
Bug #2768

HTML Purifier doesn't escape double quotes

Added by Julio Montoya almost 9 years ago. Updated over 8 years ago.

Status: Feature implemented
Priority: High
Assignee:
Category: -
Target version:
Start date: 08/02/2011
Due date:
% Done: 50%
Estimated time:
Complexity: Normal
SCRUM pts - complexity: ?

Description

In some cases when we do this:

$query = '" stYle=x:expre/**/ssion(alert(9)) ns="';

<input type="text" size="30" value="'.Security::remove_XSS($query).'" name="q"/> 

the result will be a contaminated input

<input type="text" size="30"  value=""  style="x:expre/**/ssion(alert(9))" name="q"/> 

" stYle="x:expre/**/ssion(alert(9))

see http://htmlpurifier.org/phorum/read.php?2,3108,3118,quote=1

Associated revisions

Revision 2df5fedd (diff)
Added by Julio Montoya over 8 years ago

Adding security::remove_XSS see #2768

History

#3

Updated by Julio Montoya almost 9 years ago

  • Priority changed from Urgent to High

#4

Updated by Julio Montoya almost 9 years ago

http://repo.or.cz/w/htmlpurifier.git/blob/882ffed9babb9ddc20bfb0979b14bb52d64c96c4:/NEWS

Double-quotes outside of attribute values are now unescaped

#5

Updated by Yannick Warnier over 8 years ago

Julio, is there anything that remains to be done here? You marked earlier that you wanted to remove a commit when we were closing the task...

#6

Updated by Julio Montoya over 8 years ago

  • % Done changed from 0 to 50

Well, in fact this is a problem of HTML Purifier that doesn't escape double quotes; in the meantime I did some fixes:

Fixing bug in ajaxfilemanager/ajaxfilemanager.php?editor=stand_alone&nsextt='"

http://code.google.com/p/chamilo/source/detail?r=f20af3e7e4a7cca1c574c628f7b6471dfe55c957&repo=classic

#7

Updated by Julio Montoya over 8 years ago

  • Target version changed from 1.8.8 stable to 1.9 Stable

#8

Updated by Julio Montoya over 8 years ago

  • Target version changed from 1.9 Stable to 1.8.8 stable

#9

Updated by Yannick Warnier over 8 years ago

  • Status changed from New to Feature implemented
  • Assignee set to Julio Montoya

OK, then as far as I am concerned, this is not a Chamilo bug anymore. Closing.

#10

Updated by Julio Montoya over 8 years ago

Some comments:

I think we can't avoid that using HTMLPurifier. HTMLPurifier was built to purify HTML pages and not strings of HTML.

I think the error here is that we shouldn't use this:

<a href="a.php?coursecode='.Security::remove_XSS($_GET['coursecode']).'">

We should use a function that generates anchors, something like Display::url(), and there we apply htmlspecialchars() and do not use Security::remove_XSS(), because it is useless when using double-quote hacks ...

#11

Updated by Ivan Tcholakov over 8 years ago

If we want to deal with course code exactly, then we may create a special filter, for example in the Security class:

public static function filterCourseCode($course_code) {
    // Allow-list: keep only letters, digits, '_', '.' and '-'; drop everything else.
    return api_preg_replace('/[^[:alnum:]_.\-]/', '', $course_code);
}
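
The following PHP is an added example written for this page; it is not Chamilo or HTML Purifier code. It puts together the two defences discussed in the ticket: contextual output encoding for attribute values (the point of the description and comment #10) and allow-list filtering of the course code (comment #11). The helper names attr(), url(), searchInput() and attributeIsContained() are hypothetical stand-ins for the Display::url() idea, filterCourseCode() is re-implemented here with plain preg_replace() instead of Chamilo's api_preg_replace() wrapper, and the payload is the one quoted in the description. The script assumes PHP 7 or later with the DOM extension available.

```php
<?php
// Constructed payload, taken from the ticket description.
const XSS_PAYLOAD = '" stYle=x:expre/**/ssion(alert(9)) ns="';

// Context-aware output encoding for an HTML attribute value. This is the step
// that a sanitizer such as HTML Purifier does not perform for a bare string
// that is later concatenated into value="...". ENT_QUOTES escapes both
// double and single quotes, so the helper is safe for either quoting style.
function attr($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// Hypothetical stand-in for the Display::url() helper proposed in comment #10:
// query parameters are URL-encoded by http_build_query(), and the finished
// href (plus the link text) is attribute-encoded by attr().
function url($path, array $params, $text)
{
    $href = $path . '?' . http_build_query($params);
    return '<a href="' . attr($href) . '">' . attr($text) . '</a>';
}

// Allow-list filter for the course code, as in comment #11.
function filterCourseCode($course_code)
{
    return preg_replace('/[^[:alnum:]_.\-]/', '', (string) $course_code);
}

// The search box from the description, rebuilt with attr() in place of
// Security::remove_XSS().
function searchInput($query)
{
    return '<input type="text" size="30" value="' . attr($query) . '" name="q"/>';
}

// Parses the rendered markup the way a browser would and checks that the
// value attribute still holds the whole input (nothing broke out of it) and
// that no style attribute appeared, which is the failure shown in the ticket.
function attributeIsContained($html, $expectedValue)
{
    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();

    $input = $doc->getElementsByTagName('input')->item(0);
    if ($input === null) {
        return false;
    }
    return !$input->hasAttribute('style')
        && $input->getAttribute('value') === $expectedValue;
}

// Demonstration on the ticket's payload.
$safeInput = searchInput(XSS_PAYLOAD);
echo $safeInput, PHP_EOL;
echo 'contained: ', attributeIsContained($safeInput, XSS_PAYLOAD) ? 'yes' : 'no', PHP_EOL;

// Course-code link: allow-listing first, then encoding. Even without the
// filter, the encoding alone keeps the quote inside the href.
$code = filterCourseCode(XSS_PAYLOAD);
echo 'filtered course code: ', $code, PHP_EOL;
echo url('a.php', ['coursecode' => $code], 'course'), PHP_EOL;
echo url('a.php', ['coursecode' => XSS_PAYLOAD], 'course'), PHP_EOL;
```

Running the script shows the double quote of the payload reaching the page as &quot;, so the browser keeps it as part of the value and never sees a style attribute; the allow-list filter reduces the payload to a harmless alphanumeric token before it is used as a course code. Both layers are independent: the encoding protects the attribute context regardless of what the filter lets through, and the filter keeps junk out of the application's own data.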
