From a4c3a3af6df764a3f2cfed5b5931493a95cc5248 Mon Sep 17 00:00:00 2001 From: Andy Miller Date: Sat, 29 Nov 2025 21:07:23 -0700 Subject: [PATCH] Add isindex to XSS dangerous tags (CVE-2023-31506 / GHSA-h85h-xm8x-vfw7) The original CVE-2023-31506 fix missed the deprecated HTML tag, which can still be used for XSS via event handlers like onmouseover. The tag is deprecated in HTML5 and has no legitimate modern use. --- system/config/security.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/system/config/security.yaml b/system/config/security.yaml index 1a00bfb0e..b596d0051 100644 --- a/system/config/security.yaml +++ b/system/config/security.yaml @@ -31,6 +31,7 @@ xss_dangerous_tags: - bgsound - title - base + - isindex uploads_dangerous_extensions: - php - php2