fix: escapeUrl("0") should return "0", not ""

wpalmer · wpalmer · commit dfb068536752 · 2019-08-05T11:01:14.000+01:00
previously, we assumed that when removing XSS-like script URLs, the only
non-truthy result would be a failure in preg_replace, or an empty
string. A value of "0" would therefor pass through the script-tag
check, but then be converted into the empty string because it is
non-truthy.

instead, we now specifically test for those values which we want to
convert into an empty string, and do so immediately. This allows the
value of "0" to remain intact when passed through a escape methods such
as encodeUrlParam(...) or escapeUrl(...)

Arguably, this is not the "real" solution. Theoretically, this happens
because of the expectation that escapeXssInUrl should only be called
on "full" URLs, and is intended to remove URLs such as
"javascript:alert('I am an XSS attack')". However, escapeXssInUrl is
used by escapeUrl, which is in-turn used by encodeUrlParam. I believe
this to potentially be a bug in encodeUrlParam, which (by its name)
seems to be intended to actually do something similar to PHP's builtin
urlencode(...) function.

I consider this to be a separate issue, however, and this change would
both fix the encodeUrlParam case for this specific issue, while not
negatively-impacting the pathological case of the string "0" being
passed to escapeUrl directly.
diff --git a/lib/internal/Magento/Framework/Escaper.php b/lib/internal/Magento/Framework/Escaper.php
@@ -335,8 +335,16 @@ public function escapeXssInUrl($data)
      */
     private function escapeScriptIdentifiers(string $data): string
     {
-        $filteredData = preg_replace('/[\x00-\x1F\x7F\xA0]/u', '', $data) ?: '';
-        $filteredData = preg_replace(self::$xssFiltrationPattern, ':', $filteredData) ?: '';
+        $filteredData = preg_replace('/[\x00-\x1F\x7F\xA0]/u', '', $data);
+        if ($filteredData === false || $filteredData === '') {
+            return '';
+        }
+
+        $filteredData = preg_replace(self::$xssFiltrationPattern, ':', $filteredData);
+        if ($filteredData === false) {
+            return '';
+        }
+
         if (preg_match(self::$xssFiltrationPattern, $filteredData)) {
             $filteredData = $this->escapeScriptIdentifiers($filteredData);
         }
diff --git a/lib/internal/Magento/Framework/Test/Unit/EscaperTest.php b/lib/internal/Magento/Framework/Test/Unit/EscaperTest.php
@@ -343,6 +343,10 @@ public function testEscapeXssInUrl($input, $expected)
     public function escapeDataProvider()
     {
         return [
+            [
+                '0',
+                '0',
+            ],
             [
                 'javascript%3Aalert%28String.fromCharCode%280x78%29%2BString.'
                 . 'fromCharCode%280x73%29%2BString.fromCharCode%280x73%29%29',

Original file line number	Diff line number	Diff line change
`@@ -343,6 +343,10 @@ public function testEscapeXssInUrl($input, $expected)`
`343`	`343`	`public function escapeDataProvider()`
`344`	`344`	`{`
`345`	`345`	`return [`
	`346`	`+ [`
	`347`	`+ '0',`
	`348`	`+ '0',`
	`349`	`+ ],`
`346`	`350`	`[`
`347`	`351`	`'javascript%3Aalert%28String.fromCharCode%280x78%29%2BString.'`
`348`	`352`	`. 'fromCharCode%280x73%29%2BString.fromCharCode%280x73%29%29',`