The original CVE-2023-31506 fix missed the deprecated <isindex> HTML tag, which can still be used for XSS via event handlers like onmouseover. The <isindex> tag is deprecated in HTML5 and has no legitimate modern use.
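# Grav security defaults. This file ships with the core and is not meant to be
# tuned in place on a live site; override it in the site-level config instead.
# NOTE(review): override location assumed to be user/config/security.yaml per
# Grav convention — confirm.

# Permissions whose holders are exempted from the XSS checks below. Keep this
# minimal: presumably anyone matching an entry can save unfiltered markup.
xss_whitelist:
  - admin.super

# Independent on/off switches for the individual XSS checks. Leave all of them
# enabled unless a specific check is shown to break a known-safe workflow.
xss_enabled:
  on_events: true            # on* event-handler attributes (onclick, onmouseover, ...)
  invalid_protocols: true    # URL schemes listed under xss_invalid_protocols
  moz_binding: true          # legacy -moz-binding CSS property (XBL script loading)
  html_inline_styles: true   # inline style="" attributes
  dangerous_tags: true       # elements listed under xss_dangerous_tags

# URL schemes rejected when invalid_protocols is enabled.
# "data" belongs here because data: URIs can carry HTML/JS payloads.
xss_invalid_protocols:
  - javascript
  - livescript
  - vbscript
  - mocha
  - feed
  - data

# Elements rejected when dangerous_tags is enabled. This is a denylist, so it
# only ever catches what is named here. Deprecated tags (blink, ilayer, layer,
# bgsound, isindex) stay listed because browsers may still parse them and they
# have no legitimate modern use — isindex in particular was still usable for XSS
# via event handlers after the original CVE-2023-31506 fix.
xss_dangerous_tags:
  - applet
  - meta
  - xml
  - blink
  - link
  - style
  - script
  - embed
  - object
  - iframe
  - frame
  - frameset
  - ilayer
  - layer
  - bgsound
  - title
  - base
  - isindex

# File extensions refused on upload. A denylist is inherently incomplete — an
# allowlist of permitted upload types is the stronger control where a site can
# afford one. The PHP variants beyond php5 and the XHTML pair are included
# because some hosts hand them to the PHP interpreter or serve them as HTML.
# NOTE(review): not visible from this file whether the comparison is
# case-insensitive and whether every extension of a multi-dot name
# (e.g. shell.php.jpg) is checked — confirm in the upload handler.
uploads_dangerous_extensions:
  - php
  - php2
  - php3
  - php4
  - php5
  - php7
  - php8
  - phar
  - phtml
  - phtm
  - pht
  - phps
  - html
  - htm
  - xhtml
  - xht
  - shtml
  - shtm
  - js
  - exe

# Run uploaded SVGs through a sanitizer: SVG is XML and may carry <script>
# elements and event-handler attributes, so it is not listed above as a
# blanket-forbidden extension.
sanitize_svg: true

# Secret salt; presumably keys nonces/hashes. This default is committed to a
# public repository and must be treated as public — every deployment needs its
# own random value (NOTE(review): Grav is believed to regenerate it at install;
# confirm). Quoted so a regenerated value that happens to be all digits or to
# start with 0 is never retyped by the YAML parser.
salt: 'SbmgUJQ62MqNc0'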