Fixed XSS check not detecting onX events without quotes
mahagr committed Mar 30, 2022
1 parent a092aed commit 1c0ed43
Showing 2 changed files with 4 additions and 2 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -5,6 +5,7 @@
* When saving yaml and markdown, create also a cached version of the file and recompile it in opcache
2. [](#bugfix)
* Fixed missing changes in yaml & markdown files if saved multiple times during the same second because of a caching issue
* Fixed XSS check not detecting onX events without quotes

# v1.7.32
## 03/28/2022
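Review bot: the new bugfix entry names the symptom but not the code path it concerns; since the change is in `Security::detectXss()`, writing the entry as `* Fixed Security::detectXss() not detecting onX events without quotes` lets anyone who relies on that check find it when scanning the changelog, and matches the commit it ships in (1c0ed43).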
5 changes: 3 additions & 2 deletions system/src/Grav/Common/Security.php
Expand Up @@ -219,7 +219,8 @@ public static function detectXss($string, array $options = null): ?string
$string = html_entity_decode($string, ENT_NOQUOTES | ENT_HTML5, 'UTF-8');

// Strip whitespace characters
$string = preg_replace('!\s!u', '', $string);
$string = preg_replace('!\s!u', ' ', $string);
$stripped = preg_replace('!\s!u', '', $string);

// Set the patterns we'll test against
$patterns = [
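Review bot: with the `u` modifier, both `preg_replace` calls return `null` instead of a string when PCRE rejects the input (for example invalid UTF-8), so `$string` and `$stripped` would both be `null` and the later `preg_match` tests would effectively run against empty input and report the payload as clean; for a function whose job is to reject XSS that should fail closed, e.g. treat a `null` from either call as a detection and return a label, rather than silently pass. Separately, the comment `// Strip whitespace characters` now describes only the second statement: the first maps each whitespace character to a single space one for one (it does not collapse runs, which `'!\s+!u'` would do if that is the intent), so the comment should say that a space-normalised string and a fully stripped copy are both kept for matching.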
Expand All @@ -242,7 +243,7 @@ public static function detectXss($string, array $options = null): ?string
// Iterate over rules and return label if fail
foreach ($patterns as $name => $regex) {
if (!empty($enabled_rules[$name])) {
if (preg_match($regex, $string) || preg_match($regex, $orig)) {
if (preg_match($regex, $string) || preg_match($regex, $stripped) || preg_match($regex, $orig)) {
return $name;
}
}
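Review bot: `preg_match()` returns `false` on a PCRE error (backtracking or recursion limit, invalid UTF-8 under the `u` flag), and the `||` chain treats `false` exactly like a non-match, so an input that makes the engine bail out on `$string`, `$stripped` and `$orig` alike is returned as clean; compare each result with `=== 1` and treat a `false` from any of the three calls as a failed check (return the rule name, or a dedicated label) so the detector fails closed. Also, the commit message describes the unquoted onX handler case that the new `$stripped` operand is there to catch; a unit test that feeds `detectXss()` an unquoted event-handler attribute and asserts the rule name is returned would pin this regression, since nothing in the hunk itself shows which inputs the extra operand changes the outcome for.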
