diff --git a/src/Sanitizer.php b/src/Sanitizer.php
index 9fcab00..c0cb120 100644
--- a/src/Sanitizer.php
+++ b/src/Sanitizer.php
@@ -220,8 +220,13 @@ public function sanitize($dirty)
return '';
}
- // Strip php tags
- $dirty = preg_replace('/<\?(=|php)(.+?)\?>/i', '', $dirty);
+ do {
+ /*
+ * recursively remove php tags because they can be hidden inside tags
+ * i.e. hp echo . ' danger! ';?>
+ */
+ $dirty = preg_replace('/<\?(=|php)(.+?)\?>/i', '', $dirty);
+ } while (preg_match('/<\?(=|php)(.+?)\?>/i', $dirty) != 0);
$this->resetInternal();
$this->setUpBefore();
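Review bot: The pattern `/<\?(=|php)(.+?)\?>/i` used on both the `preg_replace` and the `preg_match` lines has no `s` modifier, so `.` never matches a newline and any block such as `<?php\necho 1;\n?>` — the most common way PHP code is written — is left untouched, while a payload with no closing tag (`<?php system('id');` at end of file, which PHP executes to EOF) is never matched at all; the new loop only fixes the nested case, not these. Both lines should use a pattern that spans lines, accepts an empty body and treats end-of-input as a terminator, e.g. `'/<\?(=|php)(.*?)(\?>|\z)/is'`, ideally held in one class constant so the two call sites cannot drift. `preg_replace` returns `null` on a PCRE error (for example the backtrack limit on a large input), which the `!= 0` check would silently accept and pass on as `$dirty`; consider guarding with `preg_last_error() !== PREG_NO_ERROR` and failing closed. Stripping PHP tags is defence in depth against a server later executing the uploaded SVG, so it complements rather than replaces enforcing the `.svg` extension and a non-executable upload path. The enclosing `sanitize()` starts before and continues after this hunk.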
diff --git a/tests/SanitizerTest.php b/tests/SanitizerTest.php
index 97514f0..11cdf96 100644
--- a/tests/SanitizerTest.php
+++ b/tests/SanitizerTest.php
@@ -308,34 +308,34 @@ public function testLargeUseDOSattacksAreNullified()
self::assertXmlStringEqualsXmlString($expected, $cleanData);
}
- public function testInvalidNodesAreHandled()
- {
- $dataDirectory = __DIR__ . '/data';
- $initialData = file_get_contents($dataDirectory . '/htmlTest.svg');
- $expected = file_get_contents($dataDirectory . '/htmlClean.svg');
+ public function testInvalidNodesAreHandled()
+ {
+ $dataDirectory = __DIR__ . '/data';
+ $initialData = file_get_contents($dataDirectory . '/htmlTest.svg');
+ $expected = file_get_contents($dataDirectory . '/htmlClean.svg');
- $sanitizer = new Sanitizer();
- $sanitizer->minify(false);
- $cleanData = $sanitizer->sanitize($initialData);
+ $sanitizer = new Sanitizer();
+ $sanitizer->minify(false);
+ $cleanData = $sanitizer->sanitize($initialData);
- self::assertXmlStringEqualsXmlString($expected, $cleanData);
- }
+ self::assertXmlStringEqualsXmlString($expected, $cleanData);
+ }
/**
* @test
*/
- public function cdataSectionIsSanitized()
- {
- $dataDirectory = __DIR__ . '/data';
- $initialData = file_get_contents($dataDirectory . '/cdataTest.svg');
- $expected = file_get_contents($dataDirectory . '/cdataClean.svg');
+ public function cdataSectionIsSanitized()
+ {
+ $dataDirectory = __DIR__ . '/data';
+ $initialData = file_get_contents($dataDirectory . '/cdataTest.svg');
+ $expected = file_get_contents($dataDirectory . '/cdataClean.svg');
- $sanitizer = new Sanitizer();
- $sanitizer->minify(false);
- $cleanData = $sanitizer->sanitize($initialData);
+ $sanitizer = new Sanitizer();
+ $sanitizer->minify(false);
+ $cleanData = $sanitizer->sanitize($initialData);
- self::assertXmlStringEqualsXmlString($expected, $cleanData);
- }
+ self::assertXmlStringEqualsXmlString($expected, $cleanData);
+ }
/**
* @test
@@ -368,4 +368,38 @@ public function formDataisSanitized()
self::assertXmlStringEqualsXmlString($expected, $cleanData);
}
+
+ /**
+ * @test
+ */
+ public function maliciousSvgJsSanitized()
+ {
+ $dataDirectory = __DIR__ . '/data';
+ $initialData = file_get_contents($dataDirectory . '/maliciousJsAndPhpTest.svg');
+ $expected = file_get_contents($dataDirectory . '/maliciousJsAndPhpClean.svg');
+
+
+ $sanitizer = new Sanitizer();
+ $sanitizer->minify(false);
+ $cleanData = $sanitizer->sanitize($initialData);
+
+ self::assertXmlStringEqualsXmlString($expected, $cleanData);
+ }
+
+ /**
+ * @test
+ */
+ public function maliciousSvgPhpTagsStripped()
+ {
+ $dataDirectory = __DIR__ . '/data';
+ $initialData = file_get_contents($dataDirectory . '/maliciousJsAndPhpTest.svg');
+
+ $sanitizer = new Sanitizer();
+ $sanitizer->minify(false);
+ $cleanData = $sanitizer->sanitize($initialData);
+
+ foreach (['
+
+
+
+
+
+
+
+
+
+
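Review bot: The new `maliciousSvgPhpTagsStripped` test asserts against whatever `maliciousJsAndPhpTest.svg` contains, and the `foreach` body is not visible in this view, so the test alone does not document which PHP-tag forms the sanitizer is required to remove; a reader has to open the fixture to know what is covered. Inline cases make the contract explicit and cheap to extend, for example a data provider yielding `"<?php\necho 1;\n?>"` (multi-line), `"<?php system('id');"` (no closing tag) and the nested form the `Sanitizer` comment describes, each checked with `self::assertStringNotContainsString('<?', $cleanData)`. The double blank line at the top of `maliciousSvgJsSanitized` is a minor PSR-12 nit. Both test methods appear to run past the end of what is shown here.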
diff --git a/tests/data/maliciousJsAndPhpTest.svg b/tests/data/maliciousJsAndPhpTest.svg
new file mode 100644
index 0000000..1913859
--- /dev/null
+++ b/tests/data/maliciousJsAndPhpTest.svg
@@ -0,0 +1,13 @@
+