diff --git a/SoObjects/SOGo/NSString+Utilities.m b/SoObjects/SOGo/NSString+Utilities.m
index c8b63383f..9f07c246f 100644
--- a/SoObjects/SOGo/NSString+Utilities.m
+++ b/SoObjects/SOGo/NSString+Utilities.m
@@ -901,11 +901,9 @@ static int cssEscapingCount;
 NSString *result, *text;
 NSScanner *theScanner;
 NSError *error;
- NSRegularExpression *regex;
 text = nil;
 error = nil;
- regex = nil;
 result = [NSString stringWithString: self];
 if (stripHTMLCode) { 
@@ -925,48 +923,51 @@ static int cssEscapingCount;
 } else { // Clean XSS
 // Examples of injection : https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html#xss-locator-polygot
- result = [self stringByReplacingOccurrencesOfString:@"" withString:@""];
- // Remove javascript:
- regex = [NSRegularExpression regularExpressionWithPattern:@"j[\\s\\u200B \\\\0]*a[\\s\\u200B \\\\0]*v[\\s\\u200B \\\\0]*a[\\s\\u200B \\\\0]*s[\\s\\u200B \\\\0]*c[\\s\\u200B \\\\0]*r[\\s\\u200B \\\\0]*i[\\s\\u200B \\\\0]*p[\\s\\u200B \\\\0]*t[\\s\\u200B \\\\0]*:"
- options: NSRegularExpressionCaseInsensitive error:&error];
- result = [regex stringByReplacingMatchesInString:result options:0 range:NSMakeRange(0, [result length]) withTemplate:@""];
+ // NSRegularExpression is not implemented in old GNUStep versions (ubuntu trusty)
+ if (NSClassFromString(@"NSRegularExpression")) {
+ NSRegularExpression *regex = nil;
- // Remove vbscript:
- regex = [NSRegularExpression regularExpressionWithPattern:@"v[\\s\\u200B \\\\0]*b[\\s\\u200B \\\\0]*s[\\s\\u200B \\\\0]*r[\\s\\u200B \\\\0]*i[\\s\\u200B \\\\0]*p[\\s\\u200B \\\\0]*t[\\s\\u200B \\\\0]*:"
- options: NSRegularExpressionCaseInsensitive error:&error];
- result = [regex stringByReplacingMatchesInString:result options:0 range:NSMakeRange(0, [result length]) withTemplate:@""];
+ // Remove javascript:
+ regex = [NSRegularExpression regularExpressionWithPattern:@"j[\\s\\u200B \\\\0]*a[\\s\\u200B \\\\0]*v[\\s\\u200B \\\\0]*a[\\s\\u200B \\\\0]*s[\\s\\u200B \\\\0]*c[\\s\\u200B \\\\0]*r[\\s\\u200B \\\\0]*i[\\s\\u200B \\\\0]*p[\\s\\u200B \\\\0]*t[\\s\\u200B \\\\0]*:"
+ options: NSRegularExpressionCaseInsensitive error:&error];
+ result = [regex stringByReplacingMatchesInString:result options:0 range:NSMakeRange(0, [result length]) withTemplate:@""];
- // Remove livescript:
- regex = [NSRegularExpression regularExpressionWithPattern:@"l[\\s\\u200B \\\\0]*i[\\s\\u200B \\\\0]*v[\\s\\u200B \\\\0]*e[\\s\\u200B \\\\0]*s[\\s\\u200B 
\\\\0]*c[\\s\\u200B \\\\0]*r[\\s\\u200B \\\\0]*i[\\s\\u200B \\\\0]*p[\\s\\u200B \\\\0]*t[\\s\\u200B \\\\0]*:"
- options: NSRegularExpressionCaseInsensitive error:&error];
- result = [regex stringByReplacingMatchesInString:result options:0 range:NSMakeRange(0, [result length]) withTemplate:@""];
+ // Remove vbscript:
+ regex = [NSRegularExpression regularExpressionWithPattern:@"v[\\s\\u200B \\\\0]*b[\\s\\u200B \\\\0]*s[\\s\\u200B \\\\0]*r[\\s\\u200B \\\\0]*i[\\s\\u200B \\\\0]*p[\\s\\u200B \\\\0]*t[\\s\\u200B \\\\0]*:"
+ options: NSRegularExpressionCaseInsensitive error:&error];
+ result = [regex stringByReplacingMatchesInString:result options:0 range:NSMakeRange(0, [result length]) withTemplate:@""];
- // Remove