Fix stored XSS security issue: remove inline JS from URL
francoisjacquet committed Apr 29, 2022
1 parent 1e1c7fc commit 21dc2f7
Showing 2 changed files with 4 additions and 0 deletions.
1 change: 1 addition & 0 deletions CHANGES.md
Expand Up @@ -6,6 +6,7 @@ Changes in 8.9.5
- Fix stored XSS security issue: do not allow unsanitized XML & HTML in FileUpload.fnc.php, thanks to @nhienit2010
- Fix stored XSS security issue: escape HTML attribute in StudentAssignments.fnc.php, thanks to @dungtuanha
- Use big random number for parent password generation in NotifyParents.php & CreateParents.php, thanks to @intrapus
- Fix stored XSS security issue: remove inline JS from URL in PreparePHP_SELF.fnc.php, thanks to @intrapus

Changes in 8.9.4
----------------
3 changes: 3 additions & 0 deletions functions/PreparePHP_SELF.fnc.php
Expand Up @@ -193,6 +193,8 @@ function URLEscape( $string )
'%23',
'%5B',
'%5D',
// Fix stored XSS security issue: remove inline JS from URL.
'javascript:',
];

$replacements = [
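Review bot: The new `'javascript:'` search entry is matched by `str_replace`, which is case-sensitive and single-pass, so it only strips the exact lowercase token once; mixed-case spellings of the scheme, or a token that reassembles itself after one removal, are not caught by this entry, and neither are encoded or whitespace-separated forms. Denylisting one scheme string is a fragile fix for a URL sanitizer; consider instead rejecting any absolute URL whose scheme (as returned by `parse_url($string, PHP_URL_SCHEME)`, lowercased) is not in a short allowlist such as `http`/`https`, or forcing the value to a relative path, and keep the `javascript:` removal only as defense in depth. A test case covering at least `JavaScript:` and `JAVASCRIPT:` would make the limitation visible.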
Expand All @@ -215,6 +217,7 @@ function URLEscape( $string )
'#',
'[',
']',
'',
];

return str_replace(
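Review bot: The empty-string replacement added here is paired with `'javascript:'` purely by array position: `$search` and `$replacements` must stay the same length and in the same order, which `str_replace` does not verify, so a future entry inserted in only one of the two lists would silently shift every mapping after it. An associative array (`'javascript:' => ''`) passed as `array_keys()`/`array_values()`, or a comment on both arrays stating that they are positionally coupled, would make that invariant explicit. Also note that replacing the scheme with `''` leaves the remainder of the payload in the URL rather than rejecting the value; if the intent is to block such input, returning an empty string or logging the rejected value would be clearer than silently rewriting it.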