Medium severity · GHSA Advisory · Published Sep 30, 2025 · Updated Apr 15, 2026
CVE-2025-54476
Description
Improper handling of input could lead to an XSS vector in the checkAttribute method of the input filter framework class.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| joomla/filter (Packagist) | >= 4.0.0, < 4.0.1 | 4.0.1 |
| joomla/filter (Packagist) | >= 3.0.0, < 3.0.5 | 3.0.5 |
| joomla/filter (Packagist) | < 2.0.6 | 2.0.6 |
Affected products
- Range: < 2.0.6
Patches
fcde280785f1 Merge pull request #82 from SniperSister/4.x-tabsinattributes
2 files changed · +93 −0
src/InputFilter.php+3 −0 modified@@ -272,6 +272,9 @@ public static function checkAttribute($attrSubSet) $attrSubSet[0] = strtolower($attrSubSet[0]); $attrSubSet[1] = html_entity_decode(strtolower($attrSubSet[1]), ENT_QUOTES | ENT_HTML401, 'UTF-8'); + // Remove common XSS-evasion characters + $attrSubSet[1] = str_replace(["\t", "\n", " ", "\0"], "", $attrSubSet[1]); + return (strpos($attrSubSet[1], 'expression') !== false && $attrSubSet[0] === 'style') || preg_match('/(?:(?:java|vb|live)script|behaviour|mocha)(?::|:|&column;)/', $attrSubSet[1]) !== 0; }
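Review bot: The added `str_replace` strips an enumerated set of four characters, but carriage return (`\r`) and form feed, which the HTML definition of ASCII whitespace groups together with tab, LF and space, are not in the list, so the normalisation is narrower than the comment "common XSS-evasion characters" suggests. A range-based replacement removes the whole C0 control/whitespace block without maintaining a list: `$attrSubSet[1] = preg_replace('/[\x00-\x20]+/', '', $attrSubSet[1]);`. Keep it after the `html_entity_decode` call, as the hunk does, so entity-encoded forms are decoded before they are stripped. The same hunk appears in commits 852c7e101c64 and 188dd3fccd6f. The signature of `checkAttribute` is above the hunk.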
Tests/InputFilterTest.php+90 −0 modified@@ -664,6 +664,24 @@ public static function casesGeneric(): array '<img />', 'From generic cases', ], + 'Kill script with tab' => [ + '', + "<img src=\"java\tscript:alert();\" />", + '<img />', + 'From generic cases', + ], + 'Kill script with encoded tab' => [ + '', + "<img src=\"java	script:alert();\" />", + '<img />', + 'From generic cases', + ], + 'Kill script with space' => [ + '', + '<img src="java script:alert();" />', + '<img />', + 'From generic cases', + ], 'Nested tags' => [ '', '<em><strong>Fred</strong></em>', @@ -780,6 +798,24 @@ public static function allowed(): array '', 'From specific cases', ], + 'Kill script with tab' => [ + '', + "<img src=\"java\tscript:alert();\" />", + '', + 'From specific cases', + ], + 'Kill script with encoded tab' => [ + '', + "<img src=\"java	script:alert();\" />", + '', + 'From specific cases', + ], + 'Kill script with space' => [ + '', + '<img src="java script:alert();" />', + '', + 'From specific cases', + ], 'Nested tags' => [ '', '<em><strong>Fred</strong></em>', @@ -933,6 +969,24 @@ public static function allowImg(): array '<img />', 'From specific cases', ], + 'Kill script with tab' => [ + '', + "<img src=\"java\tscript:alert();\" />", + '<img />', + 'From generic cases', + ], + 'Kill script with encoded tab' => [ + '', + "<img src=\"java	script:alert();\" />", + '<img />', + 'From generic cases', + ], + 'Kill script with space' => [ + '', + '<img src="java script:alert();" />', + '<img />', + 'From generic cases', + ], 'Nested tags' => [ '', '<em><strong>Fred</strong></em>', 
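Review bot: The added data-provider cases cover a literal tab, an entity-encoded tab and a space, but the source change also strips `\n` and `\0`, and neither is exercised here, so a regression in those two entries would go unnoticed. A `'Kill script with newline'` case built like the tab case (`"<img src=\"java\nscript:alert();\" />"`) and a matching one for `\0`, added to each provider, would pin the full list. The same three cases are repeated in the other providers of this file and in the test hunks of commits 852c7e101c64 and 188dd3fccd6f.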
@@ -1109,6 +1163,24 @@ public static function allowClass(): array '', 'From specific cases', ], + 'Kill script with tab' => [ + '', + "<img src=\"java\tscript:alert();\" />", + '', + 'From specific cases', + ], + 'Kill script with encoded tab' => [ + '', + "<img src=\"java	script:alert();\" />", + '', + 'From specific cases', + ], + 'Kill script with space' => [ + '', + '<img src="java script:alert();" />', + '', + 'From specific cases', + ], 'Nested tags' => [ '', '<em><strong>Fred</strong></em>', @@ -1618,6 +1690,24 @@ public static function blockedImg(): array '', 'From specific cases', ], + 'Kill script with tab' => [ + '', + "<img src=\"java\tscript:alert();\" />", + '', + 'From specific cases', + ], + 'Kill script with encoded tab' => [ + '', + "<img src=\"java	script:alert();\" />", + '', + 'From specific cases', + ], + 'Kill script with space' => [ + '', + '<img src="java script:alert();" />', + '', + 'From specific cases', + ], 'Unquoted Attribute Without Space' => [ '', '<img height=300>',
852c7e101c64 remove xss evasion charadaters in attributes
2 files changed · +111 −0
src/InputFilter.php+3 −0 modified@@ -276,6 +276,9 @@ public static function checkAttribute($attrSubSet) $attrSubSet[0] = strtolower($attrSubSet[0]); $attrSubSet[1] = html_entity_decode(strtolower($attrSubSet[1]), ENT_QUOTES | ENT_HTML401, 'UTF-8'); + // Remove common XSS-evasion characters + $attrSubSet[1] = str_replace(["\t", "\n", " ", "\0"], "", $attrSubSet[1]); + return (strpos($attrSubSet[1], 'expression') !== false && $attrSubSet[0] === 'style') || preg_match('/(?:(?:java|vb|live)script|behaviour|mocha)(?::|:|&column;)/', $attrSubSet[1]) !== 0; }
Tests/InputFilterTest.php+108 −0 modified@@ -662,6 +662,24 @@ public function casesGeneric() '<img />', 'From generic cases', ], + 'Kill script with tab' => [ + '', + "<img src=\"java\tscript:alert();\" />", + '<img />', + 'From generic cases', + ], + 'Kill script with encoded tab' => [ + '', + "<img src=\"java	script:alert();\" />", + '<img />', + 'From generic cases', + ], + 'Kill script with space' => [ + '', + '<img src="java script:alert();" />', + '<img />', + 'From generic cases', + ], 'Nested tags' => [ '', '<em><strong>Fred</strong></em>', @@ -778,6 +796,24 @@ public function allowed() '', 'From specific cases', ], + 'Kill script with tab' => [ + '', + "<img src=\"java\tscript:alert();\" />", + '', + 'From generic cases', + ], + 'Kill script with encoded tab' => [ + '', + "<img src=\"java	script:alert();\" />", + '', + 'From generic cases', + ], + 'Kill script with space' => [ + '', + '<img src="java script:alert();" />', + '', + 'From generic cases', + ], 'Nested tags' => [ '', '<em><strong>Fred</strong></em>', @@ -932,6 +968,24 @@ public function allowImg() '<img />', 'From specific cases', ], + 'Kill script with tab' => [ + '', + "<img src=\"java\tscript:alert();\" />", + '<img />', + 'From generic cases', + ], + 'Kill script with encoded tab' => [ + '', + "<img src=\"java	script:alert();\" />", + '<img />', + 'From generic cases', + ], + 'Kill script with space' => [ + '', + '<img src="java script:alert();" />', + '<img />', + 'From generic cases', + ], 'Nested tags' => [ '', '<em><strong>Fred</strong></em>', 
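Review bot: The cases added to `allowed()` are described as `'From generic cases'`, while the neighbouring existing entry in the same provider and the equivalent hunk in commit fcde280785f1 read `'From specific cases'`; the description is only a failure message, but the mismatch makes the two branches harder to compare. The same label recurs in the `allowClass()` and `blockedImg()` hunks of this commit. Changing the three descriptions to `'From specific cases'` aligns them with the surrounding entries.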
@@ -1097,6 +1151,24 @@ public function allowClass() '', 'From specific cases', ], + 'Kill script with tab' => [ + '', + "<img src=\"java\tscript:alert();\" />", + '', + 'From generic cases', + ], + 'Kill script with encoded tab' => [ + '', + "<img src=\"java	script:alert();\" />", + '', + 'From generic cases', + ], + 'Kill script with space' => [ + '', + '<img src="java script:alert();" />', + '', + 'From generic cases', + ], 'Nested tags' => [ '', '<em><strong>Fred</strong></em>', @@ -1231,6 +1303,24 @@ public function allowClassImg() '<img />', 'From specific cases', ], + 'Kill script with tab' => [ + '', + "<img src=\"java\tscript:alert();\" />", + '<img />', + 'From generic cases', + ], + 'Kill script with encoded tab' => [ + '', + "<img src=\"java	script:alert();\" />", + '<img />', + 'From generic cases', + ], + 'Kill script with space' => [ + '', + '<img src="java script:alert();" />', + '<img />', + 'From generic cases', + ], 'Nested tags' => [ '', '<em><strong>Fred</strong></em>', @@ -1621,6 +1711,24 @@ public function blockedImg() '', 'From specific cases', ], + 'Kill script with tab' => [ + '', + "<img src=\"java\tscript:alert();\" />", + '', + 'From generic cases', + ], + 'Kill script with encoded tab' => [ + '', + "<img src=\"java	script:alert();\" />", + '', + 'From generic cases', + ], + 'Kill script with space' => [ + '', + '<img src="java script:alert();" />', + '', + 'From generic cases', + ], 'Unquoted Attribute Without Space' => [ '', '<img height=300>',
188dd3fccd6f Remove xss evasion characters on attribute checks
2 files changed · +93 −0
src/InputFilter.php+3 −0 modified@@ -272,6 +272,9 @@ public static function checkAttribute($attrSubSet) $attrSubSet[0] = strtolower($attrSubSet[0]); $attrSubSet[1] = html_entity_decode(strtolower($attrSubSet[1]), ENT_QUOTES | ENT_HTML401, 'UTF-8'); + // Remove common XSS-evasion characters + $attrSubSet[1] = str_replace(["\t", "\n", " ", "\0"], "", $attrSubSet[1]); + return (strpos($attrSubSet[1], 'expression') !== false && $attrSubSet[0] === 'style') || preg_match('/(?:(?:java|vb|live)script|behaviour|mocha)(?::|:|&column;)/', $attrSubSet[1]) !== 0; }
Tests/InputFilterTest.php+90 −0 modified@@ -663,6 +663,24 @@ public function casesGeneric() '<img />', 'From generic cases', ], + 'Kill script with tab' => [ + '', + "<img src=\"java\tscript:alert();\" />", + '<img />', + 'From generic cases', + ], + 'Kill script with encoded tab' => [ + '', + "<img src=\"java	script:alert();\" />", + '<img />', + 'From generic cases', + ], + 'Kill script with space' => [ + '', + '<img src="java script:alert();" />', + '<img />', + 'From generic cases', + ], 'Nested tags' => [ '', '<em><strong>Fred</strong></em>', @@ -779,6 +797,24 @@ public function allowed() '', 'From specific cases', ], + 'Kill script with tab' => [ + '', + "<img src=\"java\tscript:alert();\" />", + '', + 'From specific cases', + ], + 'Kill script with encoded tab' => [ + '', + "<img src=\"java	script:alert();\" />", + '', + 'From specific cases', + ], + 'Kill script with space' => [ + '', + '<img src="java script:alert();" />', + '', + 'From specific cases', + ], 'Nested tags' => [ '', '<em><strong>Fred</strong></em>', @@ -933,6 +969,24 @@ public function allowImg() '<img />', 'From specific cases', ], + 'Kill script with tab' => [ + '', + "<img src=\"java\tscript:alert();\" />", + '<img />', + 'From generic cases', + ], + 'Kill script with encoded tab' => [ + '', + "<img src=\"java	script:alert();\" />", + '<img />', + 'From generic cases', + ], + 'Kill script with space' => [ + '', + '<img src="java script:alert();" />', + '<img />', + 'From generic cases', + ], 'Nested tags' => [ '', '<em><strong>Fred</strong></em>', 
@@ -1110,6 +1164,24 @@ public function allowClass() '', 'From specific cases', ], + 'Kill script with tab' => [ + '', + "<img src=\"java\tscript:alert();\" />", + '', + 'From specific cases', + ], + 'Kill script with encoded tab' => [ + '', + "<img src=\"java	script:alert();\" />", + '', + 'From specific cases', + ], + 'Kill script with space' => [ + '', + '<img src="java script:alert();" />', + '', + 'From specific cases', + ], 'Nested tags' => [ '', '<em><strong>Fred</strong></em>', @@ -1622,6 +1694,24 @@ public function blockedImg() '', 'From specific cases', ], + 'Kill script with tab' => [ + '', + "<img src=\"java\tscript:alert();\" />", + '', + 'From specific cases', + ], + 'Kill script with encoded tab' => [ + '', + "<img src=\"java	script:alert();\" />", + '', + 'From specific cases', + ], + 'Kill script with space' => [ + '', + '<img src="java script:alert();" />', + '', + 'From specific cases', + ], 'Unquoted Attribute Without Space' => [ '', '<img height=300>',
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-fm22-g2q9-j3pw (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-54476 (ghsa, ADVISORY)
- developer.joomla.org/security-centre/1010-20250901-core-inadequate-content-filtering-within-the-checkattribute-filter-code.html (nvd, WEB)
- github.com/joomla-framework/filter/commit/188dd3fccd6fa0532d105a52736affdf6b166217 (ghsa, WEB)
- github.com/joomla-framework/filter/commit/852c7e101c649500d3af58ffb8baf15d7c86d825 (ghsa, WEB)
- github.com/joomla-framework/filter/commit/fcde280785f188e93530f7da68102f7dd8f9f723 (ghsa, WEB)