From 2b5420ee7d6ea29c1096e8aad952dda83862ef08 Mon Sep 17 00:00:00 2001
From: Steve Boyd
Date: Tue, 23 Aug 2022 15:36:48 +1200
Subject: [PATCH] [CVE-2022-37430] Sanitise mixed case javascript
---
 src/Forms/HTMLEditor/HTMLEditorSanitiser.php | 2 +-
 tests/php/Forms/HTMLEditor/HTMLEditorSanitiserTest.php | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/Forms/HTMLEditor/HTMLEditorSanitiser.php b/src/Forms/HTMLEditor/HTMLEditorSanitiser.php
index 09ff3e8a4..b35fcf19a 100644
--- a/src/Forms/HTMLEditor/HTMLEditorSanitiser.php
+++ b/src/Forms/HTMLEditor/HTMLEditorSanitiser.php
@@ -347,7 +347,7 @@ class HTMLEditorSanitiser
 }
 
 // Matches "javascript:" with any arbitrary linebreaks inbetween the characters.
-$regex = '/^\s*' . implode('\v*', str_split('javascript:')) . '/';
+$regex = '/^\s*' . implode('\v*', str_split('javascript:')) . '/i';
 // Strip out javascript execution in href or src attributes.
 foreach (['src', 'href'] as $dangerAttribute) {
 if ($el->hasAttribute($dangerAttribute)) {
diff --git a/tests/php/Forms/HTMLEditor/HTMLEditorSanitiserTest.php b/tests/php/Forms/HTMLEditor/HTMLEditorSanitiserTest.php
index 4b3695274..14f6771a5 100644
--- a/tests/php/Forms/HTMLEditor/HTMLEditorSanitiserTest.php
+++ b/tests/php/Forms/HTMLEditor/HTMLEditorSanitiserTest.php
@@ -98,6 +98,12 @@ class HTMLEditorSanitiserTest extends FunctionalTest
 '',
 'Javascript in the src attribute of an iframe is completely removed'
 ],
+[
+'iframe[src]',
+'',
+'',
+'Mixed case javascript in the src attribute of an iframe is completely removed'
+],
 ];
 
 $config = HTMLEditorConfig::get('htmleditorsanitisertest');
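Review bot: The new `i` flag on the `$regex` line closes the case-variation bypass, but the separator between the scheme characters is still `\v*`, which in PCRE matches only vertical whitespace (LF, VT, FF, CR and the Unicode line separators) and not the horizontal tab; browsers strip ASCII tab, LF and CR from a URL before scheme detection, so a `src` or `href` of `java<TAB>script:alert(1)` would pass this check unchanged and still execute. Because this is a denylist, matching a superset is safe, so `$regex = '/^\s*' . implode('\s*', str_split('javascript:')) . '/i';` covers the tab case as well, and the comment above it should then read `// Matches "javascript:" with any whitespace (including linebreaks) between the characters, in any letter case.`. The leading `^\s*` likewise does not cover other leading C0 control bytes that browsers discard, which is probably a separate follow-up rather than part of this fix. The method containing this code starts and ends outside the hunk, so I cannot see what happens to the attribute after the match.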
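Review bot: The new data-provider entry exercises only `iframe[src]`, while the sanitiser applies the same regex to both `src` and `href`; a second mixed-case entry such as `'a[href]'` with a `JaVaScRiPt:` href would lock in the fix for the other attribute as well. The input and expected strings of the new entry render here as `''` and `''`, which looks like the HTML markup was lost in extraction; if the input really were empty the case would assert nothing, so that is worth confirming against the repository. The provider method containing these entries starts outside the hunk.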