Merge pull request #751 from shinya/eccube-2.17.2-p2

Patch/2.17.2-p2
EC-CUBE · Aug 17, 2023 · 6c9dbc1 · 6c9dbc1
2 parents 073dbc8 + 4bfdc5a
commit 6c9dbc1
Show file tree

Hide file tree

Showing 3 changed files with 105 additions and 7 deletions.
diff --git a/data/class/SC_Initial.php b/data/class/SC_Initial.php
@@ -35,7 +35,7 @@ class SC_Initial
     public function __construct()
     {
         /** EC-CUBEのバージョン */
-        define('ECCUBE_VERSION', '2.17.2-p1');
+        define('ECCUBE_VERSION', '2.17.2-p2');
     }
 
     /**

diff --git a/data/smarty_extends/modifier.script_escape.php b/data/smarty_extends/modifier.script_escape.php
@@ -9,12 +9,36 @@ function smarty_modifier_script_escape($value)
 {
     if (is_array($value)) return $value;
 
-    $pattern = "/<script.*?>|<\/script>|javascript:|<svg.*(onload|onerror).*?>|<img.*(onload|onerror).*?>|<body.*onload.*?>|<iframe.*?>|<object.*?>|<embed.*?>|<.*onmouse.*?>|(\"|').*(onmouse|onerror|onload|onclick).*=.*(\"|').*/i";
+    $pattern = "<script.*?>|<\/script>|javascript:|<svg.*(onload|onerror).*?>|<img.*(onload|onerror).*?>|<body.*onload.*?>|<iframe.*?>|<object.*?>|<embed.*?>|";
+
+    // 追加でサニタイズするイベント一覧
+    $escapeEvents = array(
+        'onmouse',
+        'onclick',
+        'onblur',
+        'onfocus',
+        'onresize',
+        'onscroll',
+        'ondblclick',
+        'onchange',
+        'onselect',
+        'onsubmit',
+        'onkey',
+    );
+
+    // イベント毎の正規表現を生成
+    $generateHtmlTagPatterns = array_map(function($str) {
+        return "<(\w+)([^>]*\s)?\/?".$str."[^>]*>";
+    }, $escapeEvents);
+    $pattern .= implode("|", $generateHtmlTagPatterns)."|";
+    $pattern .= "(\"|').*(onerror|onload|".implode("|", $escapeEvents).").*=.*(\"|').*";
+
+    // 正規表現をまとめる
+    $attributesPattern = "/${pattern}/i";
+
+    // 置き換える文字列
     $convert = '#script tag escaped#';
 
-    if (preg_match_all($pattern, $value, $matches)) {
-        return preg_replace($pattern, $convert, $value);
-    } else {
-        return $value;
-    }
+    // マッチしたら文字列を置き換える
+    return preg_replace($attributesPattern, $convert, $value);
 }
diff --git a/tests/class/modifier/Modifier_ScriptEscapeTest.php b/tests/class/modifier/Modifier_ScriptEscapeTest.php
@@ -0,0 +1,74 @@
+<?php
+require 'data/smarty_extends/modifier.script_escape.php';
+
+/**
+ *
+ */
+class Modifier_ScriptEscapeTest extends PHPUnit_Framework_TestCase
+{
+    public function scriptEscapeProvider()
+    {
+        return array(
+            array('<script type="text/javascript"></script>'),
+            array('<svg onload="alert(1)">test</svg>'),
+            array('<img onload="alert(1)">test</img>'),
+            array('<body onload="alert(1)">test</body>'),
+            array('<iframe></iframe>'),
+            array('<object></object>'),
+            array('<embed>'),
+            array('\"onclick=\"alert(1)\"'),
+            array('<p onclick="alert(1)">test</p>'),
+            array('<p onsubmit="alert(1)">test</p>'),
+            array('<p style="" onclick="alert(1)">test</p>'),
+            array('<input type="button"onfocus="alert(1)">'),
+            array('<input type="button" onblur="alert(1)">'),
+            array('<input onfocus="alert(1)" type="button">'),
+            array('<body onresize="alert(1)">'),
+            array('<div onscroll="alert(1)">'),
+            array('<div>javascript:test()</div>'),
+            array('<input type="button" ondblclick="alert(1)">'),
+            array('<input type="text" onchange="alert(1);">'),
+            array('<input type="text" onselect="alert(1);">'),
+            array('<form onsubmit="alert(1);">'),
+            array('<input type="button" onkeydown="alert(1)">'),
+            array('<input type="button" onkeypress="alert(1)">'),
+            array('<input type="button" onkeyup="alert(1)">'),
+            array('<input type=\"button\"\nonclick=\"alert(1)\">'),
+            array('<div/onscroll="alert(1)">'),
+        );
+    }
+
+    public function scriptNoEscapeProvider()
+    {
+        return array(
+            array('<p>test</p>'),
+            array('<input type="button">'),
+            array('<p>onclick</p>'),
+            array('<div>test</div>'),
+            array('<textarea>onclick="alert(1)";</textarea>'),
+            array('<p>onclick="\ntest();"</p>'),
+            array('<onclock'),
+            array('<oncl\nick'),
+        );
+    }
+
+    /**
+     * @dataProvider scriptEscapeProvider
+     */
+    public function testメールテンプレート_エスケープされる($value)
+    {
+        $ret = smarty_modifier_script_escape($value);
+        $pattern = "/#script tag escaped#/";
+        $this->assertRegExp($pattern, $ret);
+    }
+
+    /**
+     * @dataProvider scriptNoEscapeProvider
+     */
+    public function testメールテンプレート_エスケープされない($value)
+    {
+        $ret = smarty_modifier_script_escape($value);
+        $pattern = "/#script tag escaped#/";
+        $this->assertNotRegExp($pattern, $ret);
+    }
+}