From d5e890d0421fbbedc5ad420ee0826e16cb31d56e Mon Sep 17 00:00:00 2001
From: prasad <prasad@vtiger.com>
Date: Mon, 21 Mar 2016 16:39:48 +0530
Subject: [PATCH] HTML purification to remove suspicious attributes.

---
 include/utils/VtlibUtils.php | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/include/utils/VtlibUtils.php b/include/utils/VtlibUtils.php
index 24a0bfc9e..57852c7b8 100644
--- a/include/utils/VtlibUtils.php
+++ b/include/utils/VtlibUtils.php
@@ -648,6 +648,7 @@ function vtlib_purify($input, $ignore=false) {
 				}
 			} else { // Simple type
 				$value = $__htmlpurifier_instance->purify($input);
+				$value = purifyHtmlEventAttributes($value);
 			}
 		}
 		$purified_cache[$md5OfInput] = $value;
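Review bot: The new pass on line `$value = purifyHtmlEventAttributes($value);` runs only in the "Simple type" else-branch, and the first branch (the one closing at the `}` above it) is outside this hunk, so I cannot confirm whether non-simple inputs (presumably arrays handled element by element) ever reach it; if that branch purifies elements without going back through this function, they skip the new check. Worth confirming, and worth a short comment on the new line, e.g. `// post-pass on the purifier output: neutralise on* event handlers the purifier config still lets through`, because a reader will otherwise assume HTMLPurifier alone is trusted here. Note also that whatever the pass produces is stored in `$purified_cache[$md5OfInput]`, so any mangling it does (see the function itself) is cached per input. vtlib_purify's body starts and ends outside this hunk.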
@@ -656,6 +657,23 @@ function vtlib_purify($input, $ignore=false) {
 	return $value;
 }
 
+/**
+ * To purify malicious html event attributes
+ * @param <String> $value
+ * @return <String>
+ */
+function purifyHtmlEventAttributes($value){
+    $htmlEventAttributes = "onerror|onblur|onchange|oncontextmenu|onfocus|oninput|oninvalid|".
+                        "onreset|onsearch|onselect|onsubmit|onkeydown|onkeypress|onkeyup|".
+                        "onclick|ondblclick|ondrag|ondragend|ondragenter|ondragleave|ondragover|".
+                        "ondragstart|ondrop|onmousedown|onmousemove|onmouseout|onmouseover|".
+                        "onmouseup|onmousewheel|onscroll|onwheel|oncopy|oncut|onpaste";
+    if(preg_match("/\s(".$htmlEventAttributes.")\s*=/i", $value)) {
+        $value = str_replace("=", "&equals;", $value);
+    }
+    return $value;
+}
+
 /**
  * Function to return the valid SQl input.
  * @param <String> $string
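Review bot: The regex in purifyHtmlEventAttributes only matches an event attribute preceded by whitespace (`\s(` … `)\s*=`), so payloads such as `<img src="x"onerror=alert(1)>` or `<img/src/onerror=alert(1)>`, where the attribute follows a quote or a slash, are not detected; the hard-coded name list also omits common handlers (onload, onmouseenter, onmouseleave, onanimationstart, ontoggle, the onpointer* family), so a deny-list of names is not a sound boundary here. When a match is found, `str_replace("=", "&equals;", $value)` rewrites every `=` in the whole string, which breaks legitimate `href=`/`src=`/`style=` attributes in the same value, and `&equals;` is decoded back to `=` by any later `html_entity_decode` or by a template that decodes entities before output, so the neutralisation is context-dependent. A tighter replacement that only touches the offending attribute and catches any `on*` name, independent of the separator, would be `return preg_replace('/(?<![\w-])(on[a-z]+)\s*=/i', '$1&equals;', $value) ?? $value;` (the `?? $value` covers a PCRE error, which `preg_replace` reports as null). Since the value has already passed through `$__htmlpurifier_instance->purify()`, and HTMLPurifier strips `on*` attributes under its default allow-list, the need for this post-pass suggests the instance is configured permissively; fixing that configuration (an attribute allow-list) would be the more reliable control, with this function kept only as defence in depth and documented as such.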
-- 
GitLab