mirror/php-e107
1
0
Fork 0
mirror of https://github.com/e107inc/e107.git synced 2025-08-03 21:27:25 +02:00
Code Issues Releases Wiki Activity

Fixes #4486 - Invalid attributes not being fully filtered.

Browse Source
This commit is contained in:
Cameron
2021-04-12 11:13:37 -07:00
parent 444d8d6dc0
commit 8f7ab86413
2 changed files with 8 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
e107_handlers/e_parse_class.php
View File

@@ -4955,6 +4955,7 @@ class e_parse
continue; continue;
} }
$removeAttributes = array();
foreach($node->attributes as $attr) foreach($node->attributes as $attr)
{ {
$name = $attr->nodeName; $name = $attr->nodeName;
@@ -4962,8 +4963,6 @@ class e_parse
$allow = isset($this->allowedAttributes[$tag]) ? $this->allowedAttributes[$tag] : $this->allowedAttributes['default']; $allow = isset($this->allowedAttributes[$tag]) ? $this->allowedAttributes[$tag] : $this->allowedAttributes['default'];
$removeAttributes = array();
if(!in_array($name, $allow)) if(!in_array($name, $allow))
{ {

8
e107_tests/tests/unit/e_parseTest.php
View File

@@ -2635,7 +2635,13 @@ Your browser does not support the audio tag.
14 => array( 14 => array(
'html' => '<script>alert(1)</script>', // test removal of 'script' tags 'html' => '<script>alert(1)</script>', // test removal of 'script' tags
'expected' => '' 'expected' => ''
) ),
15 => array(
'html' => '<iframe width="640" height="360" frameborder="0" allowfullscreen src="http://nowhere.com" this-attribute-should-be-removed="value1" this-attribute-should-also-be-removed="value2"></iframe>',
'expected' => '<iframe width="640" height="360" frameborder="0" allowfullscreen="" src="http://nowhere.com"></iframe>'
),
); );