
Make sure nested php tags are also removed when sanitising svg
adam-holdbrook-technologywithin committed Aug 7, 2024
1 parent 15668e0 commit a6b3933
Showing 4 changed files with 85 additions and 22 deletions.
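--- a/src/Sanitizer.php
+++ b/src/Sanitizer.php
@@ -220,8 +220,13 @@ public function sanitize($dirty)
 return '';
 }
 
-// Strip php tags
-$dirty = preg_replace('/<\?(=|php)(.+?)\?>/i', '', $dirty);
+do {
+/*
+* recursively remove php tags because they can be hidden inside tags
+* i.e. <?p<?php test?>hp echo . ' danger! ';?>
+*/
+$dirty = preg_replace('/<\?(=|php)(.+?)\?>/i', '', $dirty);
+} while (preg_match('/<\?(=|php)(.+?)\?>/i', $dirty) != 0);
 
 $this->resetInternal();
 $this->setUpBefore();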
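Review bot: `preg_replace` on the new line inside the `do` block returns null on a PCRE error (for instance when the backtrack limit is hit on a large input), and the loop would then hand a null `$dirty` on to `resetInternal()`/`setUpBefore()` instead of failing closed the way the `return '';` a few lines above does. The `$count` out-parameter of `preg_replace` also makes the second pattern evaluation in the `while` condition, and the duplicated regex literal, unnecessary. Since `.` does not match newlines without the `s` modifier, a tag whose body spans lines is not touched by this pre-filter; `/<\?(=|php)(.+?)\?>/is` would cover it (downstream DOM filtering presumably still applies, so the practical impact is hedged). The body of `sanitize()` starts and continues outside this hunk.

```php
do {
    // Repeat until nothing is removed: a tag can be hidden inside another one.
    $dirty = preg_replace('/<\?(=|php)(.+?)\?>/is', '', $dirty, -1, $count);
    if ($dirty === null) {
        // PCRE error (e.g. backtrack limit): fail closed like the check above.
        return '';
    }
} while ($count > 0);
// … unchanged: resetInternal() / setUpBefore() …
```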
74 changes: 54 additions & 20 deletions tests/SanitizerTest.php
Expand Up @@ -308,34 +308,34 @@ public function testLargeUseDOSattacksAreNullified()
self::assertXmlStringEqualsXmlString($expected, $cleanData);
}

public function testInvalidNodesAreHandled()
{
$dataDirectory = __DIR__ . '/data';
$initialData = file_get_contents($dataDirectory . '/htmlTest.svg');
$expected = file_get_contents($dataDirectory . '/htmlClean.svg');
public function testInvalidNodesAreHandled()
{
$dataDirectory = __DIR__ . '/data';
$initialData = file_get_contents($dataDirectory . '/htmlTest.svg');
$expected = file_get_contents($dataDirectory . '/htmlClean.svg');

$sanitizer = new Sanitizer();
$sanitizer->minify(false);
$cleanData = $sanitizer->sanitize($initialData);
$sanitizer = new Sanitizer();
$sanitizer->minify(false);
$cleanData = $sanitizer->sanitize($initialData);

self::assertXmlStringEqualsXmlString($expected, $cleanData);
}
self::assertXmlStringEqualsXmlString($expected, $cleanData);
}

/**
* @test
*/
public function cdataSectionIsSanitized()
{
$dataDirectory = __DIR__ . '/data';
$initialData = file_get_contents($dataDirectory . '/cdataTest.svg');
$expected = file_get_contents($dataDirectory . '/cdataClean.svg');
public function cdataSectionIsSanitized()
{
$dataDirectory = __DIR__ . '/data';
$initialData = file_get_contents($dataDirectory . '/cdataTest.svg');
$expected = file_get_contents($dataDirectory . '/cdataClean.svg');

$sanitizer = new Sanitizer();
$sanitizer->minify(false);
$cleanData = $sanitizer->sanitize($initialData);
$sanitizer = new Sanitizer();
$sanitizer->minify(false);
$cleanData = $sanitizer->sanitize($initialData);

self::assertXmlStringEqualsXmlString($expected, $cleanData);
}
self::assertXmlStringEqualsXmlString($expected, $cleanData);
}

/**
* @test
Expand Down Expand Up @@ -368,4 +368,38 @@ public function formDataisSanitized()

self::assertXmlStringEqualsXmlString($expected, $cleanData);
}

/**
* @test
*/
public function maliciousSvgJsSanitized()
{
$dataDirectory = __DIR__ . '/data';
$initialData = file_get_contents($dataDirectory . '/maliciousJsAndPhpTest.svg');
$expected = file_get_contents($dataDirectory . '/maliciousJsAndPhpClean.svg');


$sanitizer = new Sanitizer();
$sanitizer->minify(false);
$cleanData = $sanitizer->sanitize($initialData);

self::assertXmlStringEqualsXmlString($expected, $cleanData);
}

/**
* @test
*/
public function maliciousSvgPhpTagsStripped()
{
$dataDirectory = __DIR__ . '/data';
$initialData = file_get_contents($dataDirectory . '/maliciousJsAndPhpTest.svg');

$sanitizer = new Sanitizer();
$sanitizer->minify(false);
$cleanData = $sanitizer->sanitize($initialData);

foreach (['<?php', '<?='] as $value) {
self::assertStringNotContainsString($value, $cleanData);
}
}
}
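Review bot: `maliciousSvgPhpTagsStripped` in the second hunk never checks that the fixture actually contains the tags it asserts are gone, so an edited or empty `maliciousJsAndPhpTest.svg` would make the test pass vacuously; add `self::assertStringContainsString('<?php', $initialData);` before the `sanitize` call. `assertStringNotContainsString` is also case-sensitive while the sanitizer's pattern uses the `i` modifier, so `assertStringNotContainsStringIgnoringCase` matches the contract being tested. The two new tests load and sanitize the same fixture; the second could reuse the first's result or both could share a small helper, and the double blank line after the `$expected` assignment in `maliciousSvgJsSanitized` is a style nit. The first hunk is a whitespace-only re-indent and raises nothing.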
11 changes: 11 additions & 0 deletions tests/data/maliciousJsAndPhpClean.svg
13 changes: 13 additions & 0 deletions tests/data/maliciousJsAndPhpTest.svg
