From 9718b860588dff029184575201f18aa5e989b989 Mon Sep 17 00:00:00 2001
From: aazad
Date: Thu, 9 Apr 2026 22:45:37 -0500
Subject: [PATCH] Fix stored XSS in user profile description

strip_tags() allows tags but does not remove HTML attributes, allowing event handlers like onmouseover to pass through. The description is rendered unescaped via {!! !!} in linkinfo.blade.php, enabling stored XSS. Add regex filters using word boundary matching to strip all on* event handler attributes (both quoted and unquoted values) from the sanitized description before saving to the database.
---
 app/Http/Controllers/UserController.php | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/app/Http/Controllers/UserController.php b/app/Http/Controllers/UserController.php
index 3014d810..4ff9cc68 100755
--- a/app/Http/Controllers/UserController.php
+++ b/app/Http/Controllers/UserController.php
@@ -609,6 +609,8 @@ public function editPage(Request $request)
 $profilePhoto = $request->file('image');
 $pageName = $request->littlelink_name;
 $pageDescription = strip_tags($request->pageDescription, '