voku / anti-xss

㊙️ AntiXSS | Protection against Cross-site scripting (XSS) via PHP
MIT License

False positive on closed sorce tag. #111

Closed genetus closed 1 year ago

genetus commented 2 years ago

What is this feature about (expected vs actual behaviour)?

If we try to validate HTML code like this:

<video controls="controls" width="300" height="150">
<source src="https://leonardo.osnova.io/49ab16a3-64a6-505e-97f1-34c83f122a49/-/preview/700/-/format/webp/" />
<source src="https://leonardo.osnova.io/49ab16a3-64a6-505e-97f1-34c83f122a49/-/preview/700/-/format/webp/" />
</video>

We got an XSS error raised. However, it is valid HTML code, with allowed tags: video & sorce.

How can I reproduce it?

<?php

use voku\helper\AntiXSS;

$html = <<<HTML
<video controls="controls" width="300" height="150">
<source src="https://leonardo.osnova.io/49ab16a3-64a6-505e-97f1-34c83f122a49/-/preview/700/-/format/webp/" />
<source src="https://leonardo.osnova.io/49ab16a3-64a6-505e-97f1-34c83f122a49/-/preview/700/-/format/webp/" />
</video>
HTML;

$antiXss = new AntiXSS();
// allow-list the tags used in the sample (as posted in the report)
$antiXss->removeEvilHtmlTags(['video', 'sorce']);
$antiXss->xss_clean($html);
// expected false for the sample above, but true is returned
var_dump($antiXss->isXssFound());

Any additional information?

On validation, the system checks for a valid src attribute in the tag, and this is what the regexp finds:

src="https://leonardo.osnova.io/49ab16a3-64a6-505e-97f1-34c83f122a49/-/preview/700/-/format/webp/" /

Obviously the last / is ambiguous; it only shows that this tag is closed.
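As an added illustration of the ambiguity described above (this is not the library's own regex, which the report does not show): a naive src matcher that runs to the next `>` swallows the self-closing ` /` of the tag, while a quote-aware matcher ends the value at the closing quote or at whitespace, so a later scheme check sees only the URL. The markup and the `is_safe_src` policy are constructed for this example.

```python
import re

# Constructed sample modelled on the tag from the report; the second <source>
# uses an unquoted value to show that the extractor handles that case too.
SAMPLE = (
    '<video controls="controls" width="300" height="150">\n'
    '<source src="https://example.invalid/clip.webm" />\n'
    '<source src=https://example.invalid/clip.webp />\n'
    '</video>'
)

# Naive pattern: takes everything after src= up to the '>' of the tag, so for a
# self-closing tag the value keeps the closing quote and the trailing ' /'.
NAIVE_SRC = re.compile(r'src\s*=\s*"?([^>]*)', re.IGNORECASE)

# Quote-aware pattern: a double- or single-quoted value ends at its closing quote,
# an unquoted value ends at whitespace or a character HTML forbids in it.
SRC_ATTR = re.compile(
    r'''src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+))''', re.IGNORECASE
)


def naive_src_values(html):
    """Values a '>'-terminated matcher would hand to the validator."""
    return [m.group(1) for m in NAIVE_SRC.finditer(html)]


def src_values(html):
    """Values a quote-aware matcher extracts (whichever alternative matched)."""
    return [next(g for g in m.groups() if g is not None)
            for m in SRC_ATTR.finditer(html)]


def is_safe_src(value):
    """Constructed policy: allow http(s) and scheme-less (relative) URLs only,
    so javascript:, data:, vbscript: and similar schemes are rejected."""
    v = value.strip().lower()
    has_scheme = re.match(r'^[a-z][a-z0-9+.\-]*:', v) is not None
    return (not has_scheme) or v.startswith(('http:', 'https:'))


def unsafe_sources(html):
    """src values that fail the policy, using the quote-aware extractor."""
    return [v for v in src_values(html) if not is_safe_src(v)]
```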

heyjohnlim commented 2 years ago

$antiXss->removeEvilHtmlTags(['video', 'sorce']);

spelling of source.

voku commented 1 year ago

Thanks for the bug report, fixed in version: 4.1.40 (2023-02-11)