fix: corrected regex

thorsten · thorsten · commit ccd76836e03b · 2026-03-30T12:19:20.000+02:00
diff --git a/phpmyfaq/src/phpMyFAQ/Filter.php b/phpmyfaq/src/phpMyFAQ/Filter.php
@@ -158,10 +158,16 @@ public static function removeAttributes(string $html = ''): string
         // remove broken stuff
         $html = str_replace(search: '&#13;', replace: '', subject: $html);
 
-        preg_match_all(pattern: '/[a-z]+=".+"/iU', subject: $html, matches: $attributes);
+        // Match attributes with double quotes, single quotes, or no quotes
+        preg_match_all(
+            pattern: '/[a-z]+\s*=\s*(?:"[^"]*"|\'[^\']*\'|[^\s>]+)/iU',
+            subject: $html,
+            matches: $attributes,
+        );
 
         foreach ($attributes[0] as $attribute) {
             $attributeName = stristr($attribute, needle: '=', before_needle: true);
+            $attributeName = trim($attributeName);
             if (!self::isAttribute($attributeName)) {
                 continue;
             }
diff --git a/tests/phpMyFAQ/FilterTest.php b/tests/phpMyFAQ/FilterTest.php
@@ -250,6 +250,40 @@ public function testComplexHtmlFiltering(): void
         $this->assertStringNotContainsString('onmouseover', $result);
     }
 
+    public function testRemoveAttributesWithUnquotedValues(): void
+    {
+        $html = '<img src=x onerror=alert(1)>';
+        $result = Filter::removeAttributes($html);
+
+        $this->assertStringNotContainsString('onerror', $result);
+    }
+
+    public function testRemoveAttributesWithSingleQuotedValues(): void
+    {
+        $html = "<img src='x' onerror='alert(1)'>";
+        $result = Filter::removeAttributes($html);
+
+        $this->assertStringNotContainsString('onerror', $result);
+    }
+
+    public function testRemoveAttributesWithSvgOnload(): void
+    {
+        $html = '<svg onload=alert(1)>';
+        $result = Filter::removeAttributes($html);
+
+        $this->assertStringNotContainsString('onload', $result);
+    }
+
+    public function testRemoveAttributesWithMixedQuoteStyles(): void
+    {
+        $html = '<div class="safe" onclick=alert(1) style=\'color:red\' onmouseover="steal()">';
+        $result = Filter::removeAttributes($html);
+
+        $this->assertStringContainsString('class="safe"', $result);
+        $this->assertStringNotContainsString('onclick', $result);
+        $this->assertStringNotContainsString('onmouseover', $result);
+    }
+
     protected function tearDown(): void
     {
         unset($_GET['test_var'], $_GET['special_test'], $_POST['name'], $_POST['email']);
