$badIframes = $xPath->query('//*[' . static::xpathContains('@src', 'data:') . '] | //*[' . static::xpathContains('@src', 'javascript:') . '] | //*[@srcdoc]');
static::removeNodes($badIframes);
+ // Remove tags hiding JavaScript or data uris in values attribute.
+ // For example, SVG animate tag can exploit javascript in values.
+ $badValuesTags = $xPath->query('//*[' . static::xpathContains('@values', 'data:') . '] | //*[' . static::xpathContains('@values', 'javascript:') . ']');
+ static::removeNodes($badValuesTags);
+
// Remove elements with a xlink:href attribute
// Used in SVG but deprecated anyway, so we'll be a bit more heavy-handed here.
$xlinkHrefAttributes = $xPath->query('//@*[contains(name(), \'xlink:href\')]');
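Review bot: The added `$badValuesTags` query inspects only `@values`, but SVG animation elements can also supply the animated value through `to`, `from` and `by`, so a `javascript:` or `data:` URI in those attributes appears to pass this filter unchanged. Consider applying the same scheme check to all of them, e.g. `foreach (['values', 'to', 'from', 'by'] as $attr) { static::removeNodes($xPath->query('//*[' . static::xpathContains('@' . $attr, 'data:') . ' or ' . static::xpathContains('@' . $attr, 'javascript:') . ']')); }`. Alternatively, remove animation elements whose `attributeName` targets `href` or `xlink:href`. `xpathContains` is defined outside this hunk, so it is worth confirming that it normalises case and embedded whitespace before matching, since a plain substring test is easy to miss with. The enclosing method starts and ends outside the visible lines.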