Anti XSS from external resources

Author: VINADES.,JSC

.htaccess

@@ -10,15 +10,15 @@
 
 RedirectMatch 404 ^.*\/(config|mainfile)\.php(.*)$
 
-ErrorDocument 400 /error.php?code=400&nvDisableRewriteCheck=1
-ErrorDocument 403 /error.php?code=403&nvDisableRewriteCheck=1
-ErrorDocument 404 /error.php?code=404&nvDisableRewriteCheck=1
-ErrorDocument 405 /error.php?code=405&nvDisableRewriteCheck=1
-ErrorDocument 408 /error.php?code=408&nvDisableRewriteCheck=1
-ErrorDocument 500 /error.php?code=500&nvDisableRewriteCheck=1
-ErrorDocument 502 /error.php?code=502&nvDisableRewriteCheck=1
-ErrorDocument 503 /error.php?code=503&nvDisableRewriteCheck=1
-ErrorDocument 504 /error.php?code=504&nvDisableRewriteCheck=1
+ErrorDocument 400 /error.php?code=400
+ErrorDocument 403 /error.php?code=403
+ErrorDocument 404 /error.php?code=404
+ErrorDocument 405 /error.php?code=405
+ErrorDocument 408 /error.php?code=408
+ErrorDocument 500 /error.php?code=500
+ErrorDocument 502 /error.php?code=502
+ErrorDocument 503 /error.php?code=503
+ErrorDocument 504 /error.php?code=504
 
 <IfModule mod_deflate.c>
   <FilesMatch "\.(css|js|xml|ttf)$">

admin/settings/security.php

@@ -62,6 +62,30 @@
     $array_config_global['two_step_verification'] = $nv_Request->get_int('two_step_verification', 'post', 0);
     $array_config_global['admin_2step_opt'] = $nv_Request->get_typed_array('admin_2step_opt', 'post', 'title', []);
     $array_config_global['admin_2step_default'] = $nv_Request->get_title('admin_2step_default', 'post', '');
+    $array_config_global['domains_restrict'] = (int) $nv_Request->get_bool('domains_restrict', 'post', false);
+
+    $domains = $nv_Request->get_textarea('domains_whitelist', '', NV_ALLOWED_HTML_TAGS, true);
+    $domains = explode('<br />', strip_tags($domains, '<br>'));
+
+    $array_config_global['domains_whitelist'] = [];
+    foreach ($domains as $domain) {
+        if (!empty($domain)) {
+            $domain = parse_url($domain);
+            if (is_array($domain)) {
+                if (sizeof($domain) == 1 and !empty($domain['path'])) {
+                    $domain['host'] = $domain['path'];
+                }
+                if (!isset($domain['scheme'])) {
+                    $domain['scheme'] = 'http';
+                }
+                $domain_name = nv_check_domain($domain['host']);
+                if (!empty($domain_name)) {
+                    $array_config_global['domains_whitelist'][] = $domain_name;
+                }
+            }
+        }
+    }
+    $array_config_global['domains_whitelist'] = empty($array_config_global['domains_whitelist']) ? '' : json_encode(array_unique($array_config_global['domains_whitelist']));
 
     if ($array_config_global['login_number_tracking'] < 1) {
         $array_config_global['login_number_tracking'] = 5;
@@ -126,6 +150,7 @@
     $array_config_define['nv_anti_iframe'] = NV_ANTI_IFRAME;
     $array_config_define['nv_allowed_html_tags'] = NV_ALLOWED_HTML_TAGS;
     $array_config_global['admin_2step_opt'] = empty($global_config['admin_2step_opt']) ? [] : explode(',', $global_config['admin_2step_opt']);
+    $array_config_global['domains_whitelist'] = empty($global_config['domains_whitelist']) ? '' : implode("\n", $global_config['domains_whitelist']);
 }
 
 $array_config_flood = [];
@@ -556,9 +581,11 @@
 $xtpl->assign('ANTI_IFRAME', $array_config_define['nv_anti_iframe'] ? ' checked="checked"' : '');
 
 $xtpl->assign('IS_LOGIN_BLOCKER', ($array_config_global['is_login_blocker']) ? ' checked="checked"' : '');
+$xtpl->assign('DOMAINS_RESTRICT', ($array_config_global['domains_restrict']) ? ' checked="checked"' : '');
 $xtpl->assign('LOGIN_NUMBER_TRACKING', $array_config_global['login_number_tracking']);
 $xtpl->assign('LOGIN_TIME_TRACKING', $array_config_global['login_time_tracking']);
 $xtpl->assign('LOGIN_TIME_BAN', $array_config_global['login_time_ban']);
+$xtpl->assign('DOMAINS_WHITELIST', $array_config_global['domains_whitelist']);
 
 foreach ($captcha_array as $gfx_chk_i => $gfx_chk_lang) {
     $array = array(

includes/core/admin_functions.php

@@ -145,7 +145,7 @@ function nv_save_file_config_global()
     $config_variable['error_send_email'] = $config_variable['error_send_email'];
 
     $config_name_array = ['file_allowed_ext', 'forbid_extensions', 'forbid_mimes', 'allow_sitelangs', 'allow_request_mods', 'config_sso'];
-    $config_name_json = ['crosssite_valid_domains', 'crosssite_valid_ips', 'crossadmin_valid_domains', 'crossadmin_valid_ips'];
+    $config_name_json = ['crosssite_valid_domains', 'crosssite_valid_ips', 'crossadmin_valid_domains', 'crossadmin_valid_ips', 'domains_whitelist'];
 
     foreach ($config_variable as $c_config_name => $c_config_value) {
         if (in_array($c_config_name, $config_name_array)) {

includes/language/en/admin_settings.php

@@ -50,6 +50,8 @@
 $lang_module['nv_allowed_html_tags'] = 'HTML code was approved in the system';
 $lang_module['nv_debug'] = 'Debug mode';
 $lang_module['nv_debug_help'] = 'If this option is enabled, the system will display errors to help developers easily check in the programming process. If your website is operating in a real environment, <strong>disable</strong> this option';
+$lang_module['domains_restrict'] = 'Limit domain names to dangerous HTML tags (iframe, object, embed...)';
+$lang_module['domains_whitelist'] = 'Trusted domain name (one domain per line). If enabled limit the domain name in the section above, the system will allow use of resources and links from these domains';
 $lang_module['captcha_type'] = 'Captcha type';
 $lang_module['captcha_type_0'] = 'Default captcha';
 $lang_module['captcha_type_1'] = 'Cool php captcha';

includes/language/fr/admin_settings.php

@@ -50,6 +50,8 @@
 $lang_module['nv_allowed_html_tags'] = 'Code HTML est accepté par le système';
 $lang_module['nv_debug'] = 'Mode développeur';
 $lang_module['nv_debug_help'] = 'Si cette option est activée, le système affichera des erreurs pour aider les développeurs à vérifier facilement le processus de programmation. Si votre site Web fonctionne dans un environnement réel, <strong>désactivez</strong> cette option.';
+$lang_module['domains_restrict'] = 'Limitez les noms de domaine aux balises HTML dangereuses (iframe, object, embed...)';
+$lang_module['domains_whitelist'] = 'Nom de domaine approuvé (un domaine par ligne). S\'il est activé, limitez le nom de domaine dans la section ci-dessus, le système autorisera l\'utilisation des ressources et des liens de ces domaines';
 $lang_module['captcha_type'] = 'Type de captcha';
 $lang_module['captcha_type_0'] = 'Défaut captcha';
 $lang_module['captcha_type_1'] = 'Bon php captcha';

includes/language/vi/admin_settings.php

@@ -52,6 +52,8 @@
 $lang_module['nv_allowed_html_tags'] = 'Mã HTML được chấp nhận sử dụng trong hệ thống';
 $lang_module['nv_debug'] = 'Chế độ nhà phát triển';
 $lang_module['nv_debug_help'] = 'Nếu bật tùy chọn này, hệ thống sẽ hiển thị các lỗi để giúp nhà phát triển dễ dàng kiểm tra trong quá trình lập trình. Nếu website đang hoạt động trên môi trường thật, bạn <strong>nên tắt</strong> tùy chọn này';
+$lang_module['domains_restrict'] = 'Giới hạn tên miền ở các thẻ HTML nguy hiểm (iframe, object, embed...)';
+$lang_module['domains_whitelist'] = 'Tên miền tin cậy (mỗi tên miền một dòng). Nếu kích hoạt giới hạn tên miền ở mục bên trên, hệ thống sẽ cho phép sử dụng tài nguyên, liên kết từ các tên miền này';
 
 $lang_module['captcha_type'] = 'Loại captcha';
 $lang_module['captcha_type_0'] = 'Captcha mặc định';

install/data.php

@@ -148,6 +148,8 @@
 $sql_create_table[] = "INSERT INTO " . NV_CONFIG_GLOBALTABLE . " (lang, module, config_name, config_value) VALUES ('sys', 'global', 'crossadmin_restrict', '1')";
 $sql_create_table[] = "INSERT INTO " . NV_CONFIG_GLOBALTABLE . " (lang, module, config_name, config_value) VALUES ('sys', 'global', 'crossadmin_valid_domains', '')";
 $sql_create_table[] = "INSERT INTO " . NV_CONFIG_GLOBALTABLE . " (lang, module, config_name, config_value) VALUES ('sys', 'global', 'crossadmin_valid_ips', '')";
+$sql_create_table[] = "INSERT INTO " . NV_CONFIG_GLOBALTABLE . " (lang, module, config_name, config_value) VALUES ('sys', 'global', 'domains_whitelist', '[\"youtube.com\",\"www.youtube.com\",\"google.com\",\"www.google.com\",\"drive.google.com\"]')";
+$sql_create_table[] = "INSERT INTO " . NV_CONFIG_GLOBALTABLE . " (lang, module, config_name, config_value) VALUES ('sys', 'global', 'domains_restrict', '1')";
 $sql_create_table[] = "INSERT INTO " . NV_CONFIG_GLOBALTABLE . " (lang, module, config_name, config_value) VALUES ('sys', 'define', 'nv_gfx_width', '150')";
 $sql_create_table[] = "INSERT INTO " . NV_CONFIG_GLOBALTABLE . " (lang, module, config_name, config_value) VALUES ('sys', 'define', 'nv_gfx_height', '40')";
 $sql_create_table[] = "INSERT INTO " . NV_CONFIG_GLOBALTABLE . " (lang, module, config_name, config_value) VALUES ('sys', 'define', 'nv_max_width', '1500')";

themes/admin_default/modules/settings/security.tpl

@@ -105,6 +105,18 @@
                                     <td><strong>{LANG.nv_allowed_html_tags}</strong></td>
                                     <td><textarea name="nv_allowed_html_tags" class="form-control" style="height: 100px" class="required">{NV_ALLOWED_HTML_TAGS}</textarea></td>
                                 </tr>
+                                <tr>
+                                    <td><strong>{LANG.domains_restrict}</strong></td>
+                                    <td>
+                                        <input type="checkbox" name="domains_restrict" value="1"{DOMAINS_RESTRICT}>
+                                    </td>
+                                </tr>
+                                <tr>
+                                    <td><strong>{LANG.domains_whitelist}</strong></td>
+                                    <td>
+                                        <textarea name="domains_whitelist" class="form-control" rows="5">{DOMAINS_WHITELIST}</textarea>
+                                    </td>
+                                </tr>
                             </tbody>
                             <tfoot>
                                 <tr>

vendor/vinades/nukeviet/Core/Request.php

@@ -135,6 +135,12 @@ class Request
         'base'
     ];
 
+    protected $remoteAttrCheck = [
+        'action' => ['form'],
+        'src' => ['iframe', 'embed'],
+        'data' => ['object']
+    ];
+
     /**
      * Các attr bị cấm, sẽ bị lọc bỏ.
      * - Tất cả các arrt bắt đầu bằng on
@@ -191,6 +197,9 @@ class Request
 
     protected $isIpValid = false;
 
+    protected $isRestrictDomain = true;
+    protected $validDomains = [];
+
     /**
      * @param array $config
      * @param string $ip Client IP
@@ -243,6 +252,9 @@ public function __construct($config, $ip)
             $this->validCrossIPs = !empty($config['crosssite_valid_ips']) ? ((array) $config['crosssite_valid_ips']) : [];
         }
 
+        $this->isRestrictDomain = !empty($config['domains_restrict']) ? true : false;
+        $this->validDomains = !empty($config['domains_whitelist']) ? ((array) $config['domains_whitelist']) : [];
+
         if (preg_match('#^(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])$#', $ip)) {
             $ip2long = ip2long($ip);
         } else {
@@ -724,6 +736,20 @@ private function filterAttr($attrSet, $tagName, &$isvalid)
                 ];
                 $value = preg_replace(array_values($search), array_keys($search), $value);
 
+                // Giới hạn link từ các tên miền bên ngoài
+                if ($this->isRestrictDomain and isset($this->remoteAttrCheck[$attrSubSet[0]]) and in_array($tagName, $this->remoteAttrCheck[$attrSubSet[0]])) {
+                    $url_info = parse_url($value);
+                    if (isset($url_info['host'])) {
+                        $domain = $url_info['host'];
+                        $callBack = function ($domain_allowed) use ($domain) {
+                            return preg_match('/^' . preg_quote($domain, '/') . '$/iu', $domain_allowed);
+                        };
+                        if (!array_filter($this->validDomains, $callBack)) {
+                            continue;
+                        }
+                    }
+                }
+
                 // Security remove object param tag
                 if ('param' == $tagName and 'name' == $attrSubSet[0] and preg_match('/^[\r\n\s\t]*(allowscriptaccess|allownetworking)/isu', strtolower($value))) {
                     return [];