CVE-2022-0743: Fixed entity sanitization for XSS detection · getgrav/grav@3dd0cab

Cross-site Scripting (XSS) - Stored in GitHub repository getgrav/grav prior to 1.7.31.


Fixed entity sanitization for XSS detection

@w00fz committed Feb 23, 2022

1 parent b992d7f commit 3dd0cabeac9835fe64dcb4b68c658b39f1f6be2f

Showing with 2 additions and 1 deletion.

  1. +1 −0 CHANGELOG.md
  2. +1 −1 system/src/Grav/Common/Security.php

@@ -8,6 +8,7 @@

* Fixed `’mbstring’ extension is not loaded` error, use Polyfill instead [#3504](https://github.com/getgrav/grav/pull/3504)

* Fixed new `Utils::pathinfo()` and `Utils::basename()` being too strict for legacy use [#3542](https://github.com/getgrav/grav/issues/3542)

* Fixed non-standard video html atributes generated by `{{ media.html() }}` [#3540](https://github.com/getgrav/grav/issues/3540)

* Fixed entity sanitization for XSS detection

v1.7.30

02/07/2022
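Review bot: the new entry `* Fixed entity sanitization for XSS detection` is the only line in this hunk without a reference, while each neighbouring entry links its issue or PR number. Since this commit is the fix for CVE-2022-0743, the entry should at least name the CVE so the changelog can be matched to the advisory, e.g. `* Fixed entity sanitization for XSS detection (CVE-2022-0743)`.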

@@ -200,7 +200,7 @@ public static function detectXss($string, array $options = null): ?string

}, $string);

// Clean up entities

$string = preg_replace('!(&#0+[0-9]+)!u’, '$1;’, $string);

$string = preg_replace('!(&#[0-9]+)!u’, '$1;’, $string);

// Decode entities

$string = html_entity_decode($string, ENT_NOQUOTES | ENT_HTML5, ‘UTF-8’);
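Review bot: the two `preg_replace` calls in this hunk overlap and neither guards against an existing terminator. `!(&#[0-9]+)!u` matches everything `!(&#0+[0-9]+)!u` matches, so if both lines survive the change the first is redundant, and either pattern appends `;` even when the reference is already terminated, turning `&#60;` into `&#60;;` before `html_entity_decode` runs. A negative lookahead such as `'!(&#[0-9]+)(?!;)!u'` would terminate only the unterminated references. The `// Clean up entities` comment should also say why the semicolon is added here, namely so that the numeric references are in a form `html_entity_decode` will decode on the following step, since the detection depends on that decoding succeeding.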
