46643: Exercise: Stored XSS with TinyMCE/Rich Text Editor (RTE) input

Signed-off-by: Releasemanager <webmaster@ilias.de>

Author: alex40724

components/ILIAS/Exercise/Assignment/class.ilExAssignment.php

@@ -341,6 +341,10 @@ public function getInstruction(): string
     public function getInstructionPresentation(): string
     {
         $inst = $this->getInstruction();
+
+        $purifier = new ilExcInstructionPurifier();
+        $inst = $purifier->purify($inst);
+
         if (trim($inst)) {
             $is_html = (strlen($inst) != strlen(strip_tags($inst)));
             if (!$is_html) {

components/ILIAS/Exercise/Assignment/class.ilExAssignmentListTextTableGUI.php

@@ -26,6 +26,7 @@
 class ilExAssignmentListTextTableGUI extends ilTable2GUI
 {
     protected SubmissionManager $subm;
+    protected \ILIAS\Exercise\InternalGUIService $gui;
     protected ilExAssignment $ass;
     protected bool $show_peer_review;
     protected ilExPeerReview $peer_review;
@@ -45,6 +46,8 @@ public function __construct(
         $lng = $DIC->language();
 
         $this->subm = $DIC->exercise()->internal()->domain()->submission($a_ass->getId());
+        $this->gui = $DIC->exercise()->internal()->gui();
+
         $this->ass = $a_ass;
         $this->show_peer_review = $a_show_peer_review;
         $this->setId("excassltxt" . $this->ass->getId());
@@ -105,7 +108,7 @@ protected function parse(): void
                     "uid" => $file["user_id"],
                     "uname" => ilUserUtil::getNamePresentation($file["user_id"]),
                     "udate" => $file["ts"],
-                    "utext" => ilRTE::_replaceMediaObjectImageSrc($file["atext"], 1) // mob id to mob src
+                    "utext" => $this->gui->getUIUtil()->formatTextInput($file["atext"]) // mob id to mob src
                 );
 
                 if (isset($peer_data[$file["user_id"]])) {
@@ -161,6 +164,6 @@ protected function fillRow(array $a_set): void
             "USER_DATE",
             ilDatePresentation::formatDate(new ilDate($a_set["udate"], IL_CAL_DATETIME))
         );
-        $this->tpl->setVariable("USER_TEXT", nl2br($a_set["utext"]));
+        $this->tpl->setVariable("USER_TEXT", $a_set["utext"]);
     }
 }

components/ILIAS/Exercise/PeerReview/class.ilExPeerReviewGUI.php

@@ -934,7 +934,7 @@ protected function getSubmissionContent(
         if ($sub) {
             if (trim($sub->getText()) !== '' && trim($sub->getText()) !== '0') {
                 // mob id to mob src
-                return nl2br(ilRTE::_replaceMediaObjectImageSrc($sub->getText(), 1));
+                return $this->gui->getUIUtil()->formatTextInput($sub->getText());
             }
         }
         return "";

components/ILIAS/Exercise/Service/classes/UIUtil.php

@@ -35,6 +35,8 @@ public function __construct(
 
     public function formatTextInput(string $text): string
     {
+        $purifier = new \ilExcTextSubmissionPurifier();
+        $text = $purifier->purify($text);
         $text = \ilRTE::_replaceMediaObjectImageSrc($text, 1);
         if (!str_contains($text, "<p>")) {
             $text = nl2br($text);

components/ILIAS/Exercise/classes/BackgroundTasks/class.ilExerciseManagementCollectFilesJob.php

@@ -561,8 +561,10 @@ protected function collectAssignmentData(int $assignment_id): void
                     //Get the submission Text
                     if (!in_array($assignment_type, $this->ass_types_with_files)) {
                         foreach ($submissions as $sub) {
+                            $purifier = new ilExcTextSubmissionPurifier();
+                            $atext = $purifier->purify($sub->getText());
                             $this->excel->setCell($row, self::SUBMISSION_DATE_COLUMN, $sub->getTimestamp());
-                            $this->excel->setCell($row, self::FIRST_DEFAULT_SUBMIT_COLUMN, $sub->getText());
+                            $this->excel->setCell($row, self::FIRST_DEFAULT_SUBMIT_COLUMN, $atext);
                         }
                     } else {
                         $col = self::FIRST_DEFAULT_SUBMIT_COLUMN;

components/ILIAS/Exercise/classes/class.ilExcTextSubmissionPurifier.php

@@ -0,0 +1,50 @@
+<?php
+
+/**
+ * This file is part of ILIAS, a powerful learning management system
+ * published by ILIAS open source e-Learning e.V.
+ *
+ * ILIAS is licensed with the GPL-3.0,
+ * see https://www.gnu.org/licenses/gpl-3.0.en.html
+ * You should have received a copy of said license along with the
+ * source code, too.
+ *
+ * If this is not the case or you just want to try ILIAS, you'll find
+ * us at:
+ * https://www.ilias.de
+ * https://github.com/ILIAS-eLearning
+ *
+ *********************************************************************/
+
+declare(strict_types=1);
+
+class ilExcTextSubmissionPurifier extends ilHtmlPurifierAbstractLibWrapper
+{
+    // corresponds to "mini" tagset of ilTextAreaInputGUI
+    protected const TAGSET = ["strong", "em", "u", "ol", "li", "ul", "blockquote", "a", "p", "span", "br"];
+
+    public function __construct()
+    {
+        parent::__construct();
+    }
+
+    protected function getPurifierConfigInstance(): HTMLPurifier_Config
+    {
+        $config = HTMLPurifier_Config::createDefault();
+        $config->set('HTML.DefinitionID', 'ilias exercise instruction');
+        $config->set('HTML.DefinitionRev', 1);
+        $config->set('Cache.SerializerPath', ilHtmlPurifierAbstractLibWrapper::_getCacheDirectory());
+        $config->set('HTML.Doctype', 'XHTML 1.0 Strict');
+
+        $tags = ilObjAdvancedEditing::_getUsedHTMLTags("exc_ass");
+        $tags = $this->makeElementListTinyMceCompliant($tags);
+        $config->set('HTML.AllowedElements', $this->removeUnsupportedElements($tags));
+        $config->set('HTML.ForbiddenAttributes', 'div@style');
+
+        if ($def = $config->maybeGetRawHTMLDefinition()) {
+            $def->addAttribute('a', 'target', 'Enum#_blank,_self,_target,_top');
+        }
+
+        return $config;
+    }
+}

components/ILIAS/Exercise/classes/class.ilExerciseManagementGUI.php

@@ -590,7 +590,6 @@ public function listTextAssignmentObject(): void
     {
         $this->initFilter();
         $this->setBackToMembers();
-
         /** @var $button_print \ILIAS\UI\Component\Component */
         $button_print = $this->ui_factory->button()->standard($this->lng->txt('print'), "#")
             ->withOnLoadCode(function ($id) {

components/ILIAS/Exercise/classes/class.ilObjExercise.php

@@ -441,7 +441,8 @@ public function sendAssignment(ilExAssignment $a_ass, array $a_members): void
 
         // body
 
-        $body = $a_ass->getInstruction();
+        $purifier = new ilExcInstructionPurifier();
+        $body = $purifier->purify($a_ass->getInstruction());
         $body .= "\n\n";
 
         $body .= $lng->txt("exc_edit_until") . ": ";