package MojoMojo::Formatter::Defang;
use strict;
use warnings;
use parent qw/MojoMojo::Formatter/;
use MojoMojo::Declaw;
use URI;

=head1 NAME

MojoMojo::Formatter::Defang - Scrub user HTML and XSS

=head1 DESCRIPTION

This formatter makes sure that only a safe range of tags is
allowed, using L<MojoMojo::Defang>; it also tries to remove XSS attempts.

=head1 METHODS

=head2 format_content_order

Format order can be 1-99. The Defang formatter runs at 16, just after the main
formatter, in order to catch direct user input. Defang trusts the main formatter
and all subsequently run plugins not to output unsafe HTML.

=cut

# Position in the formatter chain (valid range 1-99): right after the main
# formatter, so raw user markup is scrubbed before later plugins see it.
sub format_content_order { return 16; }

=head2 defang_tags_callback

Callback for custom handling of specific HTML tags.

=cut

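sub defang_tags_callback {
    my (
        $c,           $defang,     $open_angle,
        $lc_tag,      $is_end_tag, $attribute_hash,
        $close_angle, $html_r,     $out_r
    ) = @_;

    # Tags explicitly let through (callback code 0) even though HTML::Defang
    # would otherwise treat them as unsafe.  Note that 'pre' only reaches this
    # callback if it is listed in the tags_to_callback option that
    # format_content passes to MojoMojo::Declaw.
    my %pass_through = map { $_ => 1 } qw(embed object param pre);

    return 0 if $pass_through{$lc_tag};

    # Every other tag routed here (e.g. br, img) is also left as is.  The
    # previous version fell off the end of the sub at this point, yielding the
    # empty string: falsy like 0, but not a defined callback code and liable
    # to warn under a numeric comparison.  Make the result explicit.
    # (Returning 2 would instead hand the tag to HTML::Defang's normal rules.)
    return 0;
}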

=head2 defang_url_callback

Callback for custom handling of URLs in HTML attributes as well as in
style tag/attribute declarations.

=cut

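sub defang_url_callback {
    my ( $c, $defang, $lc_tag, $lc_attr_key, $attr_val_r, $attribute_hash,
        $html_r )
      = @_;

    my $url = $$attr_val_r;

    # Do not allow javascript to start a URL in tag attributes or stylesheets.
    # Browsers skip leading whitespace and control characters before the
    # scheme name, so skip them here too rather than relying on any
    # normalisation done before the callback is reached.
    return 1 if $url =~ m{ \A [\s\x00-\x20]* javascript }xmsi;

    # Do not allow protocol-relative URLs (bypassing of the scheme).
    return 1 if $url =~ m{ \A // }xms;

    # Explicitly defang this host in tag attributes or stylesheets.  The dot
    # is escaped so the pattern matches the host name literally.
    return 1 if $url =~ m{ youporn\.com }xmsi;

    # Allow URLs otherwise.
    return 0;
}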

=head2 defang_css_callback

Callback for custom handling of style tags/attributes.

=cut

sub defang_css_callback {
    my ( $c, $defang, $selectors, $selector_rules, $tag, $is_attr ) = @_;

    # $selector_rules->[$i] holds the rule blocks for $selectors->[$i], so
    # walk both lists in lock-step by index.
    for my $idx ( 0 .. $#{$selectors} ) {
        my $rules_for_selector = $selector_rules->[$idx];

        for my $declaration_list ( @{$rules_for_selector} ) {
            for my $declaration ( @{$declaration_list} ) {
                my ( $property, $setting ) = @{$declaration};

                # Element 2 of a declaration is the "comment this out" flag.
                # Drop any '!important' directive ...
                if ( $setting =~ /!important/ ) {
                    $declaration->[2] = 1;
                }

                # ... and any 'position: fixed' declaration.
                if ( $property =~ /position/ && $setting =~ /fixed/ ) {
                    $declaration->[2] = 1;
                }
            }
        }
    }

    return;
}

=head2 defang_attribs_callback

Callback for custom handling of HTML tag attributes.

=cut

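# Return the compiled allow-list regexes for 'src' values, built from the
# allowed->src configuration key and cached in the request stash.  Yields an
# empty list when there is no context (tests may run the formatter without
# one) or nothing is configured.
sub _allowed_src_regexes {
    my ($c) = @_;
    return () unless defined $c;

    # TODO: Shouldn't this be using pref cache?
    if ( !exists $c->stash->{allowed_src_regexes} ) {
        my $allowed_src = $c->config->{allowed}{src};
        my @allowed_src =
          ref $allowed_src ? @{$allowed_src} : ($allowed_src);

        # NOTE: the configured patterns are compiled as given and later
        # matched unanchored against the raw attribute value, so the
        # configuration is responsible for anchoring them.
        my @allowed_src_regex;
        @allowed_src_regex = map { qr/$_/ } @allowed_src if $allowed_src[0];

        $c->stash->{allowed_src_regexes} = \@allowed_src_regex;
    }

    return @{ $c->stash->{allowed_src_regexes} };
}

# Decide whether a tag attribute is kept (0) or defanged (1).  Only 'src'
# is inspected; the other attributes routed here by format_content's
# attribs_to_callback ('value', 'title') always get 0.
# NOTE(review): confirm against MojoMojo::Declaw whether 0 also skips its
# own usual checks for those attributes.
sub defang_attribs_callback {
    my ( $c, $defang, $lc_tag, $lc_attr_key, $attr_val_r, $html_r ) = @_;

    return 0 unless $lc_attr_key eq 'src';

    my $src_uri_object = URI->new($$attr_val_r);

    # Sources matching the configured allow-list are let through unchanged.
    for my $allowed_src_regex ( _allowed_src_regexes($c) ) {
        return 0 if $$attr_val_r =~ $allowed_src_regex;
    }

    if ( defined $src_uri_object->authority ) {
        # With a context we only keep sources served by this host, whether
        # the URI is relative or absolute; any other authority is defanged.
        # This is an exact string comparison of the authority, so a different
        # case or an explicit port counts as a different host (fails closed).
        if ( defined $c ) {
            return $c->request->uri->authority eq $src_uri_object->authority
              ? 0
              : 1;
        }

        # An authority but no context: probably a test running only the
        # Defang formatter rather than the full formatter chain.  Anything
        # not already accepted by the allow-list above is defanged.
        return 1;
    }

    # Explicitly defang javascript in img src.
    return 1 if $$attr_val_r =~ m{javascript}i;

    return 0;
}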

=head2 format_content

Calls the formatter. Takes a ref to the content as well as the
context object.

=cut

sub format_content {
    my ( $self, $content, $c ) = @_;

    # Only the listed tags and attributes are routed through the callbacks
    # defined above; everything else is left to MojoMojo::Declaw's defaults.
    my @scrub_options = (
        context             => $c,
        fix_mismatched_tags => 1,
        tags_to_callback    => [qw/br embed object param img/],
        tags_callback       => \&defang_tags_callback,
        url_callback        => \&defang_url_callback,
        css_callback        => \&defang_css_callback,
        attribs_to_callback => [qw(src value title)],
        attribs_callback    => \&defang_attribs_callback,
    );
    my $scrubber = MojoMojo::Declaw->new(@scrub_options);

    # Scrub in place: $content is a reference to the page text.
    ${$content} = $scrubber->defang( ${$content} );

    return;
}

=head1 SEE ALSO

L<MojoMojo>, L<Module::Pluggable::Ordered>, L<MojoMojo::Defang>

=head1 AUTHORS

Marcus Ramberg <mramberg@cpan.org>

=head1 LICENSE

This library is free software. You can redistribute it and/or modify
it under the same terms as Perl itself.

=cut

1;