fixes #GHSA-f8v5-jmfh-pr69

getgrav · May 6, 2024 · b6bba9e · b6bba9e
1 parent 77adfcb
commit b6bba9e
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/system/src/Grav/Common/Security.php b/system/src/Grav/Common/Security.php
@@ -225,7 +225,7 @@ public static function detectXss($string, array $options = null): ?string
         // Set the patterns we'll test against
         $patterns = [
             // Match any attribute starting with "on" or xmlns
-            'on_events' => '#(<[^>]+[[a-z\x00-\x20\"\'\/])([\s\/]on|\sxmlns)[a-z].*=>?#iUu',
+            'on_events' => '#(<[^>]+[a-z\x00-\x20\"\'\/])(on[a-z]+|xmlns)\s*=[\s|\'\"].*[\s|\'\"]>#iUu',
 
             // Match javascript:, livescript:, vbscript:, mocha:, feed: and data: protocols
             'invalid_protocols' => '#(' . implode('|', array_map('preg_quote', $invalid_protocols, ['#'])) . ')(:|\&\#58)\S.*?#iUu',
@@ -279,6 +279,7 @@ public static function cleanDangerousTwig(string $string): string
             'twig.getFunction',
             'core.setEscaper',
             'twig.safe_functions',
+            'read_file',
         ];
         $string = preg_replace('/(({{\s*|{%\s*)[^}]*?(' . implode('|', $bad_twig) . ')[^}]*?(\s*}}|\s*%}))/i', '{# $1 #}', $string);
         return $string;