Since it appeared to cause problems in some scenarios.
Related to #2490
use BookStack\Entities\Tools\Markdown\CustomStrikeThroughExtension;
use BookStack\Facades\Theme;
use BookStack\Theming\ThemeEvents;
+use BookStack\Util\HtmlContentFilter;
use DOMDocument;
use DOMNodeList;
use DOMXPath;
$content = $this->page->html;
if (!config('app.allow_content_scripts')) {
- $content = $this->escapeScripts($content);
+ $content = HtmlContentFilter::removeScripts($content);
}
if ($blankIncludes) {
return $innerContent;
}
-
- /**
- * Escape script tags within HTML content.
- */
- protected function escapeScripts(string $html) : string
- {
- if (empty($html)) {
- return $html;
- }
-
- libxml_use_internal_errors(true);
- $doc = new DOMDocument();
- $doc->loadHTML(mb_convert_encoding($html, 'HTML-ENTITIES', 'UTF-8'));
- $xPath = new DOMXPath($doc);
-
- // Remove standard script tags
- $scriptElems = $xPath->query('//script');
- foreach ($scriptElems as $scriptElem) {
- $scriptElem->parentNode->removeChild($scriptElem);
- }
-
- // Remove clickable links to JavaScript URI
- $badLinks = $xPath->query('//*[contains(@href, \'javascript:\')]');
- foreach ($badLinks as $badLink) {
- $badLink->parentNode->removeChild($badLink);
- }
-
- // Remove forms with calls to JavaScript URI
- $badForms = $xPath->query('//*[contains(@action, \'javascript:\')] | //*[contains(@formaction, \'javascript:\')]');
- foreach ($badForms as $badForm) {
- $badForm->parentNode->removeChild($badForm);
- }
-
- // Remove meta tag to prevent external redirects
- $metaTags = $xPath->query('//meta[contains(@content, \'url\')]');
- foreach ($metaTags as $metaTag) {
- $metaTag->parentNode->removeChild($metaTag);
- }
-
- // Remove data or JavaScript iFrames
- $badIframes = $xPath->query('//*[contains(@src, \'data:\')] | //*[contains(@src, \'javascript:\')] | //*[@srcdoc]');
- foreach ($badIframes as $badIframe) {
- $badIframe->parentNode->removeChild($badIframe);
- }
-
- // Remove 'on*' attributes
- $onAttributes = $xPath->query('//@*[starts-with(name(), \'on\')]');
- foreach ($onAttributes as $attr) {
- /** @var \DOMAttr $attr*/
- $attrName = $attr->nodeName;
- $attr->parentNode->removeAttribute($attrName);
- }
-
- $html = '';
- $topElems = $doc->documentElement->childNodes->item(0)->childNodes;
- foreach ($topElems as $child) {
- $html .= $doc->saveHTML($child);
- }
-
- return $html;
- }
}
*/
public function customHeadContent()
{
- return view('partials.custom-head-content');
+ return view('partials.custom-head');
}
/**
--- /dev/null
+<?php namespace BookStack\Util;
+
+use DOMDocument;
+use DOMNode;
+use DOMNodeList;
+use DOMXPath;
+
+class HtmlContentFilter
+{
+ /**
+ * Remove all of the script elements from the given HTML.
+ */
+ public static function removeScripts(string $html): string
+ {
+ if (empty($html)) {
+ return $html;
+ }
+
+ libxml_use_internal_errors(true);
+ $doc = new DOMDocument();
+ $doc->loadHTML(mb_convert_encoding($html, 'HTML-ENTITIES', 'UTF-8'));
+ $xPath = new DOMXPath($doc);
+
+ // Remove standard script tags
+ $scriptElems = $xPath->query('//script');
+ static::removeNodes($scriptElems);
+
+ // Remove clickable links to JavaScript URI
+ $badLinks = $xPath->query('//*[contains(@href, \'javascript:\')]');
+ static::removeNodes($badLinks);
+
+ // Remove forms with calls to JavaScript URI
+ $badForms = $xPath->query('//*[contains(@action, \'javascript:\')] | //*[contains(@formaction, \'javascript:\')]');
+ static::removeNodes($badForms);
+
+ // Remove meta tag to prevent external redirects
+ $metaTags = $xPath->query('//meta[contains(@content, \'url\')]');
+ static::removeNodes($metaTags);
+
+ // Remove data or JavaScript iFrames
+ $badIframes = $xPath->query('//*[contains(@src, \'data:\')] | //*[contains(@src, \'javascript:\')] | //*[@srcdoc]');
+ static::removeNodes($badIframes);
+
+ // Remove 'on*' attributes
+ $onAttributes = $xPath->query('//@*[starts-with(name(), \'on\')]');
+ foreach ($onAttributes as $attr) {
+ /** @var \DOMAttr $attr*/
+ $attrName = $attr->nodeName;
+ $attr->parentNode->removeAttribute($attrName);
+ }
+
+ $html = '';
+ $topElems = $doc->documentElement->childNodes->item(0)->childNodes;
+ foreach ($topElems as $child) {
+ $html .= $doc->saveHTML($child);
+ }
+
+ return $html;
+ }
+
+ /**
+ * Removed all of the given DOMNodes.
+ */
+ static protected function removeNodes(DOMNodeList $nodes): void
+ {
+ foreach ($nodes as $node) {
+ $node->parentNode->removeChild($node);
+ }
+ }
+
+}
\ No newline at end of file
}
</style>
@yield('head')
- @include('partials.custom-head')
+ @include('partials.export-custom-head')
</head>
<body>
}
}
</style>
- @include('partials.custom-head')
+ @include('partials.export-custom-head')
</head>
<body>
</style>
@endif
- @include('partials.custom-head')
+ @include('partials.export-custom-head')
</head>
<body>
+++ /dev/null
-@if(setting('app-custom-head', false))
- <!-- Custom user content -->
- {!! setting('app-custom-head') !!}
- <!-- End custom user content -->
-@endif
\ No newline at end of file
@if(setting('app-custom-head') && \Route::currentRouteName() !== 'settings')
- <!-- Custom user content -->
- {!! setting('app-custom-head') !!}
- <!-- End custom user content -->
+<!-- Custom user content -->
+{!! setting('app-custom-head') !!}
+<!-- End custom user content -->
@endif
\ No newline at end of file
--- /dev/null
+@if(setting('app-custom-head'))
+<!-- Custom user content -->
+{!! \BookStack\Util\HtmlContentFilter::removeScripts(setting('app-custom-head')) !!}
+<!-- End custom user content -->
+@endif
\ No newline at end of file
<?php namespace Tests\Entity;
+use BookStack\Entities\Models\Book;
use BookStack\Entities\Models\Chapter;
use BookStack\Entities\Models\Page;
use Illuminate\Support\Facades\Storage;
$resp->assertSee('src="/uploads/svg_test.svg"');
}
+ public function test_exports_removes_scripts_from_custom_head()
+ {
+ $entities = [
+ Page::query()->first(), Chapter::query()->first(), Book::query()->first(),
+ ];
+ setting()->put('app-custom-head', '<script>window.donkey = "cat";</script><style>.my-test-class { color: red; }</style>');
+
+ foreach ($entities as $entity) {
+ $resp = $this->asEditor()->get($entity->getUrl('/export/html'));
+ $resp->assertDontSee('window.donkey');
+ $resp->assertDontSee('script');
+ $resp->assertSee('.my-test-class { color: red; }');
+ }
+ }
+
}
projects / bookstack / commitdiff