From 75b74c4ab30583fc8ec709f8f33faa8417b3bf88 Mon Sep 17 00:00:00 2001
From: Andy Miller
Date: Mon, 30 Nov 2020 16:10:56 -0700
Subject: [PATCH 1/2] XSS fix for grav-ghsa-cvmr-6428-87w9
---
 system/src/Grav/Common/Security.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/system/src/Grav/Common/Security.php b/system/src/Grav/Common/Security.php
index 0f6109795..b53165d34 100644
--- a/system/src/Grav/Common/Security.php
+++ b/system/src/Grav/Common/Security.php
@@ -133,7 +133,7 @@ class Security
 // Set the patterns we'll test against
 $patterns = [
 // Match any attribute starting with "on" or xmlns
- 'on_events' => '#(<[^>]+[[a-z\x00-\x20\"\'\/])(\son|\sxmlns)[a-z].*=>?#iUu',
+ 'on_events' => '#(<[^>]+[[a-z\x00-\x20\"\'\/])([\s\/]on|\sxmlns)[a-z].*=>?#iUu',
 // Match javascript:, livescript:, vbscript:, mocha:, feed: and data: protocols
 'invalid_protocols' => '#(' . implode('|', $invalid_protocols) . '):.*?#iUu',
From 24b52c77fede73ba72eb6848dde31b0e26c19afc Mon Sep 17 00:00:00 2001
From: Andy Miller
Date: Mon, 30 Nov 2020 16:13:51 -0700
Subject: [PATCH 2/2] update changelog
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 66c667762..83c56fd43 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,7 @@ 1. [](#bugfix)
 * Fixed hardcoded system folder in blueprints, config and language streams
 * Added `.htaccess` rule to block attempts to use Twig in the request URL
+ * Fix for XSS advisory [GHSA-cvmr-6428-87w9](https://github.com/getgrav/grav/security/advisories/GHSA-cvmr-6428-87w9)
 # v1.6.28
 ## 10/07/2020
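Review bot: The widened separator class on the `+` line of the Security.php hunk is applied only to the `on` alternative; the `xmlns` alternative still requires `\s`, so an attribute introduced with `/` — the same HTML attribute separator this patch starts blocking for event handlers — is still not matched for `xmlns`, and a symmetric pattern would be `'on_events' => '#(<[^>]+[[a-z\x00-\x20\"\'\/])([\s\/]on|[\s\/]xmlns)[a-z].*=>?#iUu',`. The diffstat shows only Security.php changed, so no regression test accompanies the pattern change; a unit test running a `/`-separated event-handler payload such as `<img/onerror=alert(1)>` through this check would pin the fix against future regex edits. Because this entry is a denylist regex rather than an HTML-aware sanitizer, a comment above it such as `// '/' is a valid attribute separator in HTML tokenization, so it must be accepted alongside whitespace here` would tell the next maintainer why the class is wider than `\s`. The enclosing method begins and ends outside the hunk.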