scriptProtect doesn't filter out tag on* attributes

Description

this.scriptprotect="all"; only invalidates tags, not dangerous attributes such as onclick, onload, onerror, etc.

https://docs.lucee.org/reference/tags/application.html#attribute-scriptprotect

scriptProtect should be updated to strip any on* attributes, perhaps using jsoup (which already supports OSGi)

https://github.com/jhy/jsoup/

https://jsoup.org/cookbook/cleaning-html/whitelist-sanitizer

or

https://github.com/nahsra/antisamy

https://github.com/lucee/Lucee/blob/5.3/core/src/main/java/lucee/runtime/security/ScriptProtect.java

Any HTML tag should have its on* attributes automatically stripped out or replaced with invalidAttribute when scriptProtect is enabled.

It would be good to expose this as a BIF too, e.g. getSafeHtml() https://luceeserver.atlassian.net/browse/LDEV-838

https://dev.lucee.org/t/would-it-make-sense-to-add-a-tag-function-to-validate-and-or-sanitize-html-input-to-lucee/1253

Environment

None

Activity


David Raschper 20 December 2021 at 11:45

https://github.com/lucee/Lucee/pull/1493

I changed the current scriptprotect implementation to a configurable regex (ACF also has this in a config file).
That way users can configure the filter regex to their needs.
The filter regex is displayed in the admin.
Because of possible regression issues, I just took the current tag list as the regex filter.
In Lucee 6 we could change the filter to a more aggressive one, something like this (or use some other library like Zac mentions in this issue):

<scriptprotect>
    <filter-regex value="&lt;\s*(object|embed|script|applet|meta|svg|img|body|bgsound|input|video|isindex|iframe|audio|a)"/>
    <!-- Adjust this list -->
    <filter-regex value="(src|onabort|onactivate|onbeforeunload|onchange|onclick|oncontextmenu|oncopy|oncut|ondblclick|onkeydown|onkeypress|onkeyup|onload|onmousedown|onmouseenter|onmouseleave|onmousemove|onmouseout|onmouseover|onmouseup|onreset|onresize|onstart|onstop|onsubmit|onunload)\s*="/>
    <filter-regex value="(expression|eval)\s*\("/>
</scriptprotect>
Fixed
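The gap the issue describes (the current tag-only filter lets an on* attribute through untouched) and the proposed fix (rewrite event-handler attributes as well as blocked tags), as an added illustration that is not part of Lucee or of the pull request above. It uses Python's html.parser instead of a regex or jsoup, takes the tag list from the proposed filter-regex, and assumes the Lucee convention of rewriting a blocked tag to invalidTag and a blocked attribute to invalidAttribute; `tag_only_filter`, `script_protect` and `_Rewriter` are names chosen here.

```python
import html
import re
from html.parser import HTMLParser

# Tag list taken from the proposed filter-regex above; the current scriptProtect
# only rewrites these opening tags to <invalidTag and ignores attributes entirely.
BLOCKED_TAGS = ("object", "embed", "script", "applet", "meta", "svg", "img", "body",
                "bgsound", "input", "video", "isindex", "iframe", "audio", "a")
TAG_ONLY = re.compile(r"<\s*(" + "|".join(BLOCKED_TAGS) + r")\b", re.I)
# Any attribute whose name starts with "on" is an event handler; matching by
# prefix avoids maintaining (and mistyping) an explicit onclick|onload|... list.
EVENT_ATTR = re.compile(r"^on[a-z]+$", re.I)


def tag_only_filter(fragment: str) -> str:
    """Current behaviour: blocked opening tags become invalidTag, attributes are untouched."""
    return TAG_ONLY.sub("<invalidTag", fragment)


class _Rewriter(HTMLParser):
    """Re-serialises the fragment, renaming blocked tags and on* attributes."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=False)
        self.out: list[str] = []

    def _name(self, tag: str) -> str:
        return "invalidTag" if tag.lower() in BLOCKED_TAGS else tag

    def _tag(self, tag, attrs, self_closing=False):
        parts = [self._name(tag)]
        for name, value in attrs:
            if EVENT_ATTR.match(name):
                name = "invalidAttribute"  # neutralise onclick, onerror, onload, ...
            parts.append(name if value is None else f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + (" />" if self_closing else ">"))

    def handle_starttag(self, tag, attrs): self._tag(tag, attrs)
    def handle_startendtag(self, tag, attrs): self._tag(tag, attrs, True)
    def handle_endtag(self, tag): self.out.append(f"</{self._name(tag)}>")
    def handle_data(self, data): self.out.append(data)
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")


def script_protect(fragment: str) -> str:
    """Proposed behaviour: blocked tags and on* attributes are both neutralised."""
    parser = _Rewriter()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)
```

A parser-based rewrite like this (or jsoup's safelist cleaner) also copes with whitespace, case and quoting variations that a hand-maintained attribute regex tends to miss.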

Created 8 September 2020 at 11:50
Updated 19 August 2024 at 20:47
Resolved 19 August 2024 at 20:47