Merge branch 'fix/26763/2301' into '2301.0.x'

[26763] SECURITE - Il est possible d'injecter du code via la personnalisation du message de login See merge request maarch/MaarchParapheur!256

Merge branch 'fix/26763/2301' into '2301.0.x'
ba39ae43 · Joseph AKEL · 025b02b9 · 0b65c585 · ba39ae43 · ba39ae43
Commit ba39ae43 authored 1 year ago by Joseph AKEL
--- a/src/frontend/app/administration/customization/customization.component.ts
+++ b/src/frontend/app/administration/customization/customization.component.ts
@@ -112,7 +112,7 @@ export class CustomizationComponent implements OnInit, OnDestroy {
            base_url: `${this.functions.getBaseUrl().split('#')[0]}/tinymce/`,
            height: '200',
            suffix: '.min',
-            extended_valid_elements : 'tag,class',
+            extended_valid_elements : 'tag,class,script[src|async|defer|type|charset]',
            content_css: `${this.functions.getBaseUrl().split('#')[0]}/assets/custom_tinymce.css`,
            language: this.translate.instant('lang.langISO').replace('-', '_'),
            language_url: `../node_modules/tinymce-i18n/langs/${this.translate.instant('lang.langISO').replace('-', '_')}.js`,
@@ -120,7 +120,7 @@ export class CustomizationComponent implements OnInit, OnDestroy {
            statusbar: false,
            readonly: false,
            plugins: [
-                'autolink', 'table', 'code', 'noneditable', 'link'
+                'autolink', 'table', 'noneditable', 'link'
            ],
            noneditable_noneditable_class: 'mceNonEditable',
            table_toolbar: '',
@@ -133,7 +133,7 @@ export class CustomizationComponent implements OnInit, OnDestroy {
            forced_root_block : false,
            toolbar: 'undo redo | fontselect fontsizeselect | bold italic underline strikethrough forecolor backcolor | table maarch_b64image | \
        alignleft aligncenter alignright alignjustify \
-        bullist numlist outdent indent | removeformat | code link'
+        bullist numlist outdent indent | removeformat | link'
        };
        tinymce.init(param);
    }

--- a/src/frontend/app/service/auth.guard.ts
+++ b/src/frontend/app/service/auth.guard.ts
@@ -12,6 +12,7 @@ import { LocalStorageService } from './local-storage.service';
 import { AlertComponent } from '../plugins/alert.component';
 import { MatDialog } from '@angular/material/dialog';
 import { MenuController } from '@ionic/angular';
+import { FunctionsService } from './functions.service';

 @Injectable({
    providedIn: 'root'
@@ -26,6 +27,7 @@ export class AuthGuard implements CanActivate {
        public authService: AuthService,
        private localStorage: LocalStorageService,
        public dialog: MatDialog,
+        public functions: FunctionsService,
        private menu: MenuController) { }

    canActivate(route: ActivatedRouteSnapshot, state: RouterStateSnapshot): Observable<any> | boolean {
@@ -36,7 +38,7 @@ export class AuthGuard implements CanActivate {
            } else {
                return this.http.get('../rest/authenticationInformations').pipe(
                    map((data: any) => {
-                        this.authService.loginMessage = data.loginMessage;
+                        this.authService.loginMessage = this.functions.sanitizeHtml(data.loginMessage);
                        this.authService.authMode = data.connection;
                        this.authService.changeKey = data.changeKey;
                        this.authService.coreUrl = data.coreUrl;

--- a/src/frontend/app/service/functions.service.ts
+++ b/src/frontend/app/service/functions.service.ts
@@ -205,4 +205,50 @@ export class FunctionsService {
        const pattern = /^(?:http(s)?:\/\/)?[\w.-]+(?:\.[\w\.-]+)+[\w\-\._~:/?#[\]@!\$&'\(\)\*\+,;=.]+$/;
        return pattern.test(value);
    }
+
+    /**
+     * Sanitizes HTML content to remove all script elements, event attributes, and external script URLs.
+     * @param {string} html - The HTML content to be sanitized.
+     * @returns {string} - The sanitized HTML content without any scripts or related elements.
+    */
+    sanitizeHtml(html: string): string {
+        // Parse the input HTML string into a DOM object
+        const domParser = new DOMParser().parseFromString(html, 'text/html');
+
+        // Remove all <script> tags from the DOM
+        const scripts = domParser.querySelectorAll('script');
+        scripts.forEach((script: any) => {
+            script.remove();
+        });
+
+        // Remove event attributes (such as onclick, onerror, etc.) from all elements
+        const elementsWithEventAttributes = domParser.querySelectorAll('*');
+        elementsWithEventAttributes.forEach(element => {
+            element.removeAttribute('onabort');
+            element.removeAttribute('onblur');
+            element.removeAttribute('onchange');
+            element.removeAttribute('onclick');
+            element.removeAttribute('ondblclick');
+            element.removeAttribute('onerror');
+            element.removeAttribute('onfocus');
+            element.removeAttribute('onkeydown');
+            element.removeAttribute('onkeypress');
+            element.removeAttribute('onkeyup');
+            element.removeAttribute('onload');
+            element.removeAttribute('onmousedown');
+            element.removeAttribute('onmousemove');
+            element.removeAttribute('onmouseout');
+            element.removeAttribute('onmouseover');
+            element.removeAttribute('onmouseup');
+            element.removeAttribute('onreset');
+            element.removeAttribute('onresize');
+            element.removeAttribute('onscroll');
+            element.removeAttribute('onselect');
+            element.removeAttribute('onsubmit');
+            element.removeAttribute('onunload');
+        });
+
+        // Return the sanitized HTML content
+        return domParser.body.innerHTML;
+    }
 }