fix: added check on valid HTML attributes, closes #2093

Author: thorsten

CHANGELOG.md

@@ -6,8 +6,9 @@
 
 This is a log of major user-visible changes in each phpMyFAQ release.
 
-### phpMyFAQ v3.1.3 - 2022-XX-XX
+### phpMyFAQ v3.1.3 - 2022-04-XX
 
+- fixed login via LDAP or ActiveDirectory (Thorsten)
 - fixed minor bugs (Thorsten)
 
 ### phpMyFAQ v3.1.2 - 2022-03-16

phpmyfaq/src/phpMyFAQ/Filter.php

@@ -125,11 +125,40 @@ public static function removeAttributes(string $html = ''): string
 
         foreach ($attributes[0] as $attribute) {
             $attributeName = stristr($attribute, '=', true);
-            if (!in_array($attributeName, $keep)) {
+            if (self::isAttribute($attributeName) && !in_array($attributeName, $keep)) {
                 $html = str_replace(' ' . $attribute, '', $html);
             }
         }
 
         return $html;
     }
+
+    /**
+     * @param string $attribute
+     * @return bool
+     */
+    private static function isAttribute(string $attribute): bool
+    {
+        $globalAttributes = [
+            'autocomplete', 'autofocus', 'disabled', 'list', 'name', 'readonly', 'required', 'tabindex', 'type',
+            'value', 'accesskey', 'class', 'contenteditable', 'contextmenu', 'dir', 'draggable', 'dropzone', 'id',
+            'lang', 'style', 'tabindex', 'title', 'inputmode', 'is', 'itemid', 'itemprop', 'itemref', 'itemscope',
+            'itemtype', 'lang', 'slot', 'spellcheck', 'translate', 'autofocus', 'disabled', 'form', 'multiple', 'name',
+            'required', 'size', 'autocapitalize', 'autocomplete', 'autofocus', 'cols', 'disabled', 'form', 'maxlength',
+            'minlength', 'name', 'placeholder', 'readonly', 'required', 'rows', 'spellcheck', 'wrap', 'onmouseenter',
+            'onmouseleave', 'onafterprint', 'onbeforeprint', 'onbeforeunload', 'onhashchange', 'onmessage', 'onoffline',
+            'ononline', 'onpopstate', 'onpagehide', 'onpageshow', 'onresize', 'onunload', 'ondevicemotion',
+            'ondeviceorientation', 'onabort', 'onblur', 'oncanplay', 'oncanplaythrough', 'onchange', 'onclick',
+            'oncontextmenu', 'ondblclick', 'ondrag', 'ondragend', 'ondragenter', 'ondragleave', 'ondragover',
+            'ondragstart', 'ondrop', 'ondurationchange', 'onemptied', 'onended', 'onerror', 'onfocus', 'oninput',
+            'oninvalid', 'onkeydown', 'onkeypress', 'onkeyup', 'onload', 'onloadeddata', 'onloadedmetadata',
+            'onloadstart', 'onmousedown', 'onmousemove', 'onmouseout', 'onmouseover', 'onmouseup',
+            'onmozfullscreenchange', 'onmozfullscreenerror', 'onpause', 'onplay', 'onplaying', 'onprogress',
+            'onratechange', 'onreset', 'onscroll', 'onseeked', 'onseeking', 'onselect', 'onshow', 'onstalled',
+            'onsubmit', 'onsuspend', 'ontimeupdate', 'onvolumechange', 'onwaiting', 'oncopy', 'oncut', 'onpaste',
+            'onbeforescriptexecute', 'onafterscriptexecute'
+        ];
+
+        return in_array($attribute, $globalAttributes);
+    }
 }

phpmyfaq/src/phpMyFAQ/Utils.php

@@ -7,13 +7,13 @@
  * v. 2.0. If a copy of the MPL was not distributed with this file, You can
  * obtain one at http://mozilla.org/MPL/2.0/.
  *
- * @package phpMyFAQ
+ * @package   phpMyFAQ
  * @author    Thorsten Rinne <[email protected]>
  * @author    Matteo Scaramuccia <[email protected]>
  * @copyright 2005-2022 phpMyFAQ Team
  * @license   http://www.mozilla.org/MPL/2.0/ Mozilla Public License Version 2.0
- * @link  https://www.phpmyfaq.de
- * @since 2005-11-01
+ * @link      https://www.phpmyfaq.de
+ * @since     2005-11-01
  */
 
 namespace phpMyFAQ;
@@ -185,9 +185,9 @@ public static function setHighlightedString(string $string, string $highlight):
      */
     public static function highlightNoLinks(array $matches): string
     {
-        $prefix = isset($matches[3]) ? $matches[3] : '';
-        $item = isset($matches[4]) ? $matches[4] : '';
-        $postfix = isset($matches[5]) ? $matches[5] : '';
+        $prefix = $matches[3] ?? '';
+        $item = $matches[4] ?? '';
+        $postfix = $matches[5] ?? '';
 
         if (!empty($item) && !self::isForbiddenElement($item)) {
             return sprintf(
@@ -260,13 +260,11 @@ public static function parseUrl(string $string): string
         $string = str_replace($protocols, '', $string);
         $string = str_replace('www.', 'http://www.', $string);
         $string = preg_replace('|http://([a-zA-Z0-9-\./]+)|', '<a href="http://$1">$1</a>', $string);
-        $string = preg_replace(
+        return preg_replace(
             '/(([a-z0-9\+_\-]+)(\.[a-z0-9\+_\-]+)*@([a-z0-9\-]+\.)+[a-z]{2,6})/',
             '<a href="mailto:$1">$1</a>',
             $string
         );
-
-        return $string;
     }
 
     /**

tests/phpMyFAQ/FilterTest.php

@@ -0,0 +1,50 @@
+<?php
+
+/**
+ * Test suite for Filter class
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public License,
+ * v. 2.0. If a copy of the MPL was not distributed with this file, You can
+ * obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * @package   phpMyFAQ
+ * @author    Thorsten Rinne <[email protected]>
+ * @copyright 2022 phpMyFAQ Team
+ * @license   https://www.mozilla.org/MPL/2.0/ Mozilla Public License Version 2.0
+ * @link      https://www.phpmyfaq.de
+ * @since     2022-04-08
+ */
+
+namespace phpMyFAQ;
+
+use PHPUnit\Framework\TestCase;
+
+/**
+ * @testdox A Filter
+ */
+class FilterTest extends TestCase
+{
+    /**
+     * @testdox removes unwanted attributes
+     */
+    public function testRemoveAttributes()
+    {
+        $expected = '<a href="#">phpMyFAQ</a>';
+        $actual = Filter::removeAttributes($expected);
+        $this->assertEquals($expected, $actual);
+
+        $expected = '<a href="#">phpMyFAQ</a>';
+        $toTest = '<a href="#" onchange="bar()">phpMyFAQ</a>';
+        $actual = Filter::removeAttributes($toTest);
+        $this->assertEquals($expected, $actual);
+
+        $expected = '<a href="#">phpMyFAQ</a>';
+        $toTest = '<a href="#" disabled="disabled">phpMyFAQ</a>';
+        $actual = Filter::removeAttributes($toTest);
+        $this->assertEquals($expected, $actual);
+
+        $expected = 'To: sslEnabledProtocols="TLSv1.2"';
+        $actual = Filter::removeAttributes($expected);
+        $this->assertEquals($expected, $actual);
+    }
+}