SimplePie forbit formaction attribute (#7506)

Sanitize buttons with a form or formaction attribute.
author: Alexandre Alapetite <alexandre@alapetite.fr> 2025-04-13 00:01:09 +0200
committer: GitHub <noreply@github.com> 2025-04-13 00:01:09 +0200
commit: f58dea6a5abec4da2b14eb808221b3f28d6160d0 (patch)
tree: 3fa5421631a0f833257fae999febc551e05ab0d2 /lib/lib_rss.php
parent: be73c6d6694beb6d68b90b6e59223a397676b303 (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/lib/lib_rss.php b/lib/lib_rss.php
index 4fb4fdef9..73e1c62f0 100644
--- a/lib/lib_rss.php
+++ b/lib/lib_rss.php
@@ -348,7 +348,8 @@ function customSimplePie(array $attributes = [], array $curl_options = []): \Sim
 	]);
 	$simplePie->rename_attributes(['id', 'class']);
 	$simplePie->strip_attributes(array_merge($simplePie->strip_attributes, [
-		'autoplay', 'class', 'onload', 'onunload', 'onclick', 'ondblclick', 'onmousedown', 'onmouseup',
+		'autoplay', 'class', 'form', 'formaction',
+		'onload', 'onunload', 'onclick', 'ondblclick', 'onmousedown', 'onmouseup',
 		'onmouseover', 'onmousemove', 'onmouseout', 'onfocus', 'onblur',
 		'onkeypress', 'onkeydown', 'onkeyup', 'onselect', 'onchange', 'seamless', 'sizes', 'srcdoc', 'srcset']));
 	$simplePie->add_attributes([
author	Alexandre Alapetite <alexandre@alapetite.fr>	2025-04-13 00:01:09 +0200
committer	GitHub <noreply@github.com>	2025-04-13 00:01:09 +0200
commit	f58dea6a5abec4da2b14eb808221b3f28d6160d0 (patch)
tree	3fa5421631a0f833257fae999febc551e05ab0d2 /lib/lib_rss.php
parent	be73c6d6694beb6d68b90b6e59223a397676b303 (diff)