From 75b74c4ab30583fc8ec709f8f33faa8417b3bf88 Mon Sep 17 00:00:00 2001 From: Andy Miller Date: Mon, 30 Nov 2020 16:10:56 -0700 Subject: [PATCH] XSS fix for grav-ghsa-cvmr-6428-87w9 --- system/src/Grav/Common/Security.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system/src/Grav/Common/Security.php b/system/src/Grav/Common/Security.php index 0f6109795..b53165d34 100644 --- a/system/src/Grav/Common/Security.php +++ b/system/src/Grav/Common/Security.php @@ -133,7 +133,7 @@ class Security // Set the patterns we'll test against $patterns = [ // Match any attribute starting with "on" or xmlns - 'on_events' => '#(<[^>]+[[a-z\x00-\x20\"\'\/])(\son|\sxmlns)[a-z].*=>?#iUu', + 'on_events' => '#(<[^>]+[[a-z\x00-\x20\"\'\/])([\s\/]on|\sxmlns)[a-z].*=>?#iUu', // Match javascript:, livescript:, vbscript:, mocha:, feed: and data: protocols 'invalid_protocols' => '#(' . implode('|', $invalid_protocols) . '):.*?#iUu',