Commit

Merge branch 'hotfix/31-xss-bypass'
darylldoyle committed Oct 21, 2019
2 parents 83f1bbc + 38767c1 commit 51ca4b7
Showing 3 changed files with 5 additions and 1 deletion.
2 changes: 1 addition & 1 deletion src/Sanitizer.php
Expand Up @@ -21,7 +21,7 @@ class Sanitizer
/**
* Regex to catch script and data values in attributes
*/
const SCRIPT_REGEX = '/(?:\w+script|data):/xi';
const SCRIPT_REGEX = '/(?:\w+script|data)(?:\s)?:/xi';

/**
* @var \DOMDocument
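
Review bot: In the new `SCRIPT_REGEX`, `(?:\s)?` admits at most one whitespace character between the scheme name and the colon, so a value with two or more whitespace characters in that position still falls outside the pattern. Using `\s*` would cover any run of whitespace, and the non-capturing group around a single `\s` is not needed either way. The docblock above the constant still reads "Regex to catch script and data values in attributes" and could note that whitespace before the colon is now tolerated. The two added SVG fixtures are not rendered on this page, so it is worth confirming that they exercise the whitespace case this hotfix targets.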
2 changes: 2 additions & 0 deletions tests/data/hrefCleanOne.svg
2 changes: 2 additions & 0 deletions tests/data/hrefTestOne.svg

1 comment on commit 51ca4b7

@larowlan

Will there be a new tag for this, as we'd like to update downstream to pin to versions with this fix?

Thanks in advance.
