From 3e7e3de554ac35653bf1a094d4694a8c43ccf289 Mon Sep 17 00:00:00 2001
From: hannes
Date: Wed, 13 Jan 2016 16:01:27 +0000
Subject: [PATCH] don't allow cdata elements in purified html
---
 lib/util.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/lib/util.php b/lib/util.php
index 1d973d7100..156a40a5cb 100644
--- a/lib/util.php
+++ b/lib/util.php
@@ -581,7 +581,8 @@ function common_purify($html)
 $config = array('safe' => 1, // means that elements=* means elements=*-applet-embed-iframe-object-script or so
 'elements' => '*',
- 'deny_attribute' => 'id,style,on*');
+ 'deny_attribute' => 'id,style,on*',
+ 'cdata' => 1);
 // Remove more elements than what the 'safe' filter gives (elements must be '*' before this)
 // http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/htmLawed_README.htm#s3.6
@@ -2458,4 +2459,4 @@ function html_sprintf()
 function _ve($var)
 {
 return var_export($var, true);
-}
+}
\ No newline at end of file
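Review bot: The new `'cdata' => 1` entry in the htmLawed config is an undocumented magic value, and nothing in the hunk shows that 1 is the value which actually keeps CDATA sections out of the purified output. htmLawed's `cdata` option is multi-valued (its README §3.3 distinguishes removing a CDATA section, keeping it as neutralised text, and passing it through), and as far as I recall 0 is the removing value while the `safe => 1` shortcut on the line above already implies one of these settings — so the explicit 1 should be checked against the bundled extlib version rather than assumed to tighten things. I would pin the intent next to the value: `'cdata' => 1);  // CDATA sections must not pass through as markup; see htmLawed README s3.3 for the 0/1/2/3 meanings`. A regression test that purifies `<![CDATA[<script>alert(1)</script>]]>` and asserts no `<script` survives in the result would settle which value is correct. common_purify's body starts before this hunk and continues after it.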