Merge pull request #3222 from Roardom/bbcode-improvements

HDVinnie · web-flow · commit 0356b4cd6da7 · 2025-01-19T23:01:33.000-05:00
(Update) Remove XSS cleaner and remove XSS vulnerabilities
diff --git a/app/Helpers/Bbcode.php b/app/Helpers/Bbcode.php
@@ -153,7 +153,7 @@ class Bbcode
             'block'       => true,
         ],
         'namedquote' => [
-            'openBbcode'  => '/^\[quote=([^<>"]*?)\]/i',
+            'openBbcode'  => '/^\[quote=(.*?)\]/i',
             'closeBbcode' => '[/quote]',
             'openHtml'    => '<blockquote><i class="fas fa-quote-left"></i> <cite>Quoting $1:</cite><p>',
             'closeHtml'   => '</p></blockquote>',
@@ -278,6 +278,9 @@ class Bbcode
      */
     public function parse(?string $source, bool $replaceLineBreaks = true): string
     {
+        $source ??= '';
+        $source = htmlspecialchars($source, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
+
         // Replace all void elements since they don't have closing tags
         $source = str_replace('[*]', '<li>', (string) $source);
         $source = str_replace('[hr]', '<hr>', $source);
@@ -320,7 +323,7 @@ public function parse(?string $source, bool $replaceLineBreaks = true): string
             $source ?? ''
         );
         $source = preg_replace_callback(
-            '/\[video="youtube"]([a-z0-9_-]{11})\[\/video]/i',
+            '/\[video=&quot;youtube&quot;]([a-z0-9_-]{11})\[\/video]/i',
             static fn ($matches) => '<iframe width="560" height="315" src="https://www.youtube-nocookie.com/embed/'.$matches[1].'?rel=0" allow="autoplay; encrypted-media" allowfullscreen></iframe>',
             $source ?? ''
         );
diff --git a/app/Helpers/Linkify.php b/app/Helpers/Linkify.php
@@ -27,7 +27,14 @@ public function linky(string $text): string
         $validator = new Validator(
             false, // bool - if should use top level domain to match urls without scheme
             [],    // string[] - array of blacklisted schemes
-            [],    // string[] - array of whitelisted schemes
+            [
+                'http',
+                'https',
+                'irc',
+                'ftp',
+                'sftp',
+                'magnet',
+            ],    // string[] - array of whitelisted schemes
             true   // bool - if should match emails (if match by TLD set to "false" - will match only "mailto" urls)
         );
 
diff --git a/app/Http/Livewire/BbcodeInput.php b/app/Http/Livewire/BbcodeInput.php
@@ -18,7 +18,6 @@
 
 use App\Helpers\Bbcode;
 use Livewire\Component;
-use voku\helper\AntiXSS;
 
 class BbcodeInput extends Component
 {
@@ -39,13 +38,13 @@ final public function mount(string $name, string $label, bool $required = false,
         $this->name = $name;
         $this->label = $label;
         $this->isRequired = $required;
-        $this->contentBbcode = $content === null ? (old($name) ?? '') : htmlspecialchars_decode($content);
+        $this->contentBbcode = $content ?? old($name) ?? '';
     }
 
     final public function updatedIsPreviewEnabled(): void
     {
         if ($this->isPreviewEnabled) {
-            $this->contentHtml = (new Bbcode())->parse(htmlspecialchars((new AntiXSS())->xss_clean($this->contentBbcode), ENT_NOQUOTES));
+            $this->contentHtml = (new Bbcode())->parse($this->contentBbcode);
         }
     }
 
diff --git a/app/Http/Resources/ChatMessageResource.php b/app/Http/Resources/ChatMessageResource.php
@@ -19,7 +19,6 @@
 use App\Helpers\Bbcode;
 use hdvinnie\LaravelJoyPixels\LaravelJoyPixels;
 use Illuminate\Http\Resources\Json\JsonResource;
-use voku\helper\AntiXSS;
 
 /**
  * @mixin \App\Models\Message
@@ -33,17 +32,14 @@ class ChatMessageResource extends JsonResource
      */
     public function toArray($request): array
     {
-        $emojiOne = app()->make(LaravelJoyPixels::class);
+        $emojiOne = new LaravelJoyPixels();
 
         $bbcode = new Bbcode();
+        $logger = $bbcode->parse($this->message);
+        $logger = $emojiOne->toImage($logger);
 
         if ($this->user_id == 1) {
-            $logger = $bbcode->parse('<div class="align-left"><div class="chatTriggers">'.$this->message.'</div></div>');
-            $logger = $emojiOne->toImage($logger);
             $logger = str_replace('a href="/#', 'a trigger="bot" class="chatTrigger" href="/#', $logger);
-        } else {
-            $logger = $bbcode->parse('<div class="align-left">'.$this->message.'</div>');
-            $logger = $emojiOne->toImage($logger);
         }
 
         return [
@@ -52,7 +48,7 @@ public function toArray($request): array
             'user'       => new ChatUserResource($this->whenLoaded('user')),
             'receiver'   => new ChatUserResource($this->whenLoaded('receiver')),
             'chatroom'   => new ChatRoomResource($this->whenLoaded('chatroom')),
-            'message'    => (new AntiXSS())->xss_clean($logger),
+            'message'    => $logger,
             'created_at' => $this->created_at->toIso8601String(),
             'updated_at' => $this->updated_at->toIso8601String(),
         ];
diff --git a/app/Models/Article.php b/app/Models/Article.php
@@ -21,7 +21,6 @@
 use App\Traits\Auditable;
 use Illuminate\Database\Eloquent\Factories\HasFactory;
 use Illuminate\Database\Eloquent\Model;
-use voku\helper\AntiXSS;
 
 /**
  * App\Models\Article.
@@ -69,14 +68,6 @@ public function comments(): \Illuminate\Database\Eloquent\Relations\MorphMany
         return $this->morphMany(Comment::class, 'commentable');
     }
 
-    /**
-     * Set The Articles Content After Its Been Purified.
-     */
-    public function setContentAttribute(?string $value): void
-    {
-        $this->attributes['content'] = $value === null ? null : htmlspecialchars((new AntiXSS())->xss_clean($value), ENT_NOQUOTES);
-    }
-
     /**
      * Parse Content And Return Valid HTML.
      */
diff --git a/app/Models/Comment.php b/app/Models/Comment.php
@@ -23,7 +23,6 @@
 use Illuminate\Database\Eloquent\Builder;
 use Illuminate\Database\Eloquent\Factories\HasFactory;
 use Illuminate\Database\Eloquent\Model;
-use voku\helper\AntiXSS;
 
 /**
  * App\Models\Comment.
@@ -111,14 +110,6 @@ public function scopeParent(Builder $builder): void
         $builder->whereNull('parent_id');
     }
 
-    /**
-     * Set The Articles Content After Its Been Purified.
-     */
-    public function setContentAttribute(?string $value): void
-    {
-        $this->attributes['content'] = $value === null ? null : htmlspecialchars((new AntiXSS())->xss_clean($value), ENT_NOQUOTES);
-    }
-
     /**
      * Parse Content And Return Valid HTML.
      */
diff --git a/app/Models/Message.php b/app/Models/Message.php
@@ -19,7 +19,6 @@
 use App\Helpers\Bbcode;
 use Illuminate\Database\Eloquent\Factories\HasFactory;
 use Illuminate\Database\Eloquent\Model;
-use voku\helper\AntiXSS;
 
 /**
  * App\Models\Message.
@@ -91,14 +90,6 @@ public function chatroom(): \Illuminate\Database\Eloquent\Relations\BelongsTo
         return $this->belongsTo(Chatroom::class);
     }
 
-    /**
-     * Set The Chat Message After Its Been Purified.
-     */
-    public function setMessageAttribute(string $value): void
-    {
-        $this->attributes['message'] = htmlspecialchars((new AntiXSS())->xss_clean($value), ENT_NOQUOTES);
-    }
-
     /**
      * Parse Content And Return Valid HTML.
      */
diff --git a/app/Models/Note.php b/app/Models/Note.php
@@ -20,7 +20,6 @@
 use App\Traits\Auditable;
 use Illuminate\Database\Eloquent\Factories\HasFactory;
 use Illuminate\Database\Eloquent\Model;
-use voku\helper\AntiXSS;
 
 /**
  * App\Models\Note.
@@ -79,14 +78,6 @@ public function staffuser(): \Illuminate\Database\Eloquent\Relations\BelongsTo
         ]);
     }
 
-    /**
-     * Set Message After It's Been Purified.
-     */
-    public function setMessageAttribute(?string $value): void
-    {
-        $this->attributes['message'] = $value === null ? null : htmlspecialchars((new AntiXSS())->xss_clean($value), ENT_NOQUOTES);
-    }
-
     /**
      * Parse Message And Return Valid HTML.
      */
diff --git a/app/Models/Playlist.php b/app/Models/Playlist.php
@@ -21,7 +21,6 @@
 use App\Traits\Auditable;
 use Illuminate\Database\Eloquent\Factories\HasFactory;
 use Illuminate\Database\Eloquent\Model;
-use voku\helper\AntiXSS;
 
 /**
  * App\Models\Playlist.
@@ -78,14 +77,6 @@ public function comments(): \Illuminate\Database\Eloquent\Relations\MorphMany
         return $this->morphMany(Comment::class, 'commentable');
     }
 
-    /**
-     * Set The Playlists Description After It's Been Purified.
-     */
-    public function setDescriptionAttribute(?string $value): void
-    {
-        $this->attributes['description'] = $value === null ? null : htmlspecialchars((new AntiXSS())->xss_clean($value), ENT_NOQUOTES);
-    }
-
     /**
      * Parse Description And Return Valid HTML.
      */
diff --git a/app/Models/Post.php b/app/Models/Post.php
@@ -21,7 +21,6 @@
 use App\Traits\Auditable;
 use Illuminate\Database\Eloquent\Factories\HasFactory;
 use Illuminate\Database\Eloquent\Model;
-use voku\helper\AntiXSS;
 
 /**
  * App\Models\Post.
@@ -156,14 +155,6 @@ public function scopeAuthorized(
         );
     }
 
-    /**
-     * Set The Posts Content After Its Been Purified.
-     */
-    public function setContentAttribute(?string $value): void
-    {
-        $this->attributes['content'] = $value === null ? null : htmlspecialchars((new AntiXSS())->xss_clean($value), ENT_NOQUOTES);
-    }
-
     /**
      * Parse Content And Return Valid HTML.
      */
diff --git a/app/Models/PrivateMessage.php b/app/Models/PrivateMessage.php
@@ -20,7 +20,6 @@
 use App\Helpers\Linkify;
 use Illuminate\Database\Eloquent\Factories\HasFactory;
 use Illuminate\Database\Eloquent\Model;
-use voku\helper\AntiXSS;
 
 /**
  * App\Models\PrivateMessage.
@@ -64,14 +63,6 @@ public function conversation(): \Illuminate\Database\Eloquent\Relations\BelongsT
         return $this->belongsTo(Conversation::class);
     }
 
-    /**
-     * Set The PM Message After Its Been Purified.
-     */
-    public function setMessageAttribute(string $value): void
-    {
-        $this->attributes['message'] = htmlspecialchars((new AntiXSS())->xss_clean($value), ENT_NOQUOTES);
-    }
-
     /**
      * Parse Content And Return Valid HTML.
      */
diff --git a/app/Models/TicketNote.php b/app/Models/TicketNote.php
@@ -18,7 +18,6 @@
 
 use App\Helpers\Linkify;
 use Illuminate\Database\Eloquent\Model;
-use voku\helper\AntiXSS;
 
 /**
  * App\Models\TicketNote.
@@ -59,14 +58,6 @@ public function ticket(): \Illuminate\Database\Eloquent\Relations\BelongsTo
         return $this->belongsTo(Ticket::class);
     }
 
-    /**
-     * Set Message After It's Been Purified.
-     */
-    public function setMessageAttribute(?string $value): void
-    {
-        $this->attributes['message'] = $value === null ? null : htmlspecialchars((new AntiXSS())->xss_clean($value), ENT_NOQUOTES);
-    }
-
     /**
      * Parse Message And Return Valid HTML.
      */
diff --git a/app/Models/Torrent.php b/app/Models/Torrent.php
@@ -29,7 +29,6 @@
 use Illuminate\Database\Eloquent\Model;
 use Illuminate\Database\Eloquent\SoftDeletes;
 use Laravel\Scout\Searchable;
-use voku\helper\AntiXSS;
 
 /**
  * App\Models\Torrent.
@@ -751,14 +750,6 @@ public function trump(): \Illuminate\Database\Eloquent\Relations\HasOne
         return $this->hasOne(TorrentTrump::class);
     }
 
-    /**
-     * Set The Torrents Description After Its Been Purified.
-     */
-    public function setDescriptionAttribute(?string $value): void
-    {
-        $this->attributes['description'] = $value === null ? null : htmlspecialchars((new AntiXSS())->xss_clean($value), ENT_NOQUOTES);
-    }
-
     /**
      * Parse Description And Return Valid HTML.
      */
diff --git a/app/Models/TorrentRequest.php b/app/Models/TorrentRequest.php
@@ -21,7 +21,6 @@
 use App\Traits\Auditable;
 use Illuminate\Database\Eloquent\Factories\HasFactory;
 use Illuminate\Database\Eloquent\Model;
-use voku\helper\AntiXSS;
 
 /**
  * App\Models\TorrentRequest.
@@ -215,14 +214,6 @@ public function claim(): \Illuminate\Database\Eloquent\Relations\HasOne
         return $this->hasOne(TorrentRequestClaim::class, 'request_id');
     }
 
-    /**
-     * Set The Requests Description After Its Been Purified.
-     */
-    public function setDescriptionAttribute(?string $value): void
-    {
-        $this->attributes['description'] = $value === null ? null : htmlspecialchars((new AntiXSS())->xss_clean($value), ENT_NOQUOTES);
-    }
-
     /**
      * Parse Description And Return Valid HTML.
      */
diff --git a/app/Models/User.php b/app/Models/User.php
@@ -28,7 +28,6 @@
 use Illuminate\Foundation\Auth\User as Authenticatable;
 use Illuminate\Notifications\Notifiable;
 use Laravel\Fortify\TwoFactorAuthenticatable;
-use voku\helper\AntiXSS;
 
 /**
  * App\Models\User.
@@ -1181,14 +1180,6 @@ public function getFormattedBufferAttribute(): string
         return StringHelper::formatBytes($bytes);
     }
 
-    /**
-     * Set The Users Signature After It's Been Purified.
-     */
-    public function setSignatureAttribute(?string $value): void
-    {
-        $this->attributes['signature'] = $value === null ? null : htmlspecialchars((new AntiXSS())->xss_clean($value), ENT_NOQUOTES);
-    }
-
     /**
      * Returns the HTML of the user's signature.
      */
@@ -1199,14 +1190,6 @@ public function getSignatureHtmlAttribute(): string
         return (new Linkify())->linky($bbcode->parse($this->signature));
     }
 
-    /**
-     * Set The Users About Me After It's Been Purified.
-     */
-    public function setAboutAttribute(?string $value): void
-    {
-        $this->attributes['about'] = $value === null ? null : htmlspecialchars((new AntiXSS())->xss_clean($value), ENT_NOQUOTES);
-    }
-
     /**
      * Parse About Me And Return Valid HTML.
      */
diff --git a/composer.json b/composer.json
@@ -41,7 +41,6 @@
         "spatie/ssl-certificate": "^2.6.8",
         "symfony/dom-crawler": "^6.4.16",
         "theodorejb/polycast": "dev-master",
-        "voku/anti-xss": "^4.1.42",
         "vstelmakh/url-highlight": "^3.1.1"
     },
     "require-dev": {
diff --git a/database/migrations/2024_07_03_085223_htmlspecialchars_decode_bbcode.php b/database/migrations/2024_07_03_085223_htmlspecialchars_decode_bbcode.php
diff --git a/phpstan-baseline.neon b/phpstan-baseline.neon

Original file line number	Diff line number	Diff line change
`@@ -18,7 +18,6 @@`
`18`	`18`
`19`	`19`	`use App\Helpers\Bbcode;`
`20`	`20`	`use Livewire\Component;`
`21`		`-use voku\helper\AntiXSS;`
`22`	`21`
`23`	`22`	`class BbcodeInput extends Component`
`24`	`23`	`{`
`@@ -39,13 +38,13 @@ final public function mount(string $name, string $label, bool $required = false,`
`39`	`38`	`$this->name = $name;`
`40`	`39`	`$this->label = $label;`
`41`	`40`	`$this->isRequired = $required;`
`42`		`- $this->contentBbcode = $content === null ? (old($name) ?? '') : htmlspecialchars_decode($content);`
	`41`	`+ $this->contentBbcode = $content ?? old($name) ?? '';`
`43`	`42`	`}`
`44`	`43`
`45`	`44`	`final public function updatedIsPreviewEnabled(): void`
`46`	`45`	`{`
`47`	`46`	`if ($this->isPreviewEnabled) {`
`48`		`- $this->contentHtml = (new Bbcode())->parse(htmlspecialchars((new AntiXSS())->xss_clean($this->contentBbcode), ENT_NOQUOTES));`
	`47`	`+ $this->contentHtml = (new Bbcode())->parse($this->contentBbcode);`
`49`	`48`	`}`
`50`	`49`	`}`
`51`	`50`