From f1b229549fe0f32205d0ee5899a706dcd6a81df6 Mon Sep 17 00:00:00 2001
From: root <you@example.com>
Date: Fri, 3 May 2024 18:08:58 +0530
Subject: [PATCH 1/3] Fixes : Xss payload in Users last name and first name issue is fixed

---
 include/utils/VtlibUtils.php | 29 +++++-----------------------
 layouts/v7/modules/Vtiger/Header.tpl | 2 +-
 2 files changed, 6 insertions(+), 25 deletions(-)

diff --git a/include/utils/VtlibUtils.php b/include/utils/VtlibUtils.php
index 87b4ba224..7b4640319 100644
--- a/include/utils/VtlibUtils.php
+++ b/include/utils/VtlibUtils.php
@@ -751,32 +751,13 @@ function str_replace_json($search, $replace, $subject){
 */
 function purifyHtmlEventAttributes($value,$replaceAll = false){
-$tmp_markers = $office365ImageMarkers = array();
-$value = Vtiger_Functions::strip_base64_data($value,true,$tmp_markers);
-$value = Vtiger_Functions::stripInlineOffice365Image($value,true,$office365ImageMarkers);
-$tmp_markers = array_merge($tmp_markers, $office365ImageMarkers);
-
-$htmlEventAttributes = "onerror|onblur|onchange|oncontextmenu|onfocus|oninput|oninvalid|onresize|onauxclick|oncancel|oncanplay|oncanplaythrough|".
- "onreset|onsearch|onselect|onsubmit|onkeydown|onkeypress|onkeyup|onclose|oncuechange|ondurationchange|onemptied|onended|".
- "onclick|ondblclick|ondrag|ondragend|ondragenter|ondragleave|ondragover|ondragexit|onformdata|onloadeddata|onloadedmetadata|".
- "ondragstart|ondrop|onmousedown|onmousemove|onmouseout|onmouseover|onmouseenter|onmouseleave|onpause|onplay|onplaying|".
- "onmouseup|onmousewheel|onscroll|onwheel|oncopy|oncut|onpaste|onload|onprogress|onratechange|onsecuritypolicyviolation|".
- "onselectionchange|onabort|onselectstart|onstart|onfinish|onloadstart|onshow|onreadystatechange|onseeked|onslotchange|".
- "onseeking|onstalled|onsubmit|onsuspend|ontimeupdate|ontoggle|onvolumechange|onwaiting|onwebkitanimationend|onstorage|".
- "onwebkitanimationiteration|onwebkitanimationstart|onwebkittransitionend|onafterprint|onbeforeprint|onbeforeunload|".
- "onhashchange|onlanguagechange|onmessage|onmessageerror|onoffline|ononline|onpagehide|onpageshow|onpopstate|onunload|".
- "onrejectionhandled|onunhandledrejection|onloadend|onpointerenter|ongotpointercapture|onlostpointercapture|onpointerdown|".
- "onpointermove|onpointerup|onpointercancel|onpointerover|onpointerout|onpointerleave|onactivate|onafterscriptexecute|".
- "onanimationcancel|onanimationend|onanimationiteration|onanimationstart|onbeforeactivate|onbeforedeactivate|onbeforescriptexecute|".
- "onbegin|onbounce|ondeactivate|onend|onfocusin|onfocusout|onrepeat|ontransitioncancel|ontransitionend|ontransitionrun|".
- "ontransitionstart|onbeforecopy|onbeforecut|onbeforepaste|onfullscreenchange|onmozfullscreenchange|onpointerrawupdate|".
- "ontouchend|ontouchmove|ontouchstart";
-
+ $tmp_markers = $office365ImageMarkers = array();
+ $value = Vtiger_Functions::strip_base64_data($value,true,$tmp_markers);
+ $value = Vtiger_Functions::stripInlineOffice365Image($value,true,$office365ImageMarkers);
+ $tmp_markers = array_merge($tmp_markers, $office365ImageMarkers);
 // remove malicious html attributes with its value.
 if ($replaceAll) {
- $regex = '\s*[=&%#]\s*(?:"[^"]*"[\'"]*|\'[^\']*\'[\'"]*|[^]*[\s\/>])*/i';
- $value = preg_replace("/\s*(" . $htmlEventAttributes . ")" . $regex, '', $value);
-
+ $value = preg_replace('/\b(alert|on\w+)\s*\([^)]*\)|\s*(?:on\w+)=(".*?"|\'.*?\'|[^\'">\s]+)\s*/', '', $value);
 //remove script tag with contents
 $value = purifyScript($value);
 //purify javascript alert from the tag contents
diff --git a/layouts/v7/modules/Vtiger/Header.tpl b/layouts/v7/modules/Vtiger/Header.tpl
index 6e5e79f46..5591664ff 100644
--- a/layouts/v7/modules/Vtiger/Header.tpl
+++ b/layouts/v7/modules/Vtiger/Header.tpl
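Review bot: The pattern on the added `preg_replace` line drops the `i` modifier that the removed `$regex` carried, so event-handler attributes are now matched only when written in lower case although HTML attribute names are case-insensitive, and it requires `on\w+=` with nothing around the `=`, which the removed `\s*[=&%#]\s*` tolerated. One line restores both: `$value = preg_replace('/\b(alert|on\w+)\s*\([^)]*\)|\s*(?:on\w+)\s*=\s*(".*?"|\'.*?\'|[^\'">\s]+)\s*/i', '', $value);`. The first alternative, `\b(alert|on\w+)\s*\([^)]*\)`, also deletes ordinary text such as `one(...)` or `once(...)` anywhere in the value, not only inside tags, so legitimate content will be mangled. A deny-list regex stays fragile for HTML; if `vtlib_purify` (seen in this patch's Header.tpl hunk) is the HTMLPurifier-backed helper it is in upstream vtiger, routing rich-text values through it is the more robust control. purifyHtmlEventAttributes continues past the end of the hunk.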
@@ -61,7 +61,7 @@ {if $CURRENT_USER_MODEL} _USERMETA = { 'id' : "{$CURRENT_USER_MODEL->get('id')}", 'menustatus' : "{$CURRENT_USER_MODEL->get('leftpanelhide')}", 'currency' : "{decode_html($USER_CURRENCY_SYMBOL)}", 'currencySymbolPlacement' : "{$CURRENT_USER_MODEL->get('currency_symbol_placement')}",
- 'currencyGroupingPattern' : "{$CURRENT_USER_MODEL->get('currency_grouping_pattern')}", 'truncateTrailingZeros' : "{$CURRENT_USER_MODEL->get('truncate_trailing_zeros')}",'userlabel':"{vtlib_purify(decode_html($CURRENT_USER_MODEL->get('userlabel')))}",};
+ 'currencyGroupingPattern' : "{$CURRENT_USER_MODEL->get('currency_grouping_pattern')}", 'truncateTrailingZeros' : "{$CURRENT_USER_MODEL->get('truncate_trailing_zeros')}",'userlabel':"{($CURRENT_USER_MODEL->get('userlabel'))}",};
 {/if}
 </script>
 </head>
-- 
GitLab

From adb65d2937b8aa26149403adde880fa65166715b Mon Sep 17 00:00:00 2001
From: root <you@example.com>
Date: Thu, 9 May 2024 12:28:37 +0530
Subject: [PATCH 2/3] Fixes : Xss payload in Users last name and first name issue is fixed

---
 layouts/v7/modules/Vtiger/Header.tpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/layouts/v7/modules/Vtiger/Header.tpl b/layouts/v7/modules/Vtiger/Header.tpl
index 5591664ff..cd72c18da 100644
--- a/layouts/v7/modules/Vtiger/Header.tpl
+++ b/layouts/v7/modules/Vtiger/Header.tpl
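Review bot: The `'userlabel'` value on the added line is written straight into a double-quoted JavaScript string literal inside the `<script>` block with no escaping at all, because the removed line's `vtlib_purify(decode_html(...))` wrapper is dropped and nothing replaces it, so this revision regresses the very field the subject names. [PATCH 2/3] in this series re-adds an escape modifier on the same line; that belongs in this commit, and the two should be squashed so that no revision in history ships the unescaped output.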
@@ -61,7 +61,7 @@ {if $CURRENT_USER_MODEL} _USERMETA = { 'id' : "{$CURRENT_USER_MODEL->get('id')}", 'menustatus' : "{$CURRENT_USER_MODEL->get('leftpanelhide')}", 'currency' : "{decode_html($USER_CURRENCY_SYMBOL)}", 'currencySymbolPlacement' : "{$CURRENT_USER_MODEL->get('currency_symbol_placement')}",
- 'currencyGroupingPattern' : "{$CURRENT_USER_MODEL->get('currency_grouping_pattern')}", 'truncateTrailingZeros' : "{$CURRENT_USER_MODEL->get('truncate_trailing_zeros')}",'userlabel':"{($CURRENT_USER_MODEL->get('userlabel'))}",};
+ 'currencyGroupingPattern' : "{$CURRENT_USER_MODEL->get('currency_grouping_pattern')}", 'truncateTrailingZeros' : "{$CURRENT_USER_MODEL->get('truncate_trailing_zeros')}",'userlabel':"{($CURRENT_USER_MODEL->get('userlabel'))|escape:html}",};
 {/if}
 </script>
 </head>
-- 
GitLab

From 2ff447f46dbcc81d60fc4ca366f11ee3f43d5155 Mon Sep 17 00:00:00 2001
From: root <you@example.com>
Date: Thu, 9 May 2024 17:54:46 +0530
Subject: [PATCH 3/3] Fixes : Xss payload in Users last name and first name issue is fixed

---
 include/utils/VtlibUtils.php | 7 +++++++
 modules/Users/Users.php | 2 +-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/include/utils/VtlibUtils.php b/include/utils/VtlibUtils.php
index 0922f46f9..109e01ca0 100644
--- a/include/utils/VtlibUtils.php
+++ b/include/utils/VtlibUtils.php
@@ -530,6 +530,13 @@ function vtlib_tosingular($text) {
 return $text;
 }
+/**
+ * Helps to remove HTML tags and attributes.
+ */
+function vtlib_strip_tagattrs($str) {
+ return preg_replace('/=/', '-', strip_tags($str));
+}
+
 /**
 * Get picklist values that is accessible by all roles.
 */
diff --git a/modules/Users/Users.php b/modules/Users/Users.php
index b0ad5bd58..4c1559fab 100755
--- a/modules/Users/Users.php
+++ b/modules/Users/Users.php
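Review bot: `|escape:html` on the added line escapes for an HTML text or attribute context, but the value sits inside a double-quoted JavaScript string literal in the `<script>` block, where backslashes and CR/LF in the label are passed through untouched; a newline in a user's name turns the whole `_USERMETA` literal into a syntax error and breaks every script that reads it. Smarty's JavaScript-context modifier escapes quotes, backslashes and line breaks and rewrites `</` as `<\/`, so the line should read `'userlabel':"{$CURRENT_USER_MODEL->get('userlabel')|escape:'javascript'}",`. The parentheses wrapping the `get()` call add nothing and can be dropped at the same time.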
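Review bot: The docblock on the new `vtlib_strip_tagattrs` overstates what the function does: `strip_tags` already removes tags together with their attributes, and the extra step rewrites every `=` in the remaining plain text to `-`, which is a lossy mutation of a display name rather than attribute removal. Replace the docblock with one that states the real contract — tags are stripped, every `=` becomes `-`, legitimate `=` characters are lost, and this is defense in depth rather than a substitute for context-aware output escaping — and drop the regex engine for a fixed character: `return str_replace('=', '-', strip_tags($str));`. If no caller passes null, declare `function vtlib_strip_tagattrs(string $str): string` so the `strip_tags(null)` deprecation cannot surface later.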
@@ -779,7 +779,7 @@ class Users extends CRMEntity {
 }
 $userlabel = trim(decode_html($userlabel));
- $this->column_fields['userlabel'] = strip_tags($userlabel);
+ $this->column_fields['userlabel'] = vtlib_strip_tagattrs($userlabel);
 }
 if($insertion_mode == 'edit') {
-- 
GitLab
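Review bot: Rewriting `userlabel` at save time with `vtlib_strip_tagattrs` only covers rows written after this change; users saved earlier keep whatever `strip_tags` left, and `=` characters in a legitimate name are now silently turned into `-`. The render-time escaping of `userlabel` in Header.tpl is the control that applies to every row, so the assignment deserves a comment saying so: `// Defense in depth only: userlabel is also escaped where it is rendered (Header.tpl); rows saved before this change are not rewritten.` The enclosing method of `Users` starts and ends outside the hunk, and whether first_name and last_name themselves are stored raw and rendered by other templates cannot be seen here and should be checked.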