diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5bf8e14e03..45c4b5a1a8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,7 @@
 * Fixed a bug in `PermissionsReader` in PHP 7.3
 * Fixed `session_store_active` language option (#3464)
 * Fixed deprecated warnings on `ArrayAccess` in PHP 8.1
+ * Fixed XSS detection with `:`
 
 # v1.7.23
 ## 09/29/2021
diff --git a/system/src/Grav/Common/Security.php b/system/src/Grav/Common/Security.php
index 55aa54593c..fe259d8ba9 100644
--- a/system/src/Grav/Common/Security.php
+++ b/system/src/Grav/Common/Security.php
@@ -203,7 +203,7 @@ public static function detectXss($string, array $options = null): ?string
 $string = preg_replace('!(�+[0-9]+)!u', '$1;', $string);
 
 // Decode entities
-$string = html_entity_decode($string, ENT_NOQUOTES, 'UTF-8');
+$string = html_entity_decode($string, ENT_NOQUOTES | ENT_HTML5, 'UTF-8');
 
 // Strip whitespace characters
 $string = preg_replace('!\s!u', '', $string);
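Review bot: The added `ENT_HTML5` flag on the `html_entity_decode` call is the entire fix, yet nothing in the hunk records why it is there, so a later cleanup could drop it as cosmetic; extend the preceding comment to `// Decode entities; ENT_HTML5 is required so named entities that HTML 4 lacks (e.g. &colon;) are normalised before the patterns below run`. The decode remains a single pass, so input whose entities are themselves entity-encoded is only partially normalised by this line — if the later checks depend on a fully decoded string (they are outside the hunk, so this is inferred), a fixed-point form such as `while (($decoded = html_entity_decode($string, ENT_NOQUOTES | ENT_HTML5, 'UTF-8')) !== $string) { $string = $decoded; }` is the robust shape. Separately, the `preg_replace` on the line above uses the `u` modifier and returns `null` on malformed UTF-8, and passing `null` to `html_entity_decode` is deprecated from PHP 8.1, so a `?? ''` guard or an explicit early return on `null` is worth adding at the same time. A regression test feeding an input with `&colon;` in place of `:` would pin the behaviour this commit restores. detectXss begins and ends outside the hunk.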