Merge pull request from GHSA-xw2r-f8xv-c8xp

add missing html attributes to be filtered against XSS
matthieu-rolland · Aug 7, 2023 · fee6b0a · fee6b0a
2 parents 70f0344 + e3c71f2
commit fee6b0a
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/classes/Validate.php b/classes/Validate.php
@@ -512,6 +512,7 @@ public static function isCleanHtml($html, $allow_iframe = false)
         $events .= '|ondragleave|ondragover|ondragstart|ondrop|onerrorupdate|onfilterchange|onfinish|onfocusin|onfocusout|onhashchange|onhelp|oninput|onlosecapture|onmessage|onmouseup|onmovestart';
         $events .= '|onoffline|ononline|onpaste|onpropertychange|onreadystatechange|onresizeend|onresizestart|onrowenter|onrowexit|onrowsdelete|onrowsinserted|onscroll|onsearch|onselectionchange';
         $events .= '|onselectstart|onstart|onstop|onanimationcancel|onanimationend|onanimationiteration|onanimationstart';
+        $events .= '|onpointerover|onpointerenter|onpointerdown|onpointermove|onpointerup|onpointerout|onpointerleave|onpointercancel|ongotpointercapture|onlostpointercapture';
 
         if (preg_match('/<[\s]*script/ims', $html) || preg_match('/(' . $events . ')[\s]*=/ims', $html) || preg_match('/.*script\:/ims', $html)) {
             return false;