Disallow all on attributes

glpi-project · Mar 5, 2019 · 83259d8 · 83259d8
1 parent 3c04b73
commit 83259d8
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/inc/html.class.php b/inc/html.class.php
@@ -3548,7 +3548,9 @@ static function initEditorSystem($name, $rand = '', $display = true, $readonly =
          // init editor
          tinyMCE.init({
             language: '$language',
-            invalid_elements: 'form,iframe',
+            invalid_elements: 'form,iframe,script,@[onclick|ondblclick|'
+               + 'onmousedown|onmouseup|onmouseover|onmousemove|onmouseout|onkeypress|'
+               + 'onkeydown|onkeyup]',
             browser_spellcheck: true,
             mode: 'exact',
             elements: '$name',