Index: typo3/sysext/core/Tests/Legacy/typo3/contrib/class.removexssTest.php
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- typo3/sysext/core/Tests/Legacy/typo3/contrib/class.removexssTest.php (revision 26a7a3044838fd62f11d74d19caa0279038c2634)
+++ typo3/sysext/core/Tests/Legacy/typo3/contrib/class.removexssTest.php (revision )
@@ -245,7 +245,8 @@
public function checkAttackMetaWithUrl()
{
$testString = '';
- $expectedString = 'ta HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">';
+ $expectedString = 'ta HTTP-EQUIV="refresh" CONTENT="0;url=ript>alert(\'XSS\')
+">';
$actualString = RemoveXSS::process($testString);
$this->assertEquals($expectedString, $actualString);
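Review bot: The new expected value is a single-quoted literal that spans two physical lines (the `+` lines ending in `alert(\'XSS\')` and starting with `">`), so the assertion silently depends on a raw line break inside the string. That break is the trailing newline of the base64 payload the old expectation carried (`...L3NjcmlwdD4K` decodes to a string ending in `\n`), which is easy to miss when reading the test and fragile under editors that normalise line endings. Make it explicit, e.g. end the first line with `. "\n" . '">';` and add `// trailing newline comes from the decoded base64 payload` above it. The closing brace of checkAttackMetaWithUrl is not within the visible hunk lines.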
@@ -467,4 +468,64 @@
RemoveXSS::process($input)
);
}
+
+ /**
+ * @return array input strings and expected output strings to test
+ *
+ * @see dataUrlWithDataProvider
+ */
+ public function dataUrlDataProvider()
+ {
+ return array(
+ 'attackWithUrlEncodedData' => array(
+ 'click',
+ 'click',
+ ),
+ 'attackWithUrlEncodedDataAndMimeType' => array(
+ 'click',
+ 'click',
+ ),
+ 'attackWithUrlEncodedDataAndCharset' => array(
+ 'click',
+ 'click',
+ ),
+ 'attackWithUrlEncodedDataAndMimeTypeAndCharset' => array(
+ 'click',
+ 'click',
+ ),
+ 'attackWithBase64Data' => array(
+ 'click',
+ 'click',
+ ),
+ 'attackWithBase64DataAndMimeType' => array(
+ 'click',
+ 'click',
+ ),
+ 'attackWithBase64DataAndCharset' => array(
+ 'click',
+ 'click',
+ ),
+ 'attackWithBase64DataAndMimeTypeAndCharset' => array(
+ 'click',
+ 'click',
+ ),
+ );
+ }
+
+ /**
+ * @test
+ *
+ * @param string $input input value to test
+ * @param string $expected expected output value
+ *
+ * @dataProvider dataUrlDataProvider
+ */
+ public function dataUrlWithDataProvider($input, $expected)
+ {
+ $this->assertEquals(
+ $expected,
+ RemoveXSS::process($input)
+ );
+ }
+
}
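Review bot: All eight datasets in dataUrlDataProvider are attack cases (every key starts with `attack`), so nothing in this suite asserts that a harmless `data:` URL survives the new decoding path; a regression that mangles a legitimate inline `data:image/...;base64,...` reference would pass unnoticed, and a `benignImageDataUrl` dataset whose expected output equals its input would close that gap. The provider's docblock also does not say what the datasets vary, leaving the reader to decode it from the keys; a sentence such as `Each dataset pairs a data: URL payload variant (URL-encoded or base64, with and without a MIME type and charset) with the output expected after filtering.` after the `@return` line would make the matrix explicit. The test method name dataUrlWithDataProvider describes the mechanism rather than the behaviour; something like `dataUrlPayloadsAreNeutralised` would read better, though it matches the naming of the sibling test that ends at the top of this hunk.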
Index: typo3/sysext/core/Resources/PHP/RemoveXSS.php
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- typo3/sysext/core/Resources/PHP/RemoveXSS.php (revision 26a7a3044838fd62f11d74d19caa0279038c2634)
+++ typo3/sysext/core/Resources/PHP/RemoveXSS.php (revision )
@@ -38,6 +38,43 @@
// Note that you have to handle splits with \n, \r, and \t later since they *are* allowed in some inputs
$value = preg_replace('/([\x00-\x08]|[\x0b-\x0c]|[\x0e-\x19])/', '', $value);
+ // Replace data URLs as they can obfuscate the payload
+ if (stripos($value, 'data:') !== false) {
+ $searchDataUris = '/data:((?
$searchHexEncodings = '/[xX]0{0,8}(21|22|23|24|25|26|27|28|29|2a|2b|2d|2f|30|31|32|33|34|35|36|37|38|39|3a|3b|3d|3f|40|41|42|43|44|45|46|47|48|49|4a|4b|4c|4d|4e|4f|50|51|52|53|54|55|56|57|58|59|5a|5b|5c|5d|5e|5f|60|61|62|63|64|65|66|67|68|69|6a|6b|6c|6d|6e|6f|70|71|72|73|74|75|76|77|78|79|7a|7b|7c|7d|7e);?/i';