Merge pull request #10585 from creative-commoners/pulls/4.11/cve-2022-37430

Sanitise mixed case javascript

src/Forms/HTMLEditor/HTMLEditorSanitiser.php

@@ -347,7 +347,7 @@ class HTMLEditorSanitiser
                 }
 
                 // Matches "javascript:" with any arbitrary linebreaks inbetween the characters.
-                $regex = '/^\s*' . implode('\v*', str_split('javascript:')) . '/';
+                $regex = '/^\s*' . implode('\v*', str_split('javascript:')) . '/i';
                 // Strip out javascript execution in href or src attributes.
                 foreach (['src', 'href'] as $dangerAttribute) {
                     if ($el->hasAttribute($dangerAttribute)) {

tests/php/Forms/HTMLEditor/HTMLEditorSanitiserTest.php

@@ -98,6 +98,12 @@ class HTMLEditorSanitiserTest extends FunctionalTest
                 '<iframe></iframe>',
                 'Javascript in the src attribute of an iframe is completely removed'
             ],
+            [
+                'iframe[src]',
+                '<iframe src="jAvAsCrIpT:alert(0);"></iframe>',
+                '<iframe></iframe>',
+                'Mixed case javascript in the src attribute of an iframe is completely removed'
+            ],
         ];
 
         $config = HTMLEditorConfig::get('htmleditorsanitisertest');