Commit 691e9541 authored by Nicolas Delaby's avatar Nicolas Delaby

Backport...

Backport http://dev.plone.org/archetypes/changeset/9449/Products.PortalTransforms/trunk/Products/PortalTransforms/transforms/safe_html.py
Improve patterns to detect embedded javascripts.


git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@36538 20353a03-c40f-0410-a6d1-a30d3c3de9de
parent 4e15b638
...@@ -74,12 +74,20 @@ msg_pat = """ ...@@ -74,12 +74,20 @@ msg_pat = """
""" """
def hasScript(s): def hasScript(s):
""" Dig out evil Java/VB script inside an HTML attribute """ """
>>> hasScript('script:evil(1);')
# look for "script" and "expression" True
javascript_pattern = re.compile("([\s\n]*?s[\s\n]*?c[\s\n]*?r[\s\n]*?i[\s\n]*?p[\s\n]*?t[\s\n]*?:)|([\s\n]*?e[\s\n]*?x[\s\n]*?p[\s\n]*?r[\s\n]*?e[\s\n]*?s[\s\n]*?s[\s\n]*?i[\s\n]*?o[\s\n]*?n)", re.DOTALL|re.IGNORECASE) >>> hasScript('expression:evil(1);')
True
>>> hasScript('http://foo.com/ExpressionOfInterest.doc')
False
"""
s = decode_htmlentities(s) s = decode_htmlentities(s)
return javascript_pattern.findall(s) s = ''.join(s.split()).lower()
for t in ('script:', 'expression:', 'expression('):
if t in s:
return True
return False
def decode_htmlentities(s): def decode_htmlentities(s):
""" XSS code can be hidden with htmlentities """ """ XSS code can be hidden with htmlentities """
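Review bot: The normalisation on the new line `s = ''.join(s.split()).lower()` only removes characters that `str.split()` treats as whitespace, so a payload with another control character embedded in the token (e.g. a NUL inside `script:`, which some browsers have historically ignored when parsing a URL scheme) still passes the check; the replaced regex had the same gap, so the backport does not close it. A stricter normalisation such as `s = ''.join(c for c in s if ord(c) > 0x20).lower()` drops those characters as well and keeps the three doctests passing. The fixed token tuple also does not catch `data:` URLs, which can carry an HTML/script payload without the word "script" in the attribute value; whether that belongs here or in the caller depends on how the attribute is consumed, which is not visible in this hunk. Note that the return type changed from the regex's match list to a plain bool, so callers that inspected the list rather than its truthiness would need adjusting. `decode_htmlentities` starts on the hunk's final lines and continues outside it.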