From 3e1b58176a3cc8a60f1dd7b5c9c2991809d3686b Mon Sep 17 00:00:00 2001
From: Axel Guckelsberger
Date: Mon, 20 Sep 2021 11:24:31 +0200
Subject: [PATCH] strip script tags from XSLT block stylesheets
---
 Block/XsltBlock.php | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/Block/XsltBlock.php b/Block/XsltBlock.php
index e17e6c9..6d9876f 100644
--- a/Block/XsltBlock.php
+++ b/Block/XsltBlock.php
@@ -38,6 +38,13 @@ public function display(array $properties): string
 } else {
 $doc->loadXML($properties['stylecontents']);
 }
+
+ // remove scripts
+ $scriptTags = $doc->getElementsByTagName('script');
+ foreach ($scriptTags as $scriptTag) {
+ $scriptTag->parentNode->removeChild($scriptTag);
+ }
+
 $xsl->importStyleSheet($doc);

 // load xml source
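Review bot: The added loop deletes nodes from the live `DOMNodeList` returned by `getElementsByTagName('script')` while iterating it, so the list re-indexes after each `removeChild` and adjacent `script` elements can be skipped and still reach `importStyleSheet`. Snapshot the list before removing, e.g. `foreach (iterator_to_array($scriptTags) as $scriptTag) {`. Stripping literal `script` elements from the stylesheet is also only a partial control, since a stylesheet can produce script-capable markup in its output by other means and the XML source loaded afterwards is not filtered here. The more robust fix is to sanitize the transformed result against an allow-list before `display()` returns it, with a comment such as `// defence in depth only; the transformed output is sanitized below` on this block. `display()` starts and ends outside this hunk, so whether the result is already sanitized further down cannot be confirmed from here.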