fix: remove HTML event attributes

thorsten · Apr 13, 2023 · 5401ab7 · 5401ab7
1 parent a583317
commit 5401ab7
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 3 deletions.
diff --git a/phpmyfaq/src/phpMyFAQ/Helper/FaqHelper.php b/phpmyfaq/src/phpMyFAQ/Helper/FaqHelper.php
@@ -18,6 +18,7 @@
 namespace phpMyFAQ\Helper;
 
 use DOMDocument;
+use DOMXPath;
 use Exception;
 use ParsedownExtra;
 use phpMyFAQ\Category;
@@ -245,6 +246,14 @@ public function cleanUpContent(string $content): string
             $scriptTags->item($i)->parentNode->removeChild($scriptTags->item($i));
         }
 
-        return preg_replace(['/\r/', '/\n/'], '', $document->saveHTML());
+        $xpath = new DOMXPath($document);
+        $onAttributes = $xpath->query("//*/@*[starts-with(name(), 'on')]");
+        foreach ($onAttributes as $onAttribute) {
+            $onAttribute->ownerElement->removeAttributeNode($onAttribute);
+        }
+
+        $body = $xpath->query('body')->item(0);
+
+        return preg_replace(['/\r/', '/\n/'], '', $document->saveHTML($body));
     }
 }
diff --git a/tests/phpMyFAQ/Helper/FaqHelperTest.php b/tests/phpMyFAQ/Helper/FaqHelperTest.php
@@ -62,8 +62,8 @@ public function testCreateFaqUrl(): void
 
     public function testCleanUpContent(): void
     {
-        $content = '<p>Some text <script>alert("Hello, world!");</script></p>';
-        $expectedOutput = '<p>Some text </p>';
+        $content = '<p>Some text <script>alert("Hello, world!");</script><img src=foo onerror=alert(document.cookie)></p>';
+        $expectedOutput = '<p>Some text <img src="foo"></p>';
 
         $actualOutput = $this->faqHelper->cleanUpContent($content);