Merge pull request #1856

nuxsmin · web-flow · commit 9d0e169d2163 · 2022-07-02T07:48:11.000+02:00
* fix: Encode XSS related characters and strip tags.
diff --git a/lib/SP/Html/Html.php b/lib/SP/Html/Html.php
@@ -191,12 +191,12 @@ public static function getSafeUrl(string $url): string
         }
 
         return preg_replace_callback(
-            '/[^:\/@?&=#%\w]+/u',
+            '/["<>\']+/u',
             function ($matches)
             {
                 return urlencode($matches[0]);
             },
-            $url
+            strip_tags($url)
         );
     }
 }
diff --git a/lib/SP/Services/Install/Installer.php b/lib/SP/Services/Install/Installer.php
@@ -60,9 +60,9 @@ final class Installer extends Service
     /**
      * sysPass' version and build number
      */
-    const VERSION      = [3, 2, 10];
+    const VERSION      = [3, 2, 11];
     const VERSION_TEXT = '3.2';
-    const BUILD        = 22070101;
+    const BUILD        = 22070201;
 
     /**
      * @var DatabaseSetupInterface
diff --git a/tests/SP/Html/HtmlTest.php b/tests/SP/Html/HtmlTest.php
@@ -56,7 +56,7 @@ public function testGetSafeUrlOk()
      */
     public function testGetSafeUrlEncoded(string $url)
     {
-        $this->assertEquals(0, preg_match('/["<>]+/', Html::getSafeUrl($url)));
+        $this->assertEquals(0, preg_match('/["<>\']+/', Html::getSafeUrl($url)));
     }
 
     private function urlProvider(): array
@@ -67,6 +67,7 @@ private function urlProvider(): array
             ['https://foo.com/"><script>alert("TEST");</script>'],
             ['https://foo.com/"%20onClick="alert(\'TEST\'")'],
             ['https://foo.com/" onClick="alert(\'TEST\')"'],
+            ['mongodb+srv://cluster.foo.mongodb.net/bar'],
         ];
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -191,12 +191,12 @@ public static function getSafeUrl(string $url): string`
`191`	`191`	`}`
`192`	`192`
`193`	`193`	`return preg_replace_callback(`
`194`		`- '/[^:\/@?&=#%\w]+/u',`
	`194`	`+ '/["<>\']+/u',`
`195`	`195`	`function ($matches)`
`196`	`196`	`{`
`197`	`197`	`return urlencode($matches[0]);`
`198`	`198`	`},`
`199`		`- $url`
	`199`	`+ strip_tags($url)`
`200`	`200`	`);`
`201`	`201`	`}`
`202`	`202`	`}`
Original file line number	Diff line number	Diff line change
`@@ -56,7 +56,7 @@ public function testGetSafeUrlOk()`
`56`	`56`	`*/`
`57`	`57`	`public function testGetSafeUrlEncoded(string $url)`
`58`	`58`	`{`
`59`		`- $this->assertEquals(0, preg_match('/["<>]+/', Html::getSafeUrl($url)));`
	`59`	`+ $this->assertEquals(0, preg_match('/["<>\']+/', Html::getSafeUrl($url)));`
`60`	`60`	`}`
`61`	`61`
`62`	`62`	`private function urlProvider(): array`
`@@ -67,6 +67,7 @@ private function urlProvider(): array`
`67`	`67`	`['https://foo.com/"><script>alert("TEST");</script>'],`
`68`	`68`	`['https://foo.com/"%20onClick="alert(\'TEST\'")'],`
`69`	`69`	`['https://foo.com/" onClick="alert(\'TEST\')"'],`
	`70`	`+ ['mongodb+srv://cluster.foo.mongodb.net/bar'],`
`70`	`71`	`];`
`71`	`72`	`}`
`72`	`73`	`}`