From 3dd0cabeac9835fe64dcb4b68c658b39f1f6be2f Mon Sep 17 00:00:00 2001
From: Djamil Legato
Date: Wed, 23 Feb 2022 14:57:36 -0800
Subject: [PATCH] Fixed entity sanitization for XSS detection
---
 CHANGELOG.md | 1 +
 system/src/Grav/Common/Security.php | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index be63eea0e2..bb0adfc476 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,7 @@
 * Fixed `'mbstring' extension is not loaded` error, use Polyfill instead [#3504](https://github.com/getgrav/grav/pull/3504)
 * Fixed new `Utils::pathinfo()` and `Utils::basename()` being too strict for legacy use [#3542](https://github.com/getgrav/grav/issues/3542)
 * Fixed non-standard video html atributes generated by `{{ media.html() }}` [#3540](https://github.com/getgrav/grav/issues/3540)
+ * Fixed entity sanitization for XSS detection
 # v1.7.30
 ## 02/07/2022
diff --git a/system/src/Grav/Common/Security.php b/system/src/Grav/Common/Security.php
index 017720ca89..01ea0f13c8 100644
--- a/system/src/Grav/Common/Security.php
+++ b/system/src/Grav/Common/Security.php
@@ -200,7 +200,7 @@ public static function detectXss($string, array $options = null): ?string
 }, $string);
 // Clean up entities
- $string = preg_replace('!(�+[0-9]+)!u', '$1;', $string);
+ $string = preg_replace('!(&#[0-9]+)!u', '$1;', $string);
 // Decode entities
 $string = html_entity_decode($string, ENT_NOQUOTES | ENT_HTML5, 'UTF-8');
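Review bot: The widened pattern on the `+` line in Security.php still terminates only decimal character references, so a hexadecimal reference (`&#x…` form, which browsers also accept) written without its trailing `;` is left untouched and, judging by the purpose of this cleanup step, is then not decoded by the `html_entity_decode()` call two lines below — the string the later checks inspect can differ from what a browser would render. Covering both forms keeps the normalisation consistent: `$string = preg_replace('!(&#(?:x[0-9a-f]+|[0-9]+))!iu', '$1;', $string);`. As with the current line, a `;` is appended even when one is already present (`&#60;` becomes `&#60;;`), which is harmless for detection but worth stating in the comment, e.g. `// Terminate bare numeric references (decimal and hex) so html_entity_decode() recognises them; a doubled ';' after an already-terminated reference is harmless here`. The `detectXss` body starts and continues outside the hunk, and the removed line appears with a replacement character that looks like extraction mojibake rather than the committed text.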