improve comment XSS attack protection #746
Open
The comment content area lets you configure, in the admin backend, which HTML tags and attributes are allowed, but essentially no protection is applied to the attribute values. The hint shown for that input box in the backend is as follows:

If a user fills in the setting as the hint suggests, i.e.

`<a href="">`

then posting a comment with the following content triggers the problem: it shows up both in the comment display area below the article and in the admin interface under Manage - Comments.

Since, among the commonly used tags, only the `href` attribute causes this problem, and leaving aside behaviour such as deliberately allowing the `<script>` tag, it should be defended against. Following the parsing flow and edge cases of `Typecho_Common::__parseAttrs()`, it is enough to run `Typecho_Validate::url()` on the attribute value with its surrounding quotes stripped. This also shuts down other approaches that might rely on Unicode character-encoding bypasses, and normal users never enter links in character-encoded form, so they are unaffected. I suspect there are still quite a few folks who allow links to be inserted in the comment area...
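An added illustration of the allow-list approach described above, written for this page and not taken from Typecho or from this PR's patch: a minimal tag/attribute filter in Python that judges an `href` value only after entity-decoding and control-character stripping, so encoded or split schemes are checked by their real scheme. The `ALLOWED` table, `SAFE_SCHEMES` and the sample inputs are constructed for the example.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed allow-list, in the spirit of the admin setting described in the PR.
ALLOWED = {"a": {"href", "title"}, "strong": set(), "em": set()}
SAFE_SCHEMES = {"http", "https", "mailto"}

TAG_RE = re.compile(r"<(/?)([a-zA-Z][a-zA-Z0-9]*)((?:\s+[^>]*?)?)\s*(/?)>")
ATTR_RE = re.compile(r'([a-zA-Z][\w:-]*)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s"\'>]+))')


def href_is_safe(value: str) -> bool:
    """Judge the raw attribute value (quotes already stripped) by its real scheme."""
    # Decode entities first: "&#106;avascript:" must be seen as "javascript:".
    decoded = html.unescape(value)
    # Browsers ignore ASCII control characters inside a scheme, so drop them too.
    decoded = re.sub(r"[\x00-\x20\x7f]", "", decoded)
    scheme = urlsplit(decoded).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES  # relative URLs stay allowed


def sanitize(comment: str) -> str:
    """Keep allow-listed tags, drop unsafe href values, escape every other tag."""
    def fix_tag(m: re.Match) -> str:
        closing, name, attrs, _selfclose = m.groups()
        name = name.lower()
        if name not in ALLOWED:
            return html.escape(m.group(0))  # unknown tag is rendered as text
        if closing:
            return f"</{name}>"
        kept = []
        for am in ATTR_RE.finditer(attrs):
            attr = am.group(1).lower()
            value = next(v for v in am.groups()[1:] if v is not None)
            if attr not in ALLOWED[name]:
                continue
            if attr == "href" and not href_is_safe(value):
                continue  # drop only the attribute; the link text is still shown
            kept.append(f'{attr}="{html.escape(value, quote=True)}"')
        return "<" + name + "".join(" " + k for k in kept) + ">"
    return TAG_RE.sub(fix_tag, comment)
```

Text outside of tags is left untouched here; a real comment pipeline escapes it separately before this filter runs.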