XCOMMONS-2634: Disallow form-related tags in HTML sanitizer

xwiki · Mar 1, 2023 · 99484d4 · 99484d4
1 parent 55d83c9
commit 99484d4
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 5 deletions.
diff --git a/...ons-core/xwiki-commons-xml/src/main/java/org/xwiki/xml/internal/html/HTMLDefinitions.java b/...ons-core/xwiki-commons-xml/src/main/java/org/xwiki/xml/internal/html/HTMLDefinitions.java
@@ -60,16 +60,17 @@ public class HTMLDefinitions
      */
     public HTMLDefinitions()
     {
+        // Compared to DOMPurify, this disallows form-related tags as they can be dangerous in the context of XWiki.
         this.htmlTags = new HashSet<>(
             Arrays.asList("a", "abbr", "acronym", "address", "area", "article", "aside", "audio", "b", "bdi", "bdo",
-                "big", "blink", "blockquote", "body", "br", "button", "canvas", "caption", "center", "cite", "code",
+                "big", "blink", "blockquote", "body", "br", "canvas", "caption", "center", "cite", "code",
                 "col", "colgroup", "content", "data", "datalist", "dd", "decorator", "del", "details", "dfn", "dialog",
-                "dir", "div", "dl", "dt", "element", "em", "fieldset", "figcaption", "figure", "font", "footer", "form",
-                "h1", "h2", "h3", "h4", "h5", "h6", "head", "header", "hgroup", "hr", "html", "i", "img", "input",
+                "dir", "div", "dl", "dt", "element", "em", "fieldset", "figcaption", "figure", "font", "footer",
+                "h1", "h2", "h3", "h4", "h5", "h6", "head", "header", "hgroup", "hr", "html", "i", "img",
                 "ins", "kbd", "label", "legend", "li", "main", "map", "mark", "marquee", "menu", "menuitem", "meter",
                 "nav", "nobr", "ol", "optgroup", "option", "output", "p", "picture", "pre", "progress", "q", "rp", "rt",
-                "ruby", "s", "samp", "section", "select", "shadow", "small", "source", "spacer", "span", "strike",
-                "strong", "style", "sub", "summary", "sup", "table", "tbody", "td", "template", "textarea", "tfoot",
+                "ruby", "s", "samp", "section", "shadow", "small", "source", "spacer", "span", "strike",
+                "strong", "style", "sub", "summary", "sup", "table", "tbody", "td", "template", "tfoot",
                 "th", "thead", "time", "tr", "track", "tt", "u", "ul", "var", "video", "wbr"));
 
         // Attributes that are in general allowed. Note that "target" is not generally safe, but XWiki contains code

diff --git a/...commons-xml/src/test/java/org/xwiki/xml/internal/html/SecureHTMLElementSanitizerTest.java b/...commons-xml/src/test/java/org/xwiki/xml/internal/html/SecureHTMLElementSanitizerTest.java
@@ -25,6 +25,7 @@
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.CsvSource;
+import org.junit.jupiter.params.provider.ValueSource;
 import org.xwiki.test.annotation.BeforeComponent;
 import org.xwiki.test.annotation.ComponentList;
 import org.xwiki.test.junit5.mockito.ComponentTest;
@@ -88,6 +89,13 @@ void forbiddenTags()
         assertFalse(this.secureHTMLElementSanitizer.isElementAllowed(HTMLConstants.TAG_A));
     }
 
+    @ParameterizedTest
+    @ValueSource(strings = { "form", "input", "select", "textarea", "button" })
+    void formTags(String tagName)
+    {
+        assertFalse(this.secureHTMLElementSanitizer.isElementAllowed(tagName));
+    }
+
     @Test
     void forbiddenAttributes()
     {