Backport...

Backport http://dev.plone.org/archetypes/changeset/9449/Products.PortalTransforms/trunk/Products/PortalTransforms/transforms/safe_html.py Improve patterns to detect embedded javascripts. git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@36538 20353a03-c40f-0410-a6d1-a30d3c3de9de

Backport...
Backport http://dev.plone.org/archetypes/changeset/9449/Products.PortalTransforms/trunk/Products/PortalTransforms/transforms/safe_html.py Improve patterns to detect embedded javascripts. git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@36538 20353a03-c40f-0410-a6d1-a30d3c3de9de
691e9541 · Nicolas Delaby · 4e15b638 · 691e9541
Commit 691e9541 authored Jun 23, 2010 by Nicolas Delaby
Hide whitespace changes
Inline Side-by-side

Showing with 13 additions and 5 deletions

product/PortalTransforms/transforms/safe_html.py product/PortalTransforms/transforms/safe_html.py +13 -5

No files found.
--- a/product/PortalTransforms/transforms/safe_html.py
+++ b/product/PortalTransforms/transforms/safe_html.py
@@ -74,12 +74,20 @@ msg_pat = """
 """

 def hasScript(s):
-   """ Dig out evil Java/VB script inside an HTML attribute """
-
-   # look for "script" and "expression"
-   javascript_pattern = re.compile("([\s\n]*?s[\s\n]*?c[\s\n]*?r[\s\n]*?i[\s\n]*?p[\s\n]*?t[\s\n]*?:)|([\s\n]*?e[\s\n]*?x[\s\n]*?p[\s\n]*?r[\s\n]*?e[\s\n]*?s[\s\n]*?s[\s\n]*?i[\s\n]*?o[\s\n]*?n)", re.DOTALL|re.IGNORECASE)
+   """
+   >>> hasScript('script:evil(1);')
+   True
+   >>> hasScript('expression:evil(1);')
+   True
+   >>> hasScript('http://foo.com/ExpressionOfInterest.doc')
+   False
+   """
   s = decode_htmlentities(s)
-   return javascript_pattern.findall(s)
+   s = ''.join(s.split()).lower()
+   for t in ('script:', 'expression:', 'expression('):
+      if t in s:
+         return True
+   return False

 def decode_htmlentities(s):
   """ XSS code can be hidden with htmlentities """