scriptProtect doesn't filter out tag on* attributes
Fixed
Details
Assignee: Unassigned
Reporter: Zac Spitzer
Priority: New
New Issue warning screen: Before you create a new Issue, please post to the mailing list first https://dev.lucee.org. Once the issue has been verified, one of the Lucee team will ask you to file an issue.
Affects versions:
Created 8 September 2020 at 11:50
Updated 19 August 2024 at 20:47
Resolved 19 August 2024 at 20:47
Activity
David Raschper, 20 December 2021 at 11:45 (Edited)
https://github.com/lucee/Lucee/pull/1493
I changed the current scriptProtect implementation to a configurable regex (ACF also has this in a config file).
That way users can configure the filter regex to their needs.
The filter regex is displayed in the admin.
Because of possible regression issues, I just took the current tag list as the regex filter.
In Lucee 6 we could change the filter to a more aggressive filter, something like this (or use some other library, as Zac mentions in this issue):
<scriptprotect>
<filter-regex value="<\s*(object|embed|script|applet|meta|svg|img|body|bgsound|input|video|isindex|iframe|audio|a)"/>
<filter-regex value="(src|onabort|onactivate|onbeforeunload|onchange|onclick|oncontextmenu|oncopy|oncut|ondblclick|onkeydown|onkeypress|onkeyup|onload|onmousedown|onmouseenter|onmouseleave|onmousemove|onmouseout|onmouseover|onmouseup|onreset|onresize|onstart|onstop|onsubmit|onunload)\s*="/> <!-- Adjust this list -->
<filter-regex value="(expression|eval)\s*\("/>
</scriptprotect>
Description
this.scriptprotect="all"; only invalidates tags, but not dangerous attributes like onclick, onload, onerror, etc.
https://docs.lucee.org/reference/tags/application.html#attribute-scriptprotect
scriptProtect should be updated to strip any on* attributes, perhaps using jsoup (which already supports OSGi)
https://github.com/jhy/jsoup/
https://jsoup.org/cookbook/cleaning-html/whitelist-sanitizer
or
https://github.com/nahsra/antisamy
https://github.com/lucee/Lucee/blob/5.3/core/src/main/java/lucee/runtime/security/ScriptProtect.java
any HTML tag should have any on* attributes automatically stripped out, or invalidAttribute added, when scriptProtect is enabled
it would be good to expose this as a BIF too, i.e. getSafeHtml() https://luceeserver.atlassian.net/browse/LDEV-838
https://dev.lucee.org/t/would-it-make-sense-to-add-a-tag-function-to-validate-and-or-sanitize-html-input-to-lucee/1253
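The following is an added example, not code from Lucee, from the pull request above or from the reporter. It is written in Python rather than Java/CFML so it runs stand-alone, and it illustrates both points made on this page: a tag-name blocklist in the style of scriptProtect (tag list copied from the first filter-regex in the comment, with a trailing \b added so that "a" does not hit <abbr>), the on*= attribute regex the comment proposes, and a parser-based pass that actually removes on* handlers and javascript: URLs. The replacement tokens invalidTag and invalidAttribute follow the naming used on this page but are an assumption about exact output, and the function names (tag_only_filter, attr_regex_filter, strip_event_handlers) are hypothetical. All sample markup is constructed for the example.

```python
# Added example (not Lucee's ScriptProtect or the PR above): a tag-name
# blocklist like scriptProtect's, the attribute regex the comment proposes,
# and a parser-based sanitiser that actually removes on* handlers.
import html
import re
from html.parser import HTMLParser

# Tag list copied from the first <filter-regex> in the comment; the
# "invalidTag" replacement token is an assumption modelled on the CFML
# scriptProtect naming. The trailing \b keeps "a" from matching <abbr>.
BLOCKED_TAGS = ("object", "embed", "script", "applet", "meta", "svg", "img",
                "body", "bgsound", "input", "video", "isindex", "iframe",
                "audio", "a")
TAG_RE = re.compile(r"<\s*(?:" + "|".join(BLOCKED_TAGS) + r")\b", re.IGNORECASE)


def tag_only_filter(value: str) -> str:
    """Rewrites blocked opening tags to <invalidTag; attributes are untouched."""
    return TAG_RE.sub("<invalidTag", value)


# The attribute regex from the comment, reduced to the on* family; the
# "invalidAttribute" token is the naming the issue text uses (assumption).
ATTR_RE = re.compile(r"\b(on[a-z]+)\s*=", re.IGNORECASE)


def attr_regex_filter(value: str) -> str:
    """Regex pass that neuters on*= attributes without parsing the markup."""
    return ATTR_RE.sub("invalidAttribute=", value)


# Parser-based alternative: re-serialise every element, dropping on*
# attributes and javascript: URLs regardless of case, quoting or spacing.
EVENT_ATTR = re.compile(r"^on[a-z]+$", re.IGNORECASE)
JS_URL = re.compile(r"^\s*javascript:", re.IGNORECASE)


class EventHandlerStripper(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=False)
        self.out: list[str] = []
        self.dropped: list[tuple[str, str]] = []  # (tag, attribute) removed

    def _attrs(self, tag, attrs) -> str:
        kept = []
        for name, val in attrs:  # HTMLParser lower-cases names, unescapes values
            if EVENT_ATTR.match(name) or (val is not None and JS_URL.match(val)):
                self.dropped.append((tag, name))
                continue
            kept.append(name if val is None
                        else f'{name}="{html.escape(val, quote=True)}"')
        return (" " + " ".join(kept)) if kept else ""

    def handle_starttag(self, tag, attrs):
        self.out.append(f"<{tag}{self._attrs(tag, attrs)}>")

    def handle_startendtag(self, tag, attrs):
        self.out.append(f"<{tag}{self._attrs(tag, attrs)}/>")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        pass  # comments are dropped; they carry no renderable content


def strip_event_handlers(value: str) -> tuple[str, list[tuple[str, str]]]:
    """Returns (sanitised markup, list of (tag, attribute) pairs removed)."""
    parser = EventHandlerStripper()
    parser.feed(value)
    parser.close()
    return "".join(parser.out), parser.dropped


if __name__ == "__main__":
    # Constructed samples: the first one passes a tag-only filter untouched.
    for sample in ('<div onmouseover="alert(1)">hi</div>',
                   '<img src=x onerror=alert(1)>',
                   '<a href="javascript:alert(1)">x</a>',
                   "<script>alert(1)</script>"):
        print(tag_only_filter(sample), "|", attr_regex_filter(sample),
              "|", strip_event_handlers(sample)[0])
```

The first sample is the case the issue describes: a <div> with an onmouseover handler is not in the tag list, so tag_only_filter returns it unchanged. attr_regex_filter closes that gap but, as a regex over raw text, it also rewrites unrelated text such as "one=" and cannot see attribute values, which is why a javascript: href still passes it. strip_event_handlers only removes attributes; a deployment would pair it with a tag safelist (the approach jsoup's cleaner takes) so that <script> itself does not survive either.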