From df47eac9b93700bdf3a73e2596e956e14ab1e4f2 Mon Sep 17 00:00:00 2001
From: Angel Fernando Quiroz Campos
Date: Fri, 11 Oct 2024 13:05:38 -0500
Subject: [PATCH] Merge commit from fork

Fix GHSA-8qqw-rjh4-5gp2
---
 main/inc/lib/formvalidator/FormValidator.class.php | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/main/inc/lib/formvalidator/FormValidator.class.php b/main/inc/lib/formvalidator/FormValidator.class.php
index 33221be733e..3224a7dc7a6 100755
--- a/main/inc/lib/formvalidator/FormValidator.class.php
+++ b/main/inc/lib/formvalidator/FormValidator.class.php
@@ -1106,6 +1106,7 @@ public function addHtmlEditor(
         $this->addElement('html_editor', $name, $label, $attributes, $config);
         $this->applyFilter($name, 'trim');
+        $this->applyFilter($name, 'attr_on_filter');
         if ($required) {
             $this->addRule($name, get_lang('ThisFieldIsRequired'), 'required');
         }
@@ -2097,3 +2098,15 @@ function plain_url_filter($html, $mode = NO_HTML)
     return kses_split($html, $allowed_html_fixed, ['http', 'https']);
 }
+
+/**
+ * Prevent execution of event handlers in HTML elements.
+ *
+ * @param string $html
+ * @return string
+ */
+function attr_on_filter($html) {
+    $prefix = uniqid('data-cke-').'-';
+
+    return preg_replace('/(\s)(on)/i', '$1'.$prefix.'$2', $html);
+}
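Review bot: The pattern `/(\s)(on)/i` in attr_on_filter rewrites every whitespace-preceded `on`, not only event-handler attributes, so ordinary editor prose such as "click on the link" or the word "only" is returned as `click data-cke-…-on the link` once the filter registered in the first hunk runs on the submitted value. Restricting the match to an attribute-shaped token, e.g. `return preg_replace('/(\s)(on\w+\s*=)/i', '$1'.$prefix.'$2', $html);`, keeps the neutralisation while leaving text content intact. Even then this is a deny-list anchored on whitespace, and HTML tokenizers also accept an attribute name directly after a closing quote or a slash, so it should be documented and treated as defence in depth next to the kses allow-list that plain_url_filter above already applies, not as the primary control. The new function also takes and returns untyped values; `function attr_on_filter(string $html): string` would match its own docblock, and a null result from preg_replace on a PCRE error should be handled explicitly rather than passed through to the form value.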