From 1c0ed43afa5dc14169e6aa693b38e1a2f7aecad9 Mon Sep 17 00:00:00 2001
From: Matias Griese
Date: Wed, 30 Mar 2022 13:26:11 +0300
Subject: [PATCH] Fixed XSS check not detecting onX events without quotes
---
 CHANGELOG.md | 1 +
 system/src/Grav/Common/Security.php | 5 +++--
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 59f4a11290..0c993524c2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,7 @@
 * When saving yaml and markdown, create also a cached version of the file and recompile it in opcache
 2. [](#bugfix)
 * Fixed missing changes in yaml & markdown files if saved multiple times during the same second because of a caching issue
+ * Fixed XSS check not detecting onX events without quotes
 # v1.7.32
 ## 03/28/2022
diff --git a/system/src/Grav/Common/Security.php b/system/src/Grav/Common/Security.php
index 11153a625c..982618544f 100644
--- a/system/src/Grav/Common/Security.php
+++ b/system/src/Grav/Common/Security.php
@@ -219,7 +219,8 @@ public static function detectXss($string, array $options = null): ?string
 $string = html_entity_decode($string, ENT_NOQUOTES | ENT_HTML5, 'UTF-8');
 // Strip whitespace characters
- $string = preg_replace('!\s!u', '', $string);
+ $string = preg_replace('!\s!u', ' ', $string);
+ $stripped = preg_replace('!\s!u', '', $string);
 // Set the patterns we'll test against
 $patterns = [
@@ -242,7 +243,7 @@ public static function detectXss($string, array $options = null): ?string
 // Iterate over rules and return label if fail
 foreach ($patterns as $name => $regex) {
 if (!empty($enabled_rules[$name])) {
- if (preg_match($regex, $string) || preg_match($regex, $orig)) {
+ if (preg_match($regex, $string) || preg_match($regex, $stripped) || preg_match($regex, $orig)) {
 return $name;
 }
 }
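Review bot: The comment `// Strip whitespace characters` above the two added `preg_replace` calls in the first Security.php hunk now describes only the second one; the first no longer strips but replaces each whitespace character with a single space so that the boundary between an attribute value and a following `on*=` handler survives, which is the behaviour the changelog entry depends on. Suggested wording: `// Normalise whitespace to single spaces so attribute boundaries survive; $stripped is the whitespace-free form kept for the older patterns`. Separately, `preg_replace` with the `u` modifier returns null when the subject is not valid UTF-8, and the new second call would then run on null and yield null as well, leaving only the `$orig` comparison to catch anything — this looks pre-existing from the single call, but a guard such as `if ($string === null || $stripped === null) { return 'invalid_utf8'; }` (label of the project's choosing) would make malformed input fail closed rather than being partially checked. No regression test accompanies the change; a case covering the un-quoted handler form named in the subject would pin the behaviour. detectXss begins and ends outside the hunk.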
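Review bot: In the second Security.php hunk, `preg_match` returns false on a PCRE error (for example when the backtrack or recursion limit is hit on a long input), and `||` treats that false exactly like a miss, so an error on one of the three variants is indistinguishable from "did not match" and the rule only fires if another variant happens to match — a quiet fail-open in a security check. Consider checking `preg_last_error() !== PREG_NO_ERROR` after the chain and returning the rule label (or throwing) rather than continuing, e.g. `$hit = preg_match($regex, $string) || preg_match($regex, $stripped) || preg_match($regex, $orig); if ($hit || preg_last_error() !== PREG_NO_ERROR) { return $name; }`. Note that `preg_last_error()` only reflects the most recent call, so if exact attribution matters each match needs its own check. The enclosing foreach and detectXss continue past the hunk.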