indymedia
/
epicyon
mirror of https://gitlab.com/bashrc2/epicyon
7
4
Fork 1
Code Issues 14 Releases Wiki Activity

Detect encoded script markup

merge-requests/30/head
Bob Mottram 2021-05-19 12:29:37 +01:00
parent 39c798c157
commit fd30083696
2 changed files with 33 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
tests.py
View File

@ -2268,6 +2268,11 @@ def testDangerousMarkup():
'.innerHTML = "evil";</script></p>' '.innerHTML = "evil";</script></p>'
assert(dangerousMarkup(content, allowLocalNetworkAccess)) assert(dangerousMarkup(content, allowLocalNetworkAccess))
content = '<p>This is a valid-looking message. But wait... ' + \
'&lt;script&gt;document.getElementById("concentrated")' + \
'.innerHTML = "evil";&lt;/script&gt;</p>'
assert(dangerousMarkup(content, allowLocalNetworkAccess))
content = '<p>This html contains more than you expected... ' + \ content = '<p>This html contains more than you expected... ' + \
'<script language="javascript">document.getElementById("abc")' + \ '<script language="javascript">document.getElementById("abc")' + \
'.innerHTML = "def";</script></p>' '.innerHTML = "def";</script></p>'
@ -3646,8 +3651,6 @@ def testSpoofGeolocation() -> None:
"%Y-%m-%d %H:%M") "%Y-%m-%d %H:%M")
coords = spoofGeolocation('', 'new york, usa', currTime, coords = spoofGeolocation('', 'new york, usa', currTime,
decoySeed, citiesList) decoySeed, citiesList)
#coords = spoofGeolocation('', 'berlin, germany', currTime,
# decoySeed, citiesList)
longitude = coords[1] longitude = coords[1]
if coords[3] == 'W': if coords[3] == 'W':
longitude = -coords[1] longitude = -coords[1]

52
utils.py
View File

@ -663,32 +663,36 @@ def getLocalNetworkAddresses() -> []:
def dangerousMarkup(content: str, allowLocalNetworkAccess: bool) -> bool: def dangerousMarkup(content: str, allowLocalNetworkAccess: bool) -> bool:
"""Returns true if the given content contains dangerous html markup """Returns true if the given content contains dangerous html markup
""" """
if '<' not in content: separators = (['<', '>'], ['&lt;', '&gt;'])
return False for separatorStyle in separators:
if '>' not in content: startChar = separatorStyle[0]
return False endChar = separatorStyle[1]
contentSections = content.split('<') if startChar not in content:
invalidPartials = ()
if not allowLocalNetworkAccess:
invalidPartials = getLocalNetworkAddresses()
invalidStrings = ('script', 'canvas', 'style', 'abbr',
'frame', 'iframe', 'html', 'body',
'hr', 'allow-popups', 'allow-scripts')
for markup in contentSections:
if '>' not in markup:
continue continue
markup = markup.split('>')[0].strip() if endChar not in content:
for partialMatch in invalidPartials: continue
if partialMatch in markup: contentSections = content.split(startChar)
return True invalidPartials = ()
if ' ' not in markup: if not allowLocalNetworkAccess:
for badStr in invalidStrings: invalidPartials = getLocalNetworkAddresses()
if badStr in markup: invalidStrings = ('script', 'canvas', 'style', 'abbr',
return True 'frame', 'iframe', 'html', 'body',
else: 'hr', 'allow-popups', 'allow-scripts')
for badStr in invalidStrings: for markup in contentSections:
if badStr + ' ' in markup: if endChar not in markup:
continue
markup = markup.split(endChar)[0].strip()
for partialMatch in invalidPartials:
if partialMatch in markup:
return True return True
if ' ' not in markup:
for badStr in invalidStrings:
if badStr in markup:
return True
else:
for badStr in invalidStrings:
if badStr + ' ' in markup:
return True
return False return False