diff --git a/phpgwapi/inc/class.egw_htmLawed.inc.php b/phpgwapi/inc/class.egw_htmLawed.inc.php
index be3512422d..d1c6c7eca2 100644
--- a/phpgwapi/inc/class.egw_htmLawed.inc.php
+++ b/phpgwapi/inc/class.egw_htmLawed.inc.php
@@ -83,6 +83,7 @@ class egw_htmLawed
 'balance'=>0,//turn off tag-balancing (config['balance']=>0). That will not introduce any security risk; only standards-compliant tag nesting check/filtering will be turned off (basic tag-balance will remain; i.e., there won't be any unclosed tag, etc., after filtering)
 'tidy'=>1,
 'elements' => "* -script",
+ 'deny_attribute' => 'on*',
 'schemes'=>'href: file, ftp, http, https, mailto; src: cid, data, file, ftp, http, https; *:file, http, https',
 'hook_tag' =>"hl_my_tag_transform",
 );
@@ -172,13 +173,10 @@ function hl_my_tag_transform($element, $attribute_array=0)
 }
 */
- // unwanted javascript
- static $pregFindScript = '/\b(on(before)?(abort|blur|change|click|dblclick|error|focus|keydown|keypress|keyup|load|mousedown|mousemove|mouseout|mouseover|mouseup|reset|select|submit|unload))\b/i';
 // Build the attributes string
 $attributes = '';
 foreach($attribute_array as $k=>$v){
- //error_log(__METHOD__.__LINE__.' '.$k.'->'.preg_match($preg,$k));
- if (!preg_match($pregFindScript,$k)) $attributes .= " {$k}=\"{$v}\"";
+ $attributes .= " {$k}=\"{$v}\"";
 }
 // Return the opening tag with attributes
@@ -273,13 +271,10 @@ function hl_email_tag_transform($element, $attribute_array=0)
 }
- // unwanted javascript
- static $pregFindScript = '/\b(on(before)?(abort|blur|change|click|dblclick|error|focus|keydown|keypress|keyup|load|mousedown|mousemove|mouseout|mouseover|mouseup|reset|select|submit|unload))\b/i';
 // Build the attributes string
 $attributes = '';
 foreach($attribute_array as $k=>$v){
- //error_log(__METHOD__.__LINE__.' '.$k.'->'.preg_match($preg,$k));
- if (!preg_match($pregFindScript,$k)) $attributes .= " {$k}=\"{$v}\"";
+ $attributes .= " {$k}=\"{$v}\"";
 }
 // Return the opening tag with attributes
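Review bot: The new `'deny_attribute' => 'on*'` entry becomes the only thing stripping event-handler attributes, because the later hunks delete the per-hook regex, so it is worth confirming that the htmLawed build bundled with this class actually expands the `on*` wildcard — a release that predates that feature treats it as a literal attribute name and silently denies nothing. Pin the behaviour with a regression test along the lines of `assert(stripos(egw_htmLawed::run('<b onpointerdown="x">y</b>'), 'onpointerdown') === false);` (the exact entry point is outside this hunk). I would also record the dependency inline: `'deny_attribute' => 'on*', // strip every on* event handler here; the hook_tag callbacks no longer filter them`. If callers can supply their own `$Config` that replaces rather than merges this array (not visible here), a caller omitting this key reinstates the injection vector the old regex covered.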
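Review bot: After this change hl_my_tag_transform re-emits every attribute it is handed as `" {$k}=\"{$v}\""`, so its safety now rests entirely on htmLawed applying `deny_attribute` and the scheme checks before it invokes `hook_tag`; that ordering is not visible in this hunk and deserves a comment above the loop, e.g. `// $attribute_array arrives pre-filtered by htmLawed (deny_attribute, schemes); no event-handler filtering happens here`. Note also that `$v` is interpolated into a double-quoted attribute without escaping — presumably htmLawed has already encoded `"` as `&quot;`, but if it has not, a value containing `"` can break out of the attribute and introduce new ones. hl_my_tag_transform begins and ends outside this hunk.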
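Review bot: hl_email_tag_transform keeps a second verbatim copy of the attribute-building loop found in hl_my_tag_transform, and the regexes this commit removes were duplicated the same way; with all filtering now delegated to htmLawed this is a good moment to fold the loop into one shared helper so any future fix to attribute quoting lands in both hooks at once. A one-liner such as `function hl_build_attributes(array $attribute_array) { $attributes = ''; foreach ($attribute_array as $k => $v) { $attributes .= " {$k}=\"{$v}\""; } return $attributes; }` called from both hooks would do. The same caveat about `{$v}` being interpolated into a double-quoted attribute unescaped applies here. hl_email_tag_transform begins and ends outside this hunk.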