Fixed XSS check not detecting onX events without quotes

This commit is contained in:
Matias Griese
2022-03-30 13:26:11 +03:00
parent a092aed4ed
commit 1c0ed43afa
2 changed files with 4 additions and 2 deletions


@@ -5,6 +5,7 @@
* When saving yaml and markdown, create also a cached version of the file and recompile it in opcache
2. [](#bugfix)
* Fixed missing changes in yaml & markdown files if saved multiple times during the same second because of a caching issue
* Fixed XSS check not detecting onX events without quotes
# v1.7.32
## 03/28/2022


@@ -219,7 +219,8 @@ class Security
$string = html_entity_decode($string, ENT_NOQUOTES | ENT_HTML5, 'UTF-8');
// Strip whitespace characters
$string = preg_replace('!\s!u', '', $string);
$string = preg_replace('!\s!u', ' ', $string);
$stripped = preg_replace('!\s!u', '', $string);
// Set the patterns we'll test against
$patterns = [
@@ -242,7 +243,7 @@ class Security
// Iterate over rules and return label if fail
foreach ($patterns as $name => $regex) {
if (!empty($enabled_rules[$name])) {
if (preg_match($regex, $string) || preg_match($regex, $orig)) {
if (preg_match($regex, $string) || preg_match($regex, $stripped) || preg_match($regex, $orig)) {
return $name;
}
}
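Review bot: The comment `// Strip whitespace characters` in the first hunk now sits directly above the line that replaces whitespace with single spaces, so it only describes `$stripped` two lines later and a reader will assume `$string` is still whitespace-free; suggest replacing it with `// Normalise whitespace to single spaces (stripping it glued unquoted attribute values onto a following on*= handler), and keep a fully stripped copy for patterns that whitespace could otherwise split`. In the second hunk, `preg_replace` returns null on a PCRE error and `preg_match` returns false on one, and both read as "no match" in the `||` chain, so an error in any of the three checks fails open rather than closed; this is pre-existing for `$string` and `$orig`, but the new `$stripped` branch inherits it, and a `=== false` check that treats an error as a hit would close it. The enclosing method starts before the first hunk and continues past the second.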