Configurable via 'ALLOW_CONTENT_SCRIPTS' env variable.
Fixes #575
public function renderPage(Page $page, $ignorePermissions = false)
{
$content = $page->html;
+ if (!config('app.allow_content_scripts')) {
+ $content = $this->escapeScripts($content);
+ }
+
$matches = [];
preg_match_all("/{{@\s?([0-9].*?)}}/", $content, $matches);
if (count($matches[0]) === 0) {
return $content;
}
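Review bot: The escape is applied to `$page->html` before the `{{@…}}` include matching on the following lines, so content that the later expansion pulls in from other pages (the rest of renderPage is outside this hunk) does not appear to pass through escapeScripts; if included page HTML is inserted raw, the scripts it contains reach the rendered output even with the option left at its default. Consider moving the `allow_content_scripts` check to the fully assembled content just before renderPage returns, or applying it to each included fragment as it is inserted. A one-line comment such as `// Content from included pages is escaped at the point of insertion, see below` next to the check would make the intended coverage explicit either way.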
+ /**
+ * Escape script tags within HTML content.
+ * @param string $html
+ * @return mixed
+ */
+ protected function escapeScripts(string $html)
+ {
+ $scriptSearchRegex = '/<script.*?>.*?<\/script>/ms';
+ $matches = [];
+ preg_match_all($scriptSearchRegex, $html, $matches);
+ if (count($matches) === 0) return $html;
+
+ foreach ($matches[0] as $match) {
+ $html = str_replace($match, htmlentities($match), $html);
+ }
+ return $html;
+ }
+
/**
* Get the plain text version of a page's content.
* @param Page $page
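Review bot: The early return in escapeScripts never fires: `preg_match_all` always populates `$matches` with at least the index-0 group, so `count($matches) === 0` is false even when nothing matched; it should read `if (count($matches[0]) === 0) return $html;` as renderPage does a few lines above. The pattern `/<script.*?>.*?<\/script>/ms` is also case-sensitive, so differently-cased tag names are not escaped; adding the `i` modifier (`'/<script.*?>.*?<\/script>/msi'`) closes that gap, and a comment should state that this helper only neutralises script elements, not other script-bearing markup, so callers do not treat it as a general HTML sanitiser. The docblock's `@return mixed` can be `@return string` and the method given a `: string` return type, since every path returns `$html`.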
'books' => env('APP_VIEWS_BOOKS', 'list')
],
+ 'allow_content_scripts' => env('ALLOW_CONTENT_SCRIPTS', false),
+
/*
|--------------------------------------------------------------------------
| Application Debug Mode
$pageView->assertSee('def456');
}
+ public function test_page_content_scripts_escaped_by_default()
+ {
+ $this->asEditor();
+ $page = Page::first();
+ $script = '<script>console.log("hello-test")</script>';
+ $page->html = "escape {$script}";
+ $page->save();
+
+ $pageView = $this->get($page->getUrl());
+ $pageView->assertDontSee($script);
+ $pageView->assertSee(htmlentities($script));
+ }
+
+ public function test_page_content_scripts_show_when_configured()
+ {
+ $this->asEditor();
+ $page = Page::first();
+ config()->push('app.allow_content_scripts', 'true');
+ $script = '<script>console.log("hello-test")</script>';
+ $page->html = "no escape {$script}";
+ $page->save();
+
+ $pageView = $this->get($page->getUrl());
+ $pageView->assertSee($script);
+ $pageView->assertDontSee(htmlentities($script));
+ }
+
}
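Review bot: `config()->push('app.allow_content_scripts', 'true')` in test_page_content_scripts_show_when_configured appends to the key rather than replacing it, which on Laravel's config repository turns the value into an array like `[false, 'true']`; that is truthy, so the test passes, but for a reason unrelated to the feature and it leaves the config in a shape no real deployment has. Use `config()->set('app.allow_content_scripts', true);` so the test exercises the boolean the env default produces. The first test would also benefit from a case-variant script tag fixture alongside the lowercase one, since the escaping regex in escapeScripts is case-sensitive as written.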