update: remove XSS cleaner and remove XSS vulnerabilities

We've been mostly relying on the 3rd party xss cleaner to make sure user submitted content is clean. This PR fixes up any leftover holes in the bbcode parser that allow xss vulnerabilities, and as a result, the 3rd party library isn't needed anymore. It cleans responsibly by first, running `htmlspecialchars()` over the content, followed by sanitizing the untrusted urls and whitelisting their protocol.

Author: Roardom

app/Helpers/Bbcode.php

@@ -153,7 +153,7 @@ class Bbcode
             'block'       => true,
         ],
         'namedquote' => [
-            'openBbcode'  => '/^\[quote=([^<>"]*?)\]/i',
+            'openBbcode'  => '/^\[quote=(.*?)\]/i',
             'closeBbcode' => '[/quote]',
             'openHtml'    => '<blockquote><i class="fas fa-quote-left"></i> <cite>Quoting $1:</cite><p>',
             'closeHtml'   => '</p></blockquote>',
@@ -278,6 +278,9 @@ class Bbcode
      */
     public function parse(?string $source, bool $replaceLineBreaks = true): string
     {
+        $source ??= '';
+        $source = htmlspecialchars($source, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
+
         // Replace all void elements since they don't have closing tags
         $source = str_replace('[*]', '<li>', (string) $source);
         $source = str_replace('[hr]', '<hr>', $source);
@@ -320,7 +323,7 @@ public function parse(?string $source, bool $replaceLineBreaks = true): string
             $source ?? ''
         );
         $source = preg_replace_callback(
-            '/\[video="youtube"]([a-z0-9_-]{11})\[\/video]/i',
+            '/\[video=&quot;youtube&quot;]([a-z0-9_-]{11})\[\/video]/i',
             static fn ($matches) => '<iframe width="560" height="315" src="https://www.youtube-nocookie.com/embed/'.$matches[1].'?rel=0" allow="autoplay; encrypted-media" allowfullscreen></iframe>',
             $source ?? ''
         );

app/Helpers/Linkify.php

@@ -27,7 +27,14 @@ public function linky(string $text): string
         $validator = new Validator(
             false, // bool - if should use top level domain to match urls without scheme
             [],    // string[] - array of blacklisted schemes
-            [],    // string[] - array of whitelisted schemes
+            [
+                'http',
+                'https',
+                'irc',
+                'ftp',
+                'sftp',
+                'magnet',
+            ],    // string[] - array of whitelisted schemes
             true   // bool - if should match emails (if match by TLD set to "false" - will match only "mailto" urls)
         );
 

app/Http/Livewire/BbcodeInput.php

@@ -18,7 +18,6 @@
 
 use App\Helpers\Bbcode;
 use Livewire\Component;
-use voku\helper\AntiXSS;
 
 class BbcodeInput extends Component
 {
@@ -39,13 +38,13 @@ final public function mount(string $name, string $label, bool $required = false,
         $this->name = $name;
         $this->label = $label;
         $this->isRequired = $required;
-        $this->contentBbcode = $content === null ? (old($name) ?? '') : htmlspecialchars_decode($content);
+        $this->contentBbcode = $content ?? old($name) ?? '';
     }
 
     final public function updatedIsPreviewEnabled(): void
     {
         if ($this->isPreviewEnabled) {
-            $this->contentHtml = (new Bbcode())->parse(htmlspecialchars((new AntiXSS())->xss_clean($this->contentBbcode), ENT_NOQUOTES));
+            $this->contentHtml = (new Bbcode())->parse($this->contentBbcode);
         }
     }
 

app/Http/Resources/ChatMessageResource.php

@@ -19,7 +19,6 @@
 use App\Helpers\Bbcode;
 use hdvinnie\LaravelJoyPixels\LaravelJoyPixels;
 use Illuminate\Http\Resources\Json\JsonResource;
-use voku\helper\AntiXSS;
 
 /**
  * @mixin \App\Models\Message
@@ -33,17 +32,14 @@ class ChatMessageResource extends JsonResource
      */
     public function toArray($request): array
     {
-        $emojiOne = app()->make(LaravelJoyPixels::class);
+        $emojiOne = new LaravelJoyPixels();
 
         $bbcode = new Bbcode();
+        $logger = $bbcode->parse($this->message);
+        $logger = $emojiOne->toImage($logger);
 
         if ($this->user_id == 1) {
-            $logger = $bbcode->parse('<div class="align-left"><div class="chatTriggers">'.$this->message.'</div></div>');
-            $logger = $emojiOne->toImage($logger);
             $logger = str_replace('a href="/#', 'a trigger="bot" class="chatTrigger" href="/#', $logger);
-        } else {
-            $logger = $bbcode->parse('<div class="align-left">'.$this->message.'</div>');
-            $logger = $emojiOne->toImage($logger);
         }
 
         return [
@@ -52,7 +48,7 @@ public function toArray($request): array
             'user'       => new ChatUserResource($this->whenLoaded('user')),
             'receiver'   => new ChatUserResource($this->whenLoaded('receiver')),
             'chatroom'   => new ChatRoomResource($this->whenLoaded('chatroom')),
-            'message'    => (new AntiXSS())->xss_clean($logger),
+            'message'    => $logger,
             'created_at' => $this->created_at->toIso8601String(),
             'updated_at' => $this->updated_at->toIso8601String(),
         ];

app/Models/Article.php

@@ -21,7 +21,6 @@
 use App\Traits\Auditable;
 use Illuminate\Database\Eloquent\Factories\HasFactory;
 use Illuminate\Database\Eloquent\Model;
-use voku\helper\AntiXSS;
 
 /**
  * App\Models\Article.
@@ -69,14 +68,6 @@ public function comments(): \Illuminate\Database\Eloquent\Relations\MorphMany
         return $this->morphMany(Comment::class, 'commentable');
     }
 
-    /**
-     * Set The Articles Content After Its Been Purified.
-     */
-    public function setContentAttribute(?string $value): void
-    {
-        $this->attributes['content'] = $value === null ? null : htmlspecialchars((new AntiXSS())->xss_clean($value), ENT_NOQUOTES);
-    }
-
     /**
      * Parse Content And Return Valid HTML.
      */

app/Models/Comment.php

@@ -23,7 +23,6 @@
 use Illuminate\Database\Eloquent\Builder;
 use Illuminate\Database\Eloquent\Factories\HasFactory;
 use Illuminate\Database\Eloquent\Model;
-use voku\helper\AntiXSS;
 
 /**
  * App\Models\Comment.
@@ -111,14 +110,6 @@ public function scopeParent(Builder $builder): void
         $builder->whereNull('parent_id');
     }
 
-    /**
-     * Set The Articles Content After Its Been Purified.
-     */
-    public function setContentAttribute(?string $value): void
-    {
-        $this->attributes['content'] = $value === null ? null : htmlspecialchars((new AntiXSS())->xss_clean($value), ENT_NOQUOTES);
-    }
-
     /**
      * Parse Content And Return Valid HTML.
      */

app/Models/Message.php

@@ -19,7 +19,6 @@
 use App\Helpers\Bbcode;
 use Illuminate\Database\Eloquent\Factories\HasFactory;
 use Illuminate\Database\Eloquent\Model;
-use voku\helper\AntiXSS;
 
 /**
  * App\Models\Message.
@@ -91,14 +90,6 @@ public function chatroom(): \Illuminate\Database\Eloquent\Relations\BelongsTo
         return $this->belongsTo(Chatroom::class);
     }
 
-    /**
-     * Set The Chat Message After Its Been Purified.
-     */
-    public function setMessageAttribute(string $value): void
-    {
-        $this->attributes['message'] = htmlspecialchars((new AntiXSS())->xss_clean($value), ENT_NOQUOTES);
-    }
-
     /**
      * Parse Content And Return Valid HTML.
      */

app/Models/Note.php

@@ -20,7 +20,6 @@
 use App\Traits\Auditable;
 use Illuminate\Database\Eloquent\Factories\HasFactory;
 use Illuminate\Database\Eloquent\Model;
-use voku\helper\AntiXSS;
 
 /**
  * App\Models\Note.
@@ -79,14 +78,6 @@ public function staffuser(): \Illuminate\Database\Eloquent\Relations\BelongsTo
         ]);
     }
 
-    /**
-     * Set Message After It's Been Purified.
-     */
-    public function setMessageAttribute(?string $value): void
-    {
-        $this->attributes['message'] = $value === null ? null : htmlspecialchars((new AntiXSS())->xss_clean($value), ENT_NOQUOTES);
-    }
-
     /**
      * Parse Message And Return Valid HTML.
      */

app/Models/Playlist.php

@@ -21,7 +21,6 @@
 use App\Traits\Auditable;
 use Illuminate\Database\Eloquent\Factories\HasFactory;
 use Illuminate\Database\Eloquent\Model;
-use voku\helper\AntiXSS;
 
 /**
  * App\Models\Playlist.
@@ -78,14 +77,6 @@ public function comments(): \Illuminate\Database\Eloquent\Relations\MorphMany
         return $this->morphMany(Comment::class, 'commentable');
     }
 
-    /**
-     * Set The Playlists Description After It's Been Purified.
-     */
-    public function setDescriptionAttribute(?string $value): void
-    {
-        $this->attributes['description'] = $value === null ? null : htmlspecialchars((new AntiXSS())->xss_clean($value), ENT_NOQUOTES);
-    }
-
     /**
      * Parse Description And Return Valid HTML.
      */

app/Models/Post.php

@@ -21,7 +21,6 @@
 use App\Traits\Auditable;
 use Illuminate\Database\Eloquent\Factories\HasFactory;
 use Illuminate\Database\Eloquent\Model;
-use voku\helper\AntiXSS;
 
 /**
  * App\Models\Post.
@@ -156,14 +155,6 @@ public function scopeAuthorized(
         );
     }
 
-    /**
-     * Set The Posts Content After Its Been Purified.
-     */
-    public function setContentAttribute(?string $value): void
-    {
-        $this->attributes['content'] = $value === null ? null : htmlspecialchars((new AntiXSS())->xss_clean($value), ENT_NOQUOTES);
-    }
-
     /**
      * Parse Content And Return Valid HTML.
      */

app/Models/PrivateMessage.php

@@ -20,7 +20,6 @@
 use App\Helpers\Linkify;
 use Illuminate\Database\Eloquent\Factories\HasFactory;
 use Illuminate\Database\Eloquent\Model;
-use voku\helper\AntiXSS;
 
 /**
  * App\Models\PrivateMessage.
@@ -64,14 +63,6 @@ public function conversation(): \Illuminate\Database\Eloquent\Relations\BelongsT
         return $this->belongsTo(Conversation::class);
     }
 
-    /**
-     * Set The PM Message After Its Been Purified.
-     */
-    public function setMessageAttribute(string $value): void
-    {
-        $this->attributes['message'] = htmlspecialchars((new AntiXSS())->xss_clean($value), ENT_NOQUOTES);
-    }
-
     /**
      * Parse Content And Return Valid HTML.
      */

app/Models/TicketNote.php

@@ -18,7 +18,6 @@
 
 use App\Helpers\Linkify;
 use Illuminate\Database\Eloquent\Model;
-use voku\helper\AntiXSS;
 
 /**
  * App\Models\TicketNote.
@@ -59,14 +58,6 @@ public function ticket(): \Illuminate\Database\Eloquent\Relations\BelongsTo
         return $this->belongsTo(Ticket::class);
     }
 
-    /**
-     * Set Message After It's Been Purified.
-     */
-    public function setMessageAttribute(?string $value): void
-    {
-        $this->attributes['message'] = $value === null ? null : htmlspecialchars((new AntiXSS())->xss_clean($value), ENT_NOQUOTES);
-    }
-
     /**
      * Parse Message And Return Valid HTML.
      */

app/Models/Torrent.php

@@ -29,7 +29,6 @@
 use Illuminate\Database\Eloquent\Model;
 use Illuminate\Database\Eloquent\SoftDeletes;
 use Laravel\Scout\Searchable;
-use voku\helper\AntiXSS;
 
 /**
  * App\Models\Torrent.
@@ -751,14 +750,6 @@ public function trump(): \Illuminate\Database\Eloquent\Relations\HasOne
         return $this->hasOne(TorrentTrump::class);
     }
 
-    /**
-     * Set The Torrents Description After Its Been Purified.
-     */
-    public function setDescriptionAttribute(?string $value): void
-    {
-        $this->attributes['description'] = $value === null ? null : htmlspecialchars((new AntiXSS())->xss_clean($value), ENT_NOQUOTES);
-    }
-
     /**
      * Parse Description And Return Valid HTML.
      */

app/Models/TorrentRequest.php

@@ -21,7 +21,6 @@
 use App\Traits\Auditable;
 use Illuminate\Database\Eloquent\Factories\HasFactory;
 use Illuminate\Database\Eloquent\Model;
-use voku\helper\AntiXSS;
 
 /**
  * App\Models\TorrentRequest.
@@ -215,14 +214,6 @@ public function claim(): \Illuminate\Database\Eloquent\Relations\HasOne
         return $this->hasOne(TorrentRequestClaim::class, 'request_id');
     }
 
-    /**
-     * Set The Requests Description After Its Been Purified.
-     */
-    public function setDescriptionAttribute(?string $value): void
-    {
-        $this->attributes['description'] = $value === null ? null : htmlspecialchars((new AntiXSS())->xss_clean($value), ENT_NOQUOTES);
-    }
-
     /**
      * Parse Description And Return Valid HTML.
      */

app/Models/User.php

@@ -28,7 +28,6 @@
 use Illuminate\Foundation\Auth\User as Authenticatable;
 use Illuminate\Notifications\Notifiable;
 use Laravel\Fortify\TwoFactorAuthenticatable;
-use voku\helper\AntiXSS;
 
 /**
  * App\Models\User.
@@ -1181,14 +1180,6 @@ public function getFormattedBufferAttribute(): string
         return StringHelper::formatBytes($bytes);
     }
 
-    /**
-     * Set The Users Signature After It's Been Purified.
-     */
-    public function setSignatureAttribute(?string $value): void
-    {
-        $this->attributes['signature'] = $value === null ? null : htmlspecialchars((new AntiXSS())->xss_clean($value), ENT_NOQUOTES);
-    }
-
     /**
      * Returns the HTML of the user's signature.
      */
@@ -1199,14 +1190,6 @@ public function getSignatureHtmlAttribute(): string
         return (new Linkify())->linky($bbcode->parse($this->signature));
     }
 
-    /**
-     * Set The Users About Me After It's Been Purified.
-     */
-    public function setAboutAttribute(?string $value): void
-    {
-        $this->attributes['about'] = $value === null ? null : htmlspecialchars((new AntiXSS())->xss_clean($value), ENT_NOQUOTES);
-    }
-
     /**
      * Parse About Me And Return Valid HTML.
      */

composer.json

@@ -41,7 +41,6 @@
         "spatie/ssl-certificate": "^2.6.8",
         "symfony/dom-crawler": "^6.4.16",
         "theodorejb/polycast": "dev-master",
-        "voku/anti-xss": "^4.1.42",
         "vstelmakh/url-highlight": "^3.1.1"
     },
     "require-dev": {