Commit 4bcc6333 authored by Ed Hager's avatar Ed Hager Committed by Bastien ROUCARIÈS

CVE-2018-6561: Update Editor to remove event handler attributes from tags in...

CVE-2018-6561: Update Editor to remove event handler attributes from tags in the editor's contents. (#146)

dijit.Editor in Dojo Toolkit 1.13 allows XSS via the onload attribute of an SVG element.

(Debian: the test page uses an SVG file instead of a PNG)

bug: https://github.com/dojo/dijit/issues/145
bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=898944
bug-redhat: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-6561
origin: https://github.com/dojo/dijit/commit/d22d6cc3458c3c29d2d1fc44652b4bd7f10751f6
parent 3ac1cb32
......@@ -45,6 +45,12 @@ define([
// Defaults to true.
stripIFrames: true,
// stripEventHandlers: [public] Boolean
// Boolean flag used to indicate if event handler attributes like onload should be
// stripped from the document.
// Defaults to true.
stripEventHandlers: true,
// readOnly: [const] Boolean
// Boolean flag used to indicate if the source view should be readonly or not.
// Cannot be changed after initialization of the plugin.
......@@ -477,6 +483,22 @@ define([
return html;
},
_stripEventHandlers: function (html) {
if(html){
// Find all tags that contain an event handler attribute (an on* attribute).
var matches = html.match(/<[a-z]+?\b(.*?on.*?(['"]).*?\2.*?)+>/gim);
if(matches){
for(var i = 0, l = matches.length; i < l; i++){
// For each tag, remove only the event handler attributes.
var match = matches[i];
var replacement = match.replace(/\s+on[a-z]*\s*=\s*(['"])(.*?)\1/igm, "");
html = html.replace(match, replacement);
}
}
}
return html;
},
_filter: function(html){
// summary:
// Internal function to perform some filtering on the HTML.
......@@ -494,6 +516,9 @@ define([
if(this.stripIFrames){
html = this._stripIFrames(html);
}
if(this.stripEventHandlers){
html = this._stripEventHandlers(html);
}
}
return html;
},
......@@ -543,7 +568,8 @@ define([
readOnly: ("readOnly" in args) ? args.readOnly : false,
stripComments: ("stripComments" in args) ? args.stripComments : true,
stripScripts: ("stripScripts" in args) ? args.stripScripts : true,
stripIFrames: ("stripIFrames" in args) ? args.stripIFrames : true
stripIFrames: ("stripIFrames" in args) ? args.stripIFrames : true,
stripEventHandlers: ("stripEventHandlers" in args) ? args.stripEventHandlers : true
});
};
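Review bot: `_stripEventHandlers` only removes handlers whose value is quoted — both regexes require a `'` or `"` right after `on…=` — so an unquoted `<svg onload=alert(1)>` passes through untouched, and because `.` does not match newlines (the `m` flag only affects `^`/`$`) a tag whose attributes are split across lines, like the `<button>` written in the new test page, is not matched at all if such source reaches the filter. The nested `(.*?on.*?…)+` quantifier is a backtracking risk on long attribute lists, and `html.replace(match, replacement)` with a string replacement interprets `$&`, `$'` and `` $` `` sequences taken from the attacker-controlled content. A simpler shape is to visit every tag with `[^>]*` and strip `on*` attributes with or without quotes through a callback, as below; this is still a regex and a `>` inside a quoted value will cut a tag short, so a DOM-based attribute walk would be more robust if the plugin can parse the markup. The enclosing `define([` module starts and ends outside the hunk.
```javascript
_stripEventHandlers: function (html) {
    if(html){
        // Visit every tag; `[^>]*` spans newlines, unlike `.` without the `s` flag.
        html = html.replace(/<[a-z][^>]*>/gi, function(tag){
            // Drop on* attributes whether the value is double-quoted, single-quoted or bare;
            // the callback form keeps `$` sequences in the content from being interpreted.
            return tag.replace(/\s+on[a-z]+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/gi, "");
        });
    }
    return html;
},
```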
......
<?xml version="1.0" encoding="utf-8"?>
<svg xmlns="http://www.w3.org/2000/svg" version="1.1" width="300" height="200">
<rect width="100" height="80" x="0" y="70" fill="green" />
</svg>
......@@ -105,6 +105,48 @@
</div>
<br>
<br>
<div>
<div id="editor4" data-dojo-type="dijit/Editor"
data-dojo-props='"aria-label":"editor3",extraPlugins:["fullScreen", "viewSource"],
style:"background-color: white; width: 800px;", height:"300px" '>
<h1>ViewSource Plugin with stripEventHandlers enabled</h1>
<img ondrag="alert('Bug dragged!')" src="./bug.svg" onclick="alert('Bug clicked!');">
<button
onclick="alert('Button clicked!')"
id="button1"
ondblclick="alert('Button double clicked!')">
onclick button
</button>
<button name="button" id="button2">Just a button</button>
<h2>Things to test:</h2>
<ol>
<li>Click the view source button and verify that all on* attributes have been removed.</li>
</ol>
</div>
</div>
<br>
<br>
<div>
<div id="editor5" data-dojo-type="dijit/Editor"
data-dojo-props='"aria-label":"editor3",extraPlugins:["fullScreen", {name: "viewSource", stripEventHandlers: false}],
style:"background-color: white; width: 800px;", height:"300px" '>
<h1>ViewSource Plugin with stripEventHandlers disabled</h1>
<img ondrag="alert('Bug dragged!')" src="./bug.svg" onclick="alert('Bug clicked!');">
<button
onclick="alert('Button clicked!')"
id="button3"
ondblclick="alert('Button double clicked!')">
onclick button
</button>
<button name="button" id="button4">Just a button</button>
<h2>Things to test:</h2>
<ol>
<li>Click the view source button and verify that all on* attributes have NOT been removed.</li>
</ol>
</div>
</div>
<br>
<br>
<div>Content after the editors.</div>
</body>
</html>
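Review bot: The new manual test page (editor4) exercises only quoted `on*` attributes on `<img>` and `<button>`; the vector named in the commit message, an inline `<svg onload=…>`, is not present — `bug.svg` is only referenced through `<img src>`, and browsers do not run scripts in an SVG loaded as an image — and neither is an unquoted handler value. Add cases such as `<svg onload="alert('svg onload')"><rect width="10" height="10"/></svg>` and `<img src="./bug.svg" onerror=alert('unquoted')>` to editor4 so the filter is checked against the reported vector and the unquoted form. Both new editors also reuse `"aria-label":"editor3"` from the previous example; give them `"editor4"` and `"editor5"` respectively.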