xss: Stored XSS/Domain Whitelist Bypass
This mitigates a vulnerability reported by haxatron on
[huntr.dev](https://huntr.dev/) where one can bypass the Domain Whitelist
and potentially store XSS via iFrame tags. This adds a new section to the
iFrame REGEX that checks for `@` and denies the iFrame if one exists.
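To show what the `@` check in the commit message changes, here is an added example (not osTicket's code, written for this page) that rebuilds the `src(match=...)` pattern before and after the commit and runs a few constructed iframe `src` values through it. The whitelist entries and URLs are placeholders; a third, tighter pattern that also requires the host to end at `/` or end-of-string is a suggestion that goes beyond the commit.

```python
import re

# Constructed whitelist for this example; osTicket builds $whitelist from
# its own settings. As in the PHP, entries are joined with '|' unescaped.
WHITELIST = ["youtube.com", "vimeo.com"]
ALT = "|".join(WHITELIST)

# Pattern before the commit: anchored at the start only, so the match may
# stop right after the whitelisted host and ignore whatever follows.
BEFORE = re.compile(r"^(https?:)?//(www\.)?(" + ALT + r")/?", re.I)

# Pattern after the commit: a tail group that forbids '@' after the host
# and anchors at '$', so the whole src must be free of '@'.
AFTER = re.compile(r"^(https?:)?//(www\.)?(" + ALT + r")/?([^@]*)$", re.I)

# Suggested tightening (not in the commit): the host must be followed by
# '/' or the end of the string, so trailing host labels are rejected too.
TIGHTER = re.compile(r"^(https?:)?//(www\.)?(" + ALT + r")(/[^@]*)?$", re.I)


def src_allowed(src, pattern=AFTER):
    """Return True if the iframe src satisfies the given whitelist pattern."""
    return pattern.search(src) is not None


if __name__ == "__main__":
    # Constructed sample src values (placeholders, not real hosts).
    samples = [
        "https://www.youtube.com/embed/abc",
        "//vimeo.com",
        "https://youtube.com@other.example/x",     # userinfo before host
        "https://youtube.com.other.example/x",     # extra host labels
    ]
    for src in samples:
        verdicts = (src_allowed(src, BEFORE), src_allowed(src, AFTER),
                    src_allowed(src, TIGHTER))
        print(f"{src:45} before={verdicts[0]!s:5} after={verdicts[1]!s:5} "
              f"tighter={verdicts[2]}")
```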
JediKev committed Oct 7, 2021
1 parent e90d3be commit 4b4da5bee78b4241654571e1698eec0d42d79dc9
Showing 1 changed file with 1 addition and 1 deletion.
@@ -341,7 +341,7 @@ function safe_html($html, $options=array()) {
$config['elements'] = '*+iframe';
$config['spec'] = 'iframe=-*,height,width,type,style,src(match="`^(https?:)?//(www\.)?('
.implode('|', $whitelist)
.')/?`i"),frameborder'.($options['spec'] ? '; '.$options['spec'] : '').',allowfullscreen';
.')/?([^@]*)$`i"),frameborder'.($options['spec'] ? '; '.$options['spec'] : '').',allowfullscreen';
}

return Format::html($html, $config);
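Review bot: the new `([^@]*)$` tail only rejects a literal `@`; the host in the changed `spec` line is still followed by nothing more than an optional `/`, so any `src` that begins with a whitelisted name and contains no `@` is accepted up to `$`. Consider terminating the host explicitly, e.g. `.')(/[^@]*)?$`i"),frameborder'`, and passing the entries through `preg_quote()` before the `implode('|', $whitelist)` since they are inserted into the pattern unescaped. A one-line comment stating why `@` is excluded (it would introduce a userinfo part ahead of the real host) would help the next reader of this regex.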
