From afc69a3229bb6fe120b2c1ea27bc6f196ed7284d Mon Sep 17 00:00:00 2001
From: Matias Griese
Date: Mon, 25 Oct 2021 20:37:59 +0300
Subject: [PATCH 1/3] Fixed XSS detection with `:`
---
 CHANGELOG.md | 1 +
 system/src/Grav/Common/Security.php | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5bf8e14e0..45c4b5a1a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,7 @@
  * Fixed a bug in `PermissionsReader` in PHP 7.3
  * Fixed `session_store_active` language option (#3464)
  * Fixed deprecated warnings on `ArrayAccess` in PHP 8.1
+ * Fixed XSS detection with `:`
 
 # v1.7.23
 ## 09/29/2021
diff --git a/system/src/Grav/Common/Security.php b/system/src/Grav/Common/Security.php
index 55aa54593..fe259d8ba 100644
--- a/system/src/Grav/Common/Security.php
+++ b/system/src/Grav/Common/Security.php
@@ -203,7 +203,7 @@ class Security
 $string = preg_replace('!(�+[0-9]+)!u', '$1;', $string);
 
 // Decode entities
- $string = html_entity_decode($string, ENT_NOQUOTES, 'UTF-8');
+ $string = html_entity_decode($string, ENT_NOQUOTES | ENT_HTML5, 'UTF-8');
 
 // Strip whitespace characters
 $string = preg_replace('!\s!u', '', $string);
From af4243aff267996021560a982274f10bb9dcf5e6 Mon Sep 17 00:00:00 2001
From: Matias Griese
Date: Tue, 26 Oct 2021 19:22:56 +0300
Subject: [PATCH 2/3] User `authorize()` now checks user groups before superuser, allowing deny rules to work
---
 CHANGELOG.md | 2 ++
 .../src/Grav/Common/Flex/Types/Users/UserObject.php | 12 +++++++-----
 system/src/Grav/Common/Page/Pages.php | 2 +-
 3 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 45c4b5a1a..a7ff259e2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
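Review bot: The added `ENT_HTML5` flag on the `html_entity_decode` call is the entire fix, yet the `// Decode entities` comment above it gives no hint why the flag matters, so a later "cleanup" could drop it and silently reopen the bypass. I would extend the comment to: `// Decode entities. ENT_HTML5 is required so HTML5-only named entities such as &colon; are decoded too, e.g. "javascript&colon;" -> "javascript:" before the pattern checks below run.` Since the subject ties the fix to `:`, a regression test asserting that a payload written with `&colon;` is still flagged would pin the behaviour against future flag changes. As far as I can tell `ENT_NOQUOTES` still leaves quote entities (`&quot;`, `&apos;`) undecoded, so quote-dependent payloads rely on the later checks rather than this normalisation — presumably intended, but worth confirming. The enclosing method starts before and ends after this hunk.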
@@ -4,6 +4,8 @@
 1. [](#new)
  * Added support for image watermarks
  * Added support to disable a form, making it readonly
+2. [](#improved)
+ * User `authorize()` now checks user groups before superuser, allowing deny rules to work
 3. [](#bugfix)
  * Fixed a bug in `PermissionsReader` in PHP 7.3
  * Fixed `session_store_active` language option (#3464)
diff --git a/system/src/Grav/Common/Flex/Types/Users/UserObject.php b/system/src/Grav/Common/Flex/Types/Users/UserObject.php
index 02caee4aa..424e5ebef 100644
--- a/system/src/Grav/Common/Flex/Types/Users/UserObject.php
+++ b/system/src/Grav/Common/Flex/Types/Users/UserObject.php
@@ -274,6 +274,7 @@ class UserObject extends FlexObject implements UserInterface, Countable
 }
 }
 
+ // Check custom application access.
 $authorizeCallable = static::$authorizeCallable;
 if ($authorizeCallable instanceof Closure) {
 $authorizeCallable->bindTo($this);
@@ -290,13 +291,14 @@ class UserObject extends FlexObject implements UserInterface, Countable
 return $authorized;
 }
 
- // If specific rule isn't hit, check if user is super user.
- if ($access->authorize('admin.super') === true) {
- return true;
+ // Check group access.
+ $authorized = $this->getGroups()->authorize($action, $scope);
+ if (is_bool($authorized)) {
+ return $authorized;
 }
 
- // Check group access.
- return $this->getGroups()->authorize($action, $scope);
+ // If any specific rule isn't hit, check if user is a superuser.
+ return $access->authorize('admin.super') === true;
 }
 
 /**
diff --git a/system/src/Grav/Common/Page/Pages.php b/system/src/Grav/Common/Page/Pages.php
index 941c9a7b3..9e5d47db0 100644
--- a/system/src/Grav/Common/Page/Pages.php
+++ b/system/src/Grav/Common/Page/Pages.php
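Review bot: The reordered tail of `authorize()` now lets an explicit group-level `false` for `$action` override `admin.super`, which is the intended deny-rule behaviour but also a security-relevant change in resolution order that the method's docblock (outside this hunk) should state, e.g. `Resolution order: the user's own rules, the authorize callable, group rules, then admin.super as a last resort; an explicit group deny is NOT overridden by admin.super.` Because `is_bool($authorized)` distinguishes an explicit `false` from a no-rule `null`, the superuser fallback on the last line is only reached when no group has an opinion, so a deny placed on a widely shared group can now lock every superuser out of that action — worth a sentence in the upgrade notes rather than only the changelog. A regression test covering both paths (superuser in a group that denies the action returns `false`; superuser whose groups have no rule returns `true`) would pin the ordering against a future "optimisation" that moves the super check back up. Where the user's own rules are evaluated is not visible here, so I am inferring that order from `$access` being defined before this hunk; the enclosing method begins before it.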
@@ -649,7 +649,7 @@ class Pages
 $cmd = $value;
 $params = [];
 } elseif (is_array($value) && count($value) === 1 && !is_int(key($value))) {
- // Format: @command.param: { attr1: value1, attr2: value2 }
+ // Format: @command.param: { attr1: value1, attr2: value2 }
 $cmd = (string)key($value);
 $params = (array)current($value);
 } else {
From 53c7f4c1198bfcd394a242db745ad3edf570b16c Mon Sep 17 00:00:00 2001
From: Matias Griese
Date: Tue, 26 Oct 2021 19:25:41 +0300
Subject: [PATCH 3/3] Changelog update
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index a7ff259e2..17cc37618 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,7 +5,7 @@
  * Added support for image watermarks
  * Added support to disable a form, making it readonly
 2. [](#improved)
- * User `authorize()` now checks user groups before superuser, allowing deny rules to work
+ * Flex `$user->authorize()` now checks user groups before `admin.super`, allowing deny rules to work properly
 3. [](#bugfix)
  * Fixed a bug in `PermissionsReader` in PHP 7.3
  * Fixed `session_store_active` language option (#3464)