HTML Formatter Security Bug (October 30 2005)
Mark
Vanilla Staff
Everyone should be aware that SirNot and I discovered some bugs in the HTML formatter whereby someone could execute JavaScript in specific browsers. SirNot has fixed the bugs in the release version of the HTML formatter that comes with Vanilla. You can either download that version of Vanilla from getvanilla.com, or you can do the following to repair the bug:
Open up extensions/HtmlFormatter.php
Replace the Execute function with this:
```php
function Execute($String) {
    $AllowedProtocols = array('http', 'ftp', 'https', 'irc', 'gopher');
    $Patterns = array(
        "/o(?i)(n)/",   // block all js events, but keep it as exact as possible in case
        "/O(?i)(n)/",   // we're mistaking it for a url or something
        // on some browsers the js protocol will still work even if it
        // contains html entities or a newline separating 'java' and 'script'
        // (the /e modifier evaluates the replacement as PHP; it was removed in PHP 7.0)
        "/<a(.+?)href\s*=(\W*)([\w\d\x0a\x0d#&;]+?):([^>]+?)>/esi",
        "/s(?i)(cript)/", // now we can go through and cancel out any script tags
        "/S(?i)(cript)/"
    );
    $Replacements = array(
        "o\\1",
        "O\\1",
        '$this->CheckProtocol("\\3", $AllowedProtocols, "href="."\\2", "<a"."\\1", "\\4".">")',
        "s\\1",
        "S\\1"
    );
    return preg_replace($Patterns, $Replacements, $String);
}
```

Then you'd want to add in this function in the same class as well:
```php
// Rebuilds the <a ...> tag: keeps the protocol if it is on the allow list,
// otherwise substitutes "http://" so the link cannot run script.
// stripslashes() undoes the escaping that the /e modifier applies to backreferences.
function CheckProtocol($Check, $Allow, $Extra, $Prefix, $Suffix) {
    $sReturn = stripslashes($Prefix);
    if(!in_array($Check, $Allow))
        $sReturn .= ($Extra.'http://');
    else
        $sReturn .= ($Extra.$Check.':');
    $sReturn .= stripslashes($Suffix);
    return $sReturn;
}
```
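The same scheme allow-list check, as an added example that is not Vanilla's code and not part of the post above: it normalises the href (entity decoding, whitespace removal) before reading the scheme, so the entity and newline tricks the comments mention are caught, and it uses preg_replace_callback rather than the /e modifier. Function names and sample inputs are invented for the example.

```php
<?php
// Added example, not Vanilla's own code: the allow-list idea behind CheckProtocol,
// written with preg_replace_callback instead of /e. All names here are hypothetical.
const ALLOWED_PROTOCOLS = ['http', 'https', 'ftp', 'irc', 'gopher'];

// Decode entities and strip whitespace/control characters before reading the
// scheme, so "java&#115;cript:" and "java\nscript:" are both seen as "javascript:".
function normalizeHref(string $href): string
{
    $decoded = html_entity_decode($href, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return preg_replace('/[\x00-\x20]+/', '', $decoded);
}

// Keep the href if it has no scheme (relative link) or an allowed one;
// otherwise replace it with a harmless placeholder.
function safeHref(string $href): string
{
    $clean = normalizeHref($href);
    if (!preg_match('/^([a-z][a-z0-9+.\-]*):/i', $clean, $m)) {
        return $href;
    }
    return in_array(strtolower($m[1]), ALLOWED_PROTOCOLS, true) ? $href : 'http://';
}

// Rewrite the href of every <a> in a fragment of user-supplied HTML,
// whether the value is double-quoted, single-quoted or unquoted.
function filterAnchors(string $html): string
{
    $pattern = '/(<a\b[^>]*?\bhref\s*=\s*)(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))/i';
    return preg_replace_callback($pattern, function (array $m): string {
        // Only one of the three value groups is non-empty for a given match.
        $value = ($m[2] ?? '') . ($m[3] ?? '') . ($m[4] ?? '');
        $quote = isset($m[4]) ? '' : (isset($m[3]) ? "'" : '"');
        return $m[1] . $quote . safeHref($value) . $quote;
    }, $html);
}

// Constructed samples; the middle two use the evasions the post describes.
$samples = [
    '<a href="http://example.org/">ok</a>',
    '<a href="java&#115;cript:alert(1)">entity</a>',
    "<a href='java\nscript:alert(1)'>newline</a>",
    '<a href=/relative/path>relative</a>',
];
foreach ($samples as $s) {
    echo filterAnchors($s), "\n";
}
```

The first and last samples pass through unchanged; the two evasion samples come out with href set to the placeholder.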