Added: new matching types.

Author: dave83649

src/Processor.php

@@ -348,6 +348,11 @@ public function matchParameterValue($match, $value)
             return @stripos($value, $matchValue) === false;
         }
 
+        // If a scalar contains single or double quotes.
+        if (($matchType == 'quotes' || $matchType == 'inline_js_xss') && is_scalar($value)) {
+            return @stripos($value, '"') !== false || @stripos($value, "'") !== false;
+        }
+
         // If a string matches a regular expression.
         if ($matchType == 'regex' && is_string($matchValue) && is_scalar($value)) {
             return @preg_match($matchValue, @urldecode($value)) === 1;
@@ -400,7 +405,7 @@ public function matchParameterValue($match, $value)
             }
 
             // We only care about the hostname.
-            $host = parse_url($value, PHP_URL_HOST);
+            $host = @parse_url($value, PHP_URL_HOST);
             if (!$host) {
                 return true;
             }
@@ -441,6 +446,24 @@ public function matchParameterValue($match, $value)
             return $this->matchParameterValue($match['match'], $contents);
         }
 
+        // If a scalar passes a run through wp_kses_post.
+        if ($matchType == 'general_xss' && is_scalar($value) && function_exists('wp_kses_post')) {
+            return $value != @wp_kses_post($value);
+        }
+
+        // If a scalar passes a run through inline_js_xss.
+        if ($matchType == 'inline_xss' && is_scalar($value)) {
+            if (@stripos($value, '"') === false && @stripos($value, "'") === false) {
+                return false;
+            }
+        
+            if (@stripos($value, '>') !== false || @stripos($value, '=') !== false) {
+                return true;
+            }
+        
+            return false;
+        }
+
         return false;
     }
 

tests/FirewallTest.php

@@ -376,5 +376,43 @@ function shortcode_parse_atts( $text ) {
         );
         $this->assertFalse($this->processor->launch(false));
         $this->alterPayload();
+
+        // Block a parameter from containing single or double quotes.
+        $this->setUpFirewallProcessor([$this->rules[21]]);
+        $this->alterPayload(
+            ['GET' => [
+            'search' => 'This is a valid string without quotes.'
+            ]]
+        );
+        $this->assertTrue($this->processor->launch(false));
+        $this->alterPayload();
+
+        $this->setUpFirewallProcessor([$this->rules[21]]);
+        $this->alterPayload(
+            ['GET' => [
+            'search' => 'This contains single \' and double " quotes.'
+            ]]
+        );
+        $this->assertFalse($this->processor->launch(false));
+        $this->alterPayload();
+
+        // Block a parameter from containing single or double quotes.
+        $this->setUpFirewallProcessor([$this->rules[22]]);
+        $this->alterPayload(
+            ['GET' => [
+            'search' => 'This is a valid search "string".'
+            ]]
+        );
+        $this->assertTrue($this->processor->launch(false));
+        $this->alterPayload();
+
+        $this->setUpFirewallProcessor([$this->rules[22]]);
+        $this->alterPayload(
+            ['GET' => [
+            'search' => '" onmouseover="alert(1)"'
+            ]]
+        );
+        $this->assertFalse($this->processor->launch(false));
+        $this->alterPayload();
     }
 }

tests/data/Rules.json

@@ -166,5 +166,21 @@
         "cat":"TEST",
         "type":"BLOCK",
         "type_params":null
+    },
+    {
+        "id":22,
+        "title":"Block search parameter containing single or double quotes.",
+        "rules":[{"parameter":"get.search","match":{"type":"quotes"}}],
+        "cat":"TEST",
+        "type":"BLOCK",
+        "type_params":null
+    },
+    {
+        "id":23,
+        "title":"Block search parameter containing an inline HTML injection.",
+        "rules":[{"parameter":"get.search","match":{"type":"inline_xss"}}],
+        "cat":"TEST",
+        "type":"BLOCK",
+        "type_params":null
     }
 ]