From 5a20626d91ce3f3f77aceb60ee08ba73fd83ce16 Mon Sep 17 00:00:00 2001
From: ryuring
Date: Sun, 1 Oct 2023 11:49:38 +0900
Subject: [PATCH] =?UTF-8?q?=E3=83=A1=E3=83=BC=E3=83=AB=E3=81=A8=E3=83=96?= =?UTF-8?q?=E3=83=AD=E3=82=B0=E3=81=AE=E8=AA=AC=E6=98=8E=E6=96=87=E3=81=AB?= =?UTF-8?q?=E3=81=A4=E3=81=84=E3=81=A6=20script=20=E3=82=BF=E3=82=B0?= =?UTF-8?q?=E3=82=92=E9=99=A4=E5=A4=96?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 lib/Baser/Lib/BcUtil.php | 19 ++++++++++++++
 .../Plugin/Blog/View/Helper/BlogHelper.php | 2 +-
 .../Plugin/Mail/View/Helper/MailHelper.php | 2 +-
 lib/Baser/Test/Case/Lib/BcUtilTest.php | 25 +++++++++++++++++++
 4 files changed, 46 insertions(+), 2 deletions(-)
diff --git a/lib/Baser/Lib/BcUtil.php b/lib/Baser/Lib/BcUtil.php
index 8aacd81a0a..f5582eb076 100644
--- a/lib/Baser/Lib/BcUtil.php
+++ b/lib/Baser/Lib/BcUtil.php
@@ -520,4 +520,23 @@ public static function getAdminPrefix()
 return Configure::read('BcAuthPrefix.admin.alias');
 }
 
+ /**
+ * 文字列よりスクリプトタグを除去する
+ *
+ * @param string $value
+ * @return string
+ */
+ public static function stripScriptTag($value)
+ {
+ $allows = [
+ 'a', 'abbr', 'address', 'area', 'b', 'blockquote', 'body', 'br', 'button', 'caption', 'cite', 'code',
+ 'col', 'colgroup', 'dd', 'del', 'dfn', 'div', 'dl', 'dt', 'em', 'fieldset', 'form', 'h1', 'h2', 'h3',
+ 'h4', 'h5', 'h6', 'hr', 'i', 'iframe', 'img', 'input', 'ins', 'kbd', 'label', 'legend', 'li', 'link',
+ 'map', 'meta', 'noscript', 'object', 'ol', 'optgroup', 'option', 'p', 'pre', 'q', 'samp', 'select',
+ 'small', 'span', 'strong', 'sub', 'sup', 'table', 'tbody', 'td', 'textarea', 'tfoot', 'th', 'thead',
+ 'title', 'tr', 'ul', 'var', 'style'
+ ];
+ return strip_tags($value, '<' . implode('><', $allows) . '>');
+ }
+
 }
diff --git a/lib/Baser/Plugin/Blog/View/Helper/BlogHelper.php b/lib/Baser/Plugin/Blog/View/Helper/BlogHelper.php
index ae1dd85cad..05b5ab4323 100755
--- a/lib/Baser/Plugin/Blog/View/Helper/BlogHelper.php
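Review bot: `strip_tags()` with an allow-list removes element names only, never attributes, so event-handler attributes and `javascript:` URLs on any allowed element survive unchanged, and the list itself keeps `iframe`, `object`, `form`, `input`, `link`, `meta` and `style`, which can carry active content on their own; the method therefore does not make a description safe to print as HTML, although its name and its use in BlogHelper/MailHelper read as if it did. Either narrow the list to inline formatting elements and escape at the output site (`h()`), or run a real HTML sanitizer when markup must survive. The behaviour also differs from the regex it replaces in MailHelper: `strip_tags` keeps the text between the removed `<script>` tags (the test's `'hoge'` → `'hogehoge'` case shows this) and drops every element not on the list, which is wider than "script", so the docblock should state it, e.g. `* Removes every tag not in $allows and keeps their inner text; attributes are not filtered, so the result must still be escaped per output context.` A typed signature, `public static function stripScriptTag(string $value): string`, would also surface a null description early, since `strip_tags(null)` is deprecated from PHP 8.1 (whether the column is nullable is not visible here).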
+++ b/lib/Baser/Plugin/Blog/View/Helper/BlogHelper.php
@@ -197,7 +197,7 @@ public function getTitle()
 */
 public function getDescription()
 {
- return $this->blogContent['description'];
+ return BcUtil::stripScriptTag($this->blogContent['description']);
 }
 
 /**
diff --git a/lib/Baser/Plugin/Mail/View/Helper/MailHelper.php b/lib/Baser/Plugin/Mail/View/Helper/MailHelper.php
index e9e33dbc05..fed6183766 100755
--- a/lib/Baser/Plugin/Mail/View/Helper/MailHelper.php
+++ b/lib/Baser/Plugin/Mail/View/Helper/MailHelper.php
@@ -158,7 +158,7 @@ public function getMailTemplates($siteId = 0)
 */
 public function getDescription()
 {
- return preg_replace('/(.*?)<\/script>/', '', $this->mailContent['description']);
+ return BcUtil::stripScriptTag($this->mailContent['description']);
 }
 
 /**
diff --git a/lib/Baser/Test/Case/Lib/BcUtilTest.php b/lib/Baser/Test/Case/Lib/BcUtilTest.php
index 6111f9b73c..16e274703e 100644
--- a/lib/Baser/Test/Case/Lib/BcUtilTest.php
+++ b/lib/Baser/Test/Case/Lib/BcUtilTest.php
@@ -481,4 +481,29 @@ public function getSubDomainDataProvider()
 ];
 }
 
+ /**
+ * test stripScriptTag
+ * @return void
+ * @dataProvider stripScriptTagDataProvider
+ */
+ public function testStripScriptTag($content, $expect)
+ {
+ $result = BcUtil::stripScriptTag($content);
+ $this->assertEquals($expect, $result, 'scriptタグを削除できません。');
+ }
+
+ public function stripScriptTagDataProvider()
+ {
+ return [
+ [
+ 'content' => '',
+ 'expect' => 'hoge'
+ ],
+ [
+ 'content' => 'hoge',
+ 'expect' => 'hogehoge'
+ ]
+ ];
+ }
+
 }
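Review bot: The value returned here still reaches the template unescaped, and `BcUtil::stripScriptTag()` leaves attributes on the surviving tags untouched, so this call changes which elements survive rather than making `description` safe for HTML output; the same applies to `MailHelper::getDescription()` in the next hunk. If the description is meant to be plain text (a meta description, for instance), `h($this->blogContent['description'])` at the rendering site is both simpler and stronger; if markup is intended, record the contract on the method, e.g. `// NOTE: only removes tags outside BcUtil::stripScriptTag()'s allow-list; attributes are kept, so escape per context when rendering.` If the `description` column can be null (not visible here), `stripScriptTag()` ends up calling `strip_tags(null)`, deprecated on PHP 8.1+, so `$this->blogContent['description'] ?? ''` is worth adding. The method's docblock begins outside the hunk.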
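Review bot: As displayed, neither provider case contains a script tag: the first passes `''` and expects `'hoge'`, the second passes `'hoge'` and expects `'hogehoge'`, so the test cannot pass unless the literal `<script>` markup was lost in rendering; please confirm the committed fixtures. The second case also documents that `strip_tags` keeps the script body as text, which is a behaviour change from the MailHelper regex and deserves a named dataset, e.g. `'keeps inner text' => ['content' => '<script>hoge</script>hoge', 'expect' => 'hogehoge']`. Add cases for an element outside the allow-list, for an allowed element carrying an attribute (pinning down that attributes are not filtered), and for an empty string, so the helper's real guarantees are visible from the tests. The assertion message `'scriptタグを削除できません。'` should then say what each case checks rather than assuming a script tag was present.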