[Erp5-report] r36538 nicolas - /erp5/trunk/products/PortalTransforms/transforms/safe_html.py
Wed Jun 23 15:12:07 CEST 2010
Author: nicolas
Date: Wed Jun 23 15:12:06 2010
New Revision: 36538
URL: http://svn.erp5.org?rev=36538&view=rev
Log:
Backport http://dev.plone.org/archetypes/changeset/9449/Products.PortalTransforms/trunk/Products/PortalTransforms/transforms/safe_html.py
Improve the patterns that detect embedded JavaScript.
Modified:
erp5/trunk/products/PortalTransforms/transforms/safe_html.py
Modified: erp5/trunk/products/PortalTransforms/transforms/safe_html.py
URL: http://svn.erp5.org/erp5/trunk/products/PortalTransforms/transforms/safe_html.py?rev=36538&r1=36537&r2=36538&view=diff
==============================================================================
--- erp5/trunk/products/PortalTransforms/transforms/safe_html.py [utf8] (original)
+++ erp5/trunk/products/PortalTransforms/transforms/safe_html.py [utf8] Wed Jun 23 15:12:06 2010
@@ -74,12 +74,20 @@ msg_pat = """
"""
def hasScript(s):
- """ Dig out evil Java/VB script inside an HTML attribute """
-
- # look for "script" and "expression"
- javascript_pattern = re.compile("([\s\n]*?s[\s\n]*?c[\s\n]*?r[\s\n]*?i[\s\n]*?p[\s\n]*?t[\s\n]*?:)|([\s\n]*?e[\s\n]*?x[\s\n]*?p[\s\n]*?r[\s\n]*?e[\s\n]*?s[\s\n]*?s[\s\n]*?i[\s\n]*?o[\s\n]*?n)", re.DOTALL|re.IGNORECASE)
+ """
+ >>> hasScript('script:evil(1);')
+ True
+ >>> hasScript('expression:evil(1);')
+ True
+ >>> hasScript('http://foo.com/ExpressionOfInterest.doc')
+ False
+ """
s = decode_htmlentities(s)
- return javascript_pattern.findall(s)
+ s = ''.join(s.split()).lower()
+ for t in ('script:', 'expression:', 'expression('):
+ if t in s:
+ return True
+ return False
def decode_htmlentities(s):
""" XSS code can be hidden with htmlentities """