From 4b4da5bee78b4241654571e1698eec0d42d79dc9 Mon Sep 17 00:00:00 2001
From: JediKev
Date: Wed, 6 Oct 2021 22:29:48 +0000
Subject: [PATCH] xss: Stored XSS/Domain Whitelist Bypass

This mitigates a vulnerability reported by haxatron on [huntr.dev](https://huntr.dev/) where one can bypass the Domain Whitelist and potentially store XSS via iFrame tags. This adds a new section to the iFrame REGEX that checks for `@` and denies the iFrame if exists.
---
 include/class.format.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/class.format.php b/include/class.format.php
index e8f4a7c54b..30442e7467 100644
--- a/include/class.format.php
+++ b/include/class.format.php
@@ -341,7 +341,7 @@ function safe_html($html, $options=array()) {
             $config['elements'] = '*+iframe';
             $config['spec'] = 'iframe=-*,height,width,type,style,src(match="`^(https?:)?//(www\.)?('
                 .implode('|', $whitelist)
-                .')/?`i"),frameborder'.($options['spec'] ? '; '.$options['spec'] : '').',allowfullscreen';
+                .')/?([^@]*)$`i"),frameborder'.($options['spec'] ? '; '.$options['spec'] : '').',allowfullscreen';
         }
         return Format::html($html, $config);
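Review bot: The new anchor still lets the host continue past the whitelisted name, because `/?` is optional and `[^@]*` accepts dots, hyphens and colons, so a src whose host merely begins with an allowlisted domain would still satisfy the match on the added `+` line. Requiring a delimiter immediately after the allowlisted name closes that gap, e.g. `.')(?:[/?#][^@]*)?$`i"),frameborder'` in place of `.')/?([^@]*)$`i"),frameborder'` (a `:port` suffix is then rejected too, which is usually what an allowlist wants but is worth confirming against existing configurations). Whether the `$whitelist` entries are `preg_quote`d before the `implode` is not visible in this hunk; if they are not, an unescaped `.` in an entry widens what it matches. The `$` anchor without the `D` modifier also tolerates one trailing newline, presumably harmless after htmLawed's attribute handling, but `\z` is the stricter form. safe_html's body starts before and continues after the hunk.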