Update to HTMLPurifier 4.7.0

Bug #1536875 reported by Robert Lyon
Affects: Mahara
Status: Fix Released
Importance: Low
Assigned to: Robert Lyon
Milestone: (none)

Bug Description

Update to the latest code - best to be safe

Mahara Bot (dev-mahara) wrote : A patch has been submitted for review

Patch for "master" branch: https://reviews.mahara.org/5961

Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/5961
Committed: https://git.mahara.org/mahara/mahara/commit/14357182122daf7e9c72618bd6e64c748498a60a
Submitter: Aaron Wells (<email address hidden>)
Branch: master

commit 14357182122daf7e9c72618bd6e64c748498a60a
Author: Robert Lyon <email address hidden>
Date: Fri Jan 22 16:21:20 2016 +1300

Bug 1536875: Updating HTMLPurifier to 4.7.0

incl the three minor local changes
859478ef6e3f05dbdedb0df0d1d2a922bdc16b0e
9694c3a2965a8d9cc5789879cd4a6f0960423544
efe949976ef5a2ace679085a1151da7c392a24d0

(and updating HTMLPurifier/ConfigSchema/schema.ser
by running maintenance/generate-schema-cache.php
from the main HTMLPurifier git project)

behatnotneeded

Change-Id: I0cde726f429d191795296e87e668c6419aa3ccde
Signed-off-by: Robert Lyon <email address hidden>

Aaron Wells (u-aaronw) wrote :

A tricky one to test, because most of the places where we use htmlpurifier (i.e. in the "html_clean()" method in web.php) are invoked after you enter text via a Pieforms TinyMCE element. Our TinyMCE configuration is pretty well in line with our HTMLPurifier rules, so most malicious HTML will be stripped out by TinyMCE prior to saving it into the database, meaning that HTMLPurifier doesn't even get a chance at it.

Disabling TinyMCE via the "HTML Editor" account setting causes Pieforms to run your text through the format_whitespace() method, which entity-escapes most HTML tags, so that doesn't let you enter malicious HTML either.

I found the easiest way to test it was to leave TinyMCE enabled in my account settings, but then turn it off by disabling Javascript using the developer tools in my web browser:

1. Create a new page, with an innocuous title and description.
2. After saving the new page, click the "Edit title and description" link to go back to that.
3. Using your browser's web developer tools, disable Javascript.
4. Reload the page (with Javascript disabled).
5. In the exposed plaintext field, enter some malicious code like <a href="#" onclick="alert(1)">Test</a>
6. Click the form's submit button to save this.
7. In your browser's web developer tools, turn Javascript back on
8. View the page in "Display" mode
9. You should see the "Test" link in the page description. Click on it and see if it causes a Javascript alert (and see that the Javascript has been stripped out).

I also tested our semi-custom "allowed iframes" code, like so:

1. Embed a YouTube iframe into a page description:

<iframe width="560" height="315" src="https://www.youtube.com/embed/gQd313jMTjE" frameborder="0" allowfullscreen></iframe>

2. View the page in "display" mode, and verify that the iframe is displayed.

3. Go to Administration -> Extensions -> Allowed iframe URLs, and remove YouTube from the list of allowed iframes.

4. View the page in "display" mode again, and verify that the iframe is *not* displayed.
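The two checks in the test plan above (an onclick handler on a link, and an iframe that is allowed or dropped depending on an allowlist) can also be exercised against HTMLPurifier directly, outside the Mahara UI. The script below is an added example; it is not Mahara's html_clean() and does not reproduce how Mahara builds its configuration from the "Allowed iframe URLs" list. It assumes HTMLPurifier is installed through Composer (the autoload path is an assumption), models the allowlist as a set of literal URL prefixes turned into HTMLPurifier's URI.SafeIframeRegexp, and uses a constructed attacker URL for the negative case.

```php
<?php
// Added example, not Mahara's own code: run HTMLPurifier over the inputs
// from the test plan above. Assumes a Composer install of ezyang/htmlpurifier;
// the autoload path below is an assumption for this example.
require_once __DIR__ . '/vendor/autoload.php';

/**
 * Purify $html, permitting <iframe> only when its src starts with one of the
 * given URL prefixes. This is a stand-in for Mahara's "Allowed iframe URLs"
 * list; the regexp Mahara itself derives from that list is not reproduced here.
 */
function purify_with_iframe_allowlist(string $html, array $allowedPrefixes): string
{
    $config = HTMLPurifier_Config::createDefault();
    // No on-disk definition cache for a one-off check.
    $config->set('Cache.DefinitionImpl', null);

    if (count($allowedPrefixes) > 0) {
        // Anchored alternation of literal prefixes, e.g.
        // %^(https://www\.youtube\.com/embed/|https://player\.vimeo\.com/video/)%
        $alternation = implode('|', array_map(function ($p) {
            return preg_quote($p, '%');
        }, $allowedPrefixes));
        $config->set('HTML.SafeIframe', true);
        $config->set('URI.SafeIframeRegexp', '%^(' . $alternation . ')%');
    } else {
        // With no allowlist, iframes are not part of the allowed element set at all.
        $config->set('HTML.SafeIframe', false);
    }

    $purifier = new HTMLPurifier($config);
    return $purifier->purify($html);
}

// Constructed inputs: the first two are the ones used in the test plan above.
$xssLink = '<a href="#" onclick="alert(1)">Test</a>';
$ytFrame = '<iframe width="560" height="315" src="https://www.youtube.com/embed/gQd313jMTjE" '
         . 'frameborder="0" allowfullscreen></iframe>';
// Constructed for this example; not from the page.
$otherFrame = '<iframe src="https://attacker.example/phish.html"></iframe>';

$youtubeOnly = ['https://www.youtube.com/embed/'];

$checks = [
    'onclick stripped from link' =>
        stripos(purify_with_iframe_allowlist($xssLink, $youtubeOnly), 'onclick') === false,
    'YouTube iframe kept while YouTube is allowed' =>
        stripos(purify_with_iframe_allowlist($ytFrame, $youtubeOnly), '<iframe') !== false,
    'YouTube iframe dropped once removed from the allowlist' =>
        stripos(purify_with_iframe_allowlist($ytFrame, []), '<iframe') === false,
    'non-allowlisted iframe dropped even though YouTube is allowed' =>
        stripos(purify_with_iframe_allowlist($otherFrame, $youtubeOnly), '<iframe') === false,
];

foreach ($checks as $label => $ok) {
    printf("[%s] %s\n", $ok ? 'PASS' : 'FAIL', $label);
}
```

Run it with `php check-purifier.php` from the project root. A FAIL on the first line means event-handler attributes are surviving purification; a FAIL on either iframe line means the allowlist regexp is not doing what the UI test expects, which is worth knowing before attributing the result to the TinyMCE or Pieforms layers described above.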

Changed in mahara:
status: In Progress → Fix Committed
Changed in mahara:
status: Fix Committed → Fix Released