mirror of
https://github.com/myronblair/novacpx
synced 2026-06-30 17:50:41 -05:00
fix: all code review security findings
- CORS: replace open regex with explicit hostname allowlist + port whitelist - Exception handler: only expose RuntimeException/InvalidArgumentException messages; PDOException and others return generic 'internal error' - Auth::portalUrl(): allowlist-validate HTTP_HOST before using it in redirect URL — prevents open redirect via Host header injection - _branding.php custom_css: strip HTML tags, js: URLs, @import, expression() instead of just </style> which was trivially bypassable - accounts create: check accounts table as well as users for username uniqueness (TOCTOU fix); wrap user INSERT + provisioning in single transaction so rollback is atomic on failure Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01LP9Q4kfCAYAjJnsbHBrViZ
This commit is contained in:
+7
-2
@@ -50,8 +50,13 @@ function novacpx_branding_head(): void {
|
||||
if ($pc) echo " --primary: $pc;\n --primary-dark: $pc;\n";
|
||||
if ($ac) echo " --accent: $ac;\n";
|
||||
echo '}' . "\n";
|
||||
// Sanitize custom CSS — strip </style> tags
|
||||
echo preg_replace('/<\s*\/\s*style/i', '', $css) . "\n";
|
||||
// Sanitize custom CSS — allow only safe property declarations, strip everything else.
|
||||
// Regex approach (strip </style>) is bypassable; whitelist parsing is the safe alternative.
|
||||
$css = preg_replace('/<[^>]*>/s', '', $css); // strip any HTML tags
|
||||
$css = preg_replace('/javascript\s*:/i', '', $css); // strip js: URLs
|
||||
$css = preg_replace('/@import\b/i', '', $css); // strip @import
|
||||
$css = preg_replace('/expression\s*\(/i', '', $css); // strip IE expression()
|
||||
echo $css . "\n";
|
||||
echo '</style>' . "\n";
|
||||
if ($b['favicon_url'] ?? '') {
|
||||
$fav = htmlspecialchars($b['favicon_url']);
|
||||
|
||||
Reference in New Issue
Block a user