sec(VTLIB) purify clean javascript in href
joebordes committed Mar 20, 2023
1 parent 0624db6 commit aaaca69
Showing 1 changed file with 10 additions and 0 deletions.
10 changes: 10 additions & 0 deletions include/utils/VtlibUtils.php
Expand Up @@ -480,6 +480,16 @@ function vtlib_purify($input, $ignore = false) {
}
} else { // Simple type
$value = $__htmlpurifier_instance->purify($input);
if (strpos($value, '<a') !== false && strpos($value, 'javascript') !== false) {
$dom = new DOMDocument;
$dom->loadHTML($value, LIBXML_HTML_NODEFDTD | LIBXML_HTML_NOIMPLIED);
foreach ($dom->getElementsByTagName('a') as $node) {
if ($node->hasAttribute('href') && !filter_var($node->getAttribute('href'), FILTER_VALIDATE_URL) !== false) {
$node->removeAttribute('href');
$value = trim($dom->saveHTML(), "\n");
}
}
}
}
}
}
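Review bot: The guard on the new `if` inside the foreach is both hard to read and weaker than it looks: `!filter_var(...) !== false` negates first, so it reduces to "filter_var returned false", and FILTER_VALIDATE_URL is not a scheme check — it accepts any scheme as long as a host part is present, while rejecting every relative href (`index.php?...`, `#anchor`), so the loop strips legitimate internal links and only catches host-less `javascript:` values. Checking the scheme from `parse_url($href, PHP_URL_SCHEME)` against an allow-list states the intent directly and leaves relative links untouched; the rewrite below does that. The `strpos($value, 'javascript')` pre-check on the line above is case-sensitive, so mixed-case input never reaches this block unless the purifier has already lower-cased it, which is not visible in the hunk. `loadHTML` also emits warnings on fragment markup without a document wrapper, so it should run under `libxml_use_internal_errors(true)`. vtlib_purify starts before the hunk.
```php
$dom = new DOMDocument;
$previous = libxml_use_internal_errors(true);
$dom->loadHTML($value, LIBXML_HTML_NODEFDTD | LIBXML_HTML_NOIMPLIED);
libxml_clear_errors();
libxml_use_internal_errors($previous);
foreach ($dom->getElementsByTagName('a') as $node) {
    if (!$node->hasAttribute('href')) {
        continue;
    }
    $scheme = parse_url($node->getAttribute('href'), PHP_URL_SCHEME);
    // null: relative link, keep it. false: unparseable, drop it. Otherwise require an allowed scheme.
    if ($scheme !== null && !in_array(strtolower((string) $scheme), ['http', 'https', 'mailto'], true)) {
        $node->removeAttribute('href');
        $value = trim($dom->saveHTML(), "\n");
    }
}
```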
