author | Andrew Dolgov <[email protected]> | 2016-08-07 22:21:45 +0300 |
committer | Andrew Dolgov <[email protected]> | 2016-08-07 22:21:45 +0300 |
commit | 3b4d9619e90659c16225595a4bbe9b1e6610eb43 (patch) | |
tree | 7fad819ac042937d5ce97880db69199b7fdb14f5 | |
parent | 48007463861d8db8b2b79c2f4f54e0564edb0ec0 (diff) | |
parent | d8b0f06705812ef9e4ee4b1943f53dd82743db19 (diff) |
Merge branch 'patch-strip-harmful-tags' into 'master'
Remove href attribute if it executes JavaScript.
Security update to prevent A tags with a `javascript:` href from actually executing the JavaScript.
See merge request !31
-rw-r--r-- | include/functions2.php | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/include/functions2.php b/include/functions2.php
index aab73d342..dceea507e 100644
--- a/include/functions2.php
+++ b/include/functions2.php
@@ -1064,6 +1064,10 @@
 array_push($attrs_to_remove, $attr);
 }
 
+ if ($attr->nodeName == 'href' && stripos($attr->value, 'javascript:') === 0) {
+ array_push($attrs_to_remove, $attr);
+ }
+
 if (in_array($attr->nodeName, $disallowed_attributes)) {
 array_push($attrs_to_remove, $attr);
 } |
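Review bot: The new `href` check compares the raw attribute value with `stripos($attr->value, 'javascript:') === 0`, so a value carrying leading whitespace or other prefix noise that browsers tolerate when resolving a URL is not caught, and only the single `javascript:` scheme on the single `href` attribute is denied. A more robust form is an allowlist on the parsed scheme rather than a denylist of one scheme, e.g. `$scheme = strtolower((string) parse_url(trim($attr->value), PHP_URL_SCHEME));` followed by `if ($attr->nodeName === 'href' && $scheme !== '' && !in_array($scheme, ['http', 'https', 'mailto'], true)) {` — the exact allowlist should follow whatever link schemes the reader already accepts. The `==` on `nodeName` should be `===` to match the strict comparison already used on the same line. Whether other URL-bearing attributes such as `src` or `formaction` reach this branch or are already covered by `$disallowed_attributes` is not visible here and is worth confirming. The enclosing function and the loop over attributes begin and end outside the hunk.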