eessppeelllloo/grav
1
0
Fork 0
mirror of https://github.com/getgrav/grav.git synced 2025-12-05 15:29:57 +01:00
Code Issues Packages Projects Releases Wiki Activity

fixes #GHSA-f8v5-jmfh-pr69

Browse Source
This commit is contained in:
Andy Miller
2024-05-06 12:48:45 +01:00
parent 77adfcb831
commit b6bba9eb99
1 changed files with 2 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
system/src/Grav/Common/Security.php
View File

@@ -225,7 +225,7 @@ class Security
// Set the patterns we'll test against
$patterns = [
// Match any attribute starting with "on" or xmlns
'on_events' => '#(<[^>]+[[a-z\x00-\x20\"\'\/])([\s\/]on|\sxmlns)[a-z].*=>?#iUu',
'on_events' => '#(<[^>]+[a-z\x00-\x20\"\'\/])(on[a-z]+|xmlns)\s*=[\s|\'\"].*[\s|\'\"]>#iUu',
// Match javascript:, livescript:, vbscript:, mocha:, feed: and data: protocols
'invalid_protocols' => '#(' . implode('|', array_map('preg_quote', $invalid_protocols, ['#'])) . ')(:|\&\#58)\S.*?#iUu',
@@ -279,6 +279,7 @@ class Security
'twig.getFunction',
'core.setEscaper',
'twig.safe_functions',
'read_file',
];
$string = preg_replace('/(({{\s*|{%\s*)[^}]*?(' . implode('|', $bad_twig) . ')[^}]*?(\s*}}|\s*%}))/i', '{# $1 #}', $string);
return $string;