Merge pull request #6057 from BookStackApp/v25-12

V25.12 changes v3

Author: ssddanbrown

app/Entities/Controllers/PageRevisionController.php

@@ -12,6 +12,8 @@
 use BookStack\Facades\Activity;
 use BookStack\Http\Controller;
 use BookStack\Permissions\Permission;
+use BookStack\Util\HtmlContentFilter;
+use BookStack\Util\HtmlContentFilterConfig;
 use BookStack\Util\SimpleListOptions;
 use Illuminate\Http\Request;
 use Ssddanbrown\HtmlDiff\Diff;
@@ -101,12 +103,15 @@ public function changes(string $bookSlug, string $pageSlug, int $revisionId)
 
         $prev = $revision->getPreviousRevision();
         $prevContent = $prev->html ?? '';
-        $diff = Diff::excecute($prevContent, $revision->html);
+
+        // TODO - Refactor PageContent so we can de-dupe these steps
+        $rawDiff = Diff::excecute($prevContent, $revision->html);
+        $filterConfig = HtmlContentFilterConfig::fromConfigString(config('app.content_filtering'));
+        $filter = new HtmlContentFilter($filterConfig);
+        $diff = $filter->filterString($rawDiff);
 
         $page->fill($revision->toArray());
-        // TODO - Refactor PageContent so we don't need to juggle this
-        $page->html = $revision->html;
-        $page->html = (new PageContent($page))->render();
+        $page->html = '';
         $this->setPageTitle(trans('entities.pages_revision_named', ['pageName' => $page->getShortName()]));
 
         return view('pages.revision', [

app/Http/Controller.php

@@ -167,14 +167,26 @@ protected function getImageValidationRules(): array
 
     /**
      * Redirect to the URL provided in the request as a '_return' parameter.
-     * Will check that the parameter leads to a URL under the root path of the system.
+     * Will check that the parameter leads to a URL under the same origin as the application.
      */
     protected function redirectToRequest(Request $request): RedirectResponse
     {
         $basePath = url('/');
         $returnUrl = $request->input('_return') ?? $basePath;
 
-        if (!str_starts_with($returnUrl, $basePath)) {
+        // Only allow use of _return on requests where we expect CSRF to be active
+        // to prevent it potentially being used as an open redirect
+        $allowedMethods = ['POST', 'PUT', 'PATCH', 'DELETE'];
+        if (!in_array($request->getMethod(), $allowedMethods)) {
+            return redirect($basePath);
+        }
+
+        $intendedUrl = parse_url($returnUrl);
+        $baseUrl = parse_url($basePath);
+        $isSameOrigin = ($intendedUrl['host'] ?? '') === ($baseUrl['host'] ?? '')
+            && ($intendedUrl['scheme'] ?? '') === ($baseUrl['scheme'] ?? '')
+            && ($intendedUrl['port'] ?? 0) === ($baseUrl['port'] ?? 0);
+        if (!$isSameOrigin) {
             return redirect($basePath);
         }