From 90842ca1d30e2a3d52bcef024032f25d445c0edd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Jacquet?=
Date: Tue, 26 Apr 2022 12:51:47 +0200
Subject: [PATCH] Fix stored XSS security issue: do not allow unsanitized HTML

---
 CHANGES.md | 2 +-
 ProgramFunctions/FileUpload.fnc.php | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/CHANGES.md b/CHANGES.md
index 4da0fe705..cff43ec6a 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -3,7 +3,7 @@
 Changes in 8.9.5
 ----------------
 
-- Fix stored XSS security issue: do not allow unsanitized XML in FileUpload.fnc.php, thanks to @nhienit2010
+- Fix stored XSS security issue: do not allow unsanitized XML & HTML in FileUpload.fnc.php, thanks to @nhienit2010
 - Fix stored XSS security issue: escape HTML attribute in StudentAssignments.fnc.php, thanks to @dungtuanha
 
 Changes in 8.9.4
diff --git a/ProgramFunctions/FileUpload.fnc.php b/ProgramFunctions/FileUpload.fnc.php
index eadc9a8b4..91c0acf60 100644
--- a/ProgramFunctions/FileUpload.fnc.php
+++ b/ProgramFunctions/FileUpload.fnc.php
@@ -839,11 +839,11 @@ function FileExtensionWhiteList() {
 '.msg',
 '.vcf',
 // Web.
-// @since 8.9.5 Fix stored XSS security issue: do not allow unsanitized XML
+// @since 8.9.5 Fix stored XSS security issue: do not allow unsanitized XML & HTML
 // '.xml',
-'.xhtml',
-'.html',
-'.htm',
+// '.xhtml',
+// '.html',
+// '.htm',
 '.css',
 '.rss',
 // Compressed.
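Review bot: Dropping `.xhtml`, `.html` and `.htm` from the allowlist still leaves `.rss` on the line right after them, and RSS is XML, so the same concern that led to commenting out `.xml` in 8.9.5 presumably applies to it too; consider `// '.rss',` with the same `@since` note, unless there is a reason it is treated as safe. Extension filtering alone is also a weak control against stored XSS: the file is rendered by the browser according to how it is served, so the lasting fix is to serve uploads with `Content-Disposition: attachment` and `X-Content-Type-Options: nosniff` (or from a separate origin), which is outside this hunk and worth tracking separately. The `@since` comment should say what the residual risk is so the next maintainer does not re-enable these entries, e.g. `// Browser-rendered types can carry scripts; keep disabled unless uploads are served as attachments.` FileExtensionWhiteList() begins before and ends after this hunk, so the full array is not visible here.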