mahara-contributors team mailing list archive

[Bug 1536875] Re: Update to HTMLPurifier 4.7.0

 

A tricky one to test, because most of the places where we use
htmlpurifier (i.e. in the "html_clean()" method in web.php) are invoked
after you enter text via a Pieforms TinyMCE element. Our TinyMCE
configuration is pretty well in line with our HTMLPurifier rules, so
most malicious HTML will be stripped out by TinyMCE prior to saving it
into the database, meaning that HTMLPurifier doesn't even get a chance
at it.

Disabling TinyMCE via the "HTML Editor" account setting causes Pieforms
to run your text through the format_whitespace() method, which
entity-escapes most HTML tags, so that doesn't let you enter malicious
HTML either.

I found the easiest way to test it was to leave TinyMCE enabled in my
account settings, but then turn it off by disabling Javascript using the
developer tools in my web browser:

1. Create a new page, with an innocuous title and description.
2. After saving the new page, click the "Edit title and description" link to go back to that.
3. Using your browser's web developer tools, disable Javascript.
4. Reload the page (with Javascript disabled).
5. In the exposed plaintext field, enter some malicious code like <a href="#" onclick="alert(1)">Test</a>
6. Click the form's submit button to save this.
7. In your browser's web developer tools, turn Javascript back on
8. View the page in "Display" mode.
9. You should see the "Test" link in the page description. Click on it and see if it causes a Javascript alert (and see that the Javascript has been stripped out).

I also tested our semi-custom "allowed iframes" code, like so:

1. Embed a YouTube iframe into a page description:

<iframe width="560" height="315"
src="https://www.youtube.com/embed/gQd313jMTjE" frameborder="0"
allowfullscreen></iframe>

2. View the page in "display" mode, and verify that the iframe is
displayed.

3. Go to Administration -> Extensions -> Allowed iframe URLs, and remove
YouTube from the list of allowed iframes.

4. View the page in "display" mode again, and verify that the iframe is
*not* displayed.

** Changed in: mahara
       Status: In Progress => Fix Committed

https://bugs.launchpad.net/bugs/1536875

Title:
  Update to HTMLPurifier 4.7.0

Status in Mahara:
  Fix Committed

Bug description:
  Update to the latest code - best to be safe

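The two checks in the comment above (an onclick handler that must be stripped from an otherwise harmless link, and an iframe that is kept only while its host is on the allowed list) can be exercised offline with a small allowlist sanitizer. The following is an added example written for this page; it is not HTMLPurifier, not Mahara's html_clean(), and not Mahara's "Allowed iframe URLs" implementation. The tag and attribute allowlists, the names sanitize and AllowlistSanitizer, and the extra sample inputs are assumptions made here; the link and the YouTube iframe are the inputs quoted in the test plan.

```python
"""Illustrative allowlist HTML sanitizer, added as an example for this page.
It is NOT HTMLPurifier and NOT Mahara's html_clean(); it only models the two
behaviours the test plan checks: inline event handlers (onclick etc.) are
dropped from otherwise-allowed tags, and an <iframe> survives only when its
src host is on a runtime-editable allowlist (standing in for Mahara's
"Allowed iframe URLs" admin page). All allowlists below are assumptions."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: tag -> attributes kept on that tag.
ALLOWED_TAGS = {
    "a": {"href", "title"},
    "p": set(), "b": set(), "i": set(), "br": set(),
    "iframe": {"src", "width", "height", "frameborder", "allowfullscreen"},
}
VOID_TAGS = {"br"}
# Tags whose content is dropped as well as the tag itself.
DROP_CONTENT_TAGS = {"script", "style", "object", "embed"}
SAFE_URL_SCHEMES = {"http", "https", "mailto", ""}   # "" = relative URL or "#"


class AllowlistSanitizer(HTMLParser):
    def __init__(self, allowed_iframe_hosts):
        super().__init__(convert_charrefs=True)
        self.allowed_iframe_hosts = {h.lower() for h in allowed_iframe_hosts}
        self.out = []
        self.open_tags = []    # allowed tags emitted and not yet closed
        self.skip_stack = []   # non-empty while inside content being dropped

    def _iframe_allowed(self, src):
        u = urlparse(src)
        # Exact host match: "www.youtube.com.evil.example" must not pass.
        return (u.scheme in ("http", "https") and u.hostname is not None
                and u.hostname.lower() in self.allowed_iframe_hosts)

    def handle_starttag(self, tag, attrs):
        if self.skip_stack:
            if tag not in VOID_TAGS:
                self.skip_stack.append(tag)
            return
        if tag in DROP_CONTENT_TAGS:
            self.skip_stack.append(tag)
            return
        if tag not in ALLOWED_TAGS:
            return                        # strip the tag, keep its text content
        kept = []
        for name, value in attrs:
            if name.startswith("on"):     # onclick, onerror, onload, ...
                continue
            if name not in ALLOWED_TAGS[tag]:
                continue
            if name in ("href", "src"):
                scheme = urlparse((value or "").strip()).scheme.lower()
                if scheme not in SAFE_URL_SCHEMES:   # javascript:, data:, vbscript:
                    continue
            kept.append((name, value))
        if tag == "iframe" and not self._iframe_allowed(dict(kept).get("src") or ""):
            self.skip_stack.append(tag)   # drop the whole iframe, content included
            return
        parts = [tag] + [n if v is None else f'{n}="{escape(v, quote=True)}"'
                         for n, v in kept]
        self.out.append("<" + " ".join(parts) + ">")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.skip_stack:
            if tag in self.skip_stack:    # leave the dropped region at its matching close
                while self.skip_stack.pop() != tag:
                    pass
            return
        if tag in VOID_TAGS or tag not in self.open_tags:
            return
        while self.open_tags:             # close back to the matching tag
            t = self.open_tags.pop()
            self.out.append(f"</{t}>")
            if t == tag:
                break

    def handle_data(self, data):
        if not self.skip_stack:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass                              # comments are dropped

    def result(self):
        self.close()
        while self.open_tags:             # close anything the input left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(html, allowed_iframe_hosts=()):
    """Sanitize one HTML fragment; allowed_iframe_hosts plays the admin list."""
    p = AllowlistSanitizer(allowed_iframe_hosts)
    p.feed(html)
    return p.result()


if __name__ == "__main__":
    # Constructed inputs: the two cases from the test plan above.
    link = '<a href="#" onclick="alert(1)">Test</a>'
    yt = ('<iframe width="560" height="315" '
          'src="https://www.youtube.com/embed/gQd313jMTjE" frameborder="0" '
          'allowfullscreen></iframe>')
    print(sanitize(link))
    print(sanitize(yt, ["www.youtube.com"]))   # YouTube allowed: iframe kept
    print(repr(sanitize(yt)))                   # YouTube removed: iframe dropped
```

Passing an allowed_iframe_hosts argument without "www.youtube.com" plays the role of step 3 of the iframe test: the same iframe that rendered a moment ago is dropped on the next pass. The match is on the exact parsed hostname rather than on a substring of the URL, which is the property to confirm when reviewing any iframe allowlist, since a prefix test would let "https://www.youtube.com.evil.example/" through. A production sanitizer such as HTMLPurifier parses into a DOM and normalises URLs far more aggressively than this sketch does.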