Changeset 52304

Timestamp:

12/02/2021 12:54:03 AM (3 years ago)

Author:

peterwilsoncc

Message:

KSES: Allow attributes to be restricted via callbacks.

Add callback validation to HTML tag attributes for increased flexibility over an array of values only.

In object tags, validate the data attribute via a callback to ensure it is a PDF and matches the type attribute. This prevents mime type mismatches in browsers.

Follow up to [51963].

Props Pento, dd32, swissspidy, xknown, peterwilsoncc.
Fixes #54261.

Location:

trunk

Files:

• src/wp-includes/kses.php (modified) (3 diffs)
• tests/phpunit/tests/kses.php (modified) (1 diff)

trunk/src/wp-includes/kses.php

@@ -273 +273 @@
         ),
         'object'     => array(
-            'data' => true,
+            'data' => array(
+                'required'       => true,
+                'value_callback' => '_wp_kses_allow_pdf_objects',
+            ),
             'type' => array(
                 'required' => true,
@@ -1662 +1665 @@
             }
             break;
+
+        case 'value_callback':
+            /*
+             * The value_callback check is used when you want to make sure that the attribute
+             * value is accepted by the callback function.
+             */
+
+            if ( ! call_user_func( $checkvalue, $value ) ) {
+                $ok = false;
+            }
+            break;
     } // End switch.
 
@@ -2567 +2581 @@
     return $value;
 }
+
+/**
+ * Helper function to check if this is a safe PDF URL.
+ *
+ * @since 5.9.0
+ * @access private
+ * @ignore
+ *
+ * @param string $url The URL to check.
+ * @return bool True if the URL is safe, false otherwise.
+ */
+function _wp_kses_allow_pdf_objects( $value ) {
+    // We're not interested in URLs that contain query strings or fragments.
+    if ( strpos( $value, '?' ) !== false || strpos( $value, '#' ) !== false ) {
+        return false;
+    }
+
+    // If it doesn't have a PDF extension, it's not safe.
+    if ( 0 !== substr_compare( $value, '.pdf', -4, 4, true ) ) {
+        return false;
+    }
+
+    // If the URL host matches the current site's media URL, it's safe.
+    $upload_info = wp_upload_dir( null, false );
+    $upload_host = wp_parse_url( $upload_info['url'], PHP_URL_HOST );
+    if ( 0 === strpos( $value, "http://$upload_host/" ) || 0 === strpos( $value, "https://$upload_host/" ) ) {
+        return true;
+    }
+
+    return false;
+}

trunk/tests/phpunit/tests/kses.php

@@ -1518 +1518 @@
         return array(
             'valid value for type'                    => array(
-                '<object type="application/pdf" data="https://wordpress.org/foo.pdf" />',
-                '<object type="application/pdf" data="https://wordpress.org/foo.pdf" />',
+                '<object type="application/pdf" data="https://example.org/foo.pdf" />',
+                '<object type="application/pdf" data="https://example.org/foo.pdf" />',
             ),
             'invalid value for type'                  => array(
-                '<object type="application/exe" data="https://wordpress.org/foo.exe" />',
+                '<object type="application/exe" data="https://example.org/foo.exe" />',
                 '',
             ),
             'multiple type attributes, last invalid'  => array(
-                '<object type="application/pdf" type="application/exe" data="https://wordpress.org/foo.pdf" />',
-                '<object type="application/pdf" data="https://wordpress.org/foo.pdf" />',
+                '<object type="application/pdf" type="application/exe" data="https://example.org/foo.pdf" />',
+                '<object type="application/pdf" data="https://example.org/foo.pdf" />',
             ),
             'multiple type attributes, first uppercase, last invalid' => array(
-                '<object TYPE="application/pdf" type="application/exe" data="https://wordpress.org/foo.pdf" />',
-                '<object TYPE="application/pdf" data="https://wordpress.org/foo.pdf" />',
+                '<object TYPE="application/pdf" type="application/exe" data="https://example.org/foo.pdf" />',
+                '<object TYPE="application/pdf" data="https://example.org/foo.pdf" />',
             ),
             'multiple type attributes, last upper case and invalid' => array(
-                '<object type="application/pdf" TYPE="application/exe" data="https://wordpress.org/foo.pdf" />',
-                '<object type="application/pdf" data="https://wordpress.org/foo.pdf" />',
+                '<object type="application/pdf" TYPE="application/exe" data="https://example.org/foo.pdf" />',
+                '<object type="application/pdf" data="https://example.org/foo.pdf" />',
             ),
             'multiple type attributes, first invalid' => array(
-                '<object type="application/exe" type="application/pdf" data="https://wordpress.org/foo.pdf" />',
+                '<object type="application/exe" type="application/pdf" data="https://example.org/foo.pdf" />',
                 '',
             ),
             'multiple type attributes, first upper case and invalid' => array(
-                '<object TYPE="application/exe" type="application/pdf" data="https://wordpress.org/foo.pdf" />',
+                '<object TYPE="application/exe" type="application/pdf" data="https://example.org/foo.pdf" />',
                 '',
             ),
             'multiple type attributes, first invalid, last uppercase' => array(
-                '<object type="application/exe" TYPE="application/pdf" data="https://wordpress.org/foo.pdf" />',
+                '<object type="application/exe" TYPE="application/pdf" data="https://example.org/foo.pdf" />',
                 '',
             ),
             'multiple object tags, last invalid'      => array(
-                '<object type="application/pdf" data="https://wordpress.org/foo.pdf" /><object type="application/exe" data="https://wordpress.org/foo.exe" />',
-                '<object type="application/pdf" data="https://wordpress.org/foo.pdf" />',
+                '<object type="application/pdf" data="https://example.org/foo.pdf" /><object type="application/exe" data="https://example.org/foo.exe" />',
+                '<object type="application/pdf" data="https://example.org/foo.pdf" />',
             ),
             'multiple object tags, first invalid'     => array(
-                '<object type="application/exe" data="https://wordpress.org/foo.exe" /><object type="application/pdf" data="https://wordpress.org/foo.pdf" />',
-                '<object type="application/pdf" data="https://wordpress.org/foo.pdf" />',
+                '<object type="application/exe" data="https://example.org/foo.exe" /><object type="application/pdf" data="https://example.org/foo.pdf" />',
+                '<object type="application/pdf" data="https://example.org/foo.pdf" />',
             ),
             'type attribute with partially incorrect value' => array(
-                '<object type="application/pdfa" data="https://wordpress.org/foo.pdf" />',
+                '<object type="application/pdfa" data="https://example.org/foo.pdf" />',
                 '',
             ),
             'type attribute with empty value'         => array(
-                '<object type="" data="https://wordpress.org/foo.pdf" />',
+                '<object type="" data="https://example.org/foo.pdf" />',
                 '',
             ),
             'type attribute with no value'            => array(
-                '<object type data="https://wordpress.org/foo.pdf" />',
+                '<object type data="https://example.org/foo.pdf" />',
                 '',
             ),
             'no type attribute'                       => array(
-                '<object data="https://wordpress.org/foo.pdf" />',
+                '<object data="https://example.org/foo.pdf" />',
+                '',
+            ),
+            'different protocol in url'               => array(
+                '<object type="application/pdf" data="http://example.org/foo.pdf" />',
+                '<object type="application/pdf" data="http://example.org/foo.pdf" />',
+            ),
+            'query string on url'                     => array(
+                '<object type="application/pdf" data="https://example.org/foo.pdf?lol=.pdf" />',
+                '',
+            ),
+            'fragment on url'                         => array(
+                '<object type="application/pdf" data="https://example.org/foo.pdf#lol.pdf" />',
+                '',
+            ),
+            'wrong extension'                         => array(
+                '<object type="application/pdf" data="https://example.org/foo.php" />',
+                '',
+            ),
+            'protocol relative url'                   => array(
+                '<object type="application/pdf" data="//example.org/foo.pdf" />',
+                '',
+            ),
+            'relative url'                            => array(
+                '<object type="application/pdf" data="/cat/foo.pdf" />',
                 '',
             ),