[CVE-2022-37430] Sanitise mixed case javascript

2022-08-23 15:36:48 +12:00 · 2022-08-23 15:36:48 +12:00 · 2b5420ee7d
parent a7c8ce8d0c
commit 2b5420ee7d
2 changed files with 7 additions and 1 deletions
--- a/src/Forms/HTMLEditor/HTMLEditorSanitiser.php
+++ b/src/Forms/HTMLEditor/HTMLEditorSanitiser.php
@ -347,7 +347,7 @@ class HTMLEditorSanitiser
                }

                // Matches "javascript:" with any arbitrary linebreaks inbetween the characters.
-                $regex = '/^\s*' . implode('\v*', str_split('javascript:')) . '/';
+                $regex = '/^\s*' . implode('\v*', str_split('javascript:')) . '/i';
                // Strip out javascript execution in href or src attributes.
                foreach (['src', 'href'] as $dangerAttribute) {
                    if ($el->hasAttribute($dangerAttribute)) {
--- a/tests/php/Forms/HTMLEditor/HTMLEditorSanitiserTest.php
+++ b/tests/php/Forms/HTMLEditor/HTMLEditorSanitiserTest.php
@ -98,6 +98,12 @@ class HTMLEditorSanitiserTest extends FunctionalTest
                '<iframe></iframe>',
                'Javascript in the src attribute of an iframe is completely removed'
            ],
+            [
+                'iframe[src]',
+                '<iframe src="jAvAsCrIpT:alert(0);"></iframe>',
+                '<iframe></iframe>',
+                'Mixed case javascript in the src attribute of an iframe is completely removed'
+            ],
        ];

        $config = HTMLEditorConfig::get('htmleditorsanitisertest');