diff --git a/src/Forms/HTMLEditor/HTMLEditorSanitiser.php b/src/Forms/HTMLEditor/HTMLEditorSanitiser.php
index b35fcf19af4..a075d98fa9d 100644
--- a/src/Forms/HTMLEditor/HTMLEditorSanitiser.php
+++ b/src/Forms/HTMLEditor/HTMLEditorSanitiser.php
@@ -347,9 +347,9 @@ public function sanitise(HTMLValue $html)
 }
 // Matches "javascript:" with any arbitrary linebreaks inbetween the characters.
- $regex = '/^\s*' . implode('\v*', str_split('javascript:')) . '/i';
+ $regex = '/^\s*' . implode('\s*', str_split('javascript:')) . '/i';
 // Strip out javascript execution in href or src attributes.
- foreach (['src', 'href'] as $dangerAttribute) {
+ foreach (['src', 'href', 'data'] as $dangerAttribute) {
 if ($el->hasAttribute($dangerAttribute)) {
 if (preg_match($regex, $el->getAttribute($dangerAttribute))) {
 $el->removeAttribute($dangerAttribute);
diff --git a/tests/php/Forms/HTMLEditor/HTMLEditorSanitiserTest.php b/tests/php/Forms/HTMLEditor/HTMLEditorSanitiserTest.php
index 14f6771a583..3d5c3d5c684 100644
--- a/tests/php/Forms/HTMLEditor/HTMLEditorSanitiserTest.php
+++ b/tests/php/Forms/HTMLEditor/HTMLEditorSanitiserTest.php
@@ -104,6 +104,30 @@ public function testSanitisation()
 '',
 'Mixed case javascript in the src attribute of an iframe is completely removed'
 ],
+ [
+ 'iframe[src]',
+ "",
+ '',
+ 'Javascript with tab elements the src attribute of an iframe is completely removed'
+ ],
+ [
+ 'object[data]',
+ '',
+ '',
+ 'Object with OK content in the data attribute is retained'
+ ],
+ [
+ 'object[data]',
+ '',
+ '',
+ 'Object with dangerous content in data attribute is completely removed'
+ ],
+ [
+ 'img[src]',
+ '',
+ '',
+ 'XSS vulnerable attributes starting with on or style are removed via configuration'
+ ],
 ];
 $config = HTMLEditorConfig::get('htmleditorsanitisertest');
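Review bot: The two comments directly above the changed lines are now stale: `// Matches "javascript:" with any arbitrary linebreaks inbetween the characters.` no longer describes a `\s*` separator, which (as the new tab test shows) matches any whitespace, and `// Strip out javascript execution in href or src attributes.` omits the newly covered `data` attribute. Suggest `// Matches "javascript:" with any whitespace (linebreaks, tabs, spaces) between the characters.` and `// Strip out javascript execution in href, src or data attributes.` Separately, this check is a denylist of a single URL scheme; if sanitise() does not elsewhere restrict these attributes to an allowlist of permitted schemes (http, https, mailto, relative URLs), that would be the more robust control, but the rest of the method is not visible from this hunk. sanitise() begins and ends outside the hunk.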
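Review bot: The new test description `'Javascript with tab elements the src attribute of an iframe is completely removed'` reads awkwardly; `'Javascript with tab characters in the src attribute of an iframe is completely removed'` states what the case checks. The fixture and expected-HTML strings in the added entries appear here as empty literals, presumably stripped in rendering, so the assertions themselves cannot be verified from this view. The last added case (`img[src]`, attributes removed "via configuration") exercises the element/attribute configuration rather than the regex change in the first hunk, which its description could say explicitly so the intent of the test stays clear. testSanitisation() begins and ends outside the hunk.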