Merge branch '6.0-dev' into 6.1/maint/upmerge-260106

tecpromotion · tecpromotion · commit 8ef842d04264 · 2026-01-06T17:35:38.000+01:00
diff --git a/libraries/src/Filter/InputFilter.php b/libraries/src/Filter/InputFilter.php
@@ -9,6 +9,7 @@
 
 namespace Joomla\CMS\Filter;
 
+use enshrined\svgSanitize\Sanitizer;
 use Joomla\CMS\String\PunycodeHelper;
 use Joomla\Filter\InputFilter as BaseInputFilter;
 
@@ -492,4 +493,39 @@ protected function stripUSC($source)
 
         return preg_replace('/[\xF0-\xF7].../s', "\xE2\xAF\x91", $source);
     }
+
+    /**
+     * Internal method to strip a tag of disallowed attributes - extended to filter SVG content
+     *
+     * @param   array  $attrSet  Array of attribute pairs to filter
+     *
+     * @return  array  Filtered array of attribute pairs
+     *
+     * @since 6.0.2
+     */
+    protected function cleanAttributes(array $attrSet)
+    {
+        // Do the heavy lifting in the upstream library
+        $attrSet = parent::cleanAttributes($attrSet);
+
+        // Decode and check base64-encoded svgs
+        return array_map(
+            function ($attribute) {
+                // Check for presence of relevant tags
+                if (!preg_match('/"data:.*svg.*;base64,(.*)"/U', $attribute, $matches)) {
+                    return $attribute;
+                }
+
+                // Extract SVG
+                $svg = base64_decode($matches[1], true);
+
+                // Sanitize svg
+                $sanitizer = new Sanitizer();
+
+                // Replace content
+                return str_replace($matches[1], base64_encode($sanitizer->sanitize($svg)), $attribute);
+            },
+            $attrSet,
+        );
+    }
 }
diff --git a/plugins/content/pagebreak/tmpl/toc.php b/plugins/content/pagebreak/tmpl/toc.php
@@ -25,7 +25,7 @@
             <?php $class = $listItem->active ? ' active' : ''; ?>
             <li class="py-1">
                 <a href="<?php echo Route::_($listItem->link); ?>" class="toclink<?php echo $class; ?>">
-                    <?php echo $listItem->title; ?>
+                    <?php echo htmlspecialchars($listItem->title, ENT_QUOTES, 'UTF-8'); ?>
                 </a>
             </li>
         <?php endforeach; ?>
diff --git a/plugins/content/pagenavigation/tmpl/default.php b/plugins/content/pagenavigation/tmpl/default.php
@@ -28,7 +28,7 @@
             <span class="visually-hidden">
                 <?php echo Text::sprintf('JPREVIOUS_TITLE', htmlspecialchars($rows[$location - 1]->title)); ?>
             </span>
-            <?php echo '<span class="icon-chevron-' . $direction . '" aria-hidden="true"></span> <span aria-hidden="true">' . $row->prev_label . '</span>'; ?>
+            <?php echo '<span class="icon-chevron-' . $direction . '" aria-hidden="true"></span> <span aria-hidden="true">' . htmlspecialchars($row->prev_label) . '</span>'; ?>
             </a>
     <?php endif; ?>
     <?php if ($row->next) :
@@ -37,7 +37,7 @@
             <span class="visually-hidden">
                 <?php echo Text::sprintf('JNEXT_TITLE', htmlspecialchars($rows[$location + 1]->title)); ?>
             </span>
-            <?php echo '<span aria-hidden="true">' . $row->next_label . '</span> <span class="icon-chevron-' . $direction . '" aria-hidden="true"></span>'; ?>
+            <?php echo '<span aria-hidden="true">' . htmlspecialchars($row->next_label) . '</span> <span class="icon-chevron-' . $direction . '" aria-hidden="true"></span>'; ?>
             </a>
     <?php endif; ?>
     </span>
