Fixed entity sanitization for XSS detection

Author: w00fz

CHANGELOG.md

@@ -8,6 +8,7 @@
     * Fixed `'mbstring' extension is not loaded` error, use Polyfill instead [#3504](https://github.com/getgrav/grav/pull/3504)
     * Fixed new `Utils::pathinfo()` and `Utils::basename()` being too strict for legacy use [#3542](https://github.com/getgrav/grav/issues/3542)
     * Fixed non-standard video html atributes generated by `{{ media.html() }}` [#3540](https://github.com/getgrav/grav/issues/3540)
+    * Fixed entity sanitization for XSS detection
 
 # v1.7.30
 ## 02/07/2022

system/src/Grav/Common/Security.php

@@ -200,7 +200,7 @@ public static function detectXss($string, array $options = null): ?string
         }, $string);
 
         // Clean up entities
-        $string = preg_replace('!(&#0+[0-9]+)!u', '$1;', $string);
+        $string = preg_replace('!(&#[0-9]+)!u', '$1;', $string);
 
         // Decode entities
         $string = html_entity_decode($string, ENT_NOQUOTES | ENT_HTML5, 'UTF-8');