github-mirror/BookStack
2
0
Fork 0
mirror of https://github.com/BookStackApp/BookStack.git synced 2025-06-02 15:35:18 +08:00
Code Issues Actions 4 Packages Projects Releases Wiki Activity

Added togglable script escaping to page content

Browse Source 
Configurable via 'ALLOW_CONTENT_SCRIPTS' env variable.
Fixes #575
This commit is contained in:
Dan Brown
2018-03-17 15:51:40 +00:00
parent 0a1546daea
commit 1ad6fe1cbd
3 changed files with 51 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
app/Repos/EntityRepo.php
View File

@ -713,6 +713,10 @@ class EntityRepo
public function renderPage(Page $page, $ignorePermissions = false)
{
$content = $page->html;
if (!config('app.allow_content_scripts')) {
$content = $this->escapeScripts($content);
}
$matches = [];
preg_match_all("/{{@\s?([0-9].*?)}}/", $content, $matches);
if (count($matches[0]) === 0) {
@ -760,6 +764,24 @@ class EntityRepo
return $content;
}
/**
* Escape script tags within HTML content.
* @param string $html
* @return mixed
*/
protected function escapeScripts(string $html)
{
$scriptSearchRegex = '/<script.*?>.*?<\/script>/ms';
$matches = [];
preg_match_all($scriptSearchRegex, $html, $matches);
if (count($matches) === 0) return $html;
foreach ($matches[0] as $match) {
$html = str_replace($match, htmlentities($match), $html);
}
return $html;
}
/**
* Get the plain text version of a page's content.
* @param Page $page