Comment 3 for bug 1536875

Aaron Wells (u-aaronw) wrote :

A tricky one to test, because most of the places where we use htmlpurifier (i.e. in the "html_clean()" method in web.php) are invoked after you enter text via a Pieforms TinyMCE element. Our TinyMCE configuration is pretty well in line with our HTMLPurifier rules, so most malicious HTML will be stripped out by TinyMCE prior to saving it into the database, meaning that HTMLPurifier doesn't even get a chance at it.

Disabling TinyMCE via the "HTML Editor" account setting causes Pieforms to run your text through the format_whitespace() method, which entity-escapes most HTML tags, so that doesn't let you enter malicious HTML either.

I found the easiest way to test it was to leave TinyMCE enabled in my account settings, but then turn it off by disabling Javascript using the developer tools in my web browser:

1. Create a new page, with an innocuous title and description.
2. After saving the new page, click the "Edit title and description" link to go back to that.
3. Using your browser's web developer tools, disable Javascript.
4. Reload the page (with Javascript disabled).
5. In the exposed plaintext field, enter some malicious code like <a href="#" onclick="alert(1)">Test</a>
6. Click the form's submit button to save this.
7. In your browser's web developer tools, turn Javascript back on.
8. View the page in "Display" mode
9. You should see the "Test" link in the page description. Click on it and see if it causes a Javascript alert (and see that the Javascript has been stripped out).

I also tested our semi-custom "allowed iframes" code, like so:

1. Embed a YouTube iframe into a page description:

<iframe width="560" height="315" src="https://www.youtube.com/embed/gQd313jMTjE" frameborder="0" allowfullscreen></iframe>

2. View the page in "display" mode, and verify that the iframe is displayed.

3. Go to Administration -> Extensions -> Allowed iframe URLs, and remove YouTube from the list of allowed iframes.

4. View the page in "display" mode again, and verify that the iframe is *not* displayed.
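The two test procedures above check two separate properties of the sanitizer: that event-handler attributes such as onclick (and javascript: URLs) are dropped, and that an iframe survives only while its src matches an entry in the allowed-iframe list. The following standalone Python sanitizer is an added illustration of exactly those two checks; it is not Mahara's html_clean(), not HTMLPurifier, and its tag/attribute allowlists and the prefix form of the allowed-iframe entries are assumptions for the example. The inputs are constructed, reusing the two payloads from the steps above.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlists are assumptions for this example, not Mahara's or HTMLPurifier's rules.
ALLOWED_TAGS = {"a", "b", "br", "em", "i", "iframe", "p", "strong"}
ALLOWED_ATTRS = {
    "a": {"href", "title"},
    "iframe": {"src", "width", "height", "frameborder", "allowfullscreen"},
}
VOID_TAGS = {"br"}                       # never receive a closing tag
DROP_WITH_CONTENT = {"script", "style"}  # the element and everything inside it go
SAFE_SCHEMES = {"http", "https", "mailto"}


def _safe_url(value):
    """Reject javascript:, data:, vbscript: ...; allow relative URLs and fragments."""
    if value is None:
        return False
    # Browsers ignore ASCII tab/newline inside a URL, so strip them before parsing,
    # otherwise "java\nscript:alert(1)" would slip past the scheme check.
    cleaned = "".join(ch for ch in value if ch not in "\t\n\r").strip()
    scheme = urlparse(cleaned).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES


class Sanitizer(HTMLParser):
    """Rebuilds the input from an allowlist of tags and attributes (assumed lists above)."""

    def __init__(self, allowed_iframe_prefixes):
        super().__init__(convert_charrefs=True)
        self.allowed_iframe_prefixes = [urlparse(p) for p in allowed_iframe_prefixes]
        self.out = []
        self.skip_depth = 0  # > 0 while inside an element that is being dropped

    def _iframe_allowed(self, attrs):
        src = {name.lower(): value for name, value in attrs}.get("src")
        if not src:
            return False
        u = urlparse(src.strip())
        # Compare scheme, host and path prefix as parsed components rather than as a
        # string prefix: a string check is only as strict as its trailing slash.
        for a in self.allowed_iframe_prefixes:
            if u.scheme == a.scheme and u.hostname == a.hostname and u.path.startswith(a.path):
                return True
        return False

    def _render(self, tag, attrs):
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name.startswith("on"):
                continue  # onclick, onload, ...: never an allowed attribute
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name in ("href", "src") and not _safe_url(value):
                continue  # keep the tag, drop the dangerous URL attribute
            kept.append(name if value is None else f'{name}="{escape(value, quote=True)}"')
        return "<" + tag + "".join(" " + attr for attr in kept) + ">"

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag not in VOID_TAGS:
                self.skip_depth += 1
            return
        if tag in DROP_WITH_CONTENT or (tag == "iframe" and not self._iframe_allowed(attrs)):
            self.skip_depth = 1  # drop the element and its content until the matching end tag
            return
        if tag in ALLOWED_TAGS:
            self.out.append(self._render(tag, attrs))
        # any other tag is dropped but its text content is kept

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag not in VOID_TAGS:
                self.skip_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))  # text is re-escaped on the way out


def html_clean(dirty, allowed_iframe_prefixes=()):
    """Example sanitizer; not Mahara's html_clean(). Returns the cleaned HTML string."""
    s = Sanitizer(allowed_iframe_prefixes)
    s.feed(dirty)
    s.close()
    return "".join(s.out)


if __name__ == "__main__":
    # Constructed inputs, reusing the two payloads from the test steps.
    link = '<a href="#" onclick="alert(1)">Test</a>'
    yt = ('<iframe width="560" height="315" src="https://www.youtube.com/embed/gQd313jMTjE" '
          'frameborder="0" allowfullscreen></iframe>')
    print(html_clean(link))                                    # onclick gone, link kept
    print(html_clean(yt, ["https://www.youtube.com/embed/"]))  # YouTube allowed: iframe kept
    print(repr(html_clean(yt)))                                # YouTube removed from list: ''
```

Removing the YouTube prefix from the list passed to html_clean() plays the role of step 3 of the iframe test: the same stored markup then renders with the iframe gone, which is the behaviour step 4 asks you to verify.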