Security: Remove on* attributes through new filter of HTML Purifier

Fix advisory GHSA-gw58-89f7-4xgj
9 months ago · 82cc07edd8
parent 241c569dde
commit 82cc07edd8
3 changed files with 36 additions and 4 deletions
--- a/main/inc/lib/formvalidator/FormValidator.class.php
+++ b/main/inc/lib/formvalidator/FormValidator.class.php
@ -2,6 +2,7 @@

 /* For licensing terms, see /license.txt */

+use Chamilo\CoreBundle\Component\HTMLPurifier\Filter\RemoveOnAttributes;
 use Chamilo\UserBundle\Entity\User;

 /**
@ -2107,7 +2108,5 @@ function plain_url_filter($html, $mode = NO_HTML)
 */
 function attr_on_filter(string $html): string
 {
-    $pattern = '/\s*on\w+=(?:"[^"]*"|\'[^\']*\'|[^\s>]+)/i';
-
-    return preg_replace($pattern, '', $html);
+    return RemoveOnAttributes::filter($html);
 }
--- a/main/inc/lib/security.lib.php
+++ b/main/inc/lib/security.lib.php
@ -3,6 +3,7 @@
 /* For licensing terms, see /license.txt */

 use Chamilo\CoreBundle\Component\HTMLPurifier\Filter\AllowIframes;
+use Chamilo\CoreBundle\Component\HTMLPurifier\Filter\RemoveOnAttributes;
 use ChamiloSession as Session;

 /**
@ -347,8 +348,16 @@ class Security
            $config->set('Core.ConvertDocumentToFragment', false);
            $config->set('Core.RemoveProcessingInstructions', true);

+            $customFilters = [
+                new RemoveOnAttributes(),
+            ];
+
            if (api_get_setting('enable_iframe_inclusion') == 'true') {
-                $config->set('Filter.Custom', [new AllowIframes()]);
+                $customFilters[] = new AllowIframes();
+            }
+
+            if ($customFilters) {
+                $config->set('Filter.Custom', $customFilters);
            }

            // Shows _target attribute in anchors
--- a/src/Chamilo/CoreBundle/Component/HTMLPurifier/Filter/RemoveOnAttributes.php
+++ b/src/Chamilo/CoreBundle/Component/HTMLPurifier/Filter/RemoveOnAttributes.php
@ -0,0 +1,24 @@
+<?php
+
+/* For licensing terms, see /license.txt */
+
+namespace Chamilo\CoreBundle\Component\HTMLPurifier\Filter;
+
+use HTMLPurifier_Filter;
+
+class RemoveOnAttributes extends HTMLPurifier_Filter
+{
+    public $name = 'RemoveOnAttributes';
+
+    public function preFilter($html, $config, $context)
+    {
+        return self::filter($html);
+    }
+
+    public static function filter($html)
+    {
+        $pattern = '/\s*on\w+=(?:"[^"]*"|\'[^\']*\'|[^\s>]+)/i';
+
+        return preg_replace($pattern, '', $html);
+    }
+}