mirror of
https://github.com/getgrav/grav.git
synced 2026-07-06 08:08:59 +02:00
Add isindex to XSS dangerous tags (CVE-2023-31506 / GHSA-h85h-xm8x-vfw7)
The original CVE-2023-31506 fix missed the deprecated <isindex> HTML tag, which can still be used for XSS via event handlers like onmouseover. The <isindex> tag is deprecated in HTML5 and has no legitimate modern use.
This commit is contained in:
@@ -31,6 +31,7 @@ xss_dangerous_tags:
|
||||
- bgsound
|
||||
- title
|
||||
- base
|
||||
- isindex
|
||||
uploads_dangerous_extensions:
|
||||
- php
|
||||
- php2
|
||||
|
||||
Reference in New Issue
Block a user