Fix stored XSS security issue: do not allow unsanitized HTML

francoisjacquet · Apr 26, 2022 · 90842ca · 90842ca
1 parent be5bf17
commit 90842ca
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 5 deletions.
diff --git a/CHANGES.md b/CHANGES.md
@@ -3,7 +3,7 @@
 
 Changes in 8.9.5
 ----------------
-- Fix stored XSS security issue: do not allow unsanitized XML in FileUpload.fnc.php, thanks to @nhienit2010
+- Fix stored XSS security issue: do not allow unsanitized XML & HTML in FileUpload.fnc.php, thanks to @nhienit2010
 - Fix stored XSS security issue: escape HTML attribute in StudentAssignments.fnc.php, thanks to @dungtuanha
 
 Changes in 8.9.4

diff --git a/ProgramFunctions/FileUpload.fnc.php b/ProgramFunctions/FileUpload.fnc.php
@@ -839,11 +839,11 @@ function FileExtensionWhiteList() {
 		'.msg',
 		'.vcf',
 		// Web.
-		// @since 8.9.5 Fix stored XSS security issue: do not allow unsanitized XML
+		// @since 8.9.5 Fix stored XSS security issue: do not allow unsanitized XML & HTML
 		// '.xml',
-		'.xhtml',
-		'.html',
-		'.htm',
+		// '.xhtml',
+		// '.html',
+		// '.htm',
 		'.css',
 		'.rss',
 		// Compressed.