Dan Brown
6955b2fd5a
Widened svg content attribute xss filtering
Takes care of additional cases that can occur.
Closes #3705
2022-09-06 17:01:56 +01:00
Dan Brown
5f7cd735ea
Added content filtering of tags with javascript or data in values attr
Case would be blocked by CSP but adding for cases where CSP may not be
active when content taken externally.
For #3636
2022-08-11 10:28:32 +01:00
Dan Brown
8d7c8ac8bf
Done a round of phpstan fixes
2021-11-06 00:32:01 +00:00
Dan Brown
fb80bb5d58
Applied latest styleci changes
2021-09-06 22:19:06 +01:00
Dan Brown
fd44e4ba74
Started application of CSP headers
2021-09-03 23:32:42 +01:00
Dan Brown
040997fdc4
Added filter for xlink:href svg xss
Simply remove all such attributes
2021-09-03 22:34:49 +01:00
Dan Brown
5e6092aaf8
Added extra HTML filtering of dangerous content
In particular, that around the casing of dangerous values within
attributes. This uses some xpath translation to handle different casing
in contains searching.
2021-09-02 22:02:30 +01:00
Dan Brown
934a833818
Apply fixes from StyleCI
2021-06-26 15:23:15 +00:00
Dan Brown
b5caaa73b7
Fixed content parsing break with line html comment
Fixes issues thrown in custom HTML head & page content filtering when
the content is comprised of only a single HTML comment.
Adds tests to cover.
For #2804
2021-06-13 12:53:04 +01:00
Dan Brown
43b6633183
Filtered scripts in custom HTML head for exports
Since it appeared to cause problems in some scenarios.
Related to #2490
2021-05-03 23:59:52 +01:00