don't allow cdata elements in purified html

2016-01-13 16:01:27 +00:00 · 2016-01-13 16:01:27 +00:00 · 3e7e3de554
parent c826fe0af4
commit 3e7e3de554
1 changed files with 3 additions and 2 deletions
--- a/lib/util.php
+++ b/lib/util.php
@ -581,7 +581,8 @@ function common_purify($html)

    $config = array('safe' => 1,    // means that elements=* means elements=*-applet-embed-iframe-object-script or so
                    'elements' => '*',
-                    'deny_attribute' => 'id,style,on*');
+                    'deny_attribute' => 'id,style,on*',
+                    'cdata' => 1);

    // Remove more elements than what the 'safe' filter gives (elements must be '*' before this)
    // http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/htmLawed_README.htm#s3.6
@ -2458,4 +2459,4 @@ function html_sprintf()
 function _ve($var)
 {
    return var_export($var, true);
-}
+}