diff --git a/src/Forms/HTMLEditor/HTMLEditorSanitiser.php b/src/Forms/HTMLEditor/HTMLEditorSanitiser.php
index 9cc194de1..1caff953e 100644
--- a/src/Forms/HTMLEditor/HTMLEditorSanitiser.php
+++ b/src/Forms/HTMLEditor/HTMLEditorSanitiser.php
@@ -345,6 +345,17 @@ class HTMLEditorSanitiser
foreach ($elementRule->attributesForced as $attr => $forced) {
$el->setAttribute($attr, $forced);
}
+
+ // Matches "javascript:" with any arbitrary linebreaks inbetween the characters.
+ $regex = '/^\s*' . implode('\v*', str_split('javascript:')) . '/';
+ // Strip out javascript execution in href or src attributes.
+ foreach (['src', 'href'] as $dangerAttribute) {
+ if ($el->hasAttribute($dangerAttribute)) {
+ if (preg_match($regex, $el->getAttribute($dangerAttribute))) {
+ $el->removeAttribute($dangerAttribute);
+ }
+ }
+ }
}
if ($el->tagName === 'a' && $linkRelValue !== null) {
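Review bot: The scheme check on the added regex line is case-sensitive, so an `href` of `JavaScript:` or `JAVASCRIPT:` passes untouched even though browsers compare the scheme case-insensitively; the pattern also only tolerates vertical whitespace (`\v`) between the letters, whereas browsers strip embedded ASCII tabs as well as newlines before resolving the URL, so `java&#9;script:` (a literal tab once DOMDocument decodes the entity) would survive. Both are fixed by one change to the regex: `$regex = '/^\s*' . implode('\s*', str_split('javascript:')) . '/i';`. The leading `^\s*` is reasonable since attribute values are already entity-decoded at this point, but it would be worth a comment that the match is deliberately on the decoded value as seen by `getAttribute`, e.g. `// Compare against the decoded attribute value; case-insensitive and tolerant of whitespace because browsers ignore both.` The enclosing loop over elements starts before this hunk, so whether `$el->hasAttribute` is reached for every element type is not visible here.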
diff --git a/tests/php/Forms/HTMLEditor/HTMLEditorSanitiserTest.php b/tests/php/Forms/HTMLEditor/HTMLEditorSanitiserTest.php
index 97da89c97..6c1ba3b0d 100644
--- a/tests/php/Forms/HTMLEditor/HTMLEditorSanitiserTest.php
+++ b/tests/php/Forms/HTMLEditor/HTMLEditorSanitiserTest.php
@@ -74,6 +74,30 @@ class HTMLEditorSanitiserTest extends FunctionalTest
'Test',
'noopener rel attribute is unchanged when link_rel_value is null'
],
+ [
+ 'a[href|target|rel]',
+ 'Test',
+ 'Test',
+ 'Javascript in the href attribute of a link is completely removed'
+ ],
+ [
+ 'a[href|target|rel]',
+ 'Test',
+ 'Test',
+ 'Javascript in the href attribute of a link is completely removed even for multiline markup'
+ ],
+ [
+ 'map[name],area[href|shape|coords]',
+ '',
+ '',
+ 'Javascript in the href attribute of a map\'s clickable area is completely removed'
+ ],
+ [
+ 'iframe[src]',
+ '',
+ '',
+ 'Javascript in the src attribute of an iframe is completely removed'
+ ],
];
$config = HTMLEditorConfig::get('htmleditorsanitisertest');
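Review bot: The four added cases, going by their descriptions, all exercise a lowercase `javascript:` scheme with linebreaks inside it; none pins the mixed-case form (`JavaScript:`) or an embedded horizontal tab, which are the variants most likely to regress if the sanitiser regex is later tightened or rewritten. Adding one row per variant, with the same expected output as the existing `a[href|target|rel]` rows, would document that coverage; the markup of the input and expected strings appears to have been stripped in this rendering, so their exact content cannot be checked here. The data-provider array that these rows belong to starts before the hunk.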