Add default_template as Book setting

[bookstack] / app / Util / HtmlContentFilter.php

diff --git a/app/Util/HtmlContentFilter.php b/app/Util/HtmlContentFilter.php
index 1943aa7802c81d6edb7707bc0f7d211d45514839..5e3c4822c2e16a43c48da4c6f8a0edcbcf618746 100644 (file)
--- a/app/Util/HtmlContentFilter.php
+++ b/app/Util/HtmlContentFilter.php
@@ -4,6 +4,7 @@ namespace BookStack\Util;
 
 use DOMAttr;
 use DOMDocument;
+use DOMElement;
 use DOMNodeList;
 use DOMXPath;
 
@@ -44,6 +45,12 @@ class HtmlContentFilter
         $badIframes = $xPath->query('//*[' . static::xpathContains('@src', 'data:') . '] | //*[' . static::xpathContains('@src', 'javascript:') . '] | //*[@srcdoc]');
         static::removeNodes($badIframes);
 
+        // Remove attributes, within svg children, hiding JavaScript or data uris.
+        // A bunch of svg element and attribute combinations expose xss possibilities.
+        // For example, SVG animate tag can exploit javascript in values.
+        $badValuesAttrs = $xPath->query('//svg//@*[' . static::xpathContains('.', 'data:') . '] | //svg//@*[' . static::xpathContains('.', 'javascript:') . ']');
+        static::removeAttributes($badValuesAttrs);
+
         // Remove elements with a xlink:href attribute
         // Used in SVG but deprecated anyway, so we'll be a bit more heavy-handed here.
         $xlinkHrefAttributes = $xPath->query('//@*[contains(name(), \'xlink:href\')]');
@@ -92,7 +99,9 @@ class HtmlContentFilter
         /** @var DOMAttr $attr */
         foreach ($attrs as $attr) {
             $attrName = $attr->nodeName;
-            $attr->parentNode->removeAttribute($attrName);
+            /** @var DOMElement $parentNode */
+            $parentNode = $attr->parentNode;
+            $parentNode->removeAttribute($attrName);
         }
     }
 }