Add isindex to XSS dangerous tags (CVE-2023-31506 / GHSA-h85h-xm8x-vfw7)

The original CVE-2023-31506 fix missed the deprecated <isindex> HTML tag,
which can still be used for XSS via event handlers like onmouseover.

The <isindex> tag is deprecated in HTML5 and has no legitimate modern use.
This commit is contained in:
Andy Miller
2025-11-29 21:07:23 -07:00
parent b7e1958a6e
commit a4c3a3af6d

View File

@@ -31,6 +31,7 @@ xss_dangerous_tags:
- bgsound
- title
- base
- isindex
uploads_dangerous_extensions:
- php
- php2