8000 Fix xss though the description in the info.xml file of a theme or module by carakas · Pull Request #3499 · forkcms/forkcms · GitHub
[go: up one dir, main page]
Skip to content

Fix xss though the description in the info.xml file of a theme or module#3499

Merged
carakas merged 1 commit intoforkcms:masterfrom
justcarakas:fix-xss-though-theme-or-module-description
Mar 23, 2022
Merged

Fix xss though the description in the info.xml file of a theme or module#3499
carakas merged 1 commit intoforkcms:masterfrom
justcarakas:fix-xss-though-theme-or-module-description

Conversation

@carakas
Copy link
Member
@carakas carakas commented Mar 23, 2022

Type

  • Security

Resolves the following issues

Pull request description

Sanitise the HTML that is allowed in the description of a module or theme to prevent XSS

@carakas carakas added this to the 5.11.1 milestone Mar 23, 2022
@carakas carakas requested a review from a team March 23, 2022 13:21
@carakas carakas added Extensions security Pull requests that address a security vulnerability labels Mar 23, 2022
@codecov
Copy link
codecov bot commented Mar 23, 2022
edited
Loading

Codecov Report

Merging #3499 (981730f) into master (1b38e33) will not change coverage.
The diff coverage is 100.00%.

@@            Coverage Diff            @@
##             master    #3499   +/-   ##
=========================================
  Coverage     27.88%   27.88%           
  Complexity     8145     8145           
=========================================
  Files           575      575           
  Lines         30691    30691           
=========================================
  Hits           8557     8557           
  Misses        22134    22134
Flag Coverage Δ
functional 23.78% <100.00%> (ø)
installer 3.84% <0.00%> (ø)
unit 7.69% <0.00%> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files Coverage Δ
src/Backend/Modules/Extensions/Engine/Model.php 44.57% <100.00%> (ø)

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 1b38e33...981730f. Read the comment docs.

tijsverkoyen
tijsverkoyen approved these changes Mar 23, 2022
View reviewed changes
src/Backend/Modules/Extensions/Engine/Model.php
$information['version'] = (string) $module->version;
$information['requirements'] = (array) $module->requirements;
$information['description'] = (string) $module->description;
$information['description'] = strip_tags((string) $module->description, '<h1><h2><h3><h4><h5><h6><p><li><a>');
Copy link
Member
@tijsverkoyen tijsverkoyen Mar 23, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fine by me, but shouldn't this be some generic function where we can centralise the safe tags?

Copy link
Member Author
@carakas carakas Mar 23, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

symfony is busy making a package (no 1.0.0 release yet) that will be included in version 6.1 that I'm already using in fork 6 so didn't think of making something custom for this.
Fixed this because of a security issue that was reported to me

@carakas carakas merged commit 73ced08 into forkcms:master Mar 23, 2022
@carakas carakas deleted the fix-xss-though-theme-or-module-description branch March 23, 2022 18:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tijsverkoyen tijsverkoyen tijsverkoyen approved these changes

Assignees

@tijsverkoyen tijsverkoyen

Labels

Extensions security Pull requests that address a security vulnerability

Projects

None yet

Milestone

5.11.1

Development

Successfully merging this pull request may close these issues.

2 participants

@carakas @tijsverkoyen
0