[PHP] DOMElement - attributes and namespace
Here's my function -
private function filterAttributes($node) {
// filters the attribute names and content
$attributes = $node-attributes;
foreach ($attributes as $attribute) {
// allow colon as it is used in namespace attributes -
// needs to be tested though, may require different handling??
// I should get a MathML document and try it out.
$pattern = '/[^a-z0-9:-]+/i';
$clean = strtolower(preg_replace($pattern,'',$attribute-name));
if (strcmp($clean,$attribute-name) != 0) {
$this-policyReport(Invalid Attribute Name);
}
$saniAtt[] = $clean;
if (strcmp($clean,value) != 0) {
if ($clean == src) {
$saniVal[] = $this-obfus($attribute-value,1);
} elseif ($clean == data) {
$saniVal[] = $this-obfus($attribute-value,1);
} elseif ($clean == code) {
$saniVal[] = $this-obfus($attribute-value,1);
} else {
$saniVal[] = $this-obfus($attribute-value);
}
} else {
// do not alter value attributes
$saniVal[] = $attribute-value;
}
$oldAtt[] = $attribute-name;
}
if (isset($oldAtt)) {
for ($i=0; $isizeof($oldAtt);$i++) {
$node-removeAttribute($oldAtt[$i]);
}
}
if (isset($saniAtt)) {
for ($i=0; $isizeof($saniAtt);$i++) {
$check = . $saniAtt[$i] . ;
if (substr_count($this-blacklist, $check) == 0) {
$node-setAttribute($saniAtt[$i],$saniVal[$i]);
} else {
$string = Blacklisted Event Attribute: . $saniAtt[$i];
$this-policyReport($string);
}
}
}
}
(entire class here - http://www.clfsrpm.net/xss/cspfilter_class.phps)
Here's the problem -
$attributes = $node-attributes;
creates a list that has both regular attributes and namespaced
attributes. But I don't know how to programatically tell them apart.
Here's the problem - when the attribute involves a namespace, IE xml:lang -
$node-removeAttribute($oldAtt[$i]);
doesn't remove it.
$node-setAttribute($saniAtt[$i],$saniVal[$i]);
creates a new attribute WITHOUT the namespace.
So if we have
xml:lang=something
after the function is run, the result is that there is an additional
attribute lang=filtered something
but xml:lang remains with the unfiltered attribute content.
If I knew a way to tell whether or not an attribute was namespaced I
could deal with it by using the correct $node-removeAttributeNS and
$node-setAttributeNS for those attributes, but I don't know how to tell
them apart programatically.
It seems that $attribute-name when the attribute is foo:bar will just
return bar, and I can't tell if it was originally foo:bar, xml:bar,
freak:bar, or just plain bar.
The extremely sparse documentation in the php manual on this area isn't
exactly helping me figure it out.
Any help would be appreciated.
To see the problem -
http://www.clfsrpm.net/xss/dom_script_test.php
Put
p xml:bar = javascript:something elseA Paragraph/p
into the textarea and hit submit - and you'll see what the function does
with the attribute.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] DOMElement - attributes and namespace
Michael A. Peters wrote: Here's the problem - $attributes = $node-attributes; creates a list that has both regular attributes and namespaced attributes. But I don't know how to programatically tell them apart. http://phpbuilder.com/manual/en/class.domattr.php What would be really nice is if I could do $attribute-namespace the same way I could do $attribute-name and $attribute-value That would easily allow me to solve the problem. Is there a reason why that isn't part of the DOMAttr class? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] DOMElement - attributes and namespace
Michael A. Peters wrote: Michael A. Peters wrote: Here's the problem - $attributes = $node-attributes; creates a list that has both regular attributes and namespaced attributes. But I don't know how to programatically tell them apart. http://phpbuilder.com/manual/en/class.domattr.php What would be really nice is if I could do $attribute-namespace the same way I could do $attribute-name and $attribute-value That would easily allow me to solve the problem. Is there a reason why that isn't part of the DOMAttr class? I found a dirty fix - it works but isn't proper. I think this is a bug in either $node-elements or DOMAttr Either the first needs to provide a way to tell what is before the : when a : exists in an attribute name or the second needs to either provide it in DOMAttr-name or provide another way to access what (if anything) is before a semicolon. At some point I'll get the guts to report it as a bug just to be told it isn't a bug with the standard response that says it isn't a bug and absolutely no explanation as to why. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] DOMElement - attributes and namespace
Michael A. Peters wrote: At some point I'll get the guts to report it as a bug just to be told it isn't a bug with the standard response that says it isn't a bug and absolutely no explanation as to why. Bug ID 47747 Clear demonstration test case - http://www.clfsrpm.net/bugs/domattr.phps http://www.clfsrpm.net/bugs/domattr.php I'll wait to see what they say, but if anyone knows how to get the xml:lang from the attribute list w/o knowing it is xml: - I would really like to know. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] DOMElement - attributes and namespace
Michael A. Peters wrote: Michael A. Peters wrote: At some point I'll get the guts to report it as a bug just to be told it isn't a bug with the standard response that says it isn't a bug and absolutely no explanation as to why. Bug ID 47747 Clear demonstration test case - http://www.clfsrpm.net/bugs/domattr.phps http://www.clfsrpm.net/bugs/domattr.php I'll wait to see what they say, but if anyone knows how to get the xml:lang from the attribute list w/o knowing it is xml: - I would really like to know. It was my misunderstanding. Properly fixing my code to deal with it is a PITA but is doable. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
