webapp/bookstack
1
0
Fork 0
mirror of https://github.com/BookStackApp/BookStack.git synced 2025-07-31 15:24:31 +03:00
Code Activity

Hardened page content script escaping

Browse Source 
Increased range of tests to cover.

Fixes #1531
This commit is contained in:
Dan Brown
2019-07-10 20:17:22 +01:00
parent a602cdf401
commit c732970f6e
2 changed files with 50 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
app/Entities/Repos/EntityRepo.php
View File

@ -760,13 +760,13 @@ class EntityRepo
$xPath = new DOMXPath($doc);
// Remove standard script tags
$scriptElems = $xPath->query('//body//*//script');
$scriptElems = $xPath->query('//script');
foreach ($scriptElems as $scriptElem) {
$scriptElem->parentNode->removeChild($scriptElem);
}
// Remove 'on*' attributes
$onAttributes = $xPath->query('//body//*/@*[starts-with(name(), \'on\')]');
$onAttributes = $xPath->query('//@*[starts-with(name(), \'on\')]');
foreach ($onAttributes as $attr) {
/** @var \DOMAttr $attr*/
$attrName = $attr->nodeName;