voku / anti-xss

㊙️ AntiXSS | Protection against Cross-site scripting (XSS) via PHP
MIT License

Valid hex characters invalidate URLs and remove them from the output #103

Open paxter opened 2 years ago

paxter commented 2 years ago

What is this feature about (expected vs actual behaviour)?

If there are valid hex characters in a URL, the whole link will be removed from the output. Valid links shouldn't be removed.

How can I reproduce it?

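<?php
require __DIR__ . '/vendor/autoload.php'; // Composer autoloader

use voku\helper\AntiXSS;

$antiXss = new AntiXSS();

$text = "<a href='https://example.com?34167-%DCbersicht'>text</a>";

// Reported result: the href attribute comes back empty (see Output).
echo $antiXss->xss_clean($text);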

Output

<a href="">text</a>

Does it take minutes, hours or days to fix?

No idea.

Any additional information?

Let me know if anything further is needed.
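
A triage helper for the URL in this report, added here as an example and not taken from the issue or from the anti-xss code base: it separates "well-formed percent-escape" from "decodes to valid UTF-8", which are two different meanings of "valid". The function name `classifyPercentEscapes`, the two constructed sample URLs and the use of the mbstring extension are assumptions; the page does not establish whether this distinction is what makes `xss_clean()` empty the href.

```php
<?php
// Added example: not code from the issue or from anti-xss.
// Assumes the mbstring extension is available.

/**
 * Classify every run of percent-escapes in a URL.
 * Consecutive escapes are decoded together so that a multi-byte
 * UTF-8 sequence is judged as one unit.
 */
function classifyPercentEscapes(string $url): array
{
    $report = [];

    // Well-formed escapes: '%' followed by exactly two hex digits.
    preg_match_all('/(?:%[0-9A-Fa-f]{2})+/', $url, $runs);
    foreach ($runs[0] as $run) {
        $bytes  = rawurldecode($run);
        $isUtf8 = mb_check_encoding($bytes, 'UTF-8');
        $report[] = [
            'escape'      => $run,
            'well_formed' => true,
            'valid_utf8'  => $isUtf8,
            // Shown only when the bytes are not UTF-8: the single-byte reading.
            'as_latin1'   => $isUtf8 ? null
                : mb_convert_encoding($bytes, 'UTF-8', 'ISO-8859-1'),
        ];
    }

    // Malformed escapes: a '%' that is not followed by two hex digits.
    preg_match_all('/%(?![0-9A-Fa-f]{2}).{0,2}/s', $url, $bad);
    foreach ($bad[0] as $fragment) {
        $report[] = ['escape' => $fragment, 'well_formed' => false,
                     'valid_utf8' => false, 'as_latin1' => null];
    }
    return $report;
}

$samples = [
    'https://example.com?34167-%DCbersicht',    // URL from the report
    'https://example.com?34167-%C3%9Cbersicht', // constructed: UTF-8 escapes
    'https://example.com?34167-%ZZbersicht',    // constructed: malformed escape
];
foreach ($samples as $url) {
    echo $url, PHP_EOL;
    foreach (classifyPercentEscapes($url) as $row) {
        echo '  ', json_encode($row, JSON_UNESCAPED_UNICODE), PHP_EOL;
    }
}
```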