CVE-2022-0743: Fixed entity sanitization for XSS detection · getgrav/grav@3dd0cab
Cross-site Scripting (XSS) - Stored in GitHub repository getgrav/grav prior to 1.7.31.
Fixed entity sanitization for XSS detection
w00fz committed
Feb 23, 2022
1 parent b992d7f commit 3dd0cabeac9835fe64dcb4b68c658b39f1f6be2f
Showing with 2 additions and 1 deletion.
- +1 −0 CHANGELOG.md
- +1 −1 system/src/Grav/Common/Security.php
@@ -8,6 +8,7 @@
* Fixed `’mbstring’ extension is not loaded` error, use Polyfill instead [#3504](https://github.com/getgrav/grav/pull/3504)
* Fixed new `Utils::pathinfo()` and `Utils::basename()` being too strict for legacy use [#3542](https://github.com/getgrav/grav/issues/3542)
* Fixed non-standard video html atributes generated by `{{ media.html() }}` [#3540](https://github.com/getgrav/grav/issues/3540)
* Fixed entity sanitization for XSS detection
v1.7.30
02/07/2022
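Review bot: the new changelog line "Fixed entity sanitization for XSS detection" carries no reference, while each of the three entries above it links its ticket (`#3504`, `#3542`, `#3540`). Because this is the fix for a stored XSS (CVE-2022-0743 per the page title), suggest appending the CVE id and naming the affected function, e.g. `* Fixed entity sanitization for XSS detection in Security::detectXss() (CVE-2022-0743)`, so that anyone scanning the changelog for security-relevant changes can find it.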
@@ -200,7 +200,7 @@ public static function detectXss($string, array $options = null): ?string
}, $string);
// Clean up entities
$string = preg_replace('!(�+[0-9]+)!u’, '$1;’, $string);
$string = preg_replace('!(&#[0-9]+)!u’, '$1;’, $string);
// Decode entities
$string = html_entity_decode($string, ENT_NOQUOTES | ENT_HTML5, ‘UTF-8’);
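Review bot: the replaced pattern (shown garbled here as `�+[0-9]+`, the `&#0+[0-9]+` form) only appended the terminating `;` to decimal entities written with leading zeros, so an unterminated decimal entity without them was handed to `html_entity_decode()` unchanged and could escape detection; the new `!(&#[0-9]+)!u` pattern covers every decimal numeric entity, which is the right fix. Two follow-ups on the same line: first, hexadecimal references (`&#x..`) are matched by neither the old nor the new pattern, so suggest a second clean-up pass of the form `preg_replace('!(&#[xX][0-9a-fA-F]+)!u', '$1;', $string)` or a comment stating why they are out of scope; second, the replacement `$1;` is applied even when the entity already ends in `;`, producing `&#60;;`, which leaves a stray `;` in the decoded string. Harmless for detection, but `'!(&#[0-9]+);?!u'` would avoid it.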