Cover more events on XSS regexp and avoid confusion between legitimate words with beginning of "on" and on[Events]

2024-10-05 17:52:03 +02:00 · 2017-03-06 19:12:34 +01:00 · 2017-03-06 19:12:34 +01:00 · 3209484d31
commit 3209484d31
parent 7293967215
1 changed files with 5 additions and 1 deletions
--- a/api/src/loader/security.php
+++ b/api/src/loader/security.php
@ -29,7 +29,11 @@ function _check_script_tag(&$var,$name='',$log=true)
 		// forbidden tags like iframe or script
 		'/(<(\s*\/)?\s*(iframe|script|object|embed|math|meta)[^a-z0-9]|'.
 		// on* attributes
-		'<[^>]*on(before)?(abort|blur|change|click|dblclick|error|focus|keydown|keypress|keyup|load|mouse[^=]+|reset|select|submit|unload|resize|propertychange|page[^=]*|scroll|readystatechange|start|popstate|form[^=]+|input)\s*=|'.
+		'<[^>]*on(before)?(abort|blur|change|click|dblclick|error|focus|keydown|keypress|keyup|load|mouse(out|enter|leave|over|move|up|wheel|down)'.
+		'|cached|beforeunload|online|offline|open|message|close|animation(start|end|iteration)|transition(start|end|run)|reset'.
+		'|beforeprint|afterprint|composition(start|update|end)|fullscreenchange|fullscreenerror|cut|copy|auxclick|contextmenu'.
+		'|wheel|drag(start|end|enter|over|leave)|drop|loadstart|progress|timeout|loadendreset|select|submit|unload|resize'.
+		'|propertychange|page(hide|show)|scroll|readystatechange|start|popstate|form|input)\s*=|'.
 		// ="javascript:*" diverse javascript attribute value
 		'<[^>]+(href|src|dynsrc|lowsrc|background|style|poster|action)\s*=\s*("|\')?[^"\']*javascript|'.
 		// benavior:url and expression in style attribute