|
||||
},
|
||||
{
|
||||
"name": "larastan/larastan",
|
||||
"version": "v3.9.1",
|
||||
"version": "v3.9.2",
|
||||
"source": {
|
||||
"type": "git",
|
||||
"url": "https://github.com/larastan/larastan.git",
|
||||
"reference": "4b92d9627f779fd32bdc16f53f8ce88c50446ff5"
|
||||
"reference": "2e9ed291bdc1969e7f270fb33c9cdf3c912daeb2"
|
||||
},
|
||||
"dist": {
|
||||
"type": "zip",
|
||||
"url": "https://api.github.com/repos/larastan/larastan/zipball/4b92d9627f779fd32bdc16f53f8ce88c50446ff5",
|
||||
"reference": "4b92d9627f779fd32bdc16f53f8ce88c50446ff5",
|
||||
"url": "https://api.github.com/repos/larastan/larastan/zipball/2e9ed291bdc1969e7f270fb33c9cdf3c912daeb2",
|
||||
"reference": "2e9ed291bdc1969e7f270fb33c9cdf3c912daeb2",
|
||||
"shasum": ""
|
||||
},
|
||||
"require": {
|
||||
"ext-json": "*",
|
||||
"iamcal/sql-parser": "^0.6.0",
|
||||
"iamcal/sql-parser": "^0.7.0",
|
||||
"illuminate/console": "^11.44.2 || ^12.4.1",
|
||||
"illuminate/container": "^11.44.2 || ^12.4.1",
|
||||
"illuminate/contracts": "^11.44.2 || ^12.4.1",
|
||||
@@ -8664,7 +8791,7 @@
|
||||
],
|
||||
"support": {
|
||||
"issues": "https://github.com/larastan/larastan/issues",
|
||||
"source": "https://github.com/larastan/larastan/tree/v3.9.1"
|
||||
"source": "https://github.com/larastan/larastan/tree/v3.9.2"
|
||||
},
|
||||
"funding": [
|
||||
{
|
||||
@@ -8672,7 +8799,7 @@
|
||||
"type": "github"
|
||||
}
|
||||
],
|
||||
"time": "2026-01-21T09:15:17+00:00"
|
||||
"time": "2026-01-30T15:16:32+00:00"
|
||||
},
|
||||
{
|
||||
"name": "mockery/mockery",
|
||||
@@ -8819,39 +8946,36 @@
|
||||
},
|
||||
{
|
||||
"name": "nunomaduro/collision",
|
||||
"version": "v8.8.3",
|
||||
"version": "v8.9.0",
|
||||
"source": {
|
||||
"type": "git",
|
||||
"url": "https://github.com/nunomaduro/collision.git",
|
||||
"reference": "1dc9e88d105699d0fee8bb18890f41b274f6b4c4"
|
||||
"reference": "f52cab234f37641bd759c0ad56de17f632851419"
|
||||
},
|
||||
"dist": {
|
||||
"type": "zip",
|
||||
"url": "https://api.github.com/repos/nunomaduro/collision/zipball/1dc9e88d105699d0fee8bb18890f41b274f6b4c4",
|
||||
"reference": "1dc9e88d105699d0fee8bb18890f41b274f6b4c4",
|
||||
"url": "https://api.github.com/repos/nunomaduro/collision/zipball/f52cab234f37641bd759c0ad56de17f632851419",
|
||||
"reference": "f52cab234f37641bd759c0ad56de17f632851419",
|
||||
"shasum": ""
|
||||
},
|
||||
"require": {
|
||||
"filp/whoops": "^2.18.1",
|
||||
"nunomaduro/termwind": "^2.3.1",
|
||||
"filp/whoops": "^2.18.4",
|
||||
"nunomaduro/termwind": "^2.3.3",
|
||||
"php": "^8.2.0",
|
||||
"symfony/console": "^7.3.0"
|
||||
"symfony/console": "^7.4.4 || ^8.0.4"
|
||||
},
|
||||
"conflict": {
|
||||
"laravel/framework": "<11.44.2 || >=13.0.0",
|
||||
"phpunit/phpunit": "<11.5.15 || >=13.0.0"
|
||||
"laravel/framework": "<11.48.0 || >=14.0.0",
|
||||
"phpunit/phpunit": "<11.5.50 || >=13.0.0"
|
||||
},
|
||||
"require-dev": {
|
||||
"brianium/paratest": "^7.8.3",
|
||||
"larastan/larastan": "^3.4.2",
|
||||
"laravel/framework": "^11.44.2 || ^12.18",
|
||||
"laravel/pint": "^1.22.1",
|
||||
"laravel/sail": "^1.43.1",
|
||||
"laravel/sanctum": "^4.1.1",
|
||||
"laravel/tinker": "^2.10.1",
|
||||
"orchestra/testbench-core": "^9.12.0 || ^10.4",
|
||||
"pestphp/pest": "^3.8.2 || ^4.0.0",
|
||||
"sebastian/environment": "^7.2.1 || ^8.0"
|
||||
"brianium/paratest": "^7.8.5",
|
||||
"larastan/larastan": "^3.9.2",
|
||||
"laravel/framework": "^11.48.0 || ^12.51.0",
|
||||
"laravel/pint": "^1.27.1",
|
||||
"orchestra/testbench-core": "^9.12.0 || ^10.9.0",
|
||||
"pestphp/pest": "^3.8.5 || ^4.3.2",
|
||||
"sebastian/environment": "^7.2.1 || ^8.0.3"
|
||||
},
|
||||
"type": "library",
|
||||
"extra": {
|
||||
@@ -8914,7 +9038,7 @@
|
||||
"type": "patreon"
|
||||
}
|
||||
],
|
||||
"time": "2025-11-20T02:55:25+00:00"
|
||||
"time": "2026-02-16T23:05:52+00:00"
|
||||
},
|
||||
{
|
||||
"name": "phar-io/manifest",
|
||||
@@ -9036,11 +9160,11 @@
|
||||
},
|
||||
{
|
||||
"name": "phpstan/phpstan",
|
||||
"version": "2.1.37",
|
||||
"version": "2.1.39",
|
||||
"dist": {
|
||||
"type": "zip",
|
||||
"url": "https://api.github.com/repos/phpstan/phpstan/zipball/28cd424c5ea984128c95cfa7ea658808e8954e49",
|
||||
"reference": "28cd424c5ea984128c95cfa7ea658808e8954e49",
|
||||
"url": "https://api.github.com/repos/phpstan/phpstan/zipball/c6f73a2af4cbcd99c931d0fb8f08548cc0fa8224",
|
||||
"reference": "c6f73a2af4cbcd99c931d0fb8f08548cc0fa8224",
|
||||
"shasum": ""
|
||||
},
|
||||
"require": {
|
||||
@@ -9085,7 +9209,7 @@
|
||||
"type": "github"
|
||||
}
|
||||
],
|
||||
"time": "2026-01-24T08:21:55+00:00"
|
||||
"time": "2026-02-11T14:48:56+00:00"
|
||||
},
|
||||
{
|
||||
"name": "phpunit/php-code-coverage",
|
||||
@@ -9179,28 +9303,28 @@
|
||||
},
|
||||
{
|
||||
"name": "phpunit/php-file-iterator",
|
||||
"version": "5.1.0",
|
||||
"version": "5.1.1",
|
||||
"source": {
|
||||
"type": "git",
|
||||
"url": "https://github.com/sebastianbergmann/php-file-iterator.git",
|
||||
"reference": "118cfaaa8bc5aef3287bf315b6060b1174754af6"
|
||||
"reference": "2f3a64888c814fc235386b7387dd5b5ed92ad903"
|
||||
},
|
||||
"dist": {
|
||||
"type": "zip",
|
||||
"url": "https://api.github.com/repos/sebastianbergmann/php-file-iterator/zipball/118cfaaa8bc5aef3287bf315b6060b1174754af6",
|
||||
"reference": "118cfaaa8bc5aef3287bf315b6060b1174754af6",
|
||||
"url": "https://api.github.com/repos/sebastianbergmann/php-file-iterator/zipball/2f3a64888c814fc235386b7387dd5b5ed92ad903",
|
||||
"reference": "2f3a64888c814fc235386b7387dd5b5ed92ad903",
|
||||
"shasum": ""
|
||||
},
|
||||
"require": {
|
||||
"php": ">=8.2"
|
||||
},
|
||||
"require-dev": {
|
||||
"phpunit/phpunit": "^11.0"
|
||||
"phpunit/phpunit": "^11.3"
|
||||
},
|
||||
"type": "library",
|
||||
"extra": {
|
||||
"branch-alias": {
|
||||
"dev-main": "5.0-dev"
|
||||
"dev-main": "5.1-dev"
|
||||
}
|
||||
},
|
||||
"autoload": {
|
||||
@@ -9228,15 +9352,27 @@
|
||||
"support": {
|
||||
"issues": "https://github.com/sebastianbergmann/php-file-iterator/issues",
|
||||
"security": "https://github.com/sebastianbergmann/php-file-iterator/security/policy",
|
||||
"source": "https://github.com/sebastianbergmann/php-file-iterator/tree/5.1.0"
|
||||
"source": "https://github.com/sebastianbergmann/php-file-iterator/tree/5.1.1"
|
||||
},
|
||||
"funding": [
|
||||
{
|
||||
"url": "https://github.com/sebastianbergmann",
|
||||
"type": "github"
|
||||
},
|
||||
{
|
||||
"url": "https://liberapay.com/sebastianbergmann",
|
||||
"type": "liberapay"
|
||||
},
|
||||
{
|
||||
"url": "https://thanks.dev/u/gh/sebastianbergmann",
|
||||
"type": "thanks_dev"
|
||||
},
|
||||
{
|
||||
"url": "https://tidelift.com/funding/github/packagist/phpunit/php-file-iterator",
|
||||
"type": "tidelift"
|
||||
}
|
||||
],
|
||||
"time": "2024-08-27T05:02:59+00:00"
|
||||
"time": "2026-02-02T13:52:54+00:00"
|
||||
},
|
||||
{
|
||||
"name": "phpunit/php-invoker",
|
||||
@@ -9424,16 +9560,16 @@
|
||||
},
|
||||
{
|
||||
"name": "phpunit/phpunit",
|
||||
"version": "11.5.50",
|
||||
"version": "11.5.53",
|
||||
"source": {
|
||||
"type": "git",
|
||||
"url": "https://github.com/sebastianbergmann/phpunit.git",
|
||||
"reference": "fdfc727f0fcacfeb8fcb30c7e5da173125b58be3"
|
||||
"reference": "a997a653a82845f1240d73ee73a8a4e97e4b0607"
|
||||
},
|
||||
"dist": {
|
||||
"type": "zip",
|
||||
"url": "https://api.github.com/repos/sebastianbergmann/phpunit/zipball/fdfc727f0fcacfeb8fcb30c7e5da173125b58be3",
|
||||
"reference": "fdfc727f0fcacfeb8fcb30c7e5da173125b58be3",
|
||||
"url": "https://api.github.com/repos/sebastianbergmann/phpunit/zipball/a997a653a82845f1240d73ee73a8a4e97e4b0607",
|
||||
"reference": "a997a653a82845f1240d73ee73a8a4e97e4b0607",
|
||||
"shasum": ""
|
||||
},
|
||||
"require": {
|
||||
@@ -9448,7 +9584,7 @@
|
||||
"phar-io/version": "^3.2.1",
|
||||
"php": ">=8.2",
|
||||
"phpunit/php-code-coverage": "^11.0.12",
|
||||
"phpunit/php-file-iterator": "^5.1.0",
|
||||
"phpunit/php-file-iterator": "^5.1.1",
|
||||
"phpunit/php-invoker": "^5.0.1",
|
||||
"phpunit/php-text-template": "^4.0.1",
|
||||
"phpunit/php-timer": "^7.0.1",
|
||||
@@ -9460,6 +9596,7 @@
|
||||
"sebastian/exporter": "^6.3.2",
|
||||
"sebastian/global-state": "^7.0.2",
|
||||
"sebastian/object-enumerator": "^6.0.1",
|
||||
"sebastian/recursion-context": "^6.0.3",
|
||||
"sebastian/type": "^5.1.3",
|
||||
"sebastian/version": "^5.0.2",
|
||||
"staabm/side-effects-detector": "^1.0.5"
|
||||
@@ -9505,7 +9642,7 @@
|
||||
"support": {
|
||||
"issues": "https://github.com/sebastianbergmann/phpunit/issues",
|
||||
"security": "https://github.com/sebastianbergmann/phpunit/security/policy",
|
||||
"source": "https://github.com/sebastianbergmann/phpunit/tree/11.5.50"
|
||||
"source": "https://github.com/sebastianbergmann/phpunit/tree/11.5.53"
|
||||
},
|
||||
"funding": [
|
||||
{
|
||||
@@ -9529,7 +9666,7 @@
|
||||
"type": "tidelift"
|
||||
}
|
||||
],
|
||||
"time": "2026-01-27T05:59:18+00:00"
|
||||
"time": "2026-02-10T12:28:25+00:00"
|
||||
},
|
||||
{
|
||||
"name": "sebastian/cli-parser",
|
||||
|
||||
@@ -1 +1 @@
|
||||
62a5824a1a12ba387aefe5d1e09cb90afd20d61cb84c7ac78b62de729e8baf2a
|
||||
52295e0eb95cb07da14e4d794b8b44371e37052ffed98362341a686a02c10389
|
||||
@@ -98,6 +98,13 @@ Copyright: Copyright (c) 2013-2023 Eduardo Gulias Davis
|
||||
Source: https://github.com/egulias/EmailValidator.git
|
||||
Link: https://github.com/egulias/EmailValidator
|
||||
-----------
|
||||
ezyang/htmlpurifier
|
||||
License: LGPL-2.1-or-later
|
||||
License File: vendor/ezyang/htmlpurifier/LICENSE
|
||||
Copyright: Copyright (C) 1991, 1999 Free Software Foundation, Inc.
|
||||
Source: https://github.com/ezyang/htmlpurifier.git
|
||||
Link: http://htmlpurifier.org/
|
||||
-----------
|
||||
firebase/php-jwt
|
||||
License: BSD-3-Clause
|
||||
License File: vendor/firebase/php-jwt/LICENSE
|
||||
@@ -465,7 +472,7 @@ Link: https://github.com/php-fig/simple-cache.git
|
||||
psy/psysh
|
||||
License: MIT
|
||||
License File: vendor/psy/psysh/LICENSE
|
||||
Copyright: Copyright (c) 2012-2025 Justin Hileman
|
||||
Copyright: Copyright (c) 2012-2026 Justin Hileman
|
||||
Source: https://github.com/bobthecow/psysh.git
|
||||
Link: https://psysh.org
|
||||
-----------
|
||||
@@ -787,3 +794,10 @@ License File: vendor/voku/portable-ascii/LICENSE.txt
|
||||
Copyright: Copyright (C) 2019 Lars Moelleken
|
||||
Source: https://github.com/voku/portable-ascii.git
|
||||
Link: https://github.com/voku/portable-ascii
|
||||
-----------
|
||||
xemlock/htmlpurifier-html5
|
||||
License: MIT
|
||||
License File: vendor/xemlock/htmlpurifier-html5/LICENSE
|
||||
Copyright: Copyright (c) 2015 Xemlock
|
||||
Source: https://github.com/xemlock/htmlpurifier-html5.git
|
||||
Link: https://github.com/xemlock/htmlpurifier-html5
|
||||
|
||||
@@ -34,6 +34,7 @@
|
||||
<server name="AUTH_AUTO_INITIATE" value="false"/>
|
||||
<server name="DISABLE_EXTERNAL_SERVICES" value="true"/>
|
||||
<server name="ALLOW_UNTRUSTED_SERVER_FETCHING" value="false"/>
|
||||
<server name="CONTENT_FILTERING" value="jhfa"/>
|
||||
<server name="ALLOW_CONTENT_SCRIPTS" value="false"/>
|
||||
<server name="AVATAR_URL" value=""/>
|
||||
<server name="LDAP_START_TLS" value="false"/>
|
||||
|
||||
@@ -155,7 +155,7 @@ The website which contains the project docs & blog can be found in the [BookStac
|
||||
The BookStack source is provided under the [MIT License](https://github.com/BookStackApp/BookStack/blob/development/LICENSE).
|
||||
|
||||
The libraries used by, and included with, BookStack are provided under their own licenses and copyright.
|
||||
The licenses for many of our core dependencies can be found in the attribution list below but this is not an exhaustive list of all projects used within BookStack.
|
||||
The licenses for many of our core dependencies can be found in the attribution list below, but this is not an exhaustive list of all projects used within BookStack.
|
||||
|
||||
## 👪 Attribution
|
||||
|
||||
@@ -187,5 +187,6 @@ Note: This is not an exhaustive list of all libraries and projects that would be
|
||||
* [PHPStan](https://phpstan.org/) & [Larastan](https://github.com/nunomaduro/larastan) - _[MIT](https://github.com/phpstan/phpstan/blob/master/LICENSE) and [MIT](https://github.com/nunomaduro/larastan/blob/master/LICENSE.md)_
|
||||
* [PHP_CodeSniffer](https://github.com/squizlabs/PHP_CodeSniffer) - _[BSD 3-Clause](https://github.com/squizlabs/PHP_CodeSniffer/blob/master/licence.txt)_
|
||||
* [JakeArchibald/IDB-Keyval](https://github.com/jakearchibald/idb-keyval) - _[Apache-2.0](https://github.com/jakearchibald/idb-keyval/blob/main/LICENCE)_
|
||||
* [HTML Purifier](https://github.com/ezyang/htmlpurifier) and [htmlpurifier-html5](https://github.com/xemlock/htmlpurifier-html5) - _[LGPL-2.1](https://github.com/ezyang/htmlpurifier/blob/master/LICENSE) and [MIT](https://github.com/xemlock/htmlpurifier-html5/blob/master/LICENSE)_
|
||||
|
||||
For a detailed breakdown of the JavaScript & PHP projects imported & used via NPM & composer package managers, along with their licenses, please see the [dev/licensing/js-library-licenses.txt](dev/licensing/js-library-licenses.txt) and [dev/licensing/php-library-licenses.txt](dev/licensing/php-library-licenses.txt) files.
|
||||
For a detailed breakdown of the JavaScript & PHP projects imported and used via NPM & composer package managers, along with their licenses, please see the [dev/licensing/js-library-licenses.txt](dev/licensing/js-library-licenses.txt) and [dev/licensing/php-library-licenses.txt](dev/licensing/php-library-licenses.txt) files.
|
||||
1
storage/framework/.gitignore
vendored
1
storage/framework/.gitignore
vendored
@@ -7,3 +7,4 @@ routes.php
|
||||
routes.scanned.php
|
||||
schedule-*
|
||||
services.json
|
||||
purifier/
|
||||
|
||||
480
tests/Entity/PageContentFilteringTest.php
Normal file
480
tests/Entity/PageContentFilteringTest.php
Normal file
@@ -0,0 +1,480 @@
|
||||
<?php
|
||||
|
||||
namespace Tests\Entity;
|
||||
|
||||
use Tests\TestCase;
|
||||
|
||||
class PageContentFilteringTest extends TestCase
|
||||
{
|
||||
public function test_page_content_scripts_removed_by_default()
|
||||
{
|
||||
$this->asEditor();
|
||||
$page = $this->entities->page();
|
||||
$script = 'abc123<script>console.log("hello-test")</script>abc123';
|
||||
$page->html = "escape {$script}";
|
||||
$page->save();
|
||||
|
||||
$pageView = $this->get($page->getUrl());
|
||||
$pageView->assertStatus(200);
|
||||
$pageView->assertDontSee($script, false);
|
||||
$pageView->assertSee('abc123abc123');
|
||||
}
|
||||
|
||||
public function test_more_complex_content_script_escaping_scenarios()
|
||||
{
|
||||
config()->set('app.content_filtering', 'j');
|
||||
|
||||
$checks = [
|
||||
"<p>Some script</p><script>alert('cat')</script>",
|
||||
"<div><div><div><div><p>Some script</p><script>alert('cat')</script></div></div></div></div>",
|
||||
"<p>Some script<script>alert('cat')</script></p>",
|
||||
"<p>Some script <div><script>alert('cat')</script></div></p>",
|
||||
"<p>Some script <script><div>alert('cat')</script></div></p>",
|
||||
"<p>Some script <script><div>alert('cat')</script><script><div>alert('cat')</script></p><script><div>alert('cat')</script>",
|
||||
];
|
||||
|
||||
$this->asEditor();
|
||||
$page = $this->entities->page();
|
||||
|
||||
foreach ($checks as $check) {
|
||||
$page->html = $check;
|
||||
$page->save();
|
||||
|
||||
$pageView = $this->get($page->getUrl());
|
||||
$pageView->assertStatus(200);
|
||||
$this->withHtml($pageView)->assertElementNotContains('.page-content', '<script>');
|
||||
$this->withHtml($pageView)->assertElementNotContains('.page-content', '</script>');
|
||||
}
|
||||
}
|
||||
|
||||
public function test_js_and_base64_src_urls_are_removed()
|
||||
{
|
||||
config()->set('app.content_filtering', 'j');
|
||||
|
||||
$checks = [
|
||||
'<iframe src="javascript:alert(document.cookie)"></iframe>',
|
||||
'<iframe src="JavAScRipT:alert(document.cookie)"></iframe>',
|
||||
'<iframe src="JavAScRipT:alert(document.cookie)"></iframe>',
|
||||
'<iframe SRC=" javascript: alert(document.cookie)"></iframe>',
|
||||
'<iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg==" frameborder="0"></iframe>',
|
||||
'<iframe src="DaTa:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg==" frameborder="0"></iframe>',
|
||||
'<iframe src=" data:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg==" frameborder="0"></iframe>',
|
||||
'<img src="javascript:alert(document.cookie)"/>',
|
||||
'<img src="JavAScRipT:alert(document.cookie)"/>',
|
||||
'<img src="JavAScRipT:alert(document.cookie)"/>',
|
||||
'<img SRC=" javascript: alert(document.cookie)"/>',
|
||||
'<img src="data:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg=="/>',
|
||||
'<img src="DaTa:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg=="/>',
|
||||
'<img src=" data:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg=="/>',
|
||||
'<iframe srcdoc="<script>window.alert(document.cookie)</script>"></iframe>',
|
||||
'<iframe SRCdoc="<script>window.alert(document.cookie)</script>"></iframe>',
|
||||
'<IMG SRC=`javascript:alert("RSnake says, \'XSS\'")`>',
|
||||
'<object data="javascript:alert(document.cookie)"></object>',
|
||||
'<object data="JavAScRipT:alert(document.cookie)"></object>',
|
||||
'<object data="JavAScRipT:alert(document.cookie)"></object>',
|
||||
'<object SRC=" javascript: alert(document.cookie)"></object>',
|
||||
'<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg==" frameborder="0"></object>',
|
||||
'<object data="DaTa:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg==" frameborder="0"></object>',
|
||||
'<object data=" data:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg==" frameborder="0"></object>',
|
||||
'<embed src="javascript:alert(document.cookie)"/>',
|
||||
'<embed src="JavAScRipT:alert(document.cookie)"/>',
|
||||
'<embed src="JavAScRipT:alert(document.cookie)"/>',
|
||||
'<embed SRC=" javascript: alert(document.cookie)"/>',
|
||||
'<embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg=="/>',
|
||||
'<embed src="DaTa:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg=="/>',
|
||||
'<embed src=" data:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg=="/>',
|
||||
];
|
||||
|
||||
$this->asEditor();
|
||||
$page = $this->entities->page();
|
||||
|
||||
foreach ($checks as $check) {
|
||||
$page->html = $check;
|
||||
$page->save();
|
||||
|
||||
$pageView = $this->get($page->getUrl());
|
||||
$pageView->assertStatus(200);
|
||||
$html = $this->withHtml($pageView);
|
||||
$html->assertElementNotContains('.page-content', '<object');
|
||||
$html->assertElementNotContains('.page-content', 'data=');
|
||||
$html->assertElementNotContains('.page-content', '<iframe>');
|
||||
$html->assertElementNotContains('.page-content', '<img');
|
||||
$html->assertElementNotContains('.page-content', '</iframe>');
|
||||
$html->assertElementNotContains('.page-content', 'src=');
|
||||
$html->assertElementNotContains('.page-content', 'javascript:');
|
||||
$html->assertElementNotContains('.page-content', 'data:');
|
||||
$html->assertElementNotContains('.page-content', 'base64');
|
||||
}
|
||||
}
|
||||
|
||||
public function test_javascript_uri_links_are_removed()
|
||||
{
|
||||
config()->set('app.content_filtering', 'j');
|
||||
|
||||
$checks = [
|
||||
'<a id="xss" href="javascript:alert(document.cookie)>Click me</a>',
|
||||
'<a id="xss" href="javascript: alert(document.cookie)>Click me</a>',
|
||||
'<a id="xss" href="JaVaScRiPt: alert(document.cookie)>Click me</a>',
|
||||
'<a id="xss" href=" JaVaScRiPt: alert(document.cookie)>Click me</a>',
|
||||
];
|
||||
|
||||
$this->asEditor();
|
||||
$page = $this->entities->page();
|
||||
|
||||
foreach ($checks as $check) {
|
||||
$page->html = $check;
|
||||
$page->save();
|
||||
|
||||
$pageView = $this->get($page->getUrl());
|
||||
$pageView->assertStatus(200);
|
||||
$this->withHtml($pageView)->assertElementNotContains('.page-content', '<a id="xss"');
|
||||
$this->withHtml($pageView)->assertElementNotContains('.page-content', 'href=javascript:');
|
||||
}
|
||||
}
|
||||
|
||||
public function test_form_filtering_is_controlled_by_config()
|
||||
{
|
||||
config()->set('app.content_filtering', '');
|
||||
$page = $this->entities->page();
|
||||
$page->html = '<form><input type="text" id="dont-see-this" value="test"></form>';
|
||||
$page->save();
|
||||
|
||||
$this->asEditor()->get($page->getUrl())->assertSee('dont-see-this', false);
|
||||
|
||||
config()->set('app.content_filtering', 'f');
|
||||
$this->get($page->getUrl())->assertDontSee('dont-see-this', false);
|
||||
}
|
||||
|
||||
public function test_form_actions_with_javascript_are_removed()
|
||||
{
|
||||
config()->set('app.content_filtering', 'j');
|
||||
|
||||
$checks = [
|
||||
'<customform><custominput id="xss" type=submit formaction=javascript:alert(document.domain) value=Submit><custominput></customform>',
|
||||
'<customform ><custombutton id="xss" formaction="JaVaScRiPt:alert(document.domain)">Click me</custombutton></customform>',
|
||||
'<customform ><custombutton id="xss" formaction=javascript:alert(document.domain)>Click me</custombutton></customform>',
|
||||
'<customform id="xss" action=javascript:alert(document.domain)><input type=submit value=Submit></customform>',
|
||||
'<customform id="xss" action="JaVaScRiPt:alert(document.domain)"><input type=submit value=Submit></customform>',
|
||||
];
|
||||
|
||||
$this->asEditor();
|
||||
$page = $this->entities->page();
|
||||
|
||||
foreach ($checks as $check) {
|
||||
$page->html = $check;
|
||||
$page->save();
|
||||
|
||||
$pageView = $this->get($page->getUrl());
|
||||
$pageView->assertStatus(200);
|
||||
$pageView->assertDontSee('id="xss"', false);
|
||||
$pageView->assertDontSee('action=javascript:', false);
|
||||
$pageView->assertDontSee('action=JaVaScRiPt:', false);
|
||||
$pageView->assertDontSee('formaction=javascript:', false);
|
||||
$pageView->assertDontSee('formaction=JaVaScRiPt:', false);
|
||||
}
|
||||
}
|
||||
|
||||
public function test_form_elements_are_removed()
|
||||
{
|
||||
config()->set('app.content_filtering', 'f');
|
||||
|
||||
$checks = [
|
||||
'<p>thisisacattofind</p><form>thisdogshouldnotbefound</form>',
|
||||
'<p>thisisacattofind</p><input type="text" value="thisdogshouldnotbefound">',
|
||||
'<p>thisisacattofind</p><select><option>thisdogshouldnotbefound</option></select>',
|
||||
'<p>thisisacattofind</p><textarea>thisdogshouldnotbefound</textarea>',
|
||||
'<p>thisisacattofind</p><fieldset>thisdogshouldnotbefound</fieldset>',
|
||||
'<p>thisisacattofind</p><button>thisdogshouldnotbefound</button>',
|
||||
'<p>thisisacattofind</p><BUTTON>thisdogshouldnotbefound</BUTTON>',
|
||||
<<<'TESTCASE'
|
||||
<svg width="200" height="100" xmlns="http://www.w3.org/2000/svg">
|
||||
<foreignObject width="100%" height="100%">
|
||||
|
||||
<body xmlns="http://www.w3.org/1999/xhtml">
|
||||
<p>thisisacattofind</p>
|
||||
<form>
|
||||
<p>thisdogshouldnotbefound</p>
|
||||
</form>
|
||||
<input type="text" placeholder="thisdogshouldnotbefound" />
|
||||
<button type="submit">thisdogshouldnotbefound</button>
|
||||
</body>
|
||||
|
||||
</foreignObject>
|
||||
</svg>
|
||||
TESTCASE
|
||||
|
||||
];
|
||||
|
||||
$this->asEditor();
|
||||
$page = $this->entities->page();
|
||||
|
||||
foreach ($checks as $check) {
|
||||
$page->html = $check;
|
||||
$page->save();
|
||||
|
||||
$pageView = $this->get($page->getUrl());
|
||||
$pageView->assertStatus(200);
|
||||
$pageView->assertSee('thisisacattofind');
|
||||
$pageView->assertDontSee('thisdogshouldnotbefound');
|
||||
}
|
||||
}
|
||||
|
||||
public function test_form_attributes_are_removed()
|
||||
{
|
||||
config()->set('app.content_filtering', 'f');
|
||||
|
||||
$withinSvgSample = <<<'TESTCASE'
|
||||
<svg width="200" height="100" xmlns="http://www.w3.org/2000/svg">
|
||||
<foreignObject width="100%" height="100%">
|
||||
|
||||
<body xmlns="http://www.w3.org/1999/xhtml">
|
||||
<p formaction="a">thisisacattofind</p>
|
||||
<p formaction="a">thisisacattofind</p>
|
||||
</body>
|
||||
|
||||
</foreignObject>
|
||||
</svg>
|
||||
TESTCASE;
|
||||
|
||||
$checks = [
|
||||
'formaction' => '<p formaction="a">thisisacattofind</p>',
|
||||
'form' => '<p form="a">thisisacattofind</p>',
|
||||
'formmethod' => '<p formmethod="a">thisisacattofind</p>',
|
||||
'formtarget' => '<p formtarget="a">thisisacattofind</p>',
|
||||
'FORMTARGET' => '<p FORMTARGET="a">thisisacattofind</p>',
|
||||
];
|
||||
|
||||
$this->asEditor();
|
||||
$page = $this->entities->page();
|
||||
|
||||
foreach ($checks as $attribute => $check) {
|
||||
$page->html = $check;
|
||||
$page->save();
|
||||
|
||||
$pageView = $this->get($page->getUrl());
|
||||
$pageView->assertStatus(200);
|
||||
$pageView->assertSee('thisisacattofind');
|
||||
$this->withHtml($pageView)->assertElementNotExists(".page-content [{$attribute}]");
|
||||
}
|
||||
|
||||
$page->html = $withinSvgSample;
|
||||
$page->save();
|
||||
$pageView = $this->get($page->getUrl());
|
||||
$pageView->assertStatus(200);
|
||||
$html = $this->withHtml($pageView);
|
||||
foreach ($checks as $attribute => $check) {
|
||||
$pageView->assertSee('thisisacattofind');
|
||||
$html->assertElementNotExists(".page-content [{$attribute}]");
|
||||
}
|
||||
}
|
||||
|
||||
public function test_metadata_redirects_are_removed()
|
||||
{
|
||||
config()->set('app.content_filtering', 'h');
|
||||
|
||||
$checks = [
|
||||
'<meta http-equiv="refresh" content="0; url=//external_url">',
|
||||
'<meta http-equiv="refresh" ConTeNt="0; url=//external_url">',
|
||||
'<meta http-equiv="refresh" content="0; UrL=//external_url">',
|
||||
];
|
||||
|
||||
$this->asEditor();
|
||||
$page = $this->entities->page();
|
||||
|
||||
foreach ($checks as $check) {
|
||||
$page->html = $check;
|
||||
$page->save();
|
||||
|
||||
$pageView = $this->get($page->getUrl());
|
||||
$pageView->assertStatus(200);
|
||||
$this->withHtml($pageView)->assertElementNotContains('.page-content', '<meta>');
|
||||
$this->withHtml($pageView)->assertElementNotContains('.page-content', '</meta>');
|
||||
$this->withHtml($pageView)->assertElementNotContains('.page-content', 'content=');
|
||||
$this->withHtml($pageView)->assertElementNotContains('.page-content', 'external_url');
|
||||
}
|
||||
}
|
||||
|
||||
public function test_page_inline_on_attributes_removed_by_default()
|
||||
{
|
||||
config()->set('app.content_filtering', 'j');
|
||||
|
||||
$this->asEditor();
|
||||
$page = $this->entities->page();
|
||||
$script = '<p onmouseenter="console.log(\'test\')">Hello</p>';
|
||||
$page->html = "escape {$script}";
|
||||
$page->save();
|
||||
|
||||
$pageView = $this->get($page->getUrl());
|
||||
$pageView->assertStatus(200);
|
||||
$pageView->assertDontSee($script, false);
|
||||
$pageView->assertSee('<p>Hello</p>', false);
|
||||
}
|
||||
|
||||
public function test_more_complex_inline_on_attributes_escaping_scenarios()
|
||||
{
|
||||
config()->set('app.content_filtering', 'j');
|
||||
|
||||
$checks = [
|
||||
'<p onclick="console.log(\'test\')">Hello</p>',
|
||||
'<p OnCliCk="console.log(\'test\')">Hello</p>',
|
||||
'<div>Lorem ipsum dolor sit amet.</div><p onclick="console.log(\'test\')">Hello</p>',
|
||||
'<div>Lorem ipsum dolor sit amet.<p onclick="console.log(\'test\')">Hello</p></div>',
|
||||
'<div><div><div><div>Lorem ipsum dolor sit amet.<p onclick="console.log(\'test\')">Hello</p></div></div></div></div>',
|
||||
'<div onclick="console.log(\'test\')">Lorem ipsum dolor sit amet.</div><p onclick="console.log(\'test\')">Hello</p><div></div>',
|
||||
'<a a="<img src=1 onerror=\'alert(1)\'> ',
|
||||
'\<a onclick="alert(document.cookie)"\>xss link\</a\>',
|
||||
];
|
||||
|
||||
$this->asEditor();
|
||||
$page = $this->entities->page();
|
||||
|
||||
foreach ($checks as $check) {
|
||||
$page->html = $check;
|
||||
$page->save();
|
||||
|
||||
$pageView = $this->get($page->getUrl());
|
||||
$pageView->assertStatus(200);
|
||||
$this->withHtml($pageView)->assertElementNotContains('.page-content', 'onclick');
|
||||
}
|
||||
}
|
||||
|
||||
public function test_page_content_scripts_show_with_filters_disabled()
|
||||
{
|
||||
$this->asEditor();
|
||||
$page = $this->entities->page();
|
||||
config()->set('app.content_filtering', '');
|
||||
|
||||
$script = 'abc123<script>console.log("hello-test")</script>abc123';
|
||||
$page->html = "no escape {$script}";
|
||||
$page->save();
|
||||
|
||||
$pageView = $this->get($page->getUrl());
|
||||
$pageView->assertSee($script, false);
|
||||
$pageView->assertDontSee('abc123abc123');
|
||||
}
|
||||
|
||||
public function test_svg_script_usage_is_removed()
|
||||
{
|
||||
config()->set('app.content_filtering', 'j');
|
||||
|
||||
$checks = [
|
||||
'<svg id="test" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100"><a xlink:href="javascript:alert(document.domain)"><rect x="0" y="0" width="100" height="100" /></a></svg>',
|
||||
'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><use xlink:href="data:application/xml;base64 ,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIj4KPGRlZnM+CjxjaXJjbGUgaWQ9InRlc3QiIHI9IjAiIGN4PSIwIiBjeT0iMCIgc3R5bGU9ImZpbGw6ICNGMDAiPgo8c2V0IGF0dHJpYnV0ZU5hbWU9ImZpbGwiIGF0dHJpYnV0ZVR5cGU9IkNTUyIgb25iZWdpbj0nYWxlcnQoZG9jdW1lbnQuZG9tYWluKScKb25lbmQ9J2FsZXJ0KCJvbmVuZCIpJyB0bz0iIzAwRiIgYmVnaW49IjBzIiBkdXI9Ijk5OXMiIC8+CjwvY2lyY2xlPgo8L2RlZnM+Cjx1c2UgeGxpbms6aHJlZj0iI3Rlc3QiLz4KPC9zdmc+#test"/></svg>',
|
||||
'<svg><animate href=#xss attributeName=href values=javascript:alert(1) /></svg>',
|
||||
'<svg><animate href="#xss" attributeName="href" values="a;javascript:alert(1)" /></svg>',
|
||||
'<svg><animate href="#xss" attributeName="href" values="a;data:alert(1)" /></svg>',
|
||||
'<svg><animate href=#xss attributeName=href from=javascript:alert(1) to=1 /><a id=xss><text x=20 y=20>XSS</text></a>',
|
||||
'<svg><set href=#xss attributeName=href from=? to=javascript:alert(1) /><a id=xss><text x=20 y=20>XSS</text></a>',
|
||||
'<svg><g><g><g><animate href=#xss attributeName=href values=javascript:alert(1) /></g></g></g></svg>',
|
||||
];
|
||||
|
||||
$this->asEditor();
|
||||
$page = $this->entities->page();
|
||||
|
||||
foreach ($checks as $check) {
|
||||
$page->html = $check;
|
||||
$page->save();
|
||||
|
||||
$pageView = $this->get($page->getUrl());
|
||||
$pageView->assertStatus(200);
|
||||
$html = $this->withHtml($pageView);
|
||||
$html->assertElementNotContains('.page-content', 'alert');
|
||||
$html->assertElementNotContains('.page-content', 'xlink:href');
|
||||
$html->assertElementNotContains('.page-content', 'application/xml');
|
||||
$html->assertElementNotContains('.page-content', 'javascript');
|
||||
}
|
||||
}
|
||||
|
||||
public function test_page_inline_on_attributes_show_with_filters_disabled()
|
||||
{
|
||||
$this->asEditor();
|
||||
$page = $this->entities->page();
|
||||
config()->set('app.content_filtering', '');
|
||||
|
||||
$script = '<p onmouseenter="console.log(\'test\')">Hello</p>';
|
||||
$page->html = "escape {$script}";
|
||||
$page->save();
|
||||
|
||||
$pageView = $this->get($page->getUrl());
|
||||
$pageView->assertSee($script, false);
|
||||
$pageView->assertDontSee('<p>Hello</p>', false);
|
||||
}
|
||||
|
||||
public function test_non_content_filtering_is_controlled_by_config()
|
||||
{
|
||||
config()->set('app.content_filtering', '');
|
||||
$page = $this->entities->page();
|
||||
$html = <<<'HTML'
|
||||
<style>superbeans!</style>
|
||||
<template id="template">superbeans!</template>
|
||||
HTML;
|
||||
$page->html = $html;
|
||||
$page->save();
|
||||
|
||||
$resp = $this->asEditor()->get($page->getUrl());
|
||||
$resp->assertSee('superbeans', false);
|
||||
|
||||
config()->set('app.content_filtering', 'h');
|
||||
|
||||
$resp = $this->asEditor()->get($page->getUrl());
|
||||
$resp->assertDontSee('superbeans', false);
|
||||
}
|
||||
|
||||
public function test_non_content_filtering()
|
||||
{
|
||||
config()->set('app.content_filtering', 'h');
|
||||
$page = $this->entities->page();
|
||||
$html = <<<'HTML'
|
||||
<style>superbeans!</style>
|
||||
<p>inbetweenpsection</p>
|
||||
<link rel="stylesheet" href="https://example.com/superbeans.css">
|
||||
<meta name="description" content="superbeans!">
|
||||
<title>superbeans!</title>
|
||||
<template id="template">superbeans!</template>
|
||||
HTML;
|
||||
|
||||
$page->html = $html;
|
||||
$page->save();
|
||||
|
||||
$resp = $this->asEditor()->get($page->getUrl());
|
||||
$resp->assertDontSee('superbeans', false);
|
||||
$resp->assertSee('inbetweenpsection', false);
|
||||
}
|
||||
|
||||
public function test_allow_list_filtering_is_controlled_by_config()
|
||||
{
|
||||
config()->set('app.content_filtering', '');
|
||||
$page = $this->entities->page();
|
||||
$page->html = '<div style="position: absolute; left: 0;color:#00FFEE;">Hello!</div>';
|
||||
$page->save();
|
||||
|
||||
$resp = $this->asEditor()->get($page->getUrl());
|
||||
$resp->assertSee('style="position: absolute; left: 0;color:#00FFEE;"', false);
|
||||
|
||||
config()->set('app.content_filtering', 'a');
|
||||
$resp = $this->get($page->getUrl());
|
||||
$resp->assertDontSee('style="position: absolute; left: 0;color:#00FFEE;"', false);
|
||||
$resp->assertSee('style="color:#00FFEE;"', false);
|
||||
}
|
||||
|
||||
public function test_allow_list_style_filtering()
|
||||
{
|
||||
$testCasesExpectedByInput = [
|
||||
'<div style="position:absolute;left:0;color:#00FFEE;">Hello!</div>' => '<div style="color:#00FFEE;">Hello!</div>',
|
||||
'<div style="background:#FF0000;left:0;color:#00FFEE;">Hello!</div>' => '<div style="background:#FF0000;color:#00FFEE;">Hello!</div>',
|
||||
'<div style="color:#00FFEE;">Hello!<style>testinghello!</style></div>' => '<div style="color:#00FFEE;">Hello!</div>',
|
||||
];
|
||||
|
||||
config()->set('app.content_filtering', 'a');
|
||||
$page = $this->entities->page();
|
||||
$this->asEditor();
|
||||
|
||||
foreach ($testCasesExpectedByInput as $input => $expected) {
|
||||
$page->html = $input;
|
||||
$page->save();
|
||||
$resp = $this->get($page->getUrl());
|
||||
|
||||
$resp->assertSee($expected, false);
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -101,351 +101,6 @@ class PageContentTest extends TestCase
|
||||
$pageResp->assertSee('Hello Barry');
|
||||
}
|
||||
|
||||
public function test_page_content_scripts_removed_by_default()
|
||||
{
|
||||
$this->asEditor();
|
||||
$page = $this->entities->page();
|
||||
$script = 'abc123<script>console.log("hello-test")</script>abc123';
|
||||
$page->html = "escape {$script}";
|
||||
$page->save();
|
||||
|
||||
$pageView = $this->get($page->getUrl());
|
||||
$pageView->assertStatus(200);
|
||||
$pageView->assertDontSee($script, false);
|
||||
$pageView->assertSee('abc123abc123');
|
||||
}
|
||||
|
||||
public function test_more_complex_content_script_escaping_scenarios()
|
||||
{
|
||||
$checks = [
|
||||
"<p>Some script</p><script>alert('cat')</script>",
|
||||
"<div><div><div><div><p>Some script</p><script>alert('cat')</script></div></div></div></div>",
|
||||
"<p>Some script<script>alert('cat')</script></p>",
|
||||
"<p>Some script <div><script>alert('cat')</script></div></p>",
|
||||
"<p>Some script <script><div>alert('cat')</script></div></p>",
|
||||
"<p>Some script <script><div>alert('cat')</script><script><div>alert('cat')</script></p><script><div>alert('cat')</script>",
|
||||
];
|
||||
|
||||
$this->asEditor();
|
||||
$page = $this->entities->page();
|
||||
|
||||
foreach ($checks as $check) {
|
||||
$page->html = $check;
|
||||
$page->save();
|
||||
|
||||
$pageView = $this->get($page->getUrl());
|
||||
$pageView->assertStatus(200);
|
||||
$this->withHtml($pageView)->assertElementNotContains('.page-content', '<script>');
|
||||
$this->withHtml($pageView)->assertElementNotContains('.page-content', '</script>');
|
||||
}
|
||||
}
|
||||
|
||||
public function test_js_and_base64_src_urls_are_removed()
|
||||
{
|
||||
$checks = [
|
||||
'<iframe src="javascript:alert(document.cookie)"></iframe>',
|
||||
'<iframe src="JavAScRipT:alert(document.cookie)"></iframe>',
|
||||
'<iframe src="JavAScRipT:alert(document.cookie)"></iframe>',
|
||||
'<iframe SRC=" javascript: alert(document.cookie)"></iframe>',
|
||||
'<iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg==" frameborder="0"></iframe>',
|
||||
'<iframe src="DaTa:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg==" frameborder="0"></iframe>',
|
||||
'<iframe src=" data:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg==" frameborder="0"></iframe>',
|
||||
'<img src="javascript:alert(document.cookie)"/>',
|
||||
'<img src="JavAScRipT:alert(document.cookie)"/>',
|
||||
'<img src="JavAScRipT:alert(document.cookie)"/>',
|
||||
'<img SRC=" javascript: alert(document.cookie)"/>',
|
||||
'<img src="data:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg=="/>',
|
||||
'<img src="DaTa:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg=="/>',
|
||||
'<img src=" data:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg=="/>',
|
||||
'<iframe srcdoc="<script>window.alert(document.cookie)</script>"></iframe>',
|
||||
'<iframe SRCdoc="<script>window.alert(document.cookie)</script>"></iframe>',
|
||||
'<IMG SRC=`javascript:alert("RSnake says, \'XSS\'")`>',
|
||||
];
|
||||
|
||||
$this->asEditor();
|
||||
$page = $this->entities->page();
|
||||
|
||||
foreach ($checks as $check) {
|
||||
$page->html = $check;
|
||||
$page->save();
|
||||
|
||||
$pageView = $this->get($page->getUrl());
|
||||
$pageView->assertStatus(200);
|
||||
$html = $this->withHtml($pageView);
|
||||
$html->assertElementNotContains('.page-content', '<iframe>');
|
||||
$html->assertElementNotContains('.page-content', '<img');
|
||||
$html->assertElementNotContains('.page-content', '</iframe>');
|
||||
$html->assertElementNotContains('.page-content', 'src=');
|
||||
$html->assertElementNotContains('.page-content', 'javascript:');
|
||||
$html->assertElementNotContains('.page-content', 'data:');
|
||||
$html->assertElementNotContains('.page-content', 'base64');
|
||||
}
|
||||
}
|
||||
|
||||
public function test_javascript_uri_links_are_removed()
|
||||
{
|
||||
$checks = [
|
||||
'<a id="xss" href="javascript:alert(document.cookie)>Click me</a>',
|
||||
'<a id="xss" href="javascript: alert(document.cookie)>Click me</a>',
|
||||
'<a id="xss" href="JaVaScRiPt: alert(document.cookie)>Click me</a>',
|
||||
'<a id="xss" href=" JaVaScRiPt: alert(document.cookie)>Click me</a>',
|
||||
];
|
||||
|
||||
$this->asEditor();
|
||||
$page = $this->entities->page();
|
||||
|
||||
foreach ($checks as $check) {
|
||||
$page->html = $check;
|
||||
$page->save();
|
||||
|
||||
$pageView = $this->get($page->getUrl());
|
||||
$pageView->assertStatus(200);
|
||||
$this->withHtml($pageView)->assertElementNotContains('.page-content', '<a id="xss"');
|
||||
$this->withHtml($pageView)->assertElementNotContains('.page-content', 'href=javascript:');
|
||||
}
|
||||
}
|
||||
|
||||
public function test_form_actions_with_javascript_are_removed()
|
||||
{
|
||||
$checks = [
|
||||
'<customform><custominput id="xss" type=submit formaction=javascript:alert(document.domain) value=Submit><custominput></customform>',
|
||||
'<customform ><custombutton id="xss" formaction="JaVaScRiPt:alert(document.domain)">Click me</custombutton></customform>',
|
||||
'<customform ><custombutton id="xss" formaction=javascript:alert(document.domain)>Click me</custombutton></customform>',
|
||||
'<customform id="xss" action=javascript:alert(document.domain)><input type=submit value=Submit></customform>',
|
||||
'<customform id="xss" action="JaVaScRiPt:alert(document.domain)"><input type=submit value=Submit></customform>',
|
||||
];
|
||||
|
||||
$this->asEditor();
|
||||
$page = $this->entities->page();
|
||||
|
||||
foreach ($checks as $check) {
|
||||
$page->html = $check;
|
||||
$page->save();
|
||||
|
||||
$pageView = $this->get($page->getUrl());
|
||||
$pageView->assertStatus(200);
|
||||
$pageView->assertDontSee('id="xss"', false);
|
||||
$pageView->assertDontSee('action=javascript:', false);
|
||||
$pageView->assertDontSee('action=JaVaScRiPt:', false);
|
||||
$pageView->assertDontSee('formaction=javascript:', false);
|
||||
$pageView->assertDontSee('formaction=JaVaScRiPt:', false);
|
||||
}
|
||||
}
|
||||
|
||||
public function test_form_elements_are_removed()
|
||||
{
|
||||
$checks = [
|
||||
'<p>thisisacattofind</p><form>thisdogshouldnotbefound</form>',
|
||||
'<p>thisisacattofind</p><input type="text" value="thisdogshouldnotbefound">',
|
||||
'<p>thisisacattofind</p><select><option>thisdogshouldnotbefound</option></select>',
|
||||
'<p>thisisacattofind</p><textarea>thisdogshouldnotbefound</textarea>',
|
||||
'<p>thisisacattofind</p><fieldset>thisdogshouldnotbefound</fieldset>',
|
||||
'<p>thisisacattofind</p><button>thisdogshouldnotbefound</button>',
|
||||
'<p>thisisacattofind</p><BUTTON>thisdogshouldnotbefound</BUTTON>',
|
||||
<<<'TESTCASE'
|
||||
<svg width="200" height="100" xmlns="http://www.w3.org/2000/svg">
|
||||
<foreignObject width="100%" height="100%">
|
||||
|
||||
<body xmlns="http://www.w3.org/1999/xhtml">
|
||||
<p>thisisacattofind</p>
|
||||
<form>
|
||||
<p>thisdogshouldnotbefound</p>
|
||||
</form>
|
||||
<input type="text" placeholder="thisdogshouldnotbefound" />
|
||||
<button type="submit">thisdogshouldnotbefound</button>
|
||||
</body>
|
||||
|
||||
</foreignObject>
|
||||
</svg>
|
||||
TESTCASE
|
||||
|
||||
];
|
||||
|
||||
$this->asEditor();
|
||||
$page = $this->entities->page();
|
||||
|
||||
foreach ($checks as $check) {
|
||||
$page->html = $check;
|
||||
$page->save();
|
||||
|
||||
$pageView = $this->get($page->getUrl());
|
||||
$pageView->assertStatus(200);
|
||||
$pageView->assertSee('thisisacattofind');
|
||||
$pageView->assertDontSee('thisdogshouldnotbefound');
|
||||
}
|
||||
}
|
||||
|
||||
public function test_form_attributes_are_removed()
|
||||
{
|
||||
$withinSvgSample = <<<'TESTCASE'
|
||||
<svg width="200" height="100" xmlns="http://www.w3.org/2000/svg">
|
||||
<foreignObject width="100%" height="100%">
|
||||
|
||||
<body xmlns="http://www.w3.org/1999/xhtml">
|
||||
<p formaction="a">thisisacattofind</p>
|
||||
<p formaction="a">thisisacattofind</p>
|
||||
</body>
|
||||
|
||||
</foreignObject>
|
||||
</svg>
|
||||
TESTCASE;
|
||||
|
||||
$checks = [
|
||||
'formaction' => '<p formaction="a">thisisacattofind</p>',
|
||||
'form' => '<p form="a">thisisacattofind</p>',
|
||||
'formmethod' => '<p formmethod="a">thisisacattofind</p>',
|
||||
'formtarget' => '<p formtarget="a">thisisacattofind</p>',
|
||||
'FORMTARGET' => '<p FORMTARGET="a">thisisacattofind</p>',
|
||||
];
|
||||
|
||||
$this->asEditor();
|
||||
$page = $this->entities->page();
|
||||
|
||||
foreach ($checks as $attribute => $check) {
|
||||
$page->html = $check;
|
||||
$page->save();
|
||||
|
||||
$pageView = $this->get($page->getUrl());
|
||||
$pageView->assertStatus(200);
|
||||
$pageView->assertSee('thisisacattofind');
|
||||
$this->withHtml($pageView)->assertElementNotExists(".page-content [{$attribute}]");
|
||||
}
|
||||
|
||||
$page->html = $withinSvgSample;
|
||||
$page->save();
|
||||
$pageView = $this->get($page->getUrl());
|
||||
$pageView->assertStatus(200);
|
||||
$html = $this->withHtml($pageView);
|
||||
foreach ($checks as $attribute => $check) {
|
||||
$pageView->assertSee('thisisacattofind');
|
||||
$html->assertElementNotExists(".page-content [{$attribute}]");
|
||||
}
|
||||
}
|
||||
|
||||
public function test_metadata_redirects_are_removed()
|
||||
{
|
||||
$checks = [
|
||||
'<meta http-equiv="refresh" content="0; url=//external_url">',
|
||||
'<meta http-equiv="refresh" ConTeNt="0; url=//external_url">',
|
||||
'<meta http-equiv="refresh" content="0; UrL=//external_url">',
|
||||
];
|
||||
|
||||
$this->asEditor();
|
||||
$page = $this->entities->page();
|
||||
|
||||
foreach ($checks as $check) {
|
||||
$page->html = $check;
|
||||
$page->save();
|
||||
|
||||
$pageView = $this->get($page->getUrl());
|
||||
$pageView->assertStatus(200);
|
||||
$this->withHtml($pageView)->assertElementNotContains('.page-content', '<meta>');
|
||||
$this->withHtml($pageView)->assertElementNotContains('.page-content', '</meta>');
|
||||
$this->withHtml($pageView)->assertElementNotContains('.page-content', 'content=');
|
||||
$this->withHtml($pageView)->assertElementNotContains('.page-content', 'external_url');
|
||||
}
|
||||
}
|
||||
|
||||
public function test_page_inline_on_attributes_removed_by_default()
|
||||
{
|
||||
$this->asEditor();
|
||||
$page = $this->entities->page();
|
||||
$script = '<p onmouseenter="console.log(\'test\')">Hello</p>';
|
||||
$page->html = "escape {$script}";
|
||||
$page->save();
|
||||
|
||||
$pageView = $this->get($page->getUrl());
|
||||
$pageView->assertStatus(200);
|
||||
$pageView->assertDontSee($script, false);
|
||||
$pageView->assertSee('<p>Hello</p>', false);
|
||||
}
|
||||
|
||||
public function test_more_complex_inline_on_attributes_escaping_scenarios()
|
||||
{
|
||||
$checks = [
|
||||
'<p onclick="console.log(\'test\')">Hello</p>',
|
||||
'<p OnCliCk="console.log(\'test\')">Hello</p>',
|
||||
'<div>Lorem ipsum dolor sit amet.</div><p onclick="console.log(\'test\')">Hello</p>',
|
||||
'<div>Lorem ipsum dolor sit amet.<p onclick="console.log(\'test\')">Hello</p></div>',
|
||||
'<div><div><div><div>Lorem ipsum dolor sit amet.<p onclick="console.log(\'test\')">Hello</p></div></div></div></div>',
|
||||
'<div onclick="console.log(\'test\')">Lorem ipsum dolor sit amet.</div><p onclick="console.log(\'test\')">Hello</p><div></div>',
|
||||
'<a a="<img src=1 onerror=\'alert(1)\'> ',
|
||||
'\<a onclick="alert(document.cookie)"\>xss link\</a\>',
|
||||
];
|
||||
|
||||
$this->asEditor();
|
||||
$page = $this->entities->page();
|
||||
|
||||
foreach ($checks as $check) {
|
||||
$page->html = $check;
|
||||
$page->save();
|
||||
|
||||
$pageView = $this->get($page->getUrl());
|
||||
$pageView->assertStatus(200);
|
||||
$this->withHtml($pageView)->assertElementNotContains('.page-content', 'onclick');
|
||||
}
|
||||
}
|
||||
|
||||
public function test_page_content_scripts_show_when_configured()
|
||||
{
|
||||
$this->asEditor();
|
||||
$page = $this->entities->page();
|
||||
config()->set('app.allow_content_scripts', 'true');
|
||||
|
||||
$script = 'abc123<script>console.log("hello-test")</script>abc123';
|
||||
$page->html = "no escape {$script}";
|
||||
$page->save();
|
||||
|
||||
$pageView = $this->get($page->getUrl());
|
||||
$pageView->assertSee($script, false);
|
||||
$pageView->assertDontSee('abc123abc123');
|
||||
}
|
||||
|
||||
public function test_svg_script_usage_is_removed()
|
||||
{
|
||||
$checks = [
|
||||
'<svg id="test" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100"><a xlink:href="javascript:alert(document.domain)"><rect x="0" y="0" width="100" height="100" /></a></svg>',
|
||||
'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><use xlink:href="data:application/xml;base64 ,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIj4KPGRlZnM+CjxjaXJjbGUgaWQ9InRlc3QiIHI9IjAiIGN4PSIwIiBjeT0iMCIgc3R5bGU9ImZpbGw6ICNGMDAiPgo8c2V0IGF0dHJpYnV0ZU5hbWU9ImZpbGwiIGF0dHJpYnV0ZVR5cGU9IkNTUyIgb25iZWdpbj0nYWxlcnQoZG9jdW1lbnQuZG9tYWluKScKb25lbmQ9J2FsZXJ0KCJvbmVuZCIpJyB0bz0iIzAwRiIgYmVnaW49IjBzIiBkdXI9Ijk5OXMiIC8+CjwvY2lyY2xlPgo8L2RlZnM+Cjx1c2UgeGxpbms6aHJlZj0iI3Rlc3QiLz4KPC9zdmc+#test"/></svg>',
|
||||
'<svg><animate href=#xss attributeName=href values=javascript:alert(1) /></svg>',
|
||||
'<svg><animate href="#xss" attributeName="href" values="a;javascript:alert(1)" /></svg>',
|
||||
'<svg><animate href="#xss" attributeName="href" values="a;data:alert(1)" /></svg>',
|
||||
'<svg><animate href=#xss attributeName=href from=javascript:alert(1) to=1 /><a id=xss><text x=20 y=20>XSS</text></a>',
|
||||
'<svg><set href=#xss attributeName=href from=? to=javascript:alert(1) /><a id=xss><text x=20 y=20>XSS</text></a>',
|
||||
'<svg><g><g><g><animate href=#xss attributeName=href values=javascript:alert(1) /></g></g></g></svg>',
|
||||
];
|
||||
|
||||
$this->asEditor();
|
||||
$page = $this->entities->page();
|
||||
|
||||
foreach ($checks as $check) {
|
||||
$page->html = $check;
|
||||
$page->save();
|
||||
|
||||
$pageView = $this->get($page->getUrl());
|
||||
$pageView->assertStatus(200);
|
||||
$html = $this->withHtml($pageView);
|
||||
$html->assertElementNotContains('.page-content', 'alert');
|
||||
$html->assertElementNotContains('.page-content', 'xlink:href');
|
||||
$html->assertElementNotContains('.page-content', 'application/xml');
|
||||
$html->assertElementNotContains('.page-content', 'javascript');
|
||||
}
|
||||
}
|
||||
|
||||
public function test_page_inline_on_attributes_show_if_configured()
|
||||
{
|
||||
$this->asEditor();
|
||||
$page = $this->entities->page();
|
||||
config()->set('app.allow_content_scripts', 'true');
|
||||
|
||||
$script = '<p onmouseenter="console.log(\'test\')">Hello</p>';
|
||||
$page->html = "escape {$script}";
|
||||
$page->save();
|
||||
|
||||
$pageView = $this->get($page->getUrl());
|
||||
$pageView->assertSee($script, false);
|
||||
$pageView->assertDontSee('<p>Hello</p>', false);
|
||||
}
|
||||
|
||||
public function test_duplicate_ids_does_not_break_page_render()
|
||||
{
|
||||
$this->asEditor();
|
||||
@@ -649,6 +304,7 @@ TESTCASE;
|
||||
|
||||
public function test_page_markdown_single_html_comment_saving()
|
||||
{
|
||||
config()->set('app.content_filtering', 'jfh');
|
||||
$this->asEditor();
|
||||
$page = $this->entities->page();
|
||||
|
||||
@@ -656,7 +312,7 @@ TESTCASE;
|
||||
$this->put($page->getUrl(), [
|
||||
'name' => $page->name, 'markdown' => $content,
|
||||
'html' => '', 'summary' => '',
|
||||
]);
|
||||
])->assertRedirect();
|
||||
|
||||
$page->refresh();
|
||||
$this->assertStringMatchesFormat($content, $page->html);
|
||||
|
||||
@@ -160,9 +160,11 @@ class PageDraftTest extends TestCase
|
||||
{
|
||||
$this->asAdmin();
|
||||
$page = $this->entities->page();
|
||||
$page->html = '<p>test content<script>hellotherekitty</script></p>';
|
||||
$page->save();
|
||||
|
||||
$this->getJson('/ajax/page/' . $page->id)->assertJson([
|
||||
'html' => $page->html,
|
||||
'html' => '<p>test content</p>',
|
||||
]);
|
||||
}
|
||||
|
||||
|
||||
@@ -265,4 +265,21 @@ class PageEditorTest extends TestCase
|
||||
$this->assertEquals($test['expected'], $page->refresh()->editor, "Failed asserting global editor {$test['setting']} with request editor {$test['request']} results in {$test['expected']} set for the page");
|
||||
}
|
||||
}
|
||||
|
||||
public function test_editor_html_content_is_filtered_if_loaded_by_a_different_user()
|
||||
{
|
||||
$editor = $this->users->editor();
|
||||
$page = $this->entities->page();
|
||||
$page->html = '<style>hellotherethisisaturtlemonster</style>';
|
||||
$page->updated_by = $editor->id;
|
||||
$page->save();
|
||||
|
||||
$resp = $this->asAdmin()->get($page->getUrl('edit'));
|
||||
$resp->assertOk();
|
||||
$resp->assertDontSee('hellotherethisisaturtlemonster', false);
|
||||
|
||||
$resp = $this->asAdmin()->get("/ajax/page/{$page->id}");
|
||||
$resp->assertOk();
|
||||
$resp->assertDontSee('hellotherethisisaturtlemonster', false);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -93,14 +93,14 @@ class SecurityHeaderTest extends TestCase
|
||||
$this->assertNotEquals($firstHeader, $secondHeader);
|
||||
}
|
||||
|
||||
public function test_allow_content_scripts_settings_controls_csp_script_headers()
|
||||
public function test_content_filtering_config_controls_csp_script_headers()
|
||||
{
|
||||
config()->set('app.allow_content_scripts', true);
|
||||
config()->set('app.content_filtering', '');
|
||||
$resp = $this->get('/');
|
||||
$scriptHeader = $this->getCspHeader($resp, 'script-src');
|
||||
$this->assertEmpty($scriptHeader);
|
||||
|
||||
config()->set('app.allow_content_scripts', false);
|
||||
config()->set('app.content_filtering', 'j');
|
||||
$resp = $this->get('/');
|
||||
$scriptHeader = $this->getCspHeader($resp, 'script-src');
|
||||
$this->assertNotEmpty($scriptHeader);
|
||||
|
||||
@@ -170,6 +170,27 @@ class ConfigTest extends TestCase
|
||||
}
|
||||
}
|
||||
|
||||
public function test_content_filtering_defaults_to_enabled()
|
||||
{
|
||||
$this->runWithEnv(['APP_CONTENT_FILTERING' => null, 'ALLOW_CONTENT_SCRIPTS' => null], function () {
|
||||
$this->assertEquals('jhfa', config('app.content_filtering'));
|
||||
});
|
||||
}
|
||||
|
||||
public function test_content_filtering_can_be_disabled()
|
||||
{
|
||||
$this->runWithEnv(['APP_CONTENT_FILTERING' => "", 'ALLOW_CONTENT_SCRIPTS' => null], function () {
|
||||
$this->assertEquals('', config('app.content_filtering'));
|
||||
});
|
||||
}
|
||||
|
||||
public function test_allow_content_scripts_disables_content_filtering()
|
||||
{
|
||||
$this->runWithEnv(['APP_CONTENT_FILTERING' => null, 'ALLOW_CONTENT_SCRIPTS' => 'true'], function () {
|
||||
$this->assertEquals('', config('app.content_filtering'));
|
||||
});
|
||||
}
|
||||
|
||||
/**
|
||||
* Set an environment variable of the given name and value
|
||||
* then check the given config key to see if it matches the given result.
|
||||
|
||||
Reference in New Issue
Block a user