Merge pull request #461 from nanasess/add-script-escape
`<svg.*on.*?>|<img.*on.*?>` matches too broad a range, so restrict the sanitization target to onload|onerror
okazy authored May 13, 2021
2 parents 2575786 + cefd605 commit 5d5509d
Showing 2 changed files with 3 additions and 3 deletions.
4 changes: 2 additions & 2 deletions data/Smarty/templates/admin/home.tpl
@@ -29,8 +29,8 @@
<!--{foreach item=info from=$arrInfo}-->
<dl class="home-info-item">
<dt class="date"><!--{$info.disp_date|sfDispDBDate:false|h}--></dt>
<dt class="title"><!--{$info.title}--></dt>
<dd class="body"><!--{$info.body}--></dd>
<dt class="title"><!--{$info.title nofilter}--></dt>
<dd class="body"><!--{$info.body nofilter}--></dd>
</dl>
<!--{/foreach}-->
</div>
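Review bot: The replacement lines `<!--{$info.title nofilter}-->` and `<!--{$info.body nofilter}-->` switch off Smarty's default output filtering for both values, so after this hunk the only thing standing between stored admin-info content and the rendered page is whatever escaping was applied before `$arrInfo` was assigned; nothing in this diff shows where that happens. Please document (in the template or the controller that builds `$arrInfo`) which modifier is applied to `title` and `body` and why `nofilter` is safe here, and if `body` is the only field that legitimately needs raw HTML, keep `title` filtered rather than disabling both.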
2 changes: 1 addition & 1 deletion data/smarty_extends/modifier.script_escape.php
@@ -9,7 +9,7 @@ function smarty_modifier_script_escape($value)
{
if (is_array($value)) return $value;

$pattern = "/<script.*?>|<\/script>|javascript:|<svg.*on.*?>|<img.*on.*?>|<body.*onload.*?>|<iframe.*?>|<object.*?>|<embed.*?>|<.*onmouse.*?>/i";
$pattern = "/<script.*?>|<\/script>|javascript:|<svg.*(onload|onerror).*?>|<img.*(onload|onerror).*?>|<body.*onload.*?>|<iframe.*?>|<object.*?>|<embed.*?>|<.*onmouse.*?>/i";
$convert = '#script tag escaped#';

if (preg_match_all($pattern, $value, $matches)) {
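Review bot: Narrowing `<svg.*on.*?>` and `<img.*on.*?>` to `<svg.*(onload|onerror).*?>` and `<img.*(onload|onerror).*?>` fixes the over-matching but makes the denylist strictly smaller: every other `on*` event attribute on those two elements is now passed through untouched, while the trailing `<.*onmouse.*?>` alternative is still as broad as the patterns being removed, so the pattern is inconsistent about what it considers dangerous. The greedy `.*` inside the new alternatives also still spans across unrelated tags on the same line (from a harmless `<svg` up to a later `onload` elsewhere), and because the pattern has no `s` flag it does not cross a newline inside a single tag. A regex denylist cannot be made correct for HTML; the more robust fix is to run `$value` through an allowlist-based HTML sanitizer such as HTML Purifier and keep this modifier only as a defence-in-depth check, with a unit test covering the multi-tag and multi-line cases above.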
