(Update) Remove XSS cleaner and remove XSS vulnerabilities #3222
base: 8.x.x
Conversation
This is the definition of an open redirect vulnerability, which is unacceptable and will require rethinking.
Force-pushed from 89670bd to 994edc7.
Force-pushed from 994edc7 to 8903111.
Open redirect vulnerabilities are only valid for links (
Force-pushed from a852f82 to 8ab3967.
Force-pushed from 8ab3967 to c8622fa.
Force-pushed from c8622fa to 52416d7.
Force-pushed from 52416d7 to edbc86d.
Force-pushed from 2017c0b to ea8be74.
We've been mostly relying on the third-party XSS cleaner to make sure user-submitted content is clean. This PR fixes up any leftover holes in the BBCode parser that allow XSS vulnerabilities, and as a result, the third-party library isn't needed anymore. It cleans responsibly by first running `htmlspecialchars()` over the content, then sanitizing the untrusted URLs and whitelisting their protocol.
Force-pushed from ea8be74 to 011d07e.
Hey @JoshyPHP, it's been a while, but I remember you responding to UNIT3D comments before, and I just saw on another repo that you reviewed their BBCode implementation. Is there any chance you would be willing to do a brief look-over of the code here to see if I missed anything in terms of XSS prevention? I would greatly appreciate it.
@Roardom I wouldn't consider myself an XSS expert, but for what it's worth, I gave this PR a half-decent look-over and didn't find anything. If you're concerned about XSS and exploits based on user input in general, I would consider URL-encoding non-ASCII characters and Punycoding host names to avoid homoglyphs, but modern browsers already present host names Punycoded, so it's not a requirement. By the way, I'm subscribed to this repo and I almost missed your mention because GitHub doesn't differentiate between normal PR churn and user mentions. If you tag me in a discussion and I don't reply within 48 hours, assume that I missed it and feel free to ping me again and/or try alternative methods.
Thank you so much for checking it out. If I understand correctly, we need to decode
We've been mostly relying on the third-party XSS cleaner to make sure user-submitted content is clean. This PR fixes up any leftover holes in the BBCode parser that allow XSS vulnerabilities, and as a result, the third-party library isn't needed anymore. It cleans responsibly by first running `htmlspecialchars()` over the content, then validating any untrusted input used inside HTML attributes. It validates URLs by returning them as redirects, relying on the browser not supporting executable protocols (like `javascript:`).
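The escape-then-whitelist sequence that both versions of the PR description above rely on, as an added example that is not code from the UNIT3D repository or from this PR: `ALLOWED_URL_SCHEMES`, `sanitizeUrl()` and `renderUrlTag()` are hypothetical names, the scheme whitelist and the choice to degrade a rejected URL to plain text are the example's own, and it does not implement the redirect mechanism the updated description mentions. It shows why the protocol check has to look at the scheme the way a browser would (after stripping tabs and newlines) and why `htmlspecialchars()` with `ENT_QUOTES` is still needed on the attribute value even after the URL passes the whitelist.

```php
<?php
declare(strict_types=1);

// Added example, not code from the UNIT3D repository or this PR. It shows the
// two steps named in the PR description for a BBCode [url] tag: whitelist the
// URL's protocol, and run htmlspecialchars() over everything that lands in HTML.
// Function names and the exact whitelist are assumptions made for illustration.

/** Schemes a [url] tag may use. javascript:, data:, vbscript: and friends are not on it. */
const ALLOWED_URL_SCHEMES = ['http', 'https'];

/**
 * Returns the URL if its scheme is whitelisted, null otherwise.
 * The scheme is compared as a browser would see it, i.e. after removing the
 * characters browsers strip from a URL (tab, CR, LF, leading/trailing controls),
 * so "java\tscript:" is not mistaken for a harmless relative path.
 */
function sanitizeUrl(string $url): ?string
{
    $normalized = str_replace(["\t", "\n", "\r"], '', $url);
    $normalized = trim($normalized, " \x00..\x1F");
    if ($normalized === '') {
        return null;
    }

    // Require an explicit scheme. A protocol-relative "//evil.example" has none
    // and would otherwise slip past a check that only looks for "javascript:".
    if (!preg_match('#^([a-z][a-z0-9+.-]*):#i', $normalized, $m)) {
        return null;
    }
    if (!in_array(strtolower($m[1]), ALLOWED_URL_SCHEMES, true)) {
        return null;
    }

    // parse_url() must agree and see a host, so "http:alert(1)" is rejected too.
    $parts = parse_url($normalized);
    if ($parts === false || empty($parts['host'])) {
        return null;
    }
    return $normalized;
}

/**
 * Renders [url=$url]$text[/url]. Both the href value and the link text go
 * through htmlspecialchars() with ENT_QUOTES, so a double quote inside an
 * otherwise valid https URL becomes &quot; and cannot close the attribute
 * to inject an event handler.
 */
function renderUrlTag(string $url, string $text): string
{
    $flags    = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;
    $safeText = htmlspecialchars($text, $flags, 'UTF-8');
    $safeUrl  = sanitizeUrl($url);
    if ($safeUrl === null) {
        // Rejected URL: keep the visible text, drop the link entirely.
        return $safeText;
    }
    return '<a href="' . htmlspecialchars($safeUrl, $flags, 'UTF-8') . '" rel="nofollow noopener">'
        . $safeText . '</a>';
}

// Constructed inputs covering the cases a reviewer would probe.
$cases = [
    'plain https'        => 'https://example.org/path?q=a&b=c',
    'javascript scheme'  => 'javascript:alert(1)',
    'tab inside scheme'  => "java\tscript:alert(1)",
    'mixed-case scheme'  => 'JaVaScRiPt:alert(1)',
    'data URL'           => 'data:text/html,<script>alert(1)</script>',
    'protocol-relative'  => '//evil.example/',
    'no host'            => 'http:alert(1)',
    'attribute breakout' => 'https://example.org/" onmouseover="alert(1)',
];
foreach ($cases as $label => $url) {
    echo str_pad($label, 20), renderUrlTag($url, 'link'), PHP_EOL;
}
```

Only the first case renders as an anchor with its `&` escaped to `&amp;`; the scheme-based cases all fall back to plain text, and the last case stays a link but with the quote encoded, which is the part of the PR's approach that `htmlspecialchars()` covers and the whitelist alone does not.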