diff options
| author | Alexandre Alapetite <alexandre@alapetite.fr> | 2025-04-13 00:01:09 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2025-04-13 00:01:09 +0200 |
| commit | f58dea6a5abec4da2b14eb808221b3f28d6160d0 (patch) | |
| tree | 3fa5421631a0f833257fae999febc551e05ab0d2 | |
| parent | be73c6d6694beb6d68b90b6e59223a397676b303 (diff) | |
| download | freshrss-f58dea6a5abec4da2b14eb808221b3f28d6160d0.tar.gz freshrss-f58dea6a5abec4da2b14eb808221b3f28d6160d0.zip | |
SimplePie forbit formaction attribute (#7506)
Sanitize buttons with a form or formaction attribute.
| -rw-r--r-- | lib/lib_rss.php | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/lib/lib_rss.php b/lib/lib_rss.php index 4fb4fdef9..73e1c62f0 100644 --- a/lib/lib_rss.php +++ b/lib/lib_rss.php @@ -348,7 +348,8 @@ function customSimplePie(array $attributes = [], array $curl_options = []): \Sim ]); $simplePie->rename_attributes(['id', 'class']); $simplePie->strip_attributes(array_merge($simplePie->strip_attributes, [ - 'autoplay', 'class', 'onload', 'onunload', 'onclick', 'ondblclick', 'onmousedown', 'onmouseup', + 'autoplay', 'class', 'form', 'formaction', + 'onload', 'onunload', 'onclick', 'ondblclick', 'onmousedown', 'onmouseup', 'onmouseover', 'onmousemove', 'onmouseout', 'onfocus', 'onblur', 'onkeypress', 'onkeydown', 'onkeyup', 'onselect', 'onchange', 'seamless', 'sizes', 'srcdoc', 'srcset'])); $simplePie->add_attributes([ |