diff --git a/CHANGES.md b/CHANGES.md
index 45927d418..dc563a0ab 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -69,6 +69,7 @@ Changes in 9.0
 - Fix Improper Access Control security issue: add random string to photo file name in TipMessage.fnc.php, Transcripts.fnc.php, PrintClassPictures.php, Student.php, User.php & General_Info.inc.php, thanks to @dungtuanha
 - Fix stored XSS security issue: decode HTML entities from URL in PreparePHP_SELF.fnc.php, thanks to @khanhchauminh
 - Fix stored XSS security issue: remove inline JS from URL in PreparePHP_SELF.fnc.php, thanks to @intrapus
+- Fix stored XSS security issue: add semicolon to HTML entity so it can be decoded in PreparePHP_SELF.fnc.php, thanks to @intrapus
 - Accessibility: add hidden input label using .a11y-hidden class in ReportCardComments.php, StudentFields.php & Grades/TeacherCompletion.php
 - Accessibility: add select label in Eligibility/TeacherCompletion.php, Student.php, StudentList.php, MassDrops.php & MassSchedule.php
 - Two Lists on same page: export only first, no search in Eligibility/Student.php
diff --git a/functions/PreparePHP_SELF.fnc.php b/functions/PreparePHP_SELF.fnc.php
index 94376276c..2c6224d2d 100644
--- a/functions/PreparePHP_SELF.fnc.php
+++ b/functions/PreparePHP_SELF.fnc.php
@@ -173,8 +173,25 @@ function RedirectURL( $remove )
 */
 function URLEscape( $string )
 {
+ $fixed_entities_string = preg_replace_callback(
+ // Match both decimal & hex code (although hex codes can contain a-f letters).
+ // Should be enough as the alphabet hex codes only have numbers.
+ "/(&#x?[0-9]+;?)/i",
+ function( $match ) {
+ if ( mb_substr( $match[1], -1 ) !== ';' )
+ {
+ // Fix stored XSS security issue: add semicolon to HTML entity so it can be decoded.
+ // @link https://www.php.net/manual/en/function.html-entity-decode.php#104617
+ $match[1] .= ';';
+ }
+
+ return $match[1];
+ },
+ $string
+ );
+
 // Fix stored XSS security issue: decode HTML entities from URL.
- $decoded_string = html_entity_decode( (string) $string );
+ $decoded_string = html_entity_decode( (string) $fixed_entities_string );
 $remove = [
 // Fix stored XSS security issue: remove inline JS from URL.