Fixed XSS detection with &colon;

2026-02-22 06:28:03 +01:00 · 2021-10-25 20:37:59 +03:00
parent 17dfd130b6
commit afc69a3229
2 changed files with 2 additions and 1 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,7 @@
    * Fixed a bug in `PermissionsReader` in PHP 7.3
    * Fixed `session_store_active` language option (#3464)
    * Fixed deprecated warnings on `ArrayAccess` in PHP 8.1
+    * Fixed XSS detection with `&colon;`

 # v1.7.23
 ## 09/29/2021
--- a/system/src/Grav/Common/Security.php
+++ b/system/src/Grav/Common/Security.php
@@ -203,7 +203,7 @@ class Security
        $string = preg_replace('!(&#0+[0-9]+)!u', '$1;', $string);

        // Decode entities
-        $string = html_entity_decode($string, ENT_NOQUOTES, 'UTF-8');
+        $string = html_entity_decode($string, ENT_NOQUOTES | ENT_HTML5, 'UTF-8');

        // Strip whitespace characters
        $string = preg_replace('!\s!u', '', $string);