Skip to content

Commit

Permalink
[SECURITY] Deny processing instructions
Browse files Browse the repository at this point in the history
XML processing instructions (e.g. `<?xml>`)
are denied during the sanitization process.
  • Loading branch information
ohader committed Nov 14, 2023
1 parent 070009f commit cead6b6
Show file tree
Hide file tree
Showing 4 changed files with 33 additions and 1 deletion.
10 changes: 10 additions & 0 deletions src/Behavior.php
Original file line number Diff line number Diff line change
Expand Up @@ -62,6 +62,11 @@ class Behavior
*/
const ENCODE_INVALID_CDATA_SECTION = 32;

/**
* in case an unexpected processing instruction (e.g. `<?xml>`) was found, encode the whole node as HTML
*/
const ENCODE_INVALID_PROCESSING_INSTRUCTION = 64;

/**
* @var int
*/
Expand Down Expand Up @@ -230,6 +235,11 @@ public function shallEncodeInvalidCdataSection(): bool
return ($this->flags & self::ENCODE_INVALID_CDATA_SECTION) === self::ENCODE_INVALID_CDATA_SECTION;
}

public function shallEncodeInvalidProcessingInstruction(): bool
{
return ($this->flags & self::ENCODE_INVALID_PROCESSING_INSTRUCTION) === self::ENCODE_INVALID_PROCESSING_INSTRUCTION;
}

public function shallRemoveUnexpectedChildren(): bool
{
return ($this->flags & self::REMOVE_UNEXPECTED_CHILDREN) === self::REMOVE_UNEXPECTED_CHILDREN;
Expand Down
6 changes: 5 additions & 1 deletion src/Builder/CommonBuilder.php
Original file line number Diff line number Diff line change
Expand Up @@ -76,7 +76,11 @@ public function build(): Sanitizer
protected function createBehavior(): Behavior
{
return (new Behavior())
->withFlags(Behavior::ENCODE_INVALID_TAG | Behavior::REMOVE_UNEXPECTED_CHILDREN)
->withFlags(
Behavior::ENCODE_INVALID_TAG
| Behavior::REMOVE_UNEXPECTED_CHILDREN
| Behavior::ENCODE_INVALID_PROCESSING_INSTRUCTION
)
->withName('common')
->withTags(...array_values($this->createBasicTags()))
->withTags(...array_values($this->createMediaTags()))
Expand Down
6 changes: 6 additions & 0 deletions src/Visitor/CommonVisitor.php
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@
use DOMComment;
use DOMElement;
use DOMNode;
use DOMProcessingInstruction;
use DOMText;
use Psr\Log\LoggerAwareInterface;
use Psr\Log\LoggerAwareTrait;
Expand Down Expand Up @@ -70,6 +71,10 @@ public function beforeTraverse(Context $context)
*/
public function enterNode(DOMNode $domNode)
{
if ($domNode instanceof DOMProcessingInstruction) {
return $this->handleInvalidNode($domNode);
}

if (!$domNode instanceof DOMCdataSection
&& !$domNode instanceof DOMComment
&& !$domNode instanceof DOMElement
Expand Down Expand Up @@ -248,6 +253,7 @@ protected function handleInvalidNode(DOMNode $domNode)
if (
($domNode instanceof DOMComment && $this->behavior->shallEncodeInvalidComment())
|| ($domNode instanceof DOMCdataSection && $this->behavior->shallEncodeInvalidCdataSection())
|| ($domNode instanceof DOMProcessingInstruction && $this->behavior->shallEncodeInvalidProcessingInstruction())
) {
$this->log('Found unexpected node {nodeName}', [
'behavior' => $this->behavior->getName(),
Expand Down
12 changes: 12 additions & 0 deletions tests/CommonBuilderTest.php
Original file line number Diff line number Diff line change
Expand Up @@ -263,6 +263,14 @@ public function isSanitizedDataProvider(): array
'<!-- &lt;&quot;comment&quot;&gt; -->',
'<!-- &lt;&quot;comment&quot;&gt; -->',
],
'#912' => [
'<!---><p>',
'<!---&gt;&lt;p&gt;-->',
],
'#913' => [
'<!---!><p>',
'<!---!&gt;&lt;p&gt;-->',
],
'#915' => [
'#text',
'#text',
Expand Down Expand Up @@ -303,6 +311,10 @@ public function isSanitizedDataProvider(): array
'<p class="{&quot;json&quot;:true}">value</p>',
'<p class="{&quot;json&quot;:true}">value</p>',
],
'#941' => [
'<?xml >s<img src=x onerror=alert(1)> ?>',
'&lt;?xml &gt;s&lt;img src=x onerror=alert(1)&gt; ?&gt;',
],
];
}

Expand Down

0 comments on commit cead6b6

Please sign in to comment.