Merge branch 'xss_vulnerability_on_ckeditor' into 'master'

Fixes #1220 Reverted general code logic for XSS attack See merge request !511

Merge branch 'xss_vulnerability_on_ckeditor' into 'master'
Fixes #1220 Reverted general code logic for XSS attack See merge request !511
fc021986 · Uma · 312e5d0b · 7485a71b · fc021986
Commit fc021986 authored 5 years ago by Uma
--- a/include/utils/ListViewUtils.php
+++ b/include/utils/ListViewUtils.php
@@ -675,9 +675,9 @@ function decode_html($str) {
 	global $default_charset;
 	// Direct Popup action or Ajax Popup action should be treated the same.
 	if ((isset($_REQUEST['action']) && $_REQUEST['action'] == 'Popup') || (isset($_REQUEST['file']) && $_REQUEST['file'] == 'Popup'))
-		return purifyHtmlEventAttributes(html_entity_decode($str));
+		return html_entity_decode($str);
 	else
-		return purifyHtmlEventAttributes(html_entity_decode($str, ENT_QUOTES, $default_charset));
+		return html_entity_decode($str, ENT_QUOTES, $default_charset);
 }

 function popup_decode_html($str) {