ISLANDORA-2409:Scholar is vulnerable to a stored XSS exploit. (#321)
willtp87 authored and dannylamb committed Apr 8, 2019
1 parent e35f6c7 commit 62597f3
Showing 3 changed files with 17 additions and 2 deletions.
3 changes: 2 additions & 1 deletion includes/coins.inc
Expand Up @@ -210,6 +210,7 @@ class Coins {
* describing the reference
*/
public function renderView($type = 'citation') {
module_load_include('inc', 'citeproc', 'includes/utilities');
global $base_url;
$admin = user_access('administer scholarly research');
$fedora_url = variable_get('fedora_base_url', 'http://localhost:8080/fedora');
Expand Down Expand Up @@ -327,7 +328,7 @@ class Coins {
}
return array(
'headers' => $headers,
'rows' => $rows,
'rows' => citeproc_deep_array_filter_xss($rows),
);
}

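Review bot: The new `'rows' => citeproc_deep_array_filter_xss($rows)` line runs filter_xss() with Drupal's default allowed-tag list, so `<a>`, `<em>`, `<strong>` and the other default tags survive in every cell; if the row values are intended to be plain text, `check_plain($value)` (or filter_xss() with an explicit empty `$allowed_tags` array) is the stricter choice, and a short comment on the return stating which one is intended would help the next reader. Any markup the module itself places into `$rows` (links built for `$admin`, for instance) is passed through the same filter, and non-string cells are cast to string by filter_xss(), so this is worth confirming against how `$rows` is built. renderView() starts in the first hunk, but its body and the construction of `$rows` lie outside what is shown here.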
3 changes: 2 additions & 1 deletion modules/citeproc/includes/converter.inc
Expand Up @@ -100,6 +100,7 @@ function _citeproc_array_to_object($in) {
* extracted for them from the provided MODS record.
*/
function convert_mods_to_citeproc_jsons($mods_in) {
module_load_include('inc', 'citeproc', 'includes/utilities');
$mods = NULL;
if ($mods_in instanceof DOMNode) {
$mods = simplexml_import_dom($mods_in);
Expand Down Expand Up @@ -157,7 +158,7 @@ function convert_mods_to_citeproc_jsons($mods_in) {

drupal_alter('convert_mods_to_citeproc_jsons', $output, $mods);

return $output;
return citeproc_deep_array_filter_xss($output);
}
else {
watchdog('citeproc', 'Not a SimpleXMLElement!');
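Review bot: Filtering in `return citeproc_deep_array_filter_xss($output);` changes the contract of convert_mods_to_citeproc_jsons() for every caller, not only the HTML renderer: filter_xss() encodes a bare `&` as `&amp;` and strips disallowed tags, so any consumer that feeds this data into a non-HTML context (plain-text or export formats) now receives HTML-encoded values, and the docblock above the function (partly visible at the top of the hunk) should say so. A one-line addition such as `Leaf string values are passed through filter_xss(), so the result is HTML-safe but no longer raw text (e.g. '&' becomes '&amp;').` would make that explicit. Running the filter after drupal_alter() is the right order, since alter hooks can inject values too. The `else` branch at the end of the hunk and the remainder of the function are outside what is shown.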
13 changes: 13 additions & 0 deletions modules/citeproc/includes/utilities.inc
Expand Up @@ -70,3 +70,16 @@ function citeproc_lookup_language($language) {
drupal_alter('citeproc_language', $citeproc_lang);
return $citeproc_lang;
}

/**
* Call filter_xss on the leaves of an array.
*/
function citeproc_deep_array_filter_xss(&$array) {
// @codingStandardsIgnoreStart
$func = function ($item) use (&$func) {
return is_array($item) ? array_map($func, $item) : filter_xss($item);
};
// @codingStandardsIgnoreEnd

return array_map($func, $array);
};
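Review bot: The leaf branch `filter_xss($item)` is applied to every non-array value, and filter_xss() expects a string, so integers, booleans, NULL and objects in the input are cast to strings (or fail to cast), which silently changes the shape of the data returned to the callers in coins.inc and converter.inc; `return is_array($item) ? array_map($func, $item) : (is_string($item) ? filter_xss($item) : $item);` keeps non-string leaves untouched. The `&$array` reference parameter is misleading since the function never writes through it and returns a new array from array_map(), so `function citeproc_deep_array_filter_xss($array) {` is the honest signature. The closing `};` on the last line carries a stray empty statement after the function body. The docblock would benefit from `@param array $array` and `@return array` lines noting that keys are preserved and only string leaves are filtered.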
