improve comment XSS attack protection #746
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
评论内容区域可在后台自定义配置允许的HTML标签与其属性,但是基本未对属性内容作任何保护。后台该输入框提示如下:
如果用户按照提示填入
<a href="">则评论如下内容,即会导致问题:在文章后的评论显示区域及后台管理界面中的管理 - 评论界面,都会产生问题。
鉴于常用的几个标签里面只有
href属性会导致这个问题,且不考虑类似主动开放<script>标签的行为,应当对其进行防御。根据Typecho_Common::__parseAttrs()的解析流程及边界情况,只需要利用Typecho_Validate::url()对去掉包裹的引号的属性值进行判定即可,这样也禁掉了其他方式可能会被采用 Unicode 字符编码绕过的问题,而正常用户不会以字符编码形式输入所以无影响。感觉允许评论区域插入链接的老哥应该还是不少的...