In restricted mode, restrict image link protocol
In restricted mode, protocol for image links is restricted the
same way it was already done for text links. This disallows
using JavaScript in image links, for example.
gocom committed Jan 7, 2025
1 parent 5764751 commit ab18ae9
Showing 3 changed files with 18 additions and 0 deletions.
3 changes: 3 additions & 0 deletions CHANGELOG.textile
Expand Up @@ -4,6 +4,9 @@ Here's a summary of changes in each release. The list doesn't include some small

h2. Version 4.1.3 - upcoming

* This is a security update, which fixes stored XSS vulnerability in image link handing.
* Fixed: In restricted mode, restrict image link protocol. Previously and an image link's href allowed all protocols in restricted mode. Now it goes through the same validation as text links.

h2. "Version 4.1.2 - 2024/08/29":https://github.com/textile/php-textile/releases/tag/v4.1.2

* Fix PHP 8.4 compatibility issues (closes "#227":https://github.com/textile/php-textile/issues/227).
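Review bot: Both added changelog entries under "Version 4.1.3 - upcoming" have wording slips: "image link handing" should read "handling", and "Previously and an image link's href allowed" carries a stray "and". The first entry also reads better as "fixes a stored XSS vulnerability". Since the fixture added in this commit is named after the advisory (GHSA-95m2-chm4-mq7m), consider citing that id in the security entry so readers of the changelog can find it.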
4 changes: 4 additions & 0 deletions src/Netcarver/Textile/Parser.php
Expand Up @@ -4719,6 +4719,10 @@ protected function fImage($m)
$title = (isset($m['title'])) ? $m['title'] : '';
$href = (isset($m['href'])) ? $m['href'] : '';

if ($href && !$this->isValidUrl($href)) {
return $m[0];
}

$alignments = array(
'<' => 'left',
'=' => 'center',
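Review bot: The new guard in fImage() has no comment, and nothing in the visible lines ties it to restricted mode, which is the scope the commit title and changelog give it. If isValidUrl() is where the restricted-mode scheme check lives, a one-line comment above `if ($href && !$this->isValidUrl($href)) {` saying so would keep a later reader from assuming the check applies, or does not apply, in unrestricted mode. A smaller point on the same line: `$href &&` is a truthiness test, so an href of "0" skips the call; `$href !== ''` states the intent exactly.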
11 changes: 11 additions & 0 deletions test/fixtures/GHSA-95m2-chm4-mq7m.yaml
@@ -0,0 +1,11 @@
In restricted mode, restrict protocol for image links too like it was already done for text links:
setup:
- setRestricted: true
input: |
!securing.pl(Click Tu)!:javascript:document.innerHTML='<script>alert(1);</script>'+document.cookie)
"securing.pl(Click Tu)":javascript:document.innerHTML='<script>alert(1);</script>'+document.cookie)
expect : |
<p>!securing.pl(Click Tu)!:javascript:document.innerHTML=&#8217;&lt;script&gt;alert(1);&lt;/script&gt;&#8217;+document.cookie)</p>
<p>&#8220;securing.pl(Click Tu)&#8221;:javascript:document.innerHTML=&#8217;&lt;script&gt;alert(1);&lt;/script&gt;&#8217;+document.cookie)</p>
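Review bot: The fixture only asserts the rejecting path, with both input lines using the same lowercase javascript: href. It would be worth adding a case under `setRestricted: true` where an image carries an href that should pass validation, so the test also shows that the new early return in fImage() does not break legitimate image links, and a case with restricted mode off to pin down the intended behaviour there. Style point: `expect :` has a space before the colon while `setup:` and `input:` do not.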
