Fix stored XSS in user profile description

strip_tags() allows <a> tags but does not remove HTML attributes,
allowing event handlers like onmouseover to pass through. The
description is rendered unescaped via {!! !!} in linkinfo.blade.php,
enabling stored XSS.

Add regex filters to strip all on* event handler attributes (both
quoted and unquoted values) from the sanitized description before
saving to the database.

Author: aazad

app/Http/Controllers/UserController.php

@@ -609,6 +609,8 @@ public function editPage(Request $request)
         $profilePhoto = $request->file('image');
         $pageName = $request->littlelink_name;
         $pageDescription = strip_tags($request->pageDescription, '<a><p><strong><i><ul><ol><li><blockquote><h2><h3><h4>');
+        $pageDescription = preg_replace('/\s+on\w+\s*=\s*(["\']).*?\1/i', '', $pageDescription);
+        $pageDescription = preg_replace('/\s+on\w+\s*=\s*[^\s>]*/i', '', $pageDescription);
         $pageDescription = preg_replace("/<a([^>]*)>/i", "<a $1 rel=\"noopener noreferrer nofollow\">", $pageDescription);
         $pageDescription = strip_tags_except_allowed_protocols($pageDescription);
         $name = $request->name;