strip script tags from XSLT block stylesheets

zikula · Sep 20, 2021 · bc5a435 · bc5a435
1 parent a43c7bd
commit bc5a435
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 0 deletions.
diff --git a/CHANGELOG-3.0.md b/CHANGELOG-3.0.md
@@ -8,6 +8,7 @@
 - Fixes:
   - [CoreBundle] More robust autoloader detection.
   - [CoreBundle] Add `flex-wrap` class to pagination for responsive behaviour ([bs#23504](https://github.com/twbs/bootstrap/issues/23504)).
+  - [Blocks] Strip script tags from XSLT block stylesheets.
   - [Categories] Sanitize context menu in admin category list.
   - [Theme] Fix resolving assets location on Windows if Zikula is installed in a sub directory (#4480).
   - [Permissions] Correctly handle non-existing username during permission testing.

diff --git a/src/system/BlocksModule/Block/XsltBlock.php b/src/system/BlocksModule/Block/XsltBlock.php
@@ -38,6 +38,13 @@ public function display(array $properties): string
         } else {
             $doc->loadXML($properties['stylecontents']);
         }
+
+        // remove scripts
+        $scriptTags = $doc->getElementsByTagName('script');
+        foreach ($scriptTags as $scriptTag) {
+            $scriptTag->parentNode->removeChild($scriptTag);
+        }
+
         $xsl->importStyleSheet($doc);
 
         // load xml source