修复 XSS 注入漏洞

summerblue · Mar 6, 2022 · 31cb5e3 · 31cb5e3
1 parent 31cdeeb
commit 31cb5e3
Show file tree

Hide file tree

Showing 4 changed files with 169 additions and 1 deletion.
diff --git a/app/Observers/TopicObserver.php b/app/Observers/TopicObserver.php
@@ -11,6 +11,8 @@ class TopicObserver
 {
     public function saving(Topic $topic)
     {
+        $topic->body = clean($topic->body, 'user_topic_body');
+
         $topic->excerpt = make_excerpt($topic->body);
     }
 }
diff --git a/composer.json b/composer.json
@@ -12,6 +12,7 @@
         "laravel/sanctum": "^2.14.1",
         "laravel/tinker": "^2.7",
         "mews/captcha": "~3.0",
+        "mews/purifier": "~3.3",
         "overtrue/laravel-lang": "~6.0",
         "summerblue/laravel-active": "9.*"
     },

diff --git a/composer.lock b/composer.lock
diff --git a/config/purifier.php b/config/purifier.php
@@ -0,0 +1,18 @@
+<?php
+
+return [
+    'encoding'         => 'UTF-8',
+    'finalize'         => true,
+    'ignoreNonStrings' => false,
+    'cachePath'        => storage_path('app/purifier'),
+    'cacheFileMode'    => 0755,
+    'settings'         => [
+        'user_topic_body' => [
+            'HTML.Doctype'             => 'XHTML 1.0 Transitional',
+            'HTML.Allowed'             => 'div,b,strong,i,em,a[href|title],ul,ol,ol[start],li,p[style],br,span[style],img[width|height|alt|src],*[style|class],pre,hr,code,h2,h3,h4,h5,h6,blockquote,del,table,thead,tbody,tr,th,td',
+            'CSS.AllowedProperties'    => 'font,font-size,font-weight,font-style,margin,width,height,font-family,text-decoration,padding-left,color,background-color,text-align',
+            'AutoFormat.AutoParagraph' => true,
+            'AutoFormat.RemoveEmpty'   => true,
+        ],
+    ],
+];