
Added togglable script escaping to page content

Configurable via 'ALLOW_CONTENT_SCRIPTS' env variable.
Fixes #575
This commit is contained in:
Dan Brown
2018-03-17 15:51:40 +00:00
parent 0a1546daea
commit 1ad6fe1cbd
3 changed files with 51 additions and 0 deletions


@@ -713,6 +713,10 @@ class EntityRepo
public function renderPage(Page $page, $ignorePermissions = false)
{
$content = $page->html;
if (!config('app.allow_content_scripts')) {
$content = $this->escapeScripts($content);
}
$matches = [];
preg_match_all("/{{@\s?([0-9].*?)}}/", $content, $matches);
if (count($matches[0]) === 0) {
@@ -760,6 +764,24 @@ class EntityRepo
return $content;
}
/**
* Escape script tags within HTML content.
* @param string $html
* @return mixed
*/
protected function escapeScripts(string $html)
{
$scriptSearchRegex = '/<script.*?>.*?<\/script>/ms';
$matches = [];
preg_match_all($scriptSearchRegex, $html, $matches);
if (count($matches) === 0) return $html;
foreach ($matches[0] as $match) {
$html = str_replace($match, htmlentities($match), $html);
}
return $html;
}
/**
* Get the plain text version of a page's content.
* @param Page $page


@@ -8,6 +8,8 @@ return [
'books' => env('APP_VIEWS_BOOKS', 'list')
],
'allow_content_scripts' => env('ALLOW_CONTENT_SCRIPTS', false),
/*
|--------------------------------------------------------------------------
| Application Debug Mode
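Review bot: The new `allow_content_scripts` key is added without any comment, yet it is the one option in this block with a direct security consequence: when enabled, JavaScript placed in page HTML by any editor runs in every reader's browser. A short comment above the line, such as `// When true, <script> blocks in page content are rendered unescaped and execute for every viewer; keep false unless all editors are fully trusted.`, makes the trade-off visible to whoever sets ALLOW_CONTENT_SCRIPTS. Laravel's env() appears to map the strings "true"/"false" to booleans, while other non-empty values come back as truthy strings, so the comment should also name the accepted values.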


@@ -112,4 +112,31 @@ class PageContentTest extends TestCase
$pageView->assertSee('def456');
}
public function test_page_content_scripts_escaped_by_default()
{
$this->asEditor();
$page = Page::first();
$script = '<script>console.log("hello-test")</script>';
$page->html = "escape {$script}";
$page->save();
$pageView = $this->get($page->getUrl());
$pageView->assertDontSee($script);
$pageView->assertSee(htmlentities($script));
}
public function test_page_content_scripts_show_when_configured()
{
$this->asEditor();
$page = Page::first();
config()->push('app.allow_content_scripts', 'true');
$script = '<script>console.log("hello-test")</script>';
$page->html = "no escape {$script}";
$page->save();
$pageView = $this->get($page->getUrl());
$pageView->assertSee($script);
$pageView->assertDontSee(htmlentities($script));
}
}
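Review bot: test_page_content_scripts_show_when_configured enables the flag with `config()->push('app.allow_content_scripts', 'true')`, which appends to an array under that key rather than replacing the scalar; it appears to pass only because the resulting array is truthy, so `config()->set('app.allow_content_scripts', true);` states the intent directly and will not break if the repository's push semantics change. test_page_content_scripts_escaped_by_default exercises a single lowercase `<script>` element; since escapeScripts is a case-sensitive regex as written, adding a second case with a mixed-case tag such as `<SCRIPT>` would pin down the coverage the default is meant to give. Both tests also assert on `htmlentities($script)`, which couples them to the exact encoding function used in the repo; that is acceptable, but a comment saying so would save the next maintainer a search.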