But I think we should probably incorporate this eventually in place of custom HTML escaping: http://htmlpurifier.org/ (not sure of licensing).
I'm a big fan of incorporating open source everywhere possible, and the main reason I went with Anti-XSS is that it's MIT licensed.
So, to make this as easy and as painless as possible, we're going to use Composer to install what we need and make it super easy on us.
Go to your php.ini or dump phpinfo() and see what directory is being used for your include path:
include_path = ".:/usr/share/php"
You'll want to install the Composer vendor directory into that include directory, but it's best to start in your home directory to prevent permission issues. Just follow the Composer installation instructions to install Composer.
Use Composer to grab everything for Anti-XSS (this can also be used to grab all sorts of PHP libs, like the Facebook Graph API):
php composer.phar require voku/anti-xss
Composer creates a vendor directory in your ~/composer/ (vendor).
Move that to your PHP include directory: cp -R vendor/ /usr/share/php
or whatever your PHP include directory might be or you want to use (there are other ways to include this as well).
Now for the edits. Edit with your favorite editor:
ow_plugins/forum/bol/forum_service.php
At the very top you're going to require the Composer autoload script:
<?php
// Resolved through include_path, i.e. /usr/share/php/vendor/autoload.php after the copy above
require 'vendor/autoload.php';
Now there are just a few edits to kill this in the forums:
We need to edit addPost(), editPost(), editTopic(), addTopic(), and probably more, but we'll start with these.
public function addPost( FORUM_BOL_Topic $topicDto, array $data ) {
    // ...
    $antixss = new voku\helper\AntiXSS();
    // Strip form elements and script with the OxWall helpers first, then run Anti-XSS over the result
    $postDto->text = $antixss->xss_clean(UTIL_HtmlTag::stripJs(UTIL_HtmlTag::stripTags($data['text'], array('form', 'input', 'button'), null, true)));

public function editPost( $userId, array $data, FORUM_BOL_Post $postDto ) {
    // ...
    $antixss = new voku\helper\AntiXSS();
    $postDto->text = $antixss->xss_clean(UTIL_HtmlTag::stripJs(UTIL_HtmlTag::stripTags($data['text'], array('form', 'input', 'button'), null, true)));

public function editTopic($userId, array $data, FORUM_BOL_Topic $topicDto, FORUM_BOL_Post $postDto, FORUM_BOL_Section $forumSection, FORUM_BOL_Group $forumGroup) {
    // ...
    $antixss = new voku\helper\AntiXSS();
    // Same filter chain; the topic editor trims the text first
    $postDto->text = $antixss->xss_clean(UTIL_HtmlTag::stripJs(UTIL_HtmlTag::stripTags(trim($data['text']), array('form', 'input', 'button'), null, true)));

public function addTopic( $forumGroup, $isHidden, $userId, array $data, $forumSection = null ) {
    .........
    $antixss = new voku\helper\AntiXSS();
    $postDto->text = $antixss->xss_clean(UTIL_HtmlTag::stripJs(UTIL_HtmlTag::stripTags($data['text'], array('form', 'input', 'button'), null, true)));
Strips that shit out completely, including "javascript:", but probably protects against a hell of a lot more (check out Anti-XSS).
Now just remove the previous mitigation I mentioned for removing href entirely, and your linking works again, but without XSS.
Going to test with OW_DIR_LIB and update this post.
Update:
So you can include all of this in the ow_libraries/vendor directory to stay more uniform with OxWall development, although you are not able to debug as easily through the CLI, since the OW directory paths in config.php aren't being used when running through the CLI; but this is probably what the Oxwall devs would prefer.
I am not going to go into how to do this part, though, because it is more complex, dealing with Composer, its autoload and permissions, so this will be reserved for incorporating this or another fix into the repositories by the devs when they make an official decision, as they will likely want to include it under ow_utilities. The problem is solved in a fairly easy manner without the need for all of this, but it is very possible to include Anti-XSS with the ow_libraries to be more uniform with their programming style and conventions:
require_once OW_DIR_LIB . '/vendor/autoload.php';
Thanks again for helping so much on this! Securify Lab
This is the place you are looking for:
ow_system_plugins\base\bol\text_format_service.php
You can sanitize the HTML inside the method "processWsForOutput"; add your code just before the "return $text;".
If you do it there, it applies to all the default WYSIWYG textareas; that way the change applies to all the plugins and the core too.
If you want, you can contribute to the GitHub project directly. The Oxwall team rarely reads the topics in this forum; all changes and help are better done directly on GitHub.
http://www.github.com/oxwall/oxwall
I'm not an oxwall team member either, just another volunteer.
Senior Developer
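As an added example (not code from either post above, nor from OxWall or the voku/anti-xss project), here is one reusable sanitizer that serves both placements discussed in this thread: the four copies of the same two lines in forum_service.php, or the single hook in processWsForOutput() before "return $text;". The function name forum_xss_clean, the sample payloads and the autoload path (the vendor directory copied into include_path, as in the first post; the OW_DIR_LIB form from the Update is shown as a comment) are assumptions made for the example.

```php
<?php
// Added example: a single Anti-XSS wrapper for OxWall post text.
// Assumes vendor/autoload.php is reachable through include_path.
require 'vendor/autoload.php';
// Alternative placement from the "Update" above:
// require_once OW_DIR_LIB . '/vendor/autoload.php';

use voku\helper\AntiXSS;

/**
 * Sanitize untrusted post HTML with Anti-XSS.
 * Returns [cleaned html, whether Anti-XSS removed anything].
 * (forum_xss_clean is a name chosen for this example.)
 */
function forum_xss_clean(string $html): array
{
    static $antiXss = null;          // one instance reused across calls
    if ($antiXss === null) {
        $antiXss = new AntiXSS();
    }

    $clean = $antiXss->xss_clean($html);
    // isXssFound() reports on the most recent xss_clean() call;
    // it is null until xss_clean() has been called at least once.
    $found = $antiXss->isXssFound() === true;

    if ($found) {
        // Worth logging: a stripped payload is a signal, not just a cleanup.
        error_log('Anti-XSS removed content from post text');
    }

    return [$clean, $found];
}

// Constructed sample inputs (made up for this example): two payloads, one benign link.
$samples = [
    'js-href'     => '<a href="javascript:alert(1)">click</a>',
    'event-attr'  => '<img src="x" onerror="alert(document.cookie)">',
    'benign-link' => '<a href="https://example.com/">example</a>',
];

foreach ($samples as $name => $payload) {
    [$clean, $found] = forum_xss_clean($payload);
    printf("%-12s xss_found=%s\n  in:  %s\n  out: %s\n",
        $name, $found ? 'yes' : 'no', $payload, $clean);
}

// Hooking it in centrally, per the reply above, would be a one-line change
// in processWsForOutput() just before "return $text;":
//     [$text] = forum_xss_clean($text);
```

Calling this from processWsForOutput() filters at output time, so the stored post is left as the user wrote it and the filter can be upgraded (or swapped for a whitelist parser such as HTML Purifier, mentioned at the top of the thread) without re-processing old content; the forum_service.php edits instead filter on input and persist the mutated text. Either way, one helper avoids maintaining the same filter chain in four methods.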
Sure, PM me anytime. If your question can help others we can discuss it in the forum too, you can ask anything you want.
Senior Developer