From ab18ae9703bee8b15f1b9d889d40e1881728bae6 Mon Sep 17 00:00:00 2001 From: Jukka Svahn Date: Tue, 7 Jan 2025 16:03:16 +0200 Subject: [PATCH] In restricted mode, restrict image link protocol In restricted mode, protocol for image links is restricted the same way it was already done for text links. This disallows using JavaScript in image links, for example. --- CHANGELOG.textile | 3 +++ src/Netcarver/Textile/Parser.php | 4 ++++ test/fixtures/GHSA-95m2-chm4-mq7m.yaml | 11 +++++++++++ 3 files changed, 18 insertions(+) create mode 100644 test/fixtures/GHSA-95m2-chm4-mq7m.yaml diff --git a/CHANGELOG.textile b/CHANGELOG.textile index 22adbe8..41f6cdd 100644 --- a/CHANGELOG.textile +++ b/CHANGELOG.textile @@ -4,6 +4,9 @@ Here's a summary of changes in each release. The list doesn't include some small h2. Version 4.1.3 - upcoming +* This is a security update, which fixes stored XSS vulnerability in image link handing. +* Fixed: In restricted mode, restrict image link protocol. Previously and an image link's href allowed all protocols in restricted mode. Now it goes through the same validation as text links. + h2. "Version 4.1.2 - 2024/08/29":https://github.com/textile/php-textile/releases/tag/v4.1.2 * Fix PHP 8.4 compatibility issues (closes "#227":https://github.com/textile/php-textile/issues/227). diff --git a/src/Netcarver/Textile/Parser.php b/src/Netcarver/Textile/Parser.php index c670615..f8ae92a 100644 --- a/src/Netcarver/Textile/Parser.php +++ b/src/Netcarver/Textile/Parser.php @@ -4719,6 +4719,10 @@ protected function fImage($m) $title = (isset($m['title'])) ? $m['title'] : ''; $href = (isset($m['href'])) ? $m['href'] : ''; + if ($href && !$this->isValidUrl($href)) { + return $m[0]; + } + $alignments = array( '<' => 'left', '=' => 'center', diff --git a/test/fixtures/GHSA-95m2-chm4-mq7m.yaml b/test/fixtures/GHSA-95m2-chm4-mq7m.yaml new file mode 100644 index 0000000..fc91e87 --- /dev/null +++ b/test/fixtures/GHSA-95m2-chm4-mq7m.yaml 
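Review bot: The guard added to fImage is unconditional in the hunk — nothing on those lines ties it to restricted mode — so the "in restricted mode" scoping claimed by the commit rests entirely on isValidUrl being permissive when restricted mode is off, which is not visible here and should be confirmed and stated in a comment such as `// Same protocol check as text links; isValidUrl is expected to pass everything outside restricted mode, so this only bites on restricted input.` The test `$href &&` is a truthiness check, which happens to be harmless here because the only skipped non-empty value is `'0'`, but `$href !== ''` says what is meant. Returning `$m[0]` on rejection echoes the raw matched source back into the output, which is only safe if the input was already HTML-encoded before fImage ran, as restricted mode presumably does earlier; the new fixture should pin that the `<script>` fragment appears escaped in the expected output rather than relying on it implicitly. fImage begins and ends outside this hunk, so whether the image src is subjected to the same validation elsewhere in the method cannot be seen from here.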
@@ -0,0 +1,11 @@ +In restricted mode, restrict protocol for image links too like it was already done for text links: + setup: + - setRestricted: true + input: | + !securing.pl(Click Tu)!:javascript:document.innerHTML=''+document.cookie) + + "securing.pl(Click Tu)":javascript:document.innerHTML=''+document.cookie) + expect : | +

!securing.pl(Click Tu)!:javascript:document.innerHTML=’<script>alert(1);</script>’+document.cookie)

+ +

“securing.pl(Click Tu)”:javascript:document.innerHTML=’<script>alert(1);</script>’+document.cookie)