From fe13856769492a9bf584c824843153864cf8c725 Mon Sep 17 00:00:00 2001
From: Steve Boyd
Date: Mon, 21 Nov 2022 13:06:40 +1300
Subject: [PATCH] [CVE-2022-37429] Sanitise XSS

---
 src/Forms/HTMLEditor/HTMLEditorSanitiser.php | 4 ++--
 .../HTMLEditor/HTMLEditorSanitiserTest.php | 24 +++++++++++++++++++
 2 files changed, 26 insertions(+), 2 deletions(-)

diff --git a/src/Forms/HTMLEditor/HTMLEditorSanitiser.php b/src/Forms/HTMLEditor/HTMLEditorSanitiser.php
index b35fcf19a..a075d98fa 100644
--- a/src/Forms/HTMLEditor/HTMLEditorSanitiser.php
+++ b/src/Forms/HTMLEditor/HTMLEditorSanitiser.php
@@ -347,9 +347,9 @@ class HTMLEditorSanitiser
 }

 // Matches "javascript:" with any arbitrary linebreaks inbetween the characters.
- $regex = '/^\s*' . implode('\v*', str_split('javascript:')) . '/i';
+ $regex = '/^\s*' . implode('\s*', str_split('javascript:')) . '/i';
 // Strip out javascript execution in href or src attributes.
- foreach (['src', 'href'] as $dangerAttribute) {
+ foreach (['src', 'href', 'data'] as $dangerAttribute) {
 if ($el->hasAttribute($dangerAttribute)) {
 if (preg_match($regex, $el->getAttribute($dangerAttribute))) {
 $el->removeAttribute($dangerAttribute);
diff --git a/tests/php/Forms/HTMLEditor/HTMLEditorSanitiserTest.php b/tests/php/Forms/HTMLEditor/HTMLEditorSanitiserTest.php
index 14f6771a5..3d5c3d5c6 100644
--- a/tests/php/Forms/HTMLEditor/HTMLEditorSanitiserTest.php
+++ b/tests/php/Forms/HTMLEditor/HTMLEditorSanitiserTest.php
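Review bot: The context comment `// Strip out javascript execution in href or src attributes.` directly above the changed `foreach` is now stale, because the new list also covers `data`; update it to `// Strip out javascript execution in href, src or data attributes.`. The check remains a deny-list on one scheme: `preg_match` only rejects values that start with `javascript:` (with whitespace between the characters), so an allow-list on the parsed scheme (e.g. `http`, `https`, `mailto`, plus scheme-less/relative URLs) would fail closed rather than relying on enumerating what must be rejected. On the `if (preg_match(...))` context line, `preg_match()` returns `false` on a PCRE error and the bare truthiness test then keeps the attribute; `if (preg_match($regex, $el->getAttribute($dangerAttribute)) !== 0)` would drop it on error instead. `$regex` is also rebuilt for every element the sanitiser visits and could be a class constant; the enclosing method starts and ends outside this hunk.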
@@ -104,6 +104,30 @@ class HTMLEditorSanitiserTest extends FunctionalTest
 '',
 'Mixed case javascript in the src attribute of an iframe is completely removed'
 ],
+ [
+ 'iframe[src]',
+ "",
+ '',
+ 'Javascript with tab elements the src attribute of an iframe is completely removed'
+ ],
+ [
+ 'object[data]',
+ '',
+ '',
+ 'Object with OK content in the data attribute is retained'
+ ],
+ [
+ 'object[data]',
+ '',
+ '',
+ 'Object with dangerous content in data attribute is completely removed'
+ ],
+ [
+ 'img[src]',
+ '',
+ '',
+ 'XSS vulnerable attributes starting with on or style are removed via configuration'
+ ],
 ];

 $config = HTMLEditorConfig::get('htmleditorsanitisertest');
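Review bot: The description of the first added case, `'Javascript with tab elements the src attribute of an iframe is completely removed'`, is missing a preposition; `'Javascript with tab characters in the src attribute of an iframe is completely removed'` reads correctly. In this rendering the input and expected columns of the four new cases show as `""`/`''`, so the fixture markup cannot be checked here — presumably the HTML was stripped on extraction. Since the sanitiser change widened the matcher from vertical whitespace to `\s*` and added `data` to the attribute list, a companion case with a space or newline between the scheme characters in an `object[data]` value would pin the broadened behaviour for the newly covered attribute as well.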