[CVE-2022-37430] Sanitise mixed case javascript

This commit is contained in:
Steve Boyd 2022-08-23 15:36:48 +12:00
parent a7c8ce8d0c
commit 2b5420ee7d
2 changed files with 7 additions and 1 deletions

View File

@ -347,7 +347,7 @@ class HTMLEditorSanitiser
}
// Matches "javascript:" with any arbitrary linebreaks inbetween the characters.
$regex = '/^\s*' . implode('\v*', str_split('javascript:')) . '/';
$regex = '/^\s*' . implode('\v*', str_split('javascript:')) . '/i';
// Strip out javascript execution in href or src attributes.
foreach (['src', 'href'] as $dangerAttribute) {
if ($el->hasAttribute($dangerAttribute)) {

View File

@ -98,6 +98,12 @@ class HTMLEditorSanitiserTest extends FunctionalTest
'<iframe></iframe>',
'Javascript in the src attribute of an iframe is completely removed'
],
[
'iframe[src]',
'<iframe src="jAvAsCrIpT:alert(0);"></iframe>',
'<iframe></iframe>',
'Mixed case javascript in the src attribute of an iframe is completely removed'
],
];
$config = HTMLEditorConfig::get('htmleditorsanitisertest');