From 53bef264e7046cb9f20c1bb18d8bf869be99446e Mon Sep 17 00:00:00 2001
From: Andy Miller
Date: Mon, 30 Nov 2020 16:11:22 -0700
Subject: [PATCH] XSS fix for grav-ghsa-cvmr-6428-87w9
---
 system/src/Grav/Common/Security.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/system/src/Grav/Common/Security.php b/system/src/Grav/Common/Security.php
index ce15bf8c2..ede8741ab 100644
--- a/system/src/Grav/Common/Security.php
+++ b/system/src/Grav/Common/Security.php
@@ -207,7 +207,7 @@ class Security
 // Set the patterns we'll test against
 $patterns = [
 // Match any attribute starting with "on" or xmlns
- 'on_events' => '#(<[^>]+[[a-z\x00-\x20\"\'\/])(\son|\sxmlns)[a-z].*=>?#iUu',
+ 'on_events' => '#(<[^>]+[[a-z\x00-\x20\"\'\/])([\s\/]on|\sxmlns)[a-z].*=>?#iUu',
 // Match javascript:, livescript:, vbscript:, mocha:, feed: and data: protocols
 'invalid_protocols' => '#(' . implode('|', array_map('preg_quote', $invalid_protocols, ['#'])) . '):.*?#iUu',