Sanitize messages at server side

2025-02-07 16:24:43 +03:00 · 2014-09-12 10:59:56 +00:00 · 2014-09-12 10:59:56 +00:00 · ae9de7aa92
commit ae9de7aa92
parent ce6761755e
9 changed files with 31 additions and 103 deletions
--- a/src/mibew/js/source/default/handlebars_helpers.js
+++ b/src/mibew/js/source/default/handlebars_helpers.js
@ -17,24 +17,6 @@
 */

 (function(Mibew, Handlebars){
-   /**
-    * Register 'allowTags' Handlebars helper.
-    *
-    * This helper unescape HTML entities for allowed (span and strong) tags.
-    */
-    Handlebars.registerHelper('allowTags', function(text) {
-        var result = text.toString();
-        result = result.replace(
-            /&lt;(span|strong)&gt;(.*?)&lt;\/\1&gt;/g,
-            '<$1>$2</$1>'
-        );
-        result = result.replace(
-            /&lt;span class=&quot;(.*?)&quot;&gt;(.*?)&lt;\/span&gt;/g,
-            '<span class="$1">$2</span>'
-        );
-        return new Handlebars.SafeString(result);
-    });
-
    /**
     * Register 'formatTime' Handlebars helper.
     *
--- a/src/mibew/js/source/default/model_views/message.js
+++ b/src/mibew/js/source/default/model_views/message.js
@ -18,27 +18,6 @@

 (function(Mibew, Backbone, Handlebars) {

-    /**
-     * List of replacements pairs
-     * @type Object
-     * @private
-     */
-    var badCharList = {
-        "<": "&lt;",
-        ">": "&gt;",
-        "&": "&amp;",
-        '"': "&quot;",
-        "'": "&#x27;",
-        "`": "&#x60;"
-    }
-
-    /**
-     * Regular expression for characters that must be replaced by HTML entities
-     * @type RegExp
-     * @private
-     */
-    var badCharRegEx = /[&<>'"`]/g;
-
    /**
     * @class Represents default message view
     */
@ -75,10 +54,7 @@
                var messageKind = this.model.get('kind');

                // Add message fields
-                msg.allowFormatting = (messageKind != this.model.KIND_USER
-                    && messageKind != this.model.KIND_AGENT);
                msg.kindName = this.kindToString(messageKind);
-                msg.message = this.escapeString(msg.message);

                return msg;
            },
@ -111,22 +87,6 @@
                    return "plugin";
                }
                return "";
-            },
-
-            /**
-             * Replace HTML special characters('<', '>', '&', "'", '"', '`') by
-             * corresponding HTML entities.
-             *
-             * @param {String} str Unescaped string
-             * @returns {String} Escaped string
-             */
-            escapeString: function(str) {
-                return str.replace(
-                    badCharRegEx,
-                    function(chr) {
-                        return badCharList[chr] || "&amp;";
-                    }
-                );
            }
        }
    );
--- a/src/mibew/libs/chat.php
+++ b/src/mibew/libs/chat.php
@ -50,6 +50,26 @@ function message_to_text($msg)
    }
 }

+/**
+ * Sanitize message body and make it a safe HTML string.
+ *
+ * @param array $msg Message object
+ * @return array Message object with sanitized body.
+ */
+function sanitize_message($msg)
+{
+    $message_body = $msg['message'];
+
+    // Messages entered by user or operator cannot contain any markup
+    if ($msg['kind'] == Thread::KIND_USER || $msg['kind'] == Thread::KIND_AGENT) {
+        $message_body = safe_htmlspecialchars($message_body);
+    }
+
+    $msg['message'] = sanitize_string($message_body, 'low', 'moderate');
+
+    return $msg;
+}
+
 /**
 * Format username
 *
--- a/src/mibew/libs/classes/Mibew/Controller/HistoryController.php
+++ b/src/mibew/libs/classes/Mibew/Controller/HistoryController.php
@ -197,7 +197,10 @@ class HistoryController extends AbstractController

        // Build messages list
        $last_id = -1;
-        $messages = $thread->getMessages(false, $last_id);
+        $messages = array_map(
+            'sanitize_message',
+            $thread->getMessages(false, $last_id)
+        );
        $page['threadMessages'] = json_encode($messages);
        $page['title'] = getlocal("Chat log");

--- a/src/mibew/libs/classes/Mibew/RequestProcessor/ThreadProcessor.php
+++ b/src/mibew/libs/classes/Mibew/RequestProcessor/ThreadProcessor.php
@ -340,10 +340,10 @@ class ThreadProcessor extends ClientSideProcessor implements RouterAwareInterfac

        // Send new messages
        $last_message_id = $args['lastId'];
-        $messages = $thread->getMessages($args['user'], $last_message_id);
-        if (empty($messages)) {
-            $messages = array();
-        }
+        $messages = array_map(
+            'sanitize_message',
+            $thread->getMessages($args['user'], $last_message_id)
+        );

        return array(
            'messages' => $messages,
--- a/src/mibew/styles/dialogs/default/templates_src/client_side/chat/message.handlebars
+++ b/src/mibew/styles/dialogs/default/templates_src/client_side/chat/message.handlebars
@ -1,3 +1,3 @@
 <span>{{formatTime created}}</span> 
 {{#if name}}<span class='n{{kindName}}'>{{name}}</span>: {{/if}}
-<span class='m{{kindName}}'>{{#if allowFormatting}}{{allowTags (nl2br (urlReplace message))}}{{else}}{{nl2br (urlReplace message)}}{{/if}}</span><br/>
+<span class='m{{kindName}}'>{{nl2br (urlReplace message)}}</span><br/>
--- a/src/mibew/styles/dialogs/default/templates_src/client_side/message.handlebars
+++ b/src/mibew/styles/dialogs/default/templates_src/client_side/message.handlebars
@ -1,3 +1,3 @@
 <span>{{formatTime created}}</span>
 {{#if name}}<span class='n{{kindName}}'>{{name}}</span>: {{/if}}
-<span class='m{{kindName}}'>{{#if allowFormatting}}{{allowTags (nl2br (urlReplace message))}}{{else}}{{nl2br (urlReplace message)}}{{/if}}</span><br/>
+<span class='m{{kindName}}'>{{nl2br (urlReplace message)}}</span><br/>
--- a/src/mibew/styles/pages/default/templates_src/client_side/default/message.handlebars
+++ b/src/mibew/styles/pages/default/templates_src/client_side/default/message.handlebars
@ -1,3 +1,3 @@
 <span>{{formatTime created}}</span>
 {{#if name}}<span class='n{{kindName}}'>{{name}}</span>: {{/if}}
-<span class='m{{kindName}}'>{{#if allowFormatting}}{{allowTags (nl2br (urlReplace message))}}{{else}}{{nl2br (urlReplace message)}}{{/if}}</span><br/>
+<span class='m{{kindName}}'>{{nl2br (urlReplace message)}}</span><br/>
--- a/src/tests/client_side/qunit/test_cases/handlebars_helpers_tests.js
+++ b/src/tests/client_side/qunit/test_cases/handlebars_helpers_tests.js
@ -37,43 +37,6 @@ test('urlReplace', function() {
    );
 });

-// Test "allowTags" Handlebars helper
-test('allowTags', function() {
-    var template = '{{allowTags foo}}';
-    var compiledTemplate = Handlebars.compile(template);
-    var escape = Handlebars.Utils.escapeExpression;
-
-    equal(
-        compiledTemplate({foo: escape('<span>The content</span>')}),
-        '<span>The content</span>',
-        'Test a tag without attributes'
-    );
-
-    equal(
-        compiledTemplate({foo: escape('<span class="red">The content</span>')}),
-        '<span class="red">The content</span>',
-        'Test a tag with class attribute'
-    );
-
-    equal(
-        compiledTemplate({foo: escape('<span data-foo="bar">The content</span>')}),
-        escape('<span data-foo="bar">The content</span>'),
-        'Test a tag with arbitrary attributes'
-    );
-
-    equal(
-        compiledTemplate({foo: 'content'}),
-        'content',
-        'Test not a tag'
-    );
-
-    equal(
-        compiledTemplate({foo: 456}),
-        '456',
-        'Test not a string argument'
-    );
-});
-
 // Test "nl2br" Handlebars helper
 test('nl2br', function() {
    var template = '{{nl2br foo}}';