security: patch Stored XSS in Blog/Pages and Fileeditor destructive ops bypass (reported by offset)

- Fix Stored XSS in Blog content: CustomRules::getClean() output now persisted
  on both create and update flows in Blog.php controller
- Fix Stored XSS in Pages content: identical html_purify bypass remediated
  in Pages.php controller for create and update endpoints
- Fix Fileeditor destructive operations extension bypass: dangerous-extension
  allowlist check extended to deleteFileOrFolder and renameFile operations
  so critical files (.env, composer.json, etc.) cannot be renamed or deleted
- Update CHANGELOG.md: add three security entries to [0.31.9.0] block,
  correct release date to 2026-05-08, add [0.31.9.0] reference link
- Update README.md: expand Security note with new Fileeditor and XSS details;
  update offset Hall of Fame entry with full vulnerability list (Apr-May 2026)

Author: bertugfahriozer

CHANGELOG.md

@@ -4,7 +4,7 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/) and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html) conventions adapted to the existing four-component version numbers.
 
-## [0.31.9.0] - 2026-05-01
+## [0.31.9.0] - 2026-05-08
 
 ### Security
 
@@ -15,6 +15,9 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/)
 - **Fileeditor RCE Prevention:** Added `$dangerousExtensions` blacklist (`.php`, `.phtml`, `.phar`, `.htaccess`, etc.) to block creating, writing, or renaming executable files via the file editor. Added `file_exists()` overwrite protection for `createFile` and `realpath` boundary validation for `renameFile`.
 - **SQL Restore Hardening:** Implemented a SQL statement whitelist (`INSERT`, `CREATE TABLE`, `DROP TABLE`, etc.) and dangerous command blacklist (`LOAD_FILE`, `INTO OUTFILE`, `GRANT`, `xp_cmdshell`, etc.) in `DbBackup::restore()`. Added path traversal protection requiring backup files to reside within `WRITEPATH`.
 - **Hardcoded Credentials:** Removed plaintext passwords from `DevGate` configuration. Implemented `bcrypt` hashed passwords and enabled `$useHashedPasswords` by default to protect developer credentials.
+- **Stored XSS — Blog Content (reported by offset):** The `html_purify` custom validation rule was applied to the Blog content field but did not enforce sanitization during update operations, allowing authenticated authors to persist malicious scripts. Fixed by ensuring `CustomRules::getClean()` is invoked and its output persisted on both `create` and `update` flows in `Blog.php` controller.
+- **Stored XSS — Pages Content (reported by offset):** Identical bypass in the Pages module: the `html_purify` rule ran validation but the raw unsanitized value was written to the database on update. Fixed by enforcing `CustomRules::getClean()` output persistence in `Pages.php` controller for both creation and editing endpoints.
+- **Fileeditor Destructive Operations Extension Bypass (reported by offset):** The dangerous-extension blacklist was only enforced on `createFile`, `saveFile`, and `renameFile` but not on `deleteFileOrFolder` and `renameFile` when the target was a critical application file (e.g. `.env`, `composer.json`). Added an explicit extension allowlist check to all destructive operations (`deleteFileOrFolder`, `renameFile`) so that renaming or deleting files with critical extensions is blocked regardless of the operation type.
 
 ### Changed
 
@@ -311,6 +314,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/)
 
 - Expanded database migrations and introduced new supporting libraries.
 
+[0.31.9.0]: https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.9.0
 [0.31.8.1]: https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.8.1
 [0.31.8.0]: https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.8.0
 [0.31.7.0]: https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.7.0

README.md

@@ -185,7 +185,7 @@ Standard CodeIgniter commands (`php spark db:seed`, `php spark key:generate`, et
 - `composer test` — runs PHPUnit.
 - The GitHub Actions workflow (`.github/workflows/docker-test.yaml`) automatically builds the Docker image and runs migrations on every push to `master`.
 - **Maintenance mode**: When `settings.maintenanceMode.scalar == 1`, the `Ci4ms` filter redirects visitors to `maintenance-mode`.
-- **Security**: `Fileeditor` enforces `realpath` guards and a dangerous extension blacklist (`.php`, `.phtml`, `.phar`, `.htaccess`) to prevent RCE. `Backup` restore uses SQL statement whitelist to block malicious queries (`LOAD_FILE`, `GRANT`, etc.). `HTMLPurifier` config is hardened against XSS bypass (`data:` URIs blocked, `CSS.Trusted` disabled). All `$_SERVER` reads replaced with CI4 `base_url()`/`site_url()` helpers. Configure `App.php::$proxyIPs` if behind Cloudflare/Nginx.
+- **Security**: `Fileeditor` enforces `realpath` guards and a dangerous extension blacklist (`.php`, `.phtml`, `.phar`, `.htaccess`) to prevent RCE; destructive operations (`deleteFileOrFolder`, `renameFile`) additionally validate against an extension allowlist to block renaming or deleting critical application files. `Backup` restore uses SQL statement whitelist to block malicious queries (`LOAD_FILE`, `GRANT`, etc.). `HTMLPurifier` config is hardened against XSS bypass (`data:` URIs blocked, `CSS.Trusted` disabled) and `CustomRules::getClean()` output is persisted on every `create` and `update` flow in Blog and Pages controllers to prevent Stored XSS. All `$_SERVER` reads replaced with CI4 `base_url()`/`site_url()` helpers. Configure `App.php::$proxyIPs` if behind Cloudflare/Nginx.
 
 ## Additional Docs
 
@@ -209,7 +209,7 @@ A huge thank you to the security researchers who have helped make **ci4ms** more
 | **[Hunter.](https://github.com/LAW6ZX7)** | Identified Critical Stored XSS in Backend & Blog modules allowing Session Hijacking. | Feb 2026 |
 | **[m1scher](https://github.com/m1scher)** | Assisted with vulnerability triaging and security testing. | Feb 2026 |
 | **[alpernae](https://github.com/alpernae)** | Assisted with vulnerability triaging and security testing. | Feb 2026 |
-| **[offset](https://github.com/offset)** | Identified Critical vulnerabilities including multiple Stored XSS, Authorization Bypass in Fileeditor, Install Guard Bypass, and CRLF Injection. | Apr 2026 |
+| **[offset](https://github.com/offset)** | Identified Critical vulnerabilities including multiple Stored XSS (Blog & Pages content via broken `html_purify` validation), Authorization Bypass in Fileeditor destructive operations (delete/rename extension allowlist missing), Install Guard Bypass, and CRLF Injection. | Apr – May 2026 |
 | **[fg0x0](https://github.com/fg0x0)** | Identified Critical Arbitrary File Write (Zip Slip RCE) vulnerabilities in Theme::upload and Backup::restore modules. | Apr 2026 |
 | **[0xAlchemist](https://github.com/bugmithlegend)** , **[peeefour](https://github.com/peeefour)** and **[DexterHK](https://github.com/DexterHK)** | Identified Critical Full Account Takeover and Privilege Escalation via Stored DOM Blind XSS in Backup Management (v2). | Apr 2026 |
 | **[dapickle](https://github.com/dapickle)** | Identified Critical Authenticated RCE in Theme installation, Arbitrary Database Table Drop in Theme module, and a Session Management Bypass. | Apr 2026 |

app/Common.php

@@ -14,8 +14,6 @@
  * @link: https://codeigniter4.github.io/CodeIgniter4/
  */
 
-use CodeIgniter\I18n\Time;
-
 if (!function_exists('clearFilter')) {
     /**
      * @param array $array
@@ -160,7 +158,7 @@ function menu($navigations, $parent = null)
                 }
                 $title = (str_starts_with($menu->title, 'Frontend.')) ? lang($menu->title) : esc($menu->title);
                 echo '>' . $title . '</a>';
-                
+
                 if ((bool)$menu->hasChildren === true) {
                     $menuClass = empty($menu->parent) ? 'dropdown-menu dropdown-menu-end' : 'dropdown-menu';
                     echo '<ul class="' . $menuClass . '" aria-labelledby="' . $dropdownId . '">';

app/Config/ContentSecurityPolicy.php

@@ -30,6 +30,11 @@ class ContentSecurityPolicy extends BaseConfig
      */
     public ?string $reportURI = null;
 
+    /**
+     * Specifies a reporting endpoint to which violation reports ought to be sent.
+     */
+    public ?string $reportTo = null;
+
     /**
      * Instructs user agents to rewrite URL schemes, changing
      * HTTP to HTTPS. This directive is for websites with
@@ -38,12 +43,12 @@ class ContentSecurityPolicy extends BaseConfig
     public bool $upgradeInsecureRequests = false;
 
     // -------------------------------------------------------------------------
-    // Sources allowed
+    // CSP DIRECTIVES SETTINGS
     // NOTE: once you set a policy to 'none', it cannot be further restricted
     // -------------------------------------------------------------------------
 
     /**
-     * Will default to self if not overridden
+     * Will default to `'self'` if not overridden
      *
      * @var list<string>|string|null
      */
@@ -54,32 +59,62 @@ class ContentSecurityPolicy extends BaseConfig
      *
      * @var list<string>|string
      */
-    public $scriptSrc = [
+    public $scriptSrc = 'self';
+
+    /**
+     * Specifies valid sources for JavaScript <script> elements.
+     *
+     * @var list<string>|string
+     */
+    public array|string $scriptSrcElem = 'self';
+
+    /**
+     * Specifies valid sources for JavaScript inline event
+     * handlers and JavaScript URLs.
+     *
+     * @var list<string>|string
+     */
+    public array|string $scriptSrcAttr = 'self';
+
+    /**
+     * Lists allowed stylesheets' URLs.
+     *
+     * @var list<string>|string
+     */
+    public array|string $styleSrc = [
         'self',
         'unsafe-inline',
-        'unsafe-eval'
+        'https://fonts.googleapis.com',
     ];
 
     /**
-     * Lists allowed stylesheets' URLs.
+     * Specifies valid sources for stylesheets <link> elements.
      *
      * @var list<string>|string
      */
-    public $styleSrc = [
+    public array|string $styleSrcElem = [
         'self',
-        'unsafe-inline',
-        'https://fonts.googleapis.com'
+        'https://fonts.googleapis.com',
     ];
 
+    /**
+     * Specifies valid sources for stylesheets inline
+     * style attributes and `<style>` elements.
+     *
+     * @var list<string>|string
+     */
+    public array|string $styleSrcAttr = ['self', 'unsafe-inline'];
+
     /**
      * Defines the origins from which images can be loaded.
      *
      * @var list<string>|string
      */
-    public $imageSrc = [
+    public array|string $imageSrc = [
         'self',
-        'data:',
-        'https://*'
+        'data:',        // base64 embedded images (elFinder thumbnails, captcha)
+        'blob:',        // elFinder file preview blobs
+        'https:',       // any HTTPS image (tightened from wildcard https://* to scheme-only)
     ];
 
     /**
@@ -96,7 +131,7 @@ class ContentSecurityPolicy extends BaseConfig
      *
      * @var list<string>|string
      */
-    public $childSrc = 'self';
+    public array|string $childSrc = ['self', 'blob:', 'data:'];
 
     /**
      * Limits the origins that you can connect to (via XHR,
@@ -111,10 +146,11 @@ class ContentSecurityPolicy extends BaseConfig
      *
      * @var list<string>|string
      */
-    public $fontSrc = [
+    public array|string $fontSrc = [
         'self',
         'https://fonts.gstatic.com',
-        'data:'
+        'https://fonts.gstatic.com/*',
+        'data:',
     ];
 
     /**
@@ -161,6 +197,11 @@ class ContentSecurityPolicy extends BaseConfig
      */
     public $manifestSrc;
 
+    /**
+     * @var list<string>|string
+     */
+    public array|string $workerSrc = [];
+
     /**
      * Limits the kinds of plugins a page may invoke.
      *
@@ -176,17 +217,17 @@ class ContentSecurityPolicy extends BaseConfig
     public $sandbox;
 
     /**
-     * Nonce tag for style
+     * Nonce placeholder for style tags.
      */
-    public string $styleNonceTag = '{csp-style-nonce}';
+    public string $styleNonceTag = '<?php echo csp_style_nonce(); ?>';
 
     /**
-     * Nonce tag for script
+     * Nonce placeholder for script tags.
      */
-    public string $scriptNonceTag = '{csp-script-nonce}';
+    public string $scriptNonceTag = '<?php echo csp_script_nonce(); ?>';
 
     /**
-     * Replace nonce tag automatically
+     * Replace nonce tag automatically?
      */
-    public bool $autoNonce = false;
+    public bool $autoNonce = true;
 }

app/Config/templates/default/DefaultConfig.php

@@ -0,0 +1,17 @@
+<?php
+
+namespace Config\templates\default;
+
+use CodeIgniter\Config\BaseConfig;
+
+class DefaultConfig extends BaseConfig
+{
+    public $csrfExcept = [
+        'forms/searchForm',
+        'commentCaptcha',
+        'newComment',
+        'repliesComment',
+        'loadMoreComments'
+    ];
+    public $filters = [];
+}