Add HTML Purifier and XSS Security

Author: rcarvello

composer.json

@@ -20,7 +20,8 @@
     "ext-mbstring": "*",
     "ext-openssl": "*",
     "ext-gd": "*",
-    "ext-pdo": "*"
+    "ext-pdo": "*",
+    "ezyang/htmlpurifier": "^4.17"
   },
   "require-dev": {
     "phpunit/phpunit": "^10.5 || ^11.0"

config/security.config.php

@@ -228,15 +228,16 @@
  */
 define("USE_HTMLPURIFIER", false);
 
+/*Old implementation without composer (by using htmlpurifier folder)
 if (XSS_PROTECTION) {
     if (USE_HTMLPURIFIER) {
         require_once(RELATIVE_PATH . 'framework/htmlpurifier/HTMLPurifier.auto.php');
     }
 }
-
+*/
 /**
  * Securing forms
- * Specifies csrftoken token fields for Record Component
+ * Specifies the csrftoken token fields for Record Component
  */
 
 define("CSRF_TOKEN_FORM_FIELD", "csrftoken");

framework/Controller.php

@@ -505,15 +505,15 @@ protected function restrictToAuthentication($redirect = null, $returnLink = null
 
     public function xssClean(&$data,$charset = CHARSET)
     {
-        /* TODO
+
         if (is_array($data)){
             foreach ($data as $k => $v) {
                 $data[$k] = $this->view->xssCleanString($v, $charset);
             }
         } else {
             $this->view->xssCleanString($data, $charset);
         }
-        */
+
     }
 
             /**

framework/View.php

@@ -36,10 +36,9 @@
 use framework\exceptions\NotInitializedViewException;
 use framework\exceptions\BlockNotFoundException;
 
-/** TODO
- * use HTMLPurifier;
- * use HTMLPurifier_Config;
- */
+use HTMLPurifier;
+use HTMLPurifier_Config;
+
 
 class View
 {
@@ -425,7 +424,7 @@ public function getTplFileName()
         return $this->tplFileName;
     }
 
-    /** TODO
+    /**
      * Cleans a string against XSS attack
      *
      * @param string $string String to purify
@@ -434,6 +433,42 @@ public function getTplFileName()
      */
     public function xssCleanString($string, $charset = CHARSET)
     {
-        return null;
+
+        if (!USE_HTMLPURIFIER) {
+            // Fix &entity\n;
+            $string = str_replace(array('&', '<', '>'), array('&', '<', '>'), $string);
+            $string = preg_replace('/(&#*\w+)[\x00-\x20]+;/u', '$1;', $string);
+            $string = preg_replace('/(&#x*[0-9A-F]+);*/iu', '$1;', $string);
+            $string = html_entity_decode($string, ENT_COMPAT, $charset);
+
+            // Remove any attribute starting with "on" or xmlns
+            $string = preg_replace('#(<[^>]+?[\x00-\x20"\'])(?:on|xmlns)[^>]*+>#iu', '$1>', $string);
+
+            // Remove javascript: and vbscript: protocols
+            $string = preg_replace('#([a-z]*)[\x00-\x20]*=[\x00-\x20]*([`\'"]*)[\x00-\x20]*j[\x00-\x20]*a[\x00-\x20]*v[\x00-\x20]*a[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2nojavascript...', $string);
+            $string = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*v[\x00-\x20]*b[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2novbscript...', $string);
+            $string = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*-moz-binding[\x00-\x20]*:#u', '$1=$2nomozbinding...', $string);
+
+            // Only works in IE: <span style="width: expression(alert('Ping!'));"></span>
+            $string = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?expression[\x00-\x20]*\([^>]*+>#i', '$1>', $string);
+            $string = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?behaviour[\x00-\x20]*\([^>]*+>#i', '$1>', $string);
+            $string = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:*[^>]*+>#iu', '$1>', $string);
+
+            // Remove namespaced elements (we do not need them)
+            $string = preg_replace('#</*\w+:\w[^>]*+>#i', '', $string);
+
+            do {
+                // Remove really unwanted tags
+                $oldString = $string;
+                $string = preg_replace('#</*(?:applet|b(?:ase|gsound|link)|embed|frame(?:set)?|i(?:frame|layer)|l(?:ayer|ink)|meta|object|s(?:cript|tyle)|title|xml)[^>]*+>#i', '', $string);
+            } while ($oldString !== $string);
+        } else {
+            // Using HTMLPurifier
+            $config = HTMLPurifier_Config::createDefault();
+            $purifier = new HTMLPurifier($config);
+            $string = $purifier->purify($string);
+        }
+        return $string;
     }
+
 }

framework/components/Record.php

@@ -239,7 +239,8 @@ public function init(Model $beanAdapter = null, View $view = null, $isBusinessVa
     {
         $this->beanAdapter = $beanAdapter;
         $this->view->setVar("Separator", $this->actionsSeparator);
-
+        $this->view->setVar("CSRF_TOKEN_FORM_FIELD", CSRF_TOKEN_FORM_FIELD);
+        $this->view->setVar("CRSFTOKEN", $this->getCSRFToken());
         // $this->doAction($beanAdapter,$isBusinessValidationError);
 
         if (!empty($this->currentRecord[0])) {
@@ -276,6 +277,43 @@ public function init(Model $beanAdapter = null, View $view = null, $isBusinessVa
 
     }
 
+    /**
+     * Manages and gets CSRF Token
+     * @return string The CSRF Token
+     */
+    protected function getCSRFToken()
+    {
+        if (@empty($_SESSION['token'])) {
+            if (function_exists('mcrypt_create_iv')) {
+                // TODO random_bytes
+                $_SESSION['token'] = bin2hex(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM));
+            } else {
+                $_SESSION['token'] = bin2hex(openssl_random_pseudo_bytes(32));
+            }
+        }
+        // print_r($_SESSION['token']);
+        return $_SESSION['token'];
+
+    }
+
+    /**
+     * Detects CSRF attack
+     * @return bool True if it detetecs a pibble attack.
+     */
+    public function detectedCSRF()
+    {
+        $csrf_token_field = CSRF_TOKEN_FORM_FIELD;
+        if (@!empty($_POST[$csrf_token_field])) {
+            if ($_SESSION["token"] == $_POST[$csrf_token_field]) {
+                return false;
+            } else {
+                return true;
+            }
+        } else {
+            return true;
+        }
+    }
+
     /**
      * Verifies if action's name is valid
      * @param string $action The action name
@@ -465,6 +503,16 @@ private function doAction(BeanAdapter $beanAdapter, $isBusinessValidationError =
         // Note: also excluded in observing mode.
         try {
             if (!isset($_REQUEST["getState"])) {
+
+                // Handles CSRF
+                if (isset($_REQUEST[$this->record_add]) || isset($_REQUEST[$this->record_update]) || isset($_REQUEST[$this->record_delete])) {
+                    if ($this->detectedCSRF()) {
+                        $isBusinessValidationError = true;
+                        $this->addError("{RES:CRSFErrorMessage}");
+                    }
+                }
+
+                // Handles ADD
                 if (isset($_REQUEST[$this->record_add]) && !$isBusinessValidationError) {
                     $beanAdapter->insert();
                     if ($beanAdapter->getBean()->isSqlError()) {
@@ -474,6 +522,8 @@ private function doAction(BeanAdapter $beanAdapter, $isBusinessValidationError =
                     if (!empty($this->redirectAfterAdd))
                         header("Location: " . $this->redirectAfterAdd);
                 }
+
+                // Handles UPDATE
                 if (isset($_REQUEST[$this->record_update]) && !$isBusinessValidationError) {
                     $beanAdapter->update($this->currentRecord);
                     if ($beanAdapter->getBean()->isSqlError()) {
@@ -484,6 +534,7 @@ private function doAction(BeanAdapter $beanAdapter, $isBusinessValidationError =
                         header("Location: " . $this->redirectAfterUpdate);
                 }
 
+                // Handles DELETE
                 if (isset($_REQUEST[$this->record_delete]) && !$isBusinessValidationError) {
                     $beanAdapter->delete($this->currentRecord);
                     if ($beanAdapter->getBean()->isSqlError()) {
@@ -494,6 +545,7 @@ private function doAction(BeanAdapter $beanAdapter, $isBusinessValidationError =
                         header("Location: " . $this->redirectAfterDelete);
                 }
 
+                // Handles Reset
                 if (isset($_REQUEST[$this->record_close])) {
                     if (!empty($this->redirectAfterClose))
                         header("Location: " . $this->redirectAfterClose);

framework/resources/components/record.html.tpl

@@ -8,6 +8,7 @@
 }
 </style>
 <input type="hidden" name="Observer_Data_Changed_Alert_Message" id = "Observer_Data_Changed_Alert_Message" value="{RES:Observer_Data_Changed_Alert_Message}">
+<input type="hidden" name="{CSRF_TOKEN_FORM_FIELD}" value="{CRSFTOKEN}">
 <input class ="record_button btn btn-success" type="submit" value="{RES:Record_Add}"        id="{record_add}"      name="{record_add}"     data-action="add">
 <input class ="record_button btn btn-success" type="submit" value="{RES:Record_Update}"     id="{record_update}"   name="{record_update}"  data-action="update">
 <input class ="record_button btn btn-danger"  type="submit" value="{RES:Record_Delete}"     id="{record_delete}"   name="{record_delete}"  data-action="delete" data-jsconfirm="true">