Fixed XSS check not detecting escaped &#58

getgrav · Jan 18, 2022 · 6f2fa93 · 6f2fa93
1 parent 6106122
commit 6f2fa93
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 7 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,8 @@
     * Added twig tag for links: `{% link icon 'theme://images/favicon.png' priority: 20 with { type: 'image/png' } %}`
     * Added `HtmlBlock` support for `{% style %}`, `{% script %}` and `{% link %}` tags
     * Support for page-level `redirect_default_route` frontmatter header override
+3. [](#bugfix)
+    * Fixed XSS check not detecting escaped `&#58`
 
 # v1.7.27.1
 ## 01/12/2022

diff --git a/composer.lock b/composer.lock
diff --git a/system/src/Grav/Common/Security.php b/system/src/Grav/Common/Security.php
@@ -214,7 +214,7 @@ public static function detectXss($string, array $options = null): ?string
             'on_events' => '#(<[^>]+[[a-z\x00-\x20\"\'\/])([\s\/]on|\sxmlns)[a-z].*=>?#iUu',
 
             // Match javascript:, livescript:, vbscript:, mocha:, feed: and data: protocols
-            'invalid_protocols' => '#(' . implode('|', array_map('preg_quote', $invalid_protocols, ['#'])) . '):\S.*?#iUu',
+            'invalid_protocols' => '#(' . implode('|', array_map('preg_quote', $invalid_protocols, ['#'])) . ')(:|\&\#58)\S.*?#iUu',
 
             // Match -moz-bindings
             'moz_binding' => '#-moz-binding[a-z\x00-\x20]*:#u',