From afc69a3229bb6fe120b2c1ea27bc6f196ed7284d Mon Sep 17 00:00:00 2001
From: Matias Griese
Date: Mon, 25 Oct 2021 20:37:59 +0300
Subject: [PATCH] Fixed XSS detection with `:`

---
 CHANGELOG.md | 1 +
 system/src/Grav/Common/Security.php | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5bf8e14e03..45c4b5a1a8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,7 @@
 * Fixed a bug in `PermissionsReader` in PHP 7.3
 * Fixed `session_store_active` language option (#3464)
 * Fixed deprecated warnings on `ArrayAccess` in PHP 8.1
+ * Fixed XSS detection with `:`
 
 # v1.7.23
 ## 09/29/2021
diff --git a/system/src/Grav/Common/Security.php b/system/src/Grav/Common/Security.php
index 55aa54593c..fe259d8ba9 100644
--- a/system/src/Grav/Common/Security.php
+++ b/system/src/Grav/Common/Security.php
@@ -203,7 +203,7 @@ public static function detectXss($string, array $options = null): ?string
 $string = preg_replace('!(�+[0-9]+)!u', '$1;', $string);
 
 // Decode entities
- $string = html_entity_decode($string, ENT_NOQUOTES, 'UTF-8');
+ $string = html_entity_decode($string, ENT_NOQUOTES | ENT_HTML5, 'UTF-8');
 
 // Strip whitespace characters
 $string = preg_replace('!\s!u', '', $string);
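Review bot: The added `ENT_HTML5` flag is the entire fix, yet the `// Decode entities` comment above the changed line does not say why it is required, so a later cleanup could drop it back to the default HTML 4.01 table and silently reopen the gap; I would rewrite it as `// Decode entities with the HTML5 table so HTML5-only named entities (e.g. &colon;) are normalised before the checks below`. The commit also ships no regression test; a case that passes detectXss() a string whose `:` is written as `&colon;` and asserts a non-null result would pin this behaviour in place. `ENT_NOQUOTES` is kept, so `&quot;` and `&#039;` are still left encoded at this point — presumably intentional, but worth confirming against the later checks. detectXss() begins and ends outside this hunk.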