From: JustAMacUser <donotreply@example.org>
Date: Sat, 6 Aug 2016 18:07:30 +0000 (-0400)
Subject: Remove href attribute if it executes JavaScript.
X-Git-Tag: 16.8~2^2
X-Git-Url: https://git.wh0rd.org/?a=commitdiff_plain;h=d8b0f06705812ef9e4ee4b1943f53dd82743db19;p=tt-rss.git

Remove href attribute if it executes JavaScript.
---

diff --git a/include/functions2.php b/include/functions2.php
index aab73d34..dceea507 100644
--- a/include/functions2.php
+++ b/include/functions2.php
@@ -1064,6 +1064,10 @@
 						array_push($attrs_to_remove, $attr);
 					}
 
+					if ($attr->nodeName == 'href' && stripos($attr->value, 'javascript:') === 0) {
+						array_push($attrs_to_remove, $attr);
+					}
+
 					if (in_array($attr->nodeName, $disallowed_attributes)) {
 						array_push($attrs_to_remove, $attr);
 					}