From f58dea6a5abec4da2b14eb808221b3f28d6160d0 Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite
Date: Sun, 13 Apr 2025 00:01:09 +0200
Subject: SimplePie forbit formaction attribute (#7506)

Sanitize buttons with a form or formaction attribute.
---
 lib/lib_rss.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'lib/lib_rss.php')

diff --git a/lib/lib_rss.php b/lib/lib_rss.php
index 4fb4fdef9..73e1c62f0 100644
--- a/lib/lib_rss.php
+++ b/lib/lib_rss.php
@@ -348,7 +348,8 @@ function customSimplePie(array $attributes = [], array $curl_options = []): \Sim
 ]);
 $simplePie->rename_attributes(['id', 'class']);
 $simplePie->strip_attributes(array_merge($simplePie->strip_attributes, [
- 'autoplay', 'class', 'onload', 'onunload', 'onclick', 'ondblclick', 'onmousedown', 'onmouseup',
+ 'autoplay', 'class', 'form', 'formaction',
+ 'onload', 'onunload', 'onclick', 'ondblclick', 'onmousedown', 'onmouseup',
 'onmouseover', 'onmousemove', 'onmouseout', 'onfocus', 'onblur', 'onkeypress', 'onkeydown',
 'onkeyup', 'onselect', 'onchange', 'seamless', 'sizes', 'srcdoc', 'srcset']));
 $simplePie->add_attributes([
-- 
cgit v1.2.3
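Review bot: The added `'form', 'formaction'` entries leave the other submission-override attributes of the same HTML family in place — `formmethod`, `formenctype` and `formtarget` are not in the deny-list. With `form` and `formaction` stripped a button can only influence a form it is nested in, so their remaining impact is small, but stripping them together keeps the list consistent and avoids a second follow-up commit: `'autoplay', 'class', 'form', 'formaction', 'formenctype', 'formmethod', 'formtarget',`. Whether SimplePie's default tag stripping already removes `form` elements from item content is not visible in this hunk; if it does, these attribute entries are a defence-in-depth layer rather than the primary control, which is worth stating in a short comment above the list. customSimplePie begins and ends outside the hunk.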