hotline #47362 fix javascript injection in meta:description when accessing cms/viewarticle

f8a87795 · Laurent · d236103f · f8a87795 · f8a87795 · f8a87795
Commit f8a87795 authored 8 years ago by Laurent
--- a/VERSIONS_HOTLINE/47362
+++ b/VERSIONS_HOTLINE/47362
+ - ticket #47362 : correction de l'injection de javascript dans la balise meta:description sur visualisation d'un article contenant du javascript
\ No newline at end of file
--- a/library/Class/ScriptLoader.php
+++ b/library/Class/ScriptLoader.php
@@ -791,7 +791,8 @@ class Class_ScriptLoader {
  public function addCmsMeta($article) {
    $this->_metas[] = '<meta property="og:title" content="' .  $article->getTitre() . '" />';
    $this->_metas[] = '<meta property="og:image" content="' .  $article->getFirstImageAbsoluteURL() . '" />';
-    $this->_metas[] = '<meta property="og:description" content="' .  strip_tags($article->getSummary()) . '" />';
+    $description = trim(strip_tags(preg_replace('/<script.*<\/script>/i', '', $article->getSummary())));
+    $this->_metas[] = '<meta property="og:description" content="' .  $description  . '" />';
    return $this;
  }


--- a/tests/application/modules/opac/controllers/CmsControllerTest.php
+++ b/tests/application/modules/opac/controllers/CmsControllerTest.php
@@ -803,7 +803,7 @@ abstract class CmsControllerWithFeteDeLaFriteTestCase extends AbstractController
    $article= $this->fixture('Class_Article',
                             ['id' =>224,
                              'titre' => 'La fête de la frite',
-                              'contenu' => '<div><img src="userfiles/image/foo.jpg" /><p>Une fête appétissante</p></div>',
+                              'contenu' => '<div><img src="userfiles/image/foo.jpg" /><p>Une fête appétissante</p><script>$(test)</script></div>',
                              'events_debut' => '2011-09-03 12:00',
                              'events_fin' => '2011-10-05 16:00',
                              'tags' => 'Tout public;Concert',