From 684ec5d462aa9946d56dc401557c0f136cd3db0b Mon Sep 17 00:00:00 2001
From: Zaharia Alexandru
Date: Thu, 12 Dec 2024 12:35:28 +0200
Subject: [PATCH] feat(security): sanitize HTML and JSON to prevent XSS

Ensure `compiled_html` and JSON data are sanitized using `wp_kses_post` to block potentially unsafe inputs. Added filtering for "javascript:" schemes and inline event handlers to mitigate XSS vulnerabilities.
---
 editor/post.php | 5 +++++
 editor/trait/sanitize.php | 2 ++
 2 files changed, 7 insertions(+)

diff --git a/editor/post.php b/editor/post.php
index 1bf4a8ce2..ae2b4bd43 100755
--- a/editor/post.php
+++ b/editor/post.php
@@ -411,6 +411,11 @@ public function get_compiled_html()
 public function set_compiled_html($compiled_html)
 {
 $compiled_html = Brizy_SiteUrlReplacer::hideSiteUrl($compiled_html);
+
+ if ( !current_user_can( 'unfiltered_html' ) ) {
+ $compiled_html = wp_kses_post($compiled_html);
+ }
+
 $this->compiled_html = $compiled_html;
 return $this;
 }
diff --git a/editor/trait/sanitize.php b/editor/trait/sanitize.php
index 733db8f64..b6b159c74 100644
--- a/editor/trait/sanitize.php
+++ b/editor/trait/sanitize.php
@@ -15,10 +15,12 @@ public function sanitizeJson( $data ) {
 return $styles;
 } );
+ $dataDecoded = wp_kses_post_deep( $dataDecoded );
 //$dataDecoded = $this->escapeJsonValues( $dataDecoded );
 $data = json_encode( $dataDecoded );
 $data = preg_replace( '/javascript:.*?"/', '"', $data );
+ $data = preg_replace( '/javascript%3A.*?%22/', '%22', $data );
 $data = preg_replace( '/(on(click|mouseover|keydown|keyup|change|submit|load|error|focus|blur|select|dblclick))\s*[:=]\s*(\\\"|\\\')(.*?)(\3)/i', '', $data );
 return $data;
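Review bot: The new guard in `set_compiled_html` decides on the user running the current request, not on who authored the markup: `current_user_can( 'unfiltered_html' )` is false when there is no logged-in user (cron, WP-CLI, unauthenticated REST), so compiled HTML produced in those contexts is always passed through `wp_kses_post`, while markup saved by a user holding the capability (administrators on single-site, only super admins on multisite, nobody when `DISALLOW_UNFILTERED_HTML` is set) is stored verbatim. That mirrors how core filters `post_content` for users without the capability, so it is probably intended, but nothing in the method says so, and `wp_kses_post` gives no signal when it strips something, which makes a silently removed tag hard to trace back to this setter. I would add above the `if`: `// Mirror core post_content handling: callers without unfiltered_html (including no user at all under cron/CLI) get kses-filtered markup; wp_kses_post strips silently, so compare before/after if the change needs to be surfaced.` If the placeholder that `Brizy_SiteUrlReplacer::hideSiteUrl` inserts can end up inside a URL attribute, it is worth confirming it survives kses' protocol check; that helper is not visible from here.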