Grav found potential XSS issues in content: 'on_events'

I’m getting this error on 1 page when editing in admin.
Site seems to work so not that concerned, but it is a strange one.
I’ve found the culprit: it occurs in text (e.g. >200v <10mA) in the 5th paragraph and is caused by the < character.
But it only occurs if followed by a Notice of any kind:

[Notice=Define] some text [/notice]

I’m using a customised Learn2 with Shortcode-core for notices capability.
Removing either the < or the notice and the error goes away.

I would appreciate any ideas or should I just live with it?

A site editor reported this error to me when using a Google Maps shortcode. I haven’t investigated yet (refer “live with it” 🙂 but this is indeed a potential issue).

Since it’s causing no user-facing issues, check the repos of the theme and shortcode core plugins for this error.

If you don’t find a solution or workaround there, I’d say live with it and please add an issue to the GitHub repo. Start with the shortcode plugin (the most likely source) if you’re not sure.

Members of the forum can help here, but we’d like to know you’ve tried the most appropriate avenue first.

Thank you @hughbris for your reply.
I have searched for this error but not found anything that sheds light on it.
There are no errors on any other page where the plugin is used.

Once the character combination ‘&nbsp;<’ is used in simple text, the error occurs when a shortcode Notice is used anywhere on the page after the <, which is the strange bit.

You are correct there is no user-facing issue and I can live with it.

However, I will trawl through the resultant HTML to see if I can spot an error (unlikely) and raise on the shortcode-core repo.


PS Might be worth upgrading Grav after today’s update to 1.7.44. Changelog claims that it includes a fix for an XSS issue in a PHP library.

This is a strange bug.
The update didn’t seem to fix it.
However, although my live version still shows the error, in my local test version it has cleared. I haven’t made any changes between the two, other than some page editing on other pages.
As it doesn’t seem to cause any problems, I’ll just ignore it.