
Introduce ezyang/htmlpurifier #710

Open
nanasess opened this issue Apr 10, 2023 · 2 comments · May be fixed by #1066

Comments

@nanasess
Contributor

Consider introducing ezyang/htmlpurifier, which is also used in the 4.x series.
It officially supports PHP 5.6 and later, but judging from the code it looks like it would run on PHP 5.4 and later.

@nanasess
Contributor Author

It looks like this can be handled by applying htmlpurifier in modifier.script_escape.php.

@nanasess
Contributor Author

With a patch like the following, it looks like patterns beyond the ones handled so far can be covered as well.

diff --git a/data/smarty_extends/modifier.script_escape.php b/data/smarty_extends/modifier.script_escape.php
index 99885cd382..3d14551bb1 100644
--- a/data/smarty_extends/modifier.script_escape.php
+++ b/data/smarty_extends/modifier.script_escape.php
@@ -1,4 +1,5 @@
 <?php
+require_once __DIR__ . '/../vendor/ezyang/htmlpurifier/library/HTMLPurifier.auto.php';
 /**
  * Scriptタグをエスケープする
  *
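Review bot: the added `require_once __DIR__ . '/../vendor/ezyang/htmlpurifier/library/HTMLPurifier.auto.php'` hard-codes the package's internal layout into the modifier; if the dependency is pulled in via Composer, loading the Composer autoloader (or relying on it already being loaded by the bootstrap) keeps this file independent of where the library happens to be installed and avoids a fatal error when the vendor directory moves.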
@@ -50,5 +51,10 @@ function smarty_modifier_script_escape($value)
         $value = preg_replace($pattern, $convert, $value);
     }
 
-    return $value;
+    // 念のために HTMLPurifier でサニタイズ
+    $config = HTMLPurifier_Config::createDefault();
+    $config->set('Cache.SerializerPath', __DIR__ . '/../cache');
+    $purify = new HTMLPurifier($config);
+
+    return $purify->purify($value ?? '');
 }
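Review bot: `$value ?? ''` uses the null coalescing operator, which needs PHP 7.0 or later, so this hunk contradicts the goal stated above of running on PHP 5.4 and later; `isset($value) ? $value : ''` (or a plain `(string) $value`) keeps the same behaviour on older PHP. Two further points on the same lines: `HTMLPurifier_Config::createDefault()` and `new HTMLPurifier($config)` are executed on every modifier call, which is expensive for a template modifier that may run many times per page, so the instance should be built once (for example kept in a `static` variable) and reused; and `Cache.SerializerPath` points at `__DIR__ . '/../cache'`, which must exist and be writable by the web server or the purifier falls back to an uncached (slow) mode, so that precondition should be checked or documented. Finally, HTMLPurifier's default configuration removes any element and attribute outside its allowlist, so the modifier no longer only escapes script tags but also drops legitimate markup that the regex-based escaping above leaves intact; that behaviour change should be called out and exercised against existing templates before merging.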
