<svg.*on.*?>|<img.*on.*?> はマッチする範囲が広すぎるため onload|onerror に限定する

EC-CUBE · May 12, 2021 · 55ba242 · 55ba242
1 parent e7c989b
commit 55ba242
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/data/smarty_extends/modifier.script_escape.php b/data/smarty_extends/modifier.script_escape.php
@@ -9,7 +9,7 @@ function smarty_modifier_script_escape($value)
 {
     if (is_array($value)) return $value;
 
-    $pattern = "/<script.*?>|<\/script>|javascript:|<svg.*on.*?>|<img.*on.*?>|<body.*onload.*?>|<iframe.*?>|<object.*?>|<embed.*?>|<.*onmouse.*?>/i";
+    $pattern = "/<script.*?>|<\/script>|javascript:|<svg.*(onload|onerror).*?>|<img.*(onload|onerror).*?>|<body.*onload.*?>|<iframe.*?>|<object.*?>|<embed.*?>|<.*onmouse.*?>/i";
     $convert = '#script tag escaped#';
 
     if (preg_match_all($pattern, $value, $matches)) {