Security: Remove on* attributes through new filter of HTML Purifier

AngelFQC · AngelFQC · commit 82cc07edd8ef · 2024-12-02T13:33:27.000-05:00
Fix advisory GHSA-gw58-89f7-4xgj
diff --git a/main/inc/lib/formvalidator/FormValidator.class.php b/main/inc/lib/formvalidator/FormValidator.class.php
@@ -2,6 +2,7 @@
 
 /* For licensing terms, see /license.txt */
 
+use Chamilo\CoreBundle\Component\HTMLPurifier\Filter\RemoveOnAttributes;
 use Chamilo\UserBundle\Entity\User;
 
 /**
@@ -2107,7 +2108,5 @@ function plain_url_filter($html, $mode = NO_HTML)
  */
 function attr_on_filter(string $html): string
 {
-    $pattern = '/\s*on\w+=(?:"[^"]*"|\'[^\']*\'|[^\s>]+)/i';
-
-    return preg_replace($pattern, '', $html);
+    return RemoveOnAttributes::filter($html);
 }
diff --git a/main/inc/lib/security.lib.php b/main/inc/lib/security.lib.php
@@ -3,6 +3,7 @@
 /* For licensing terms, see /license.txt */
 
 use Chamilo\CoreBundle\Component\HTMLPurifier\Filter\AllowIframes;
+use Chamilo\CoreBundle\Component\HTMLPurifier\Filter\RemoveOnAttributes;
 use ChamiloSession as Session;
 
 /**
@@ -347,8 +348,16 @@ public static function remove_XSS($var, int $user_status = null, bool $filter_te
             $config->set('Core.ConvertDocumentToFragment', false);
             $config->set('Core.RemoveProcessingInstructions', true);
 
+            $customFilters = [
+                new RemoveOnAttributes(),
+            ];
+
             if (api_get_setting('enable_iframe_inclusion') == 'true') {
-                $config->set('Filter.Custom', [new AllowIframes()]);
+                $customFilters[] = new AllowIframes();
+            }
+
+            if ($customFilters) {
+                $config->set('Filter.Custom', $customFilters);
             }
 
             // Shows _target attribute in anchors
diff --git a/src/Chamilo/CoreBundle/Component/HTMLPurifier/Filter/RemoveOnAttributes.php b/src/Chamilo/CoreBundle/Component/HTMLPurifier/Filter/RemoveOnAttributes.php
@@ -0,0 +1,24 @@
+<?php
+
+/* For licensing terms, see /license.txt */
+
+namespace Chamilo\CoreBundle\Component\HTMLPurifier\Filter;
+
+use HTMLPurifier_Filter;
+
+class RemoveOnAttributes extends HTMLPurifier_Filter
+{
+    public $name = 'RemoveOnAttributes';
+
+    public function preFilter($html, $config, $context)
+    {
+        return self::filter($html);
+    }
+
+    public static function filter($html)
+    {
+        $pattern = '/\s*on\w+=(?:"[^"]*"|\'[^\']*\'|[^\s>]+)/i';
+
+        return preg_replace($pattern, '', $html);
+    }
+}

Original file line number	Diff line number	Diff line change
`@@ -2,6 +2,7 @@`
`2`	`2`
`3`	`3`	`/* For licensing terms, see /license.txt */`
`4`	`4`
	`5`	`+use Chamilo\CoreBundle\Component\HTMLPurifier\Filter\RemoveOnAttributes;`
`5`	`6`	`use Chamilo\UserBundle\Entity\User;`
`6`	`7`
`7`	`8`	`/**`
`@@ -2107,7 +2108,5 @@ function plain_url_filter($html, $mode = NO_HTML)`
`2107`	`2108`	`*/`
`2108`	`2109`	`function attr_on_filter(string $html): string`
`2109`	`2110`	`{`
`2110`		`- $pattern = '/\son\w+=(?:"[^"]"\|\'[^\']*\'\|[^\s>]+)/i';`
`2111`		`-`
`2112`		`- return preg_replace($pattern, '', $html);`
	`2111`	`+ return RemoveOnAttributes::filter($html);`
`2113`	`2112`	`}`