Commit
Fix stored XSS security issue: do not allow unsanitized HTML
francoisjacquet committed Apr 26, 2022
1 parent be5bf17 commit 90842ca
Showing 2 changed files with 5 additions and 5 deletions.
2 changes: 1 addition & 1 deletion CHANGES.md
@@ -3,7 +3,7 @@

Changes in 8.9.5
----------------
- Fix stored XSS security issue: do not allow unsanitized XML in FileUpload.fnc.php, thanks to @nhienit2010
- Fix stored XSS security issue: do not allow unsanitized XML & HTML in FileUpload.fnc.php, thanks to @nhienit2010
- Fix stored XSS security issue: escape HTML attribute in StudentAssignments.fnc.php, thanks to @dungtuanha

Changes in 8.9.4
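Review bot: the updated changelog entry does not say what the fix actually does; "do not allow unsanitized XML & HTML" reads as if input is now sanitized, while the accompanying change removes `.xhtml`, `.html` and `.htm` from the upload extension whitelist in FileUpload.fnc.php. Suggest naming the removed extensions so administrators know that uploads of those file types are now rejected, e.g. "remove .html, .htm and .xhtml (in addition to .xml) from the FileUpload.fnc.php extension whitelist".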
8 changes: 4 additions & 4 deletions ProgramFunctions/FileUpload.fnc.php
@@ -839,11 +839,11 @@ function FileExtensionWhiteList() {
'.msg',
'.vcf',
// Web.
// @since 8.9.5 Fix stored XSS security issue: do not allow unsanitized XML
// @since 8.9.5 Fix stored XSS security issue: do not allow unsanitized XML & HTML
// '.xml',
'.xhtml',
'.html',
'.htm',
// '.xhtml',
// '.html',
// '.htm',
'.css',
'.rss',
// Compressed.
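Review bot: the `.rss` entry immediately below the removed lines is left in the whitelist, although `.xml` was dropped under the same "@since 8.9.5" comment because XML uploads were not sanitized and RSS is an XML format; either remove it for consistency or record in the comment why it is considered safe to keep. Two further points worth noting in the comment or the commit: this change only affects new uploads, so files already stored with the `.html`, `.htm`, `.xhtml` (and `.xml`) extensions are not touched, and an extension whitelist does not inspect file contents, so serving uploaded files with a `Content-Disposition: attachment` header and `X-Content-Type-Options: nosniff` would be a complementary mitigation that does not depend on this list.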