mirror of
https://github.com/BookStackApp/BookStack.git
synced 2026-07-15 21:31:36 +03:00
Upstream libraries used did not specifically treat values in srcset as URIs like other attributes, so this adds a simple filter for possible bad values. Updated tests to cover. Thanks for Gurmandeep Deol for reporting.
27 lines
608 B
PHP
27 lines
608 B
PHP
<?php
|
|
|
|
namespace BookStack\Util\HtmlPurifier;
|
|
|
|
use HTMLPurifier_AttrDef;
|
|
|
|
/**
|
|
* Custom attribute definition to filter out potentially dangerous
|
|
* values from the srcset attribute.
|
|
*/
|
|
class SrcsetAttrDef extends HTMLPurifier_AttrDef
|
|
{
|
|
public function validate($string, $config, $context)
|
|
{
|
|
$lower = strtolower($string);
|
|
$nonAllowed = ['javascript:', 'vbscript:', 'data:', 'file:'];
|
|
|
|
foreach ($nonAllowed as $nonAllowedString) {
|
|
if (str_contains($lower, $nonAllowedString)) {
|
|
return false;
|
|
}
|
|
}
|
|
|
|
return $string;
|
|
}
|
|
}
|