From 21dc2f75fc02669cb47fa364e306ab1989f5f473 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Jacquet?=
Date: Fri, 29 Apr 2022 17:30:53 +0200
Subject: [PATCH] Fix stored XSS security issue: remove inline JS from URL
---
 CHANGES.md | 1 +
 functions/PreparePHP_SELF.fnc.php | 3 +++
 2 files changed, 4 insertions(+)
diff --git a/CHANGES.md b/CHANGES.md
index 55a3b0382..76f5a378c 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -6,6 +6,7 @@ Changes in 8.9.5
 - Fix stored XSS security issue: do not allow unsanitized XML & HTML in FileUpload.fnc.php, thanks to @nhienit2010
 - Fix stored XSS security issue: escape HTML attribute in StudentAssignments.fnc.php, thanks to @dungtuanha
 - Use big random number for parent password generation in NotifyParents.php & CreateParents.php, thanks to @intrapus
+- Fix stored XSS security issue: remove inline JS from URL in PreparePHP_SELF.fnc.php, thanks to @intrapus
 Changes in 8.9.4
 ----------------
diff --git a/functions/PreparePHP_SELF.fnc.php b/functions/PreparePHP_SELF.fnc.php
index 205b061dd..863e04e10 100644
--- a/functions/PreparePHP_SELF.fnc.php
+++ b/functions/PreparePHP_SELF.fnc.php
@@ -193,6 +193,8 @@ function URLEscape( $string )
 '%23',
 '%5B',
 '%5D',
+ // Fix stored XSS security issue: remove inline JS from URL.
+ 'javascript:',
 ];
 $replacements = [
@@ -215,6 +217,7 @@ function URLEscape( $string )
 '#',
 '[',
 ']',
+ '',
 ];
 return str_replace(
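Review bot: The `'javascript:'` entry added to `$entities` (first PreparePHP_SELF.fnc.php hunk), paired with the `''` appended to `$replacements` in the second hunk, removes only that exact lowercase substring in a single pass, assuming the `str_replace(` call at the end of the hunk is what consumes the two arrays. A differently cased scheme, a value in which the scheme reappears once the substring is removed, or another script-capable scheme such as `data:` would pass through unchanged, so this should not be the only control on stored URLs that end up in `href`/`src` attributes. As a minimal hardening I would strip case-insensitively until the string stops changing, e.g. `do { $prev = $string; $string = str_ireplace( 'javascript:', '', $string ); } while ( $prev !== $string );`, and preferably validate the scheme against an allowlist where the stored value is accepted. The two arrays are positional, so a comment such as `// Keep in sync: index N of $entities maps to index N of $replacements.` would help the next edit. `URLEscape()` starts before and continues after both hunks, so the actual call arguments are not visible here.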