MAGETWO-95236: Change regular expression

zakdma · zakdma · commit 116a3b7693e3 · 2018-10-23T10:38:52.000+03:00
diff --git a/app/code/Magento/Sales/Helper/Admin.php b/app/code/Magento/Sales/Helper/Admin.php
@@ -3,8 +3,12 @@
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
+
 namespace Magento\Sales\Helper;
 
+/**
+ * Sales admin helper.
+ */
 class Admin extends \Magento\Framework\App\Helper\AbstractHelper
 {
     /**
@@ -148,22 +152,15 @@ public function escapeHtmlWithLinks($data, $allowedTags = null)
             $links = [];
             $i = 1;
             $data = str_replace('%', '%%', $data);
-            $regexp = "/<a\s[^>]*href\s*?=\s*?([\"\']??)([^\" >]*?)\\1[^>]*>(.*)<\/a>/siU";
+            $regexp = "#(?J)<a"
+                ."(?:(?:\s+(?:(?:href\s*=\s*(['\"])(?<link>.*?)\\1\s*)|(?:\S+\s*=\s*(['\"])(.*?)\\3)\s*)*)|>)"
+                .">?(?:(?:(?<text>.*?)(?:<\/a\s*>?|(?=<\w))|(?<text>.*)))#si";
             while (preg_match($regexp, $data, $matches)) {
-                //Revert the sprintf escaping
-                $url = str_replace('%%', '%', $matches[2]);
-                $text = str_replace('%%', '%', $matches[3]);
-                //Check for an valid url
-                if ($url) {
-                    $urlScheme = strtolower(parse_url($url, PHP_URL_SCHEME));
-                    if ($urlScheme !== 'http' && $urlScheme !== 'https') {
-                        $url = null;
-                    }
-                }
-                //Use hash tag as fallback
-                if (!$url) {
-                    $url = '#';
+                $text = '';
+                if (!empty($matches['text'])) {
+                    $text = str_replace('%%', '%', $matches['text']);
                 }
+                $url = $this->filterUrl($matches['link'] ?? '');
                 //Recreate a minimalistic secure a tag
                 $links[] = sprintf(
                     '<a href="%s">%s</a>',
@@ -178,4 +175,29 @@ public function escapeHtmlWithLinks($data, $allowedTags = null)
         }
         return $this->escaper->escapeHtml($data, $allowedTags);
     }
+
+    /**
+     * Filter the URL for allowed protocols.
+     *
+     * @param string $url
+     * @return string
+     */
+    private function filterUrl(string $url): string
+    {
+        if ($url) {
+            //Revert the sprintf escaping
+            $url = str_replace('%%', '%', $url);
+            $urlScheme = parse_url($url, PHP_URL_SCHEME);
+            $urlScheme = $urlScheme ? strtolower($urlScheme) : '';
+            if ($urlScheme !== 'http' && $urlScheme !== 'https') {
+                $url = null;
+            }
+        }
+
+        if (!$url) {
+            $url = '#';
+        }
+
+        return $url;
+    }
 }
diff --git a/lib/internal/Magento/Framework/Escaper.php b/lib/internal/Magento/Framework/Escaper.php
@@ -3,6 +3,7 @@
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
+
 namespace Magento\Framework;
 
 /**
@@ -32,38 +33,43 @@ class Escaper
      */
     private $allowedAttributes = ['id', 'class', 'href', 'target', 'title', 'style'];
 
+    /**
+     * @var string
+     */
+    private static $xssFiltrationPattern =
+        '/((javascript(\\\\x3a|:|%3A))|(data(\\\\x3a|:|%3A))|(vbscript:))|'
+        . '((\\\\x6A\\\\x61\\\\x76\\\\x61\\\\x73\\\\x63\\\\x72\\\\x69\\\\x70\\\\x74(\\\\x3a|:|%3A))|'
+        . '(\\\\x64\\\\x61\\\\x74\\\\x61(\\\\x3a|:|%3A)))/i';
+
     /**
      * @var string[]
      */
     private $escapeAsUrlAttributes = ['href'];
 
     /**
-     * Escape string for HTML context. allowedTags will not be escaped, except the following: script, img, embed,
-     * iframe, video, source, object, audio
+     * Escape string for HTML context.
+     *
+     * AllowedTags will not be escaped, except the following: script, img, embed,
+     * iframe, video, source, object, audio.
      *
      * @param string|array $data
      * @param array|null $allowedTags
      * @return string|array
      */
     public function escapeHtml($data, $allowedTags = null)
     {
+        if (!is_array($data)) {
+            $data = (string)$data;
+        }
+
         if (is_array($data)) {
             $result = [];
             foreach ($data as $item) {
                 $result[] = $this->escapeHtml($item, $allowedTags);
             }
         } elseif (strlen($data)) {
             if (is_array($allowedTags) && !empty($allowedTags)) {
-                $notAllowedTags = array_intersect(
-                    array_map('strtolower', $allowedTags),
-                    $this->notAllowedTags
-                );
-                if (!empty($notAllowedTags)) {
-                    $this->getLogger()->critical(
-                        'The following tag(s) are not allowed: ' . implode(', ', $notAllowedTags)
-                    );
-                    $allowedTags = array_diff($allowedTags, $this->notAllowedTags);
-                }
+                $allowedTags = $this->filterProhibitedTags($allowedTags);
                 $wrapperElementId = uniqid();
                 $domDocument = new \DOMDocument('1.0', 'UTF-8');
                 set_error_handler(
@@ -197,7 +203,7 @@ public function escapeHtmlAttr($string, $escapeSingleQuote = true)
         if ($escapeSingleQuote) {
             return $this->getEscaper()->escapeHtmlAttr((string) $string);
         }
-        return htmlspecialchars($string, ENT_COMPAT, 'UTF-8', false);
+        return htmlspecialchars((string)$string, ENT_COMPAT, 'UTF-8', false);
     }
 
     /**
@@ -278,30 +284,47 @@ public function escapeJsQuote($data, $quote = '\'')
                 $result[] = $this->escapeJsQuote($item, $quote);
             }
         } else {
-            $result = str_replace($quote, '\\' . $quote, $data);
+            $result = str_replace($quote, '\\' . $quote, (string)$data);
         }
         return $result;
     }
 
     /**
      * Escape xss in urls
-     * Remove `javascript:`, `vbscript:`, `data:` words from url
      *
      * @param string $data
      * @return string
      * @deprecated 100.2.0
      */
     public function escapeXssInUrl($data)
     {
-        $pattern = '/((javascript(\\\\x3a|:|%3A))|(data(\\\\x3a|:|%3A))|(vbscript:))|'
-            . '((\\\\x6A\\\\x61\\\\x76\\\\x61\\\\x73\\\\x63\\\\x72\\\\x69\\\\x70\\\\x74(\\\\x3a|:|%3A))|'
-            . '(\\\\x64\\\\x61\\\\x74\\\\x61(\\\\x3a|:|%3A)))/i';
-        $result = preg_replace($pattern, ':', $data);
-        return htmlspecialchars($result, ENT_COMPAT | ENT_HTML5 | ENT_HTML401, 'UTF-8', false);
+        return htmlspecialchars(
+            $this->escapeScriptIdentifiers((string)$data),
+            ENT_COMPAT | ENT_HTML5 | ENT_HTML401,
+            'UTF-8',
+            false
+        );
+    }
+
+    /**
+     * Remove `javascript:`, `vbscript:`, `data:` words from the string.
+     *
+     * @param string $data
+     * @return string
+     */
+    private function escapeScriptIdentifiers(string $data): string
+    {
+        $filteredData = preg_replace(self::$xssFiltrationPattern, ':', $data) ?: '';
+        if (preg_match(self::$xssFiltrationPattern, $filteredData)) {
+            $filteredData = $this->escapeScriptIdentifiers($filteredData);
+        }
+
+        return $filteredData;
     }
 
     /**
      * Escape quotes inside html attributes
+     *
      * Use $addSlashes = false for escaping js that inside html attribute (onClick, onSubmit etc)
      *
      * @param string $data
@@ -346,4 +369,27 @@ private function getLogger()
         }
         return $this->logger;
     }
+
+    /**
+     * Filter prohibited tags.
+     *
+     * @param string[] $allowedTags
+     * @return string[]
+     */
+    private function filterProhibitedTags(array $allowedTags): array
+    {
+        $notAllowedTags = array_intersect(
+            array_map('strtolower', $allowedTags),
+            $this->notAllowedTags
+        );
+
+        if (!empty($notAllowedTags)) {
+            $this->getLogger()->critical(
+                'The following tag(s) are not allowed: ' . implode(', ', $notAllowedTags)
+            );
+            $allowedTags = array_diff($allowedTags, $this->notAllowedTags);
+        }
+
+        return $allowedTags;
+    }
 }
diff --git a/lib/internal/Magento/Framework/View/Element/AbstractBlock.php b/lib/internal/Magento/Framework/View/Element/AbstractBlock.php
@@ -952,7 +952,7 @@ public function stripTags($data, $allowableTags = null, $allowHtmlEntities = fal
      */
     public function escapeUrl($string)
     {
-        return $this->_escaper->escapeUrl($string);
+        return $this->_escaper->escapeUrl((string)$string);
     }
 
     /**
@@ -1152,7 +1152,8 @@ public function getVar($name, $module = null)
 
     /**
      * Determine if the block scope is private or public.
-     * Returns true if scope is private, false otherwise
+     *
+     * Returns true if scope is private, false otherwise.
      *
      * @return bool
      */

Original file line number	Diff line number	Diff line change
`@@ -952,7 +952,7 @@ public function stripTags($data, $allowableTags = null, $allowHtmlEntities = fal`
`952`	`952`	`*/`
`953`	`953`	`public function escapeUrl($string)`
`954`	`954`	`{`
`955`		`- return $this->_escaper->escapeUrl($string);`
	`955`	`+ return $this->_escaper->escapeUrl((string)$string);`
`956`	`956`	`}`
`957`	`957`
`958`	`958`	`/**`
`@@ -1152,7 +1152,8 @@ public function getVar($name, $module = null)`
`1152`	`1152`
`1153`	`1153`	`/**`
`1154`	`1154`	`* Determine if the block scope is private or public.`
`1155`		`- * Returns true if scope is private, false otherwise`
	`1155`	`+ *`
	`1156`	`+ * Returns true if scope is private, false otherwise.`
`1156`	`1157`	`*`
`1157`	`1158`	`* @return bool`
`1158`	`1159`	`*/`