From 8f7ab86413840151a98e6997c6370b70ac16d48d Mon Sep 17 00:00:00 2001
From: Cameron <e107inc@gmail.com>
Date: Mon, 12 Apr 2021 11:13:37 -0700
Subject: [PATCH] Fixes #4486 - Invalid attributes not being fully filtered.

---
 e107_handlers/e_parse_class.php       | 3 +--
 e107_tests/tests/unit/e_parseTest.php | 8 +++++++-
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/e107_handlers/e_parse_class.php b/e107_handlers/e_parse_class.php
index 34f64cb4e..865f2a107 100644
--- a/e107_handlers/e_parse_class.php
+++ b/e107_handlers/e_parse_class.php
@@ -4955,6 +4955,7 @@ class e_parse
 				continue;
 			}
 
+			$removeAttributes = array();
 			foreach($node->attributes as $attr)
 			{
 				$name = $attr->nodeName;
@@ -4962,8 +4963,6 @@ class e_parse
 
 				$allow = isset($this->allowedAttributes[$tag]) ? $this->allowedAttributes[$tag] : $this->allowedAttributes['default'];
 
-				$removeAttributes = array();
-
 				if(!in_array($name, $allow))
 				{
 
diff --git a/e107_tests/tests/unit/e_parseTest.php b/e107_tests/tests/unit/e_parseTest.php
index d53d47d8b..741456990 100644
--- a/e107_tests/tests/unit/e_parseTest.php
+++ b/e107_tests/tests/unit/e_parseTest.php
@@ -2635,7 +2635,13 @@ Your browser does not support the audio tag.
 				14 => array(
                     'html'      => '<script>alert(1)</script>', // test removal of 'script' tags
                     'expected'  => ''
-                )
+                ),
+
+                15  => array(
+                    'html'  => '<iframe width="640" height="360" frameborder="0" allowfullscreen src="http://nowhere.com" this-attribute-should-be-removed="value1" this-attribute-should-also-be-removed="value2"></iframe>',
+                    'expected'  => '<iframe width="640" height="360" frameborder="0" allowfullscreen="" src="http://nowhere.com"></iframe>'
+
+				),
 
 
 			);