From 83259d80aefcb6df594a7309dfd8cd601e5efbed Mon Sep 17 00:00:00 2001
From: Johan Cwiklinski
Date: Tue, 5 Mar 2019 12:49:05 +0100
Subject: [PATCH] Disallow all on attributes

---
 inc/html.class.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/inc/html.class.php b/inc/html.class.php
index 6041fa1c3c1..06fed39e73b 100644
--- a/inc/html.class.php
+++ b/inc/html.class.php
@@ -3548,7 +3548,9 @@ static function initEditorSystem($name, $rand = '', $display = true, $readonly =
 // init editor
 tinyMCE.init({
 language: '$language',
- invalid_elements: 'form,iframe',
+ invalid_elements: 'form,iframe,script,@[onclick|ondblclick|' +
+ 'onmousedown|onmouseup|onmouseover|onmousemove|onmouseout|onkeypress|' +
+ 'onkeydown|onkeyup]',
 browser_spellcheck: true,
 mode: 'exact',
 elements: '$name',
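Review bot: The new `invalid_elements` value enumerates eleven `on*` handler attributes, but HTML defines many more (onload, onerror, onfocus, onblur, onchange, oninput, …), so any handler not in the list still passes the editor filter, and a denylist will keep lagging the spec; an allowlist through `valid_elements`/`extended_valid_elements` with a restricted attribute set is the safer configuration. I am also not certain that `invalid_elements` accepts the `@[…]` attribute syntax at all — as far as I know that syntax belongs to `valid_elements`, while `invalid_elements` is documented as a comma-separated list of element names — so please confirm against the bundled TinyMCE version that these attributes are actually stripped rather than silently ignored. Either way this is a client-side editor setting that does not constrain what a request can submit, so the server-side sanitisation of the rich-text field remains the control that matters; a comment such as `// editor-side filter only: server-side HTML sanitisation is the real boundary` above `tinyMCE.init({` would make that explicit for the next maintainer. `initEditorSystem` begins and ends outside the hunk.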