mirror of
https://github.com/sbrl/Pepperminty-Wiki.git
synced 2024-10-31 21:33:00 +00:00
feature-upload: ensure that Javascript in SVG images does not execute
My first time using Content-Security-Policy. Yay! It's real powerful, but I have yet to find a good generator to help me create more complex policies. In this case, the policy allows everything by default, but disables all Javascript. This new Content-Security-Policy header is served for all image previews.
This commit is contained in:
parent
f59e68127c
commit
7b6cbbe821
1 changed files with 8 additions and 1 deletions
|
@ -313,6 +313,10 @@ register_module([
|
||||||
add_action("preview", function() {
|
add_action("preview", function() {
|
||||||
global $settings, $env, $pageindex, $start_time;
|
global $settings, $env, $pageindex, $start_time;
|
||||||
|
|
||||||
|
// Disable Javascript in all SVGs
|
||||||
|
// Doesn't hurt to serve it for other images too just in case some wacky new format supports Javascript for some crazy reason
|
||||||
|
header("Content-Security-Policy: default-src *; script-src 'none'; script-src-elem 'none'; script-src-attr 'none'");
|
||||||
|
|
||||||
if(empty($pageindex->{$env->page}->uploadedfilepath))
|
if(empty($pageindex->{$env->page}->uploadedfilepath))
|
||||||
{
|
{
|
||||||
$im = errorimage("The page '$env->page_safe' doesn't have an associated file.");
|
$im = errorimage("The page '$env->page_safe' doesn't have an associated file.");
|
||||||
|
@ -487,7 +491,7 @@ register_module([
|
||||||
$dimensions = $mime_type !== "image/svg+xml" ? getimagesize($env->storage_prefix . $filepath) : getsvgsize($env->storage_prefix . $filepath);
|
$dimensions = $mime_type !== "image/svg+xml" ? getimagesize($env->storage_prefix . $filepath) : getsvgsize($env->storage_prefix . $filepath);
|
||||||
$fileTypeDisplay = slugify(substr($mime_type, 0, strpos($mime_type, "/")));
|
$fileTypeDisplay = slugify(substr($mime_type, 0, strpos($mime_type, "/")));
|
||||||
$previewUrl = htmlentities("?action=preview&size=$settings->default_preview_size&page=" . rawurlencode($env->page));
|
$previewUrl = htmlentities("?action=preview&size=$settings->default_preview_size&page=" . rawurlencode($env->page));
|
||||||
$originalUrl = htmlentities($env->storage_prefix == "./" ? $filepath : "?action=preview&size=original&page=" . rawurlencode($env->page));
|
$originalUrl = htmlentities($env->storage_prefix == "./" && $mime_type !== "image/svg+xml" ? $filepath : "?action=preview&size=original&page=" . rawurlencode($env->page));
|
||||||
if($mime_type == "application/pdf")
|
if($mime_type == "application/pdf")
|
||||||
$fileTypeDisplay = "pdf";
|
$fileTypeDisplay = "pdf";
|
||||||
|
|
||||||
|
@ -547,6 +551,9 @@ register_module([
|
||||||
$fileInfo["Uploaded by"] = $pageindex->{$env->page}->lasteditor;
|
$fileInfo["Uploaded by"] = $pageindex->{$env->page}->lasteditor;
|
||||||
$fileInfo["Short markdown embed code"] = "<input type='text' class='short-embed-markdown-code' value='![" . htmlentities($fileInfo["Name"], ENT_QUOTES | ENT_HTML5) . "](" . htmlentities($filepath, ENT_QUOTES | ENT_HTML5) . " | right | 350x350)' readonly /> <button class='short-embed-markdown-button'>Copy</button>";
|
$fileInfo["Short markdown embed code"] = "<input type='text' class='short-embed-markdown-code' value='![" . htmlentities($fileInfo["Name"], ENT_QUOTES | ENT_HTML5) . "](" . htmlentities($filepath, ENT_QUOTES | ENT_HTML5) . " | right | 350x350)' readonly /> <button class='short-embed-markdown-button'>Copy</button>";
|
||||||
|
|
||||||
|
if($mime_type == "image/svg+xml")
|
||||||
|
$fileInfo["Warning"] = "Warning: SVG images may contain Javascript. Although $settings->sitename disables execution of Javascript in SVGs, if you download an SVG and view it in your browser directly the Javascript may execute. <strong>Make sure you trust the source of this SVG before downloading!</strong>";
|
||||||
|
|
||||||
$preview_html .= "\t\t\t<h2>File Information</h2>
|
$preview_html .= "\t\t\t<h2>File Information</h2>
|
||||||
<table>";
|
<table>";
|
||||||
foreach ($fileInfo as $displayName => $displayValue)
|
foreach ($fileInfo as $displayName => $displayValue)
|
||||||
|
|
Loading…
Reference in a new issue