Fixed XSS check not detecting escaped &#58

2025-02-20 19:56:53 +01:00 · 2022-01-18 12:34:52 +02:00 · 2022-01-18 12:34:52 +02:00 · 6f2fa9311a
commit 6f2fa9311a
parent 61061220d7
3 changed files with 9 additions and 7 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -7,6 +7,8 @@
    * Added twig tag for links: `{% link icon 'theme://images/favicon.png' priority: 20 with { type: 'image/png' } %}`
    * Added `HtmlBlock` support for `{% style %}`, `{% script %}` and `{% link %}` tags
    * Support for page-level `redirect_default_route` frontmatter header override
+3. [](#bugfix)
+    * Fixed XSS check not detecting escaped `&#58`

 # v1.7.27.1
 ## 01/12/2022
--- a/composer.lock
+++ b/composer.lock
@ -4641,16 +4641,16 @@
        },
        {
            "name": "phpstan/phpstan",
-            "version": "1.4.0",
+            "version": "1.4.1",
            "source": {
                "type": "git",
                "url": "https://github.com/phpstan/phpstan.git",
-                "reference": "72b04d97b5e6e60a081f17c416fef35bd521120b"
+                "reference": "5bd02c86beb4c024dd4662b6443f5d5332a0ae12"
            },
            "dist": {
                "type": "zip",
-                "url": "https://api.github.com/repos/phpstan/phpstan/zipball/72b04d97b5e6e60a081f17c416fef35bd521120b",
-                "reference": "72b04d97b5e6e60a081f17c416fef35bd521120b",
+                "url": "https://api.github.com/repos/phpstan/phpstan/zipball/5bd02c86beb4c024dd4662b6443f5d5332a0ae12",
+                "reference": "5bd02c86beb4c024dd4662b6443f5d5332a0ae12",
                "shasum": ""
            },
            "require": {
@ -4681,7 +4681,7 @@
            "description": "PHPStan - PHP Static Analysis Tool",
            "support": {
                "issues": "https://github.com/phpstan/phpstan/issues",
-                "source": "https://github.com/phpstan/phpstan/tree/1.4.0"
+                "source": "https://github.com/phpstan/phpstan/tree/1.4.1"
            },
            "funding": [
                {
@ -4701,7 +4701,7 @@
                    "type": "tidelift"
                }
            ],
-            "time": "2022-01-14T15:58:47+00:00"
+            "time": "2022-01-17T16:35:17+00:00"
        },
        {
            "name": "phpstan/phpstan-deprecation-rules",
--- a/system/src/Grav/Common/Security.php
+++ b/system/src/Grav/Common/Security.php
@ -214,7 +214,7 @@ class Security
            'on_events' => '#(<[^>]+[[a-z\x00-\x20\"\'\/])([\s\/]on|\sxmlns)[a-z].*=>?#iUu',

            // Match javascript:, livescript:, vbscript:, mocha:, feed: and data: protocols
-            'invalid_protocols' => '#(' . implode('|', array_map('preg_quote', $invalid_protocols, ['#'])) . '):\S.*?#iUu',
+            'invalid_protocols' => '#(' . implode('|', array_map('preg_quote', $invalid_protocols, ['#'])) . ')(:|\&\#58)\S.*?#iUu',

            // Match -moz-bindings
            'moz_binding' => '#-moz-binding[a-z\x00-\x20]*:#u',