deploy: 32e9fbc

Author: kodiakhq

files/redaxo-main/redaxo/src/addons/mediapool/lib/service_media.php.txt

@@ -379,18 +379,24 @@ final class rex_media_service
 
     private static function sanitizeMedia(string $path, ?string $type): void
     {
+        if (!rex_addon::require('mediapool')->getProperty('sanitize_svgs', true)) {
+            return;
+        }
+
         if ('image/svg+xml' !== $type && 'svg' !== strtolower(rex_file::extension($path))) {
             return;
         }
 
         $content = rex_type::notNull(rex_file::get($path));
 
         $antiXss = new AntiXSS();
-        $antiXss->removeEvilAttributes(['style']);
+        $antiXss->removeNeverAllowedRegex(['<!--', '<!--$1-->']);
+        $antiXss->removeEvilAttributes(['style', 'xlink:href']);
         $antiXss->removeEvilHtmlTags(['style', 'svg', 'title']);
 
         $content = $antiXss->xss_clean($content);
         $content = preg_replace('/^\s*&lt;\?xml(.*?)\?&gt;/', '<?xml$1?>', $content);
+        $content = preg_replace('/&lt;!DOCTYPE(.*?)>/', '<!DOCTYPE$1>', $content);
 
         rex_file::put($path, $content);
     }

files/redaxo-main/redaxo/src/core/boot.php.txt

@@ -92,7 +92,7 @@ require_once rex_path::core('functions/function_rex_globals.php');
 require_once rex_path::core('functions/function_rex_other.php');
 
 // ----------------- VERSION
-rex::setProperty('version', '5.18.0');
+rex::setProperty('version', '5.18.1');
 
 $cacheFile = rex_path::coreCache('config.yml.cache');
 $configFile = rex_path::coreData('config.yml');

files/redaxo-main/redaxo/src/core/lib/login/backend_login.php.txt

@@ -129,8 +129,8 @@ class rex_backend_login extends rex_login
                     $add .= 'password = ?, ';
                     $params[] = $password = self::passwordHash($this->userPassword, true);
                 }
-                array_push($params, rex_sql::datetime(), rex_sql::datetime(), session_id(), $this->userLogin);
-                $sql->setQuery('UPDATE ' . $this->tableName . ' SET ' . $add . 'login_tries=0, lasttrydate=?, lastlogin=?, session_id=? WHERE login=? LIMIT 1', $params);
+                array_push($params, rex_sql::datetime(), rex_sql::datetime(), session_id(), $this->getSessionVar(self::SESSION_USER_ID));
+                $sql->setQuery('UPDATE ' . $this->tableName . ' SET ' . $add . 'login_tries=0, lasttrydate=?, lastlogin=?, session_id=? WHERE id=? LIMIT 1', $params);
 
                 $this->setSessionVar(self::SESSION_PASSWORD, $password);
 

files/redaxo-main/redaxo/src/core/lib/setup/setup.php.txt

@@ -241,6 +241,7 @@ class rex_setup
                 '11.2' => '2024-11-01',
                 '11.3' => '2024-05-01',
                 '11.4' => '2029-05-01', // LTS
+                '11.5' => '2024-11-01',
             ];
 
             $versionNumber = rex_formatter::version($dbVersion, '%s.%s');

files/redaxo-main/redaxo/src/core/pages/profile.php.txt

@@ -270,13 +270,14 @@ if (!$passwordChangeRequired) {
     echo $content;
 }
 
-$confirmField = static function (string $id) use ($login, $webauthn): string {
+$passkeyVerify = $login->getPasskey() ? $webauthn->getGetArgs($login->getPasskey()) : '';
+$confirmField = static function (string $id) use ($login, $passkeyVerify): string {
     $formElements = [];
     $n = [];
 
     if ($login->getPasskey()) {
         $n['label'] = '<label for="' . $id . '">' . rex_i18n::msg('passkey_current') . '</label>';
-        $n['field'] = '<div data-auth-passkey-verify="' . rex_escape($webauthn->getGetArgs($login->getPasskey())) . '">
+        $n['field'] = '<div data-auth-passkey-verify="' . rex_escape($passkeyVerify) . '">
         <button type="button" class="btn btn-primary" id="' . $id . '">' . rex_i18n::msg('passkey_current_verify') . '</button>
         <i class="fa fa-check-circle-o text-success hidden"></i>
         <input type="hidden" name="passkey_verify"/>