valvin
/
ttrss
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch 'patch-strip-harmful-tags' into 'master' 

Remove href attribute if it executes JavaScript.

Security update to prevent A tags with a `javascript:` href from actually executing the JavaScript.

See merge request !31
This commit is contained in:
Andrew Dolgov 2016-08-07 22:21:45 +03:00
parent 4800746386 d8b0f06705
commit 3b4d9619e9
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
include/functions2.php
View File

@ -1064,6 +1064,10 @@
array_push($attrs_to_remove, $attr); array_push($attrs_to_remove, $attr);
} }
if ($attr->nodeName == 'href' && stripos($attr->value, 'javascript:') === 0) {
array_push($attrs_to_remove, $attr);
}
if (in_array($attr->nodeName, $disallowed_attributes)) { if (in_array($attr->nodeName, $disallowed_attributes)) {
array_push($attrs_to_remove, $attr); array_push($attrs_to_remove, $attr);
} }