public/tt-rss
1
0
Fork 0
mirror of https://git.tt-rss.org/git/tt-rss.git synced 2025-12-25 08:31:29 +00:00
Code Issues Releases Wiki Activity

Merge branch 'patch-strip-harmful-tags' into 'master'

Browse Source 
Remove href attribute if it executes JavaScript.

Security update to prevent A tags with a `javascript:` href from actually executing the JavaScript.

See merge request !31
This commit is contained in:
Andrew Dolgov
2016-08-07 22:21:45 +03:00
parent 4800746386 d8b0f06705
commit 3b4d9619e9
1 changed files with 4 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
include/functions2.php
View File

@@ -1064,6 +1064,10 @@
array_push($attrs_to_remove, $attr);
}
if ($attr->nodeName == 'href' && stripos($attr->value, 'javascript:') === 0) {
array_push($attrs_to_remove, $attr);
}
if (in_array($attr->nodeName, $disallowed_attributes)) {
array_push($attrs_to_remove, $attr);
}