From 72e77a943ef58c278e085e388ee7a06bc99885c9 Mon Sep 17 00:00:00 2001
From: RanAwaySuccessfully
Date: Tue, 26 Jun 2018 22:08:14 -0300
Subject: [PATCH 1/2] have a \s

"< text" is not valid HTML so it's not vulnerable to XSS
---
 lib/function.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/function.php b/lib/function.php
index 3e83081..d615a02 100644
--- a/lib/function.php
+++ b/lib/function.php
@@ -1263,7 +1263,7 @@ function xss_clean($data) {
 #$data = preg_replace('#(<[^>]+?[\x00-\x20"\'])(?:on|xmlns)[^>]*+>#iu', '$1>', $data);
 do {
 $old_data = $data;
-$data = preg_replace('#(<[^>]+?[\x00-\x20"\'])(on|xmlns)([^>]*+)>#iu', '$1DISABLED_$2$3>', $data);
+$data = preg_replace('#(<[^>\s]+?[\x00-\x20"\'])(on|xmlns)([^>]*+)>#iu', '$1DISABLED_$2$3>', $data);
 } while ($old_data !== $data);
 
 // Remove javascript: and vbscript: protocols

From 959ae3a672ea2a862e46a3f73598c595561810eb Mon Sep 17 00:00:00 2001
From: RanAwaySuccessfully
Date: Tue, 26 Jun 2018 22:26:33 -0300
Subject: [PATCH 2/2] i have a better idea

famous last words
---
 lib/function.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/function.php b/lib/function.php
index d615a02..7646e96 100644
--- a/lib/function.php
+++ b/lib/function.php
@@ -1263,7 +1263,7 @@ function xss_clean($data) {
 #$data = preg_replace('#(<[^>]+?[\x00-\x20"\'])(?:on|xmlns)[^>]*+>#iu', '$1>', $data);
 do {
 $old_data = $data;
-$data = preg_replace('#(<[^>\s]+?[\x00-\x20"\'])(on|xmlns)([^>]*+)>#iu', '$1DISABLED_$2$3>', $data);
+$data = preg_replace('#(<[A-Za-z][^>]*?[\x00-\x20"\'])(on|xmlns)([^>]*+)>#iu', '$1DISABLED_$2$3>', $data);
 } while ($old_data !== $data);
 
 // Remove javascript: and vbscript: protocols
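Review bot: The `preg_replace` result on the added line in PATCH 2/2 is never checked: with the `u` modifier it returns `null` on malformed UTF-8, `$data` becomes `null`, and the loop then runs once more and hands the caller an empty string with no signal that the input was rejected rather than cleaned. A guard directly after the call such as `if ($data === null) { throw new \RuntimeException('xss_clean: preg error ' . preg_last_error()); }` makes that failure explicit instead of silent. Beyond that, the pattern scans only `[^>]*?` after `<`, so it stops at any `>` inside a quoted attribute value and never examines what follows, while harmless attribute text with whitespace followed by `on` (e.g. `title="log on"`) is rewritten to `log DISABLED_on`; a regex blocklist cannot model an HTML tokenizer, and the durable fix is escaping at output with `htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` or passing the markup through a parsing sanitizer. The same line is edited in PATCH 1/2, whose version this hunk supersedes, so the note applies there as well. The body of `xss_clean` starts before and continues after the hunk.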