Please, see source code of the page to see how the following looks:
empty onsomething event here
empty style attribute here
This is because the check around line 1140 is not completelt accurate.
The fix could look like this:
// the attribute list ends with a valueless attribute like "selected"
if ($mode == 1 && $attrname != 'style' && substr($attrname, 0, 2) != 'on') {
$attrarr[] = $attrname;
}
I cannot think of any way to include a value for those attributes, so it doesn't look critical, but anyway...
| Comment | File | Size | Author |
|---|---|---|---|
| #5 | filter_attribute_end.patch | 1.25 KB | mr.baileys |
| #4 | filter_attribute_end.patch | 1.52 KB | mr.baileys |
| #1 | filter-skip-last-empty-too.patch | 597 bytes | wrwrwr |
Comments
Comment #1
wrwrwr commentedAh, yes, seems quite harmless, but a valueless style or event passes through the filter as a last attribute. I would add a skip check in this case too, just for sanity.
Comment #2
wrwrwr commentedComment #4
mr.baileysNeeded a re-roll after _filter_xss_attributes() was moved to common.inc in #470632: Move filter_xss*() into common.inc. Added a test to prevent regressions.
Comment #5
mr.baileysPrevious patch contained a stray underscore.
Comment #6
dries commentedThis looks RTBC to me. Updating status.
Comment #7
aspilicious commented#5: filter_attribute_end.patch queued for re-testing.
Comment #8
dries commentedCommitted to CVS HEAD. Thanks.