Added togglable script escaping to page content
Configurable via 'ALLOW_CONTENT_SCRIPTS' env variable. Fixes #575
This commit is contained in:
parent
0a1546daea
commit
1ad6fe1cbd
@ -713,6 +713,10 @@ class EntityRepo
|
|||||||
public function renderPage(Page $page, $ignorePermissions = false)
|
public function renderPage(Page $page, $ignorePermissions = false)
|
||||||
{
|
{
|
||||||
$content = $page->html;
|
$content = $page->html;
|
||||||
|
if (!config('app.allow_content_scripts')) {
|
||||||
|
$content = $this->escapeScripts($content);
|
||||||
|
}
|
||||||
|
|
||||||
$matches = [];
|
$matches = [];
|
||||||
preg_match_all("/{{@\s?([0-9].*?)}}/", $content, $matches);
|
preg_match_all("/{{@\s?([0-9].*?)}}/", $content, $matches);
|
||||||
if (count($matches[0]) === 0) {
|
if (count($matches[0]) === 0) {
|
||||||
@ -760,6 +764,24 @@ class EntityRepo
|
|||||||
return $content;
|
return $content;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Escape script tags within HTML content.
|
||||||
|
* @param string $html
|
||||||
|
* @return mixed
|
||||||
|
*/
|
||||||
|
protected function escapeScripts(string $html)
|
||||||
|
{
|
||||||
|
$scriptSearchRegex = '/<script.*?>.*?<\/script>/ms';
|
||||||
|
$matches = [];
|
||||||
|
preg_match_all($scriptSearchRegex, $html, $matches);
|
||||||
|
if (count($matches) === 0) return $html;
|
||||||
|
|
||||||
|
foreach ($matches[0] as $match) {
|
||||||
|
$html = str_replace($match, htmlentities($match), $html);
|
||||||
|
}
|
||||||
|
return $html;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Get the plain text version of a page's content.
|
* Get the plain text version of a page's content.
|
||||||
* @param Page $page
|
* @param Page $page
|
||||||
|
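Review bot: The pattern in escapeScripts is case-sensitive and only recognises a bare `</script>` closer, so `<SCRIPT>…</SCRIPT>` or `…</script >` pass through unescaped although browsers treat them as script, which defeats the default-off setting. In addition, `count($matches) === 0` is never true because preg_match_all always populates `$matches[0]`, and if preg_match_all fails (returns false, e.g. on the PCRE backtrack limit for a large page) the loop never runs and the content is returned with its scripts intact — this should fail closed. A preg_replace_callback over `'/<script\b[^>]*>.*?<\/script\s*>/is'` handles both and also avoids str_replace rewriting text inside a later, longer match that contains an earlier one. Note the method only neutralises script elements; inline event handlers and javascript: URLs are untouched, which the docblock should state so nobody reads the setting as a script sandbox.
```php
    /**
     * Escape script tags within HTML content.
     * Only <script> elements are escaped; inline event handler attributes and
     * javascript: URLs are left as-is.
     * @param string $html
     * @return string
     */
    protected function escapeScripts(string $html)
    {
        // Tag names are case-insensitive and the closing tag may carry whitespace.
        $scriptSearchRegex = '/<script\b[^>]*>.*?<\/script\s*>/is';
        $escaped = preg_replace_callback($scriptSearchRegex, function ($match) {
            return htmlentities($match[0]);
        }, $html);
        if ($escaped === null) {
            // PCRE error (e.g. backtrack limit): fail closed rather than emit raw scripts.
            return htmlentities($html);
        }
        return $escaped;
    }
```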
@ -8,6 +8,8 @@ return [
|
|||||||
'books' => env('APP_VIEWS_BOOKS', 'list')
|
'books' => env('APP_VIEWS_BOOKS', 'list')
|
||||||
],
|
],
|
||||||
|
|
||||||
|
'allow_content_scripts' => env('ALLOW_CONTENT_SCRIPTS', false),
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|--------------------------------------------------------------------------
|
|--------------------------------------------------------------------------
|
||||||
| Application Debug Mode
|
| Application Debug Mode
|
||||||
|
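Review bot: The new `allow_content_scripts` entry carries no comment, while this file documents its options in comment blocks (see "Application Debug Mode" just below), and this option in particular warrants a warning: once enabled, anyone who can edit a page can run JavaScript in the browser of every viewer, so it should stay off unless all editors are trusted. Suggest placing above the line `// Allow <script> tags in page content to render unescaped. Enabling this lets any page editor execute JavaScript for all viewers; keep false unless every editor is trusted.`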
@ -112,4 +112,31 @@ class PageContentTest extends TestCase
|
|||||||
$pageView->assertSee('def456');
|
$pageView->assertSee('def456');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public function test_page_content_scripts_escaped_by_default()
|
||||||
|
{
|
||||||
|
$this->asEditor();
|
||||||
|
$page = Page::first();
|
||||||
|
$script = '<script>console.log("hello-test")</script>';
|
||||||
|
$page->html = "escape {$script}";
|
||||||
|
$page->save();
|
||||||
|
|
||||||
|
$pageView = $this->get($page->getUrl());
|
||||||
|
$pageView->assertDontSee($script);
|
||||||
|
$pageView->assertSee(htmlentities($script));
|
||||||
|
}
|
||||||
|
|
||||||
|
public function test_page_content_scripts_show_when_configured()
|
||||||
|
{
|
||||||
|
$this->asEditor();
|
||||||
|
$page = Page::first();
|
||||||
|
config()->push('app.allow_content_scripts', 'true');
|
||||||
|
$script = '<script>console.log("hello-test")</script>';
|
||||||
|
$page->html = "no escape {$script}";
|
||||||
|
$page->save();
|
||||||
|
|
||||||
|
$pageView = $this->get($page->getUrl());
|
||||||
|
$pageView->assertSee($script);
|
||||||
|
$pageView->assertDontSee(htmlentities($script));
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
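Review bot: `config()->push('app.allow_content_scripts', 'true')` in test_page_content_scripts_show_when_configured appends to an array rather than setting a value; if this is Laravel's config repository, the default `false` becomes `['true']`, which is truthy only by accident (and a deprecated false-to-array conversion on newer PHP), so the test passes for the wrong reason. Use `config()->set('app.allow_content_scripts', true);` instead. Both tests exercise only a lowercase `<script>…</script>`; a case using `<SCRIPT>` or `</script >` would pin whether the tag variants browsers accept are actually escaped.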