From 1e0f5f00890f751e84d67be4f139dd7f00faa5f3 Mon Sep 17 00:00:00 2001
From: smizrahi
Date: Tue, 22 Nov 2022 10:09:41 +0100
Subject: [PATCH] fix(security): Security fix for WSTG-INPV-02. Add XSS protection on folders and mail title / content

---
 SoObjects/SOGo/NSString+Utilities.m | 78 +++++++++++++++++------------
 1 file changed, 47 insertions(+), 31 deletions(-)

diff --git a/SoObjects/SOGo/NSString+Utilities.m b/SoObjects/SOGo/NSString+Utilities.m
index 9f07c246f..92fb50a4c 100644
--- a/SoObjects/SOGo/NSString+Utilities.m
+++ b/SoObjects/SOGo/NSString+Utilities.m
@@ -898,35 +898,49 @@ static int cssEscapingCount; */ - (NSString *) stringWithoutHTMLInjection: (BOOL)stripHTMLCode { - NSString *result, *text; - NSScanner *theScanner; - NSError *error; + // NSRegularExpression is not implemented in old GNUStep versions (ubuntu trusty) + if (NSClassFromString(@"NSRegularExpression")) { + NSString *result, *text; + NSScanner *theScanner; + NSError *error; + NSUInteger numberOfMatches; + NSRegularExpression *regex; - text = nil; - error = nil; - result = [NSString stringWithString: self]; + text = nil; + error = nil; + result = [NSString stringWithString: self]; + regex = nil; - if (stripHTMLCode) { - // Author : https://www.codercrunch.com/question/1251681838/how-remove-html-tags-string-ios - theScanner = [NSScanner scannerWithString: result]; - while ([theScanner isAtEnd] == NO) { - // find start of tag - [theScanner scanUpToString: @"<" intoString: NULL]; - // find end of tag - [theScanner scanUpToString: @">" intoString: &text]; - // replace the found tag with a space - //(you can filter multi-spaces out later if you wish) - result = [result stringByReplacingOccurrencesOfString: - [NSString stringWithFormat: @"%@>", text] - withString: @" "]; - } - } else { - // Clean XSS - // Examples of injection : https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html#xss-locator-polygot - - // NSRegularExpression is not implemented in old GNUStep versions (ubuntu trusty) - if (NSClassFromString(@"NSRegularExpression")) { - NSRegularExpression *regex = nil; + if (stripHTMLCode) { + // Author : https://www.codercrunch.com/question/1251681838/how-remove-html-tags-string-ios + theScanner = [NSScanner scannerWithString: result]; + while ([theScanner isAtEnd] == NO) { + // find start of tag + [theScanner scanUpToString: @"<" intoString: NULL]; + // find end of tag + [theScanner scanUpToString: @">" intoString: &text]; + + // Check that text is not ", text] + withString: @" "]; + } + } + } + } else { + // Clean XSS + 
// Examples of injection : https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html#xss-locator-polygot // Remove javascript: regex = [NSRegularExpression regularExpressionWithPattern:@"j[\\s\\u200B \\\\0]*a[\\s\\u200B \\\\0]*v[\\s\\u200B \\\\0]*a[\\s\\u200B \\\\0]*s[\\s\\u200B \\\\0]*c[\\s\\u200B \\\\0]*r[\\s\\u200B \\\\0]*i[\\s\\u200B \\\\0]*p[\\s\\u200B \\\\0]*t[\\s\\u200B \\\\0]*:"
@@ -967,10 +981,12 @@ static int cssEscapingCount; regex = [NSRegularExpression regularExpressionWithPattern:@"onmouseover=" options: NSRegularExpressionCaseInsensitive error:&error]; result = [regex stringByReplacingMatchesInString:result options:0 range:NSMakeRange(0, [result length]) withTemplate:@"onmouseo***="]; - } - } - - return result; + } + + return result; + } else { + return self; + } } @end
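Review bot: The NSScanner tag-stripping path now depends on `NSRegularExpression` existing, which it never needed: with the whole body moved under `if (NSClassFromString(@"NSRegularExpression"))`, a build without that class falls through to the `else { return self; }` added in the next hunk, so a caller passing `stripHTMLCode == YES` gets its input back with every tag intact, whereas before this change that branch ran on every Foundation build. The new check inside the scanner loop (the comment beginning `// Check that text is not` and the statement after it are truncated in this copy of the hunk) is presumably the part that needs the regex; if so, guard only that check with the class test and keep the scanner loop itself in the fallback so the method still fails safe where the regex class is missing. Per the hunk headers, new lines 947–980 between the two hunks are not shown, so the remaining pattern list and the end of the `if (stripHTMLCode)` branch were not reviewed here.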
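Review bot: `regex` is messaged in `stringByReplacingMatchesInString:` without a nil check, and the `error` handed to `regularExpressionWithPattern:` is never read; if any pattern fails to compile on a given Foundation build, messaging nil turns `result` into nil and the method returns nil to the caller with no record of why. Surface that case instead of swallowing it, for example `NSAssert(regex != nil, @"stringWithoutHTMLInjection: invalid pattern: %@", error);` right after each `regularExpressionWithPattern:` call (the earlier calls in this method sit outside the hunk and have the same shape). The `onmouseover=` → `onmouseo***=` rewrite is a fixed-token denylist applied to the stored string; since the value is later rendered as HTML, context-appropriate escaping at the output point remains the durable control, and a comment on the method stating that this filter is defence in depth rather than the primary XSS mitigation would keep future callers from relying on it alone.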