Security fixes: XSS detection, SVG XXE, Zip Slip, media attribute

Closes the output-escaping / upload tier of the 2026-04 advisory batch:

- GHSA-9695-8fr9-hw5q: Security::detectXss `on_events` regex no longer
  requires quotes/whitespace around `=`, so unquoted handlers like
  `<img onerror=alert(1)>` are flagged. Same fix removes the regex-bypass
  half of GHSA-c2q3 and GHSA-w8cg.

- GHSA-w8cg-7jcj-4vv2 / GHSA-c2q3-p4jr-c55f: added `svg`, `math`, `option`,
  `select` to default `security.xss_dangerous_tags` — XML-namespace tags
  that allow inline scripting and the select-context tags used to escape
  admin form templates.

- GHSA-r7fx-8g49-7hhr: `MediaObjectTrait::attribute()` now gates the
  attribute name through a strict identifier regex + denylist (on*,
  style, xmlns, srcdoc, formaction). Markdown like
  `![alt](img.gif?attribute=onload,alert(1))` no longer paints an event
  handler onto the rendered <img>. Themes can still call
  `$image->attribute('src', $signed_url)` from PHP.

- GHSA-3446-6mgw-f79p: `VectorImageMedium` strips DOCTYPE/ENTITY
  declarations and parses with LIBXML_NONET (+ libxml_disable_entity_loader
  shim on PHP < 8) so an attacker-uploaded SVG can no longer exfiltrate
  files via XXE or DoS via billion-laughs while Grav reads its width/height.
  Companion hardening for sanitization paths lives in rhukster/dom-sanitizer.

- GHSA-w48r-jppp-rcfw (path layer): `Installer::unZip` pre-validates every
  archive entry and refuses Zip Slip primitives (`..` segments, absolute
  paths, Windows drive letters, NUL bytes). New `Installer::isSafeArchiveEntry`
  helper. Defending against a well-formed but malicious plugin whose PHP
  is itself the payload remains a "trust the source" problem when using
  directInstall.

Four new test files (DetectXssTest, MediaAttributeSecurityTest,
SvgXxeSecurityTest, ZipSlipSecurityTest) plus updated entries in
existing CleanDangerousTwigTest. Full unit suite: 721 tests, 2560
assertions.

Author: rhukster

CHANGELOG.md

@@ -15,6 +15,11 @@
     * [security] Hardened the new-user uniqueness guard in `UserObject::save` (GHSA-rr73-568v-28f8): `strpos(..., '@@')` replaced with `str_contains` (the old form was falsy when the transient-key marker was at position 0, silently bypassing the check) and the check now runs for every `FlexStorageInterface` backend rather than only `FileStorage`. A low-privileged user with `admin.users.create` can no longer disrupt a super-admin account by submitting the admin's username through the "add user" form.
     * [security] Added HMAC integrity to `Framework\Cache\Adapter\FileCache` (GHSA-gwfr-jfjf-92vv): every cache payload is signed with `Security::getNonceKey()` on write and verified on read; tampered, attacker-planted, or pre-upgrade files are treated as cache misses and removed instead of being unserialized. The on-disk format is now versioned (`v2\n<expires>\n<key>\n<hmac>\n<serialized>`); existing caches rebuild transparently on first read.
     * [security] Closed GHSA-vj3m-2g9h-vm4p (5-part advisory): (#1) `JobQueue` now HMAC-signs the `serialized_job` blob — a tampered queue file can no longer smuggle a forged `Job` for direct RCE via `Job::exec → call_user_func_array`; legitimate items still execute via the structured-fields fallback. (#3) `Session::getFlashObject` now wraps its payload in a versioned HMAC envelope, refusing to unserialize legacy/forged values. (#4) `InstallCommand` git-clone arguments (`branch`, `url`, `path` from `user/.dependencies`) now go through `escapeshellarg`, with a `--` separator before url/path to block option-injection. (#5) `twig_array_reduce` (plus `twig_array_some`/`twig_array_every`) added to `cleanDangerousTwig`'s callable blocklist alongside the existing `twig_array_map`/`filter`. (#2) was the same FileCache issue addressed by GHSA-gwfr above.
+    * [security] Tightened `Security::detectXss` `on_events` regex (GHSA-9695-8fr9-hw5q): the previous form required quotes/whitespace around the `=` sign and was bypassed by `<img onerror=alert(1)>`. Same fix knocks down the regex-bypass half of GHSA-c2q3-p4jr-c55f and GHSA-w8cg-7jcj-4vv2.
+    * [security] Added `svg`, `math`, `option`, `select` to default `security.xss_dangerous_tags` (GHSA-w8cg-7jcj-4vv2, GHSA-c2q3-p4jr-c55f) — XML-namespace tags that allow inline scripting plus the select-context break used to escape admin form templates.
+    * [security] `MediaObjectTrait::attribute()` now gates the attribute name through a strict identifier regex + denylist (`on*`, `style`, `xmlns`, `srcdoc`, `formaction`) so a Markdown image like `![alt](img.gif?attribute=onload,alert(1))` no longer injects an event handler onto the rendered tag (GHSA-r7fx-8g49-7hhr).
+    * [security] Hardened SVG dimension reading in `VectorImageMedium` against XXE / billion-laughs (GHSA-3446-6mgw-f79p): DOCTYPE/ENTITY declarations are stripped before parse and `simplexml_load_string` is now called with `LIBXML_NONET` (and `libxml_disable_entity_loader` for PHP < 8). The companion fix lives in rhukster/dom-sanitizer for SVG sanitization paths.
+    * [security] `Installer::unZip` now pre-validates every archive entry and refuses Zip Slip primitives — `..` segments, absolute paths, Windows drive letters, NUL bytes (GHSA-w48r-jppp-rcfw). Note: this hardens the path layer only; a well-formed but malicious plugin whose own PHP code is the payload remains a "trust the source" problem when using directInstall.
 
 # v2.0.0-beta.1
 ## 04/16/2026

system/config/security.yaml

@@ -32,6 +32,16 @@ xss_dangerous_tags:
   - title
   - base
   - isindex
+  # GHSA-w8cg-7jcj-4vv2: svg/math allow inline scripting via XML namespaces
+  # and event-handler attributes; flag them as dangerous in user-editable
+  # content so the on_events regex bypass (now fixed for GHSA-9695) has
+  # belt-and-suspenders coverage.
+  - svg
+  - math
+  # GHSA-c2q3-p4jr-c55f: option/select are used by attackers to break out
+  # of the admin select-template context.
+  - option
+  - select
 uploads_dangerous_extensions:
   - php
   - php2

system/src/Grav/Common/GPM/Installer.php

@@ -179,6 +179,24 @@ public static function unZip($zip_file, $destination)
         $archive = $zip->open($zip_file);
 
         if ($archive === true) {
+            // GHSA-w48r-jppp-rcfw: validate every entry name before extraction.
+            // ZipArchive::extractTo would otherwise honour `../` segments and
+            // absolute paths, letting a crafted plugin/theme ZIP write files
+            // anywhere the web server can reach (Zip Slip, CVE-2018-1000544
+            // family). Note: this hardens the path layer; it does NOT and
+            // cannot defend against a well-formed but malicious plugin whose
+            // own PHP code is the payload — that's a "trust the source"
+            // problem the admin must own when using directInstall.
+            $numFiles = $zip->numFiles;
+            for ($i = 0; $i < $numFiles; $i++) {
+                $entryName = (string) $zip->getNameIndex($i);
+                if (!self::isSafeArchiveEntry($entryName)) {
+                    self::$error = self::ZIP_EXTRACT_ERROR;
+                    $zip->close();
+                    return false;
+                }
+            }
+
             Folder::create($destination);
 
             $unzip = $zip->extractTo($destination);
@@ -207,6 +225,35 @@ public static function unZip($zip_file, $destination)
         return false;
     }
 
+    /**
+     * Reject Zip Slip primitives in archive entry names: empty names, NUL
+     * bytes, absolute paths, or any path segment that is `..`. Forward and
+     * back slashes are both treated as separators so Windows-authored
+     * archives are also covered.
+     *
+     * @internal Public for testing.
+     */
+    public static function isSafeArchiveEntry(string $name): bool
+    {
+        if ($name === '' || str_contains($name, "\0")) {
+            return false;
+        }
+        if (str_starts_with($name, '/') || str_starts_with($name, '\\')) {
+            return false;
+        }
+        // Windows drive letter: C:\..., D:/...
+        if (preg_match('#^[A-Za-z]:[/\\\\]#', $name) === 1) {
+            return false;
+        }
+        // Any `..` path segment, regardless of slash flavour.
+        foreach (preg_split('#[\\\\/]+#', $name) as $segment) {
+            if ($segment === '..') {
+                return false;
+            }
+        }
+        return true;
+    }
+
     /**
      * Instantiates and returns the package installer class
      *

system/src/Grav/Common/Media/Traits/MediaObjectTrait.php

@@ -325,18 +325,51 @@ public function reset()
     /**
      * Add custom attribute to medium.
      *
+     * Reachable from Markdown via `?attribute=name,value` on image excerpts, so
+     * the attribute NAME is editor-controlled. We restrict it to plain HTML
+     * attribute identifiers (alphanumerics + `-`/`:`/`_`) and reject any name
+     * that would inject script when rendered onto an `<img>` tag — event
+     * handlers (`on*`), inline style, the XML namespace, srcdoc, and the
+     * various `form*` attributes whose URL targets are themselves trusted as
+     * actions. GHSA-r7fx-8g49-7hhr.
+     *
      * @param string $attribute
      * @param string $value
      * @return $this
      */
     public function attribute($attribute = null, $value = '')
     {
-        if (!empty($attribute)) {
-            $this->attributes[$attribute] = $value;
+        if (empty($attribute) || !is_string($attribute)) {
+            return $this;
         }
+        if (!self::isSafeAttributeName($attribute)) {
+            return $this;
+        }
+        $this->attributes[$attribute] = $value;
         return $this;
     }
 
+    /** @internal */
+    private static function isSafeAttributeName(string $name): bool
+    {
+        // Strict shape: HTML attribute names are letter-led, then alnum/-/_/:/./$
+        // Anything else (whitespace, quotes, `<>`, etc.) is rejected outright.
+        if (!preg_match('/^[A-Za-z][A-Za-z0-9_:.\-]*$/', $name)) {
+            return false;
+        }
+        $lower = strtolower($name);
+        // Event handlers — primary GHSA-r7fx-8g49-7hhr vector.
+        if (str_starts_with($lower, 'on')) {
+            return false;
+        }
+        // Attribute names that open a scripting context regardless of value.
+        // We deliberately do NOT deny `src` / `href` here — themes legitimately
+        // call `$image->attribute('src', $signed_url)` from PHP, and the
+        // primary script-injection surface is the event-handler family above.
+        $denylist = ['style', 'xmlns', 'srcdoc', 'formaction'];
+        return !in_array($lower, $denylist, true);
+    }
+
     /**
      * Switch display mode.
      *

system/src/Grav/Common/Page/Medium/VectorImageMedium.php

@@ -46,7 +46,24 @@ public function __construct($items = [], ?Blueprint $blueprint = null)
             return;
         }
 
-        $xml = simplexml_load_string(file_get_contents($path));
+        // GHSA-3446-6mgw-f79p: strip DOCTYPE/ENTITY declarations and pass
+        // LIBXML_NONET to prevent XXE / billion-laughs / network exfiltration
+        // when reading width/height from an attacker-supplied SVG.
+        $svg = (string) file_get_contents($path);
+        $svg = preg_replace('/<!DOCTYPE\b[^>]*(?:\[[^\]]*\])?[^>]*>/is', '', $svg) ?? $svg;
+        $svg = preg_replace('/<!ENTITY\b[^>]*>/i', '', $svg) ?? $svg;
+
+        $previousEntityLoader = null;
+        if (\PHP_VERSION_ID < 80000 && function_exists('libxml_disable_entity_loader')) {
+            $previousEntityLoader = libxml_disable_entity_loader(true);
+        }
+        try {
+            $xml = simplexml_load_string($svg, 'SimpleXMLElement', LIBXML_NONET | LIBXML_NOERROR | LIBXML_NOWARNING);
+        } finally {
+            if ($previousEntityLoader !== null) {
+                libxml_disable_entity_loader($previousEntityLoader);
+            }
+        }
         $attr = $xml ? $xml->attributes() : null;
         if (!$attr instanceof \SimpleXMLElement) {
             return;

system/src/Grav/Common/Security.php

@@ -229,9 +229,16 @@ public static function detectXss($string, ?array $options = null): ?string
 
         // Set the patterns we'll test against
         $patterns = [
-            // Match any attribute starting with "on" or xmlns (must be preceded by whitespace/special chars)
-            // Allow optional whitespace between 'on' and event name to catch obfuscation attempts
-            'on_events' => '#(<[^>]+[\s\x00-\x20\"\'\/])(on\s*[a-z]+|xmlns)\s*=[\s|\'\"].*[\s|\'\"]>#iUu',
+            // Match any attribute starting with "on" or xmlns (must be preceded by an
+            // attribute boundary: whitespace, NUL, quote or slash). We deliberately
+            // do NOT try to match the attribute value itself — the previous regex
+            // required quotes-or-spaces around the `=` sign and was bypassed by
+            // unquoted handlers like `<img src=x onerror=alert(1)>`
+            // (GHSA-9695-8fr9-hw5q, also exploited by GHSA-c2q3-p4jr-c55f and
+            // GHSA-w8cg-7jcj-4vv2). Detecting the attribute name + `=` is enough
+            // for a tripwire; trade-off is occasional false positives when an
+            // unrelated `on*=` substring appears inside another attribute's value.
+            'on_events' => '#<[^>]*?[\s\x00-\x20\"\'\/](on\s*[a-z]+|xmlns)\s*=#iu',
 
             // Match javascript:, livescript:, vbscript:, mocha:, feed: and data: protocols
             'invalid_protocols' => '#(' . implode('|', array_map('preg_quote', $invalid_protocols, ['#'])) . ')(:|\&\#58)\S.*?#iUu',

tests/unit/Grav/Common/Security/DetectXssTest.php

@@ -0,0 +1,137 @@
+<?php
+
+use Codeception\Util\Fixtures;
+use Grav\Common\Grav;
+use Grav\Common\Security;
+
+/**
+ * Class DetectXssTest
+ *
+ * Tests for Security::detectXss() — specifically the on_events regex hardening
+ * for GHSA-9695-8fr9-hw5q (unquoted event handlers), with parallel coverage
+ * for the same bypass pattern called out in GHSA-c2q3-p4jr-c55f and
+ * GHSA-w8cg-7jcj-4vv2.
+ *
+ * Naming convention: test{Method}_{GHSA_ID}_{description}
+ */
+class DetectXssTest extends \PHPUnit\Framework\TestCase
+{
+    /** @var Grav */
+    protected $grav;
+
+    protected function setUp(): void
+    {
+        parent::setUp();
+        $grav = Fixtures::get('grav');
+        $this->grav = $grav();
+    }
+
+    // =========================================================================
+    // GHSA-9695-8fr9-hw5q: unquoted on* handlers must be detected
+    // =========================================================================
+
+    /**
+     * @dataProvider providerGHSA9695_UnquotedOnEvents
+     */
+    public function testDetectXss_GHSA9695_FlagsUnquotedEventHandler(string $payload, string $description): void
+    {
+        $result = Security::detectXss($payload);
+        self::assertSame('on_events', $result, "Should flag on_events for: $description");
+    }
+
+    public static function providerGHSA9695_UnquotedOnEvents(): array
+    {
+        return [
+            ['<img src=x onerror=alert(1)>', 'advisory PoC: unquoted onerror, no space before >'],
+            ['<img src=x onerror=eval(atob(/Y/.source))>', 'advisory PoC: atob/regex.source obfuscation'],
+            ['<svg onload=alert(1)>', 'unquoted onload on svg'],
+            ['<body onload=alert(1)>', 'unquoted onload on body'],
+            ['<a href=# onclick=alert(1)>x</a>', 'unquoted onclick'],
+            // GHSA-c2q3-p4jr-c55f payload — the exact taxonomy escape sequence:
+            ['</option></select><img src=x onerror=alert(1)>', 'GHSA-c2q3 select-context break + unquoted onerror'],
+            // Obfuscation: whitespace inside the event name (e.g. on  error=)
+            ['<img src=x on error=alert(1)>', 'whitespace between on and event name'],
+            // xmlns is also covered by the same rule — keep regression coverage:
+            ['<svg xmlns=http://example.com/ns>', 'unquoted xmlns'],
+        ];
+    }
+
+    /**
+     * @dataProvider providerGHSA9695_QuotedOnEvents
+     */
+    public function testDetectXss_GHSA9695_StillFlagsQuotedEventHandlersAfterFix(string $payload, string $description): void
+    {
+        // Make sure tightening the regex didn't regress the previously-working
+        // quoted forms.
+        $result = Security::detectXss($payload);
+        self::assertSame('on_events', $result, "Should still flag quoted on_events for: $description");
+    }
+
+    public static function providerGHSA9695_QuotedOnEvents(): array
+    {
+        return [
+            ['<img src="x" onerror="alert(1)">', 'double-quoted onerror'],
+            ["<img src='x' onerror='alert(1)'>", 'single-quoted onerror'],
+            ['<body onload="document.location=\'evil\'">', 'quoted onload'],
+            ['<svg onload="fetch(\'/x\')">', 'svg with quoted onload'],
+        ];
+    }
+
+    // =========================================================================
+    // Negative coverage: legitimate content should not trip on_events
+    // =========================================================================
+
+    /**
+     * @dataProvider providerSafeContent
+     */
+    public function testDetectXss_SafeContentReturnsNullOnEventsRule(string $payload, string $description): void
+    {
+        // Some safe content may still trip OTHER rules (e.g. the dangerous_tags
+        // list), but the on_events rule specifically should not fire.
+        $result = Security::detectXss($payload);
+        self::assertNotSame('on_events', $result, "on_events must not fire for: $description");
+    }
+
+    public static function providerSafeContent(): array
+    {
+        return [
+            ['<p>Hello world</p>', 'plain paragraph'],
+            ['<a href="https://example.com">link</a>', 'link with href'],
+            ['<img src="/foo.png" alt="bar">', 'plain img'],
+            ['Pricing on demand', 'word starting with "on" outside any tag'],
+            ['<button>Click me</button>', 'button tag (ends in "on")'],
+            ['<section>content</section>', 'section tag'],
+        ];
+    }
+
+    // =========================================================================
+    // GHSA-w8cg-7jcj-4vv2: svg/math + GHSA-c2q3 option/select added to defaults
+    // =========================================================================
+
+    /**
+     * @dataProvider providerGHSAw8cg_NewlyDangerousTags
+     */
+    public function testDetectXss_GHSAw8cg_FlagsNewlyDangerousTags(string $payload, string $description): void
+    {
+        $result = Security::detectXss($payload);
+        // Either dangerous_tags (new) or on_events (already covered by #1) is
+        // an acceptable trip — both indicate the payload is flagged.
+        self::assertNotNull($result, "Should flag: $description");
+        self::assertContains(
+            $result,
+            ['dangerous_tags', 'on_events'],
+            "Expected dangerous_tags or on_events for: $description, got '$result'"
+        );
+    }
+
+    public static function providerGHSAw8cg_NewlyDangerousTags(): array
+    {
+        return [
+            ['<svg><script>alert(1)</script></svg>', 'GHSA-w8cg svg with embedded script'],
+            ['<svg></svg>', 'svg tag alone'],
+            ['<math><mtext>x</mtext></math>', 'math tag (similar XML namespace risk)'],
+            ['</option></select>injected', 'GHSA-c2q3 option/select context break'],
+            ['<select><option>x</option></select>', 'option/select wrapping'],
+        ];
+    }
+}