Forbid javascript scheme

trasher · trasher · commit 081338b2fa3a · 2019-06-20T15:05:43.000+02:00
diff --git a/inc/html.class.php b/inc/html.class.php
@@ -91,6 +91,7 @@ static function clean($value, $striptags = true, $keep_bad = 2) {
             'comment'          => 1, // 1: remove
             'cdata'            => 1, // 1: remove
             'direct_list_nest' => 1, // 1: Allow usage of ul/ol tags nested in other ul/ol tags
+            'schemes'          => 'aim, app, feed, file, ftp, gopher, http, https, !javascript, irc, mailto, news, nntp, sftp, ssh, tel, telnet'
          ]
       );
 

Original file line number	Diff line number	Diff line change
`@@ -91,6 +91,7 @@ static function clean($value, $striptags = true, $keep_bad = 2) {`
`91`	`91`	`'comment' => 1, // 1: remove`
`92`	`92`	`'cdata' => 1, // 1: remove`
`93`	`93`	`'direct_list_nest' => 1, // 1: Allow usage of ul/ol tags nested in other ul/ol tags`
	`94`	`+ 'schemes' => 'aim, app, feed, file, ftp, gopher, http, https, !javascript, irc, mailto, news, nntp, sftp, ssh, tel, telnet'`
`94`	`95`	`]`
`95`	`96`	`);`
`96`	`97`