Allowed attributes style in AntiXss::class. (#139)

php-forge · Nov 8, 2023 · c3eda15 · c3eda15
1 parent a8dd639
commit c3eda15
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 0 deletions.
diff --git a/src/Helper/Encode.php b/src/Helper/Encode.php
@@ -80,6 +80,7 @@ private static function cleanXSS(string $content): string|array
         $antiXss = new AntiXSS();
 
         $antiXss->removeEvilHtmlTags(['button', 'form', 'input', 'select', 'svg', 'textarea']);
+        $antiXss->removeEvilAttributes(['style']);
 
         return $antiXss->xss_clean($content);
     }

diff --git a/tests/Helper/EncodeTest.php b/tests/Helper/EncodeTest.php
@@ -56,6 +56,10 @@ public function testSantizeXSS(): void
             '<textarea></textarea>',
             Encode::santizeXSS('<textarea><script>alert("XSS")</script></textarea>'),
         );
+        $this->assertSame(
+            '<input type="text" value="test" style="padding-left:20px" oinvalid=""  />',
+            Encode::santizeXSS('<input type="text" value="test" style="padding-left:20px" oinvalid="" onfocus="alert(\'XSS\')" />'),
+        );
     }
 
     /**