moodle/moodle
3
0
Fork 0
mirror of https://github.com/moodle/moodle.git synced 2025-08-04 16:36:37 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

MDL-68066 output: Apply disable lambda rendering to Mustache renderer

Browse source
This commit is contained in:
Michael Hawkins 2022-08-19 14:34:09 +08:00 committed by Jun Pataleta
parent fcbb645671
commit c43123adde
3 changed files with 11 additions and 22 deletions
Download patch file Download diff file Expand all files Collapse all files

3
lib/mustache/readme_moodle.txt
View file

@ -17,3 +17,6 @@ Local changes:
Note: All this changes need to be reviewed on every upgrade and, if they have Note: All this changes need to be reviewed on every upgrade and, if they have
been already applied upstream for the release being used, can be removed been already applied upstream for the release being used, can be removed
from the list. If still not available upstream, they will need to be re-applied. from the list. If still not available upstream, they will need to be re-applied.
1) If the relevant pull request has not been accepted yet, apply the following commit, so we are able to disable unnecessary rendering:
https://github.com/bobthecow/mustache.php/pull/402/commits/db771014c7e346438f68077813ebdda3fdae12df#

5
lib/outputrenderers.php
View file

@ -135,7 +135,10 @@ class renderer_base {
// Don't allow the JavaScript helper to be executed from within another // Don't allow the JavaScript helper to be executed from within another
// helper. If it's allowed it can be used by users to inject malicious // helper. If it's allowed it can be used by users to inject malicious
// JS into the page. // JS into the page.
'disallowednestedhelpers' => ['js'])); 'disallowednestedhelpers' => ['js'],
// Disable lambda rendering - content in helpers is already rendered, no need to render it again.
'disable_lambda_rendering' => true,
));
} }

25
lib/tests/core_renderer_template_exploit_test.php
View file

@ -88,7 +88,7 @@ class core_renderer_template_exploit_test extends \advanced_testcase {
'test1' => $norender, 'test1' => $norender,
], ],
'js' => 'some nasty JS', 'js' => 'some nasty JS',
'expected' => 'core, move, some text', 'expected' => 'core, move, some text {{}}',
'include' => false 'include' => false
], ],
'js helper not nested' => [ 'js helper not nested' => [
@ -131,7 +131,7 @@ class core_renderer_template_exploit_test extends \advanced_testcase {
'testpix' => $singlerender 'testpix' => $singlerender
], ],
'js' => 'some nasty JS', 'js' => 'some nasty JS',
'expected' => 'core, move,', 'expected' => 'core, move, {{}}',
'include' => false 'include' => false
], ],
'js in context double depth with single render' => [ 'js in context double depth with single render' => [
@ -147,7 +147,7 @@ class core_renderer_template_exploit_test extends \advanced_testcase {
'testpix' => $singlerender 'testpix' => $singlerender
], ],
'js' => 'some nasty JS', 'js' => 'some nasty JS',
'expected' => 'core, move, {{#js}} some nasty JS {{/js}}', 'expected' => 'core, move, {{second}}',
'include' => false 'include' => false
], ],
'js in context double depth with recursive render' => [ 'js in context double depth with recursive render' => [
@ -267,24 +267,7 @@ class core_renderer_template_exploit_test extends \advanced_testcase {
'testpix' => $singlerender 'testpix' => $singlerender
], ],
'js' => 'some nasty JS', 'js' => 'some nasty JS',
'expected' => 'core, move,', 'expected' => 'core, move, {{> test2}}',
'include' => false
],
'partial double nested with js from context single render' => [
'templates' => [
'test' => '{{#testpix}} core, move, {{foo}}{{/testpix}}',
'test2' => '{{#js}} some nasty JS {{/js}}',
],
'torender' => 'test',
'context' => [
'foo' => '{{{bar}}}',
'bar' => '{{> test2}}'
],
'helpers' => [
'testpix' => $singlerender
],
'js' => 'some nasty JS',
'expected' => 'core, move, {{> test2}}',
'include' => false 'include' => false
], ],
'partial double nested with js from context recursive render' => [ 'partial double nested with js from context recursive render' => [