
Commit f2a4db9

committed
improved xss patterns
1 parent bbe7bf4 commit f2a4db9


2 files changed

+19
-2
lines changed


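--- a/src/Abstracts/Middleware.php
+++ b/src/Abstracts/Middleware.php
@@ -175,6 +175,8 @@ public function match($pattern, $input)
 }
 
 if (!is_array($input)) {
+$input = $this->prepareInput($input);
+
 return preg_match($pattern, $input);
 }
 
@@ -191,6 +193,8 @@ public function match($pattern, $input)
 continue;
 }
 
+$value = $this->prepareInput($value);
+
 if (!$result = preg_match($pattern, $value)) {
 continue;
 }
@@ -201,6 +205,11 @@ public function match($pattern, $input)
 return $result;
 }
 
+public function prepareInput($value)
+{
+return $value;
+}
+
 public function log()
 {
 $log = Log::create([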
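Review bot: `prepareInput()` returns `$value` unchanged, so the two calls added to `match()` (new-side lines 178 and 196) do not alter what the patterns see; if it is meant as an extension point for subclasses, say so in a docblock such as `/** Normalize an input value before the firewall patterns are matched against it; override in subclasses. @param mixed $value @return mixed */` and declare its types. It is also the natural place to deal with the fact that the new `u`-flagged patterns in `src/Config/firewall.php` make `preg_match()` return `false` for a subject that is not valid UTF-8, which both call sites currently treat the same as "no match"; checking `preg_last_error() !== PREG_NO_ERROR` after `preg_match()`, or rejecting or normalizing invalid encodings in `prepareInput()`, would keep a malformed input from slipping past the filter. Both call sites sit inside `match()`, whose start lies outside these hunks.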

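--- a/src/Config/firewall.php
+++ b/src/Config/firewall.php
@@ -374,11 +374,19 @@
 
 'inputs' => [
 'only' => [], // i.e. 'first_name'
-'except' => ['password', 'password_confirmation'], // i.e. 'password'
+'except' => [], // i.e. 'password'
 ],
 
 'patterns' => [
-'#<[^>]*\w*\"?[^>]*>#is',
+// Evil starting attributes
+'#(<[^>]+[\x00-\x20\"\'\/])(form|formaction|on\w*|style|xmlns|xlink:href)[^>]*>?#iUu',
+
+// javascript:, livescript:, vbscript:, mocha: protocols
+'!((java|live|vb)script|mocha|feed|data):(\w)*!iUu',
+'#-moz-binding[\x00-\x20]*:#u',
+
+// Unneeded tags
+'#</*(applet|meta|xml|blink|link|style|script|embed|object|iframe|frame|frameset|ilayer|layer|bgsound|title|base)[^>]*>?#i'
 ],
 
 'auto_block' => [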
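Review bot: The `'except'` default changes from `['password', 'password_confirmation']` to `[]`, a behaviour change the commit title ("improved xss patterns") does not mention: password fields are now run through the patterns, and if a hit is recorded together with its input by `log()` in `Middleware.php` (only `Log::create([` is visible here, so this is an inference), password values could end up in that record — keeping the old default, `'except' => ['password', 'password_confirmation'], // i.e. 'password'`, or documenting why it was dropped would be the safer choice. The last pattern (`// Unneeded tags`) is the only one without the `u` modifier and the only element without a trailing comma, unlike its siblings. The `data:` alternative in the protocols pattern will also flag legitimate `data:` URIs in input, which deserves a comment if intentional.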
