From 276fa927c0c86add2ad50ea52a4da8f4e74e5d0b Mon Sep 17 00:00:00 2001
From: Oscar Recio <oscar.recio@interactiv4.com>
Date: Mon, 18 Nov 2024 13:33:10 +0100
Subject: [PATCH 1/2] Update ConfigurableWYSIWYGValidator.php

---
 .../Framework/Validator/HTML/ConfigurableWYSIWYGValidator.php   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/internal/Magento/Framework/Validator/HTML/ConfigurableWYSIWYGValidator.php b/lib/internal/Magento/Framework/Validator/HTML/ConfigurableWYSIWYGValidator.php
index b1009b946c6a3..bf4e9567e1273 100644
--- a/lib/internal/Magento/Framework/Validator/HTML/ConfigurableWYSIWYGValidator.php
+++ b/lib/internal/Magento/Framework/Validator/HTML/ConfigurableWYSIWYGValidator.php
@@ -19,7 +19,7 @@ class ConfigurableWYSIWYGValidator implements WYSIWYGValidatorInterface
      * @var string
      */
     private static string $xssFiltrationPattern =
-        '/((javascript(\\\\x3a|:|%3A))|(data(\\\\x3a|:|%3A))|(vbscript:)|(script)|(alert\())|'
+        '/((javascript(\\\\x3a|:|%3A))|(data(\\\\x3a|:|%3A))|(vbscript:)|(script\b)|(alert\())|'
         . '((\\\\x6A\\\\x61\\\\x76\\\\x61\\\\x73\\\\x63\\\\x72\\\\x69\\\\x70\\\\x74(\\\\x3a|:|%3A))|'
         . '(\\\\x64\\\\x61\\\\x74\\\\x61(\\\\x3a|:|%3A)))/i';
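Review bot: The trailing `\b` added on line 19 only stops the bare `script` alternative from firing when `script` is the prefix of a longer word, so `class="description"` now passes but values such as `class="transcript"` or `id="postscript-footer"` are still rejected, while `<script>` stays caught because `>` is a non-word character. If the intent is to match `script` as a standalone word, `(\bscript\b)` would cover both sides; `javascript(:|...)` and `vbscript:` keep their own alternatives, though a bare `javascript` with no scheme separator would then no longer be caught by this alternative, and whether that is relied on is not visible here. The pattern has no `u` modifier, so `\b` is evaluated byte-wise; that is fail-closed (a multibyte character after `script` still counts as a boundary), but the reasoning deserves a comment on the property, e.g. `// \b: reject 'script' only as a whole word so e.g. 'description' is allowed; '<script>' still matches since '<' and '>' are non-word chars`.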
 

From 39fb5034bf427ac698e87574bc593831148e2620 Mon Sep 17 00:00:00 2001
From: Ihor Sviziev <ihor.sviziev@ven.com>
Date: Tue, 19 Nov 2024 12:06:17 +0100
Subject: [PATCH 2/2] xssFiltrationPattern boundary script tag restriction

Cover the case with a unit test
---
 .../Validator/HTML/ConfigurableWYSIWYGValidatorTest.php  | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/lib/internal/Magento/Framework/Test/Unit/Validator/HTML/ConfigurableWYSIWYGValidatorTest.php b/lib/internal/Magento/Framework/Test/Unit/Validator/HTML/ConfigurableWYSIWYGValidatorTest.php
index cbc8b27bd2eeb..38dced3daf9b8 100644
--- a/lib/internal/Magento/Framework/Test/Unit/Validator/HTML/ConfigurableWYSIWYGValidatorTest.php
+++ b/lib/internal/Magento/Framework/Test/Unit/Validator/HTML/ConfigurableWYSIWYGValidatorTest.php
@@ -166,6 +166,15 @@ public static function getConfigurations(): array
                 [],
                 ['div' => ['src' => false]]
             ],
+            'valid-allowed-tag-with-script-in-class-name' => [
+                ['div'],
+                ['class', 'src'],
+                [],
+                '<div class="product-description">this is a product description</div>',
+                true,
+                [],
+                ['div' => ['src' => false]]
+            ],
             'invalid-allowed-tag-attributes' => [
                 ['a'],
                 ['href'],
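Review bot: The new dataset on lines 42-50 pins only the positive side of the boundary change (`product-description` is accepted); nothing in this hunk asserts that the `\b` still rejects `script` as a standalone word in an attribute value, so a later regression (e.g. dropping the alternative entirely) would go unnoticed by this test. A companion negative case with the same tag/attribute configuration would make the unit test cover both edges of the fix; whether an existing dataset elsewhere in the provider already rejects `<script>` is not visible in this hunk. Also worth a look: the allowed attributes `['class', 'src']` and the `['div' => ['src' => false]]` expectation appear copied from the preceding case, and only `class` is exercised here.
```php
// … unchanged: 'valid-allowed-tag-with-script-in-class-name' dataset …
'invalid-allowed-tag-with-script-word-in-class-name' => [
    ['div'],
    ['class'],
    [],
    '<div class="product script">this is a product description</div>',
    false,
    [],
    []
],
// … unchanged: 'invalid-allowed-tag-attributes' dataset …
```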