strip script tags from XSLT block stylesheets
Guite committed Sep 20, 2021
1 parent a43c7bd commit bc5a435e82ca005e51c990a9b348492039570425
Showing with 8 additions and 0 deletions.
  1. +1 −0 CHANGELOG-3.0.md
  2. +7 −0 src/system/BlocksModule/Block/XsltBlock.php
@@ -8,6 +8,7 @@
- Fixes:
- [CoreBundle] More robust autoloader detection.
- [CoreBundle] Add `flex-wrap` class to pagination for responsive behaviour ([bs#23504](https://github.com/twbs/bootstrap/issues/23504)).
- [Blocks] Strip script tags from XSLT block stylesheets.
- [Categories] Sanitize context menu in admin category list.
- [Theme] Fix resolving assets location on Windows if Zikula is installed in a sub directory (#4480).
- [Permissions] Correctly handle non-existing username during permission testing.
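Review bot: The new `[Blocks]` entry has no issue or advisory reference, unlike the `(#4480)` entry two lines below it, and nothing marks it as a sanitization fix that site operators should prioritize. Consider linking the tracking issue and wording it so that administrators who allow editors to supply XSLT block stylesheets can tell this release changes how those stylesheets are handled.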
@@ -38,6 +38,13 @@ public function display(array $properties): string
} else {
$doc->loadXML($properties['stylecontents']);
}

// remove scripts
$scriptTags = $doc->getElementsByTagName('script');
foreach ($scriptTags as $scriptTag) {
$scriptTag->parentNode->removeChild($scriptTag);
}

$xsl->importStyleSheet($doc);

// load xml source
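Review bot: The `foreach ($scriptTags as $scriptTag)` loop removes nodes from the live `DOMNodeList` returned by `getElementsByTagName('script')` while iterating it, so each `removeChild` shifts the list and the next match can be skipped; with two `script` elements in the stylesheet, the second can survive. Iterate over a snapshot instead, for example `foreach (iterator_to_array($scriptTags) as $scriptTag)`, or walk the list backwards from `$scriptTags->length - 1`. Separately, the lookup matches only elements whose tag name in the stylesheet source is exactly `script`, and it runs on the stylesheet before `importStyleSheet`, so it does not constrain what the transformation emits; sanitizing the transformed output as well would be the more robust control. A unit test with a stylesheet containing several `script` elements would catch the first problem and guard against regressions.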
