Commit e4be0eb7 authored by Dries's avatar Dries

- Patch #327331 by mr.baileys, wrwrwr: fix filter_xss() to not allow empty...

- Patch #327331 by mr.baileys, wrwrwr: fix filter_xss() to not allow empty style/on* attributes at end of opening tag.
parent a1277471
......@@ -1441,7 +1441,7 @@ function _filter_xss_attributes($attr) {
}
// The attribute list ends with a valueless attribute like "selected".
if ($mode == 1) {
if ($mode == 1 && !$skip) {
$attrarr[] = $attrname;
}
return $attrarr;
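Review bot: The comment above the changed condition still describes only the valueless-attribute case, so the security reason for consulting `$skip` is not visible where the check is made. I would reword it to `// The attribute list ends with a valueless attribute like "selected"; drop it when it is a style or on* attribute.` The assignment of `$skip` is not in this hunk; presumably it is set where the attribute name is parsed, and it is worth confirming that it is always assigned before `$mode` becomes 1. The body of `_filter_xss_attributes()` starts outside the hunk.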
......
......@@ -912,6 +912,9 @@ class FilterUnitTestCase extends DrupalUnitTestCase {
$f = _filter_html('<p onerror="alert(0);" />', $filter);
$this->assertNoNormalized($f, 'onerror', t('HTML filter should remove on* attributes on default.'));
$f = _filter_html('<code onerror>&nbsp;</code>', $filter);
$this->assertNoNormalized($f, 'onerror', t('HTML filter should remove empty on* attributes on default.'));
}
/**
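Review bot: The added assertion covers only a valueless `onerror`, while the commit message says the fix also applies to an empty `style` attribute, and that half is left untested. Adding `$f = _filter_html('<code style>&nbsp;</code>', $filter);` followed by `$this->assertNoNormalized($f, 'style', t('HTML filter should remove empty style attributes on default.'));` would pin it. A companion assertion that a harmless valueless attribute is still kept would guard against the filter becoming over-strict, provided the test setup allows such an attribute through. The enclosing test method starts outside the hunk.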
......