From bc5a435e82ca005e51c990a9b348492039570425 Mon Sep 17 00:00:00 2001
From: Axel Guckelsberger
Date: Mon, 20 Sep 2021 11:23:29 +0200
Subject: [PATCH] strip script tags from XSLT block stylesheets

---
 CHANGELOG-3.0.md | 1 +
 src/system/BlocksModule/Block/XsltBlock.php | 7 +++++++
 2 files changed, 8 insertions(+)

diff --git a/CHANGELOG-3.0.md b/CHANGELOG-3.0.md
index 6545b6420f..65b26c3cd8 100644
--- a/CHANGELOG-3.0.md
+++ b/CHANGELOG-3.0.md
@@ -8,6 +8,7 @@
 - Fixes:
 - [CoreBundle] More robust autoloader detection.
 - [CoreBundle] Add `flex-wrap` class to pagination for responsive behaviour ([bs#23504](https://github.com/twbs/bootstrap/issues/23504)).
+ - [Blocks] Strip script tags from XSLT block stylesheets.
 - [Categories] Sanitize context menu in admin category list.
 - [Theme] Fix resolving assets location on Windows if Zikula is installed in a sub directory (#4480).
 - [Permissions] Correctly handle non-existing username during permission testing.
diff --git a/src/system/BlocksModule/Block/XsltBlock.php b/src/system/BlocksModule/Block/XsltBlock.php
index 10f3d28900..d194b3d0aa 100644
--- a/src/system/BlocksModule/Block/XsltBlock.php
+++ b/src/system/BlocksModule/Block/XsltBlock.php
@@ -38,6 +38,13 @@ public function display(array $properties): string
 } else {
 $doc->loadXML($properties['stylecontents']);
 }
+
+ // remove scripts
+ $scriptTags = $doc->getElementsByTagName('script');
+ foreach ($scriptTags as $scriptTag) {
+ $scriptTag->parentNode->removeChild($scriptTag);
+ }
+
 $xsl->importStyleSheet($doc);
 
 // load xml source
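Review bot: The new foreach removes nodes from the DOMNodeList it is iterating, and the list returned by `getElementsByTagName` is live, so after each `removeChild` the following `script` element shifts into the freed index and can be skipped — two adjacent script elements would leave the second one in place. Snapshot the list before removing, and match by local name so prefixed elements are caught too: `foreach (iterator_to_array($doc->getElementsByTagNameNS('*', 'script')) as $scriptTag) {` — `getElementsByTagName('script')` compares the qualified name, so e.g. `xhtml:script` does not match. Also worth a comment on the `// remove scripts` line: this only strips literal script elements from the stylesheet DOM before import; elements produced at transform time (`xsl:element`, `disable-output-escaping`) and event-handler attributes are not covered, so the transformed output still needs escaping or sanitisation appropriate to where the block is rendered. `display` begins and ends outside this hunk.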