Added iframe JS and data url escaping

Related to #1531
Dan Brown
2019-08-06 21:08:24 +01:00
parent 4de719b325
commit 2955f414dd
2 changed files with 40 additions and 0 deletions


@ -765,6 +765,12 @@ class EntityRepo
$scriptElem->parentNode->removeChild($scriptElem);
}
// Remove data or JavaScript iFrames
$badIframes = $xPath->query('//*[contains(@src, \'data:\')] | //*[contains(@src, \'javascript:\')]');
foreach ($badIframes as $badIframe) {
$badIframe->parentNode->removeChild($badIframe);
}
// Remove 'on*' attributes
$onAttributes = $xPath->query('//@*[starts-with(name(), \'on\')]');
foreach ($onAttributes as $attr) {
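Review bot: The new `$badIframes` query tests the `src` value with XPath `contains()`, which is case-sensitive, so a scheme written in a different letter case is not matched by the `'data:'` / `'javascript:'` tests and the element is kept. Lower-casing the attribute before comparing closes that gap, e.g. `contains(translate(@src, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'abcdefghijklmnopqrstuvwxyz'), 'javascript:')`, with the same treatment for `data:`. The query also selects `//*` rather than `//iframe`, so despite the comment it removes any element whose `src` contains those substrings anywhere (presumably including inline `data:` images), and it does not look at an iframe's `srcdoc`; the comment should state the intended scope, and a test with mixed-case input would pin the behaviour. The enclosing method begins and ends outside this hunk.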