HTML purification to remove suspicious attributes.

include/utils/VtlibUtils.php

@@ -648,6 +648,7 @@ function vtlib_purify($input, $ignore=false) {
 				}
 			} else { // Simple type
 				$value = $__htmlpurifier_instance->purify($input);
+				$value = purifyHtmlEventAttributes($value);
 			}
 		}
 		$purified_cache[$md5OfInput] = $value;
@@ -656,6 +657,23 @@ function vtlib_purify($input, $ignore=false) {
 	return $value;
 }
 
+/**
+ * To purify malicious html event attributes
+ * @param <String> $value
+ * @return <String>
+ */
+function purifyHtmlEventAttributes($value){
+    $htmlEventAttributes = "onerror|onblur|onchange|oncontextmenu|onfocus|oninput|oninvalid|".
+                        "onreset|onsearch|onselect|onsubmit|onkeydown|onkeypress|onkeyup|".
+                        "onclick|ondblclick|ondrag|ondragend|ondragenter|ondragleave|ondragover|".
+                        "ondragstart|ondrop|onmousedown|onmousemove|onmouseout|onmouseover|".
+                        "onmouseup|onmousewheel|onscroll|onwheel|oncopy|oncut|onpaste";
+    if(preg_match("/\s(".$htmlEventAttributes.")\s*=/i", $value)) {
+        $value = str_replace("=", "&equals;", $value);
+    }
+    return $value;
+}
+
 /**
  * Function to return the valid SQl input.
  * @param <String> $string