don't allow cdata elements in purified html
authorhannes <h@nnesmannerhe.im>
Wed, 13 Jan 2016 16:01:27 +0000 (16:01 +0000)
committerhannes <h@nnesmannerhe.im>
Wed, 13 Jan 2016 16:01:27 +0000 (16:01 +0000)
lib/util.php

index 1d973d710031cc56054a4608998319ac5500095f..156a40a5cbba29a7bb0bfc2c318b01640e2ca660 100644 (file)
@@ -581,7 +581,8 @@ function common_purify($html)
 
     $config = array('safe' => 1,    // means that elements=* means elements=*-applet-embed-iframe-object-script or so
                     'elements' => '*',
-                    'deny_attribute' => 'id,style,on*');
+                    'deny_attribute' => 'id,style,on*',
+                    'cdata' => 1);
 
     // Remove more elements than what the 'safe' filter gives (elements must be '*' before this)
     // http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/htmLawed_README.htm#s3.6
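Review bot: The new `'cdata' => 1` entry has no explanation, although the neighbouring `'safe' => 1` line carries one and htmLawed's `cdata` setting is an enumerated 0–3 level rather than a boolean. As far as I recall the htmLawed README linked on the next line, 0 strips CDATA sections outright while 1 keeps them but neutralises their contents as plain text, so if the commit title's "don't allow" means removal, 0 may be the intended value; worth confirming against the README before merging. Either way a trailing comment such as `'cdata' => 1, // neutralise CDATA sections to text instead of passing them through` would keep the config self-describing. The sibling `comment` option uses the same level scheme and is left at its default here, which deserves the same deliberate choice. common_purify continues outside the hunk.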
@@ -2458,4 +2459,4 @@ function html_sprintf()
 function _ve($var)
 {
     return var_export($var, true);
-}
+}
\ No newline at end of file