Origin: https://github.com/drupal/drupal/commit/9c8d2ca3a625879910a468070d02532aabf8bf04
Forwarded: not-needed
From: Jasu_M, effulgentsia, alexpott, mlhess, Wim Leers, Heine, pwolanin, xjm, samuel.mortenson, nwellnhof, larowlan, phenaproxima, mcrdruid
Date: Fri 23 Apr 2021 02:00:11 PM CDT
Subject: Fixes for SA-CORE-2021-002
 Backported the diff between 7.79 and 7.80, applying it to the version in the
 old-stable Debian release (7.52)
 .
 SA-CORE-2021-002 fixes a cross-site scripting vulnerability caused by a lack of sanitization.
Index: drupal7/includes/common.inc
===================================================================
--- drupal7.orig/includes/common.inc
+++ drupal7/includes/common.inc
@@ -1601,7 +1601,13 @@ function _filter_xss_attributes($attr) {
         // Attribute name, href for instance.
         if (preg_match('/^([-a-zA-Z]+)/', $attr, $match)) {
           $attrname = strtolower($match[1]);
-          $skip = ($attrname == 'style' || substr($attrname, 0, 2) == 'on');
+          $skip = (
+            $attrname == 'style' ||
+            substr($attrname, 0, 2) == 'on' ||
+            substr($attrname, 0, 1) == '-' ||
+            // Ignore long attributes to avoid unnecessary processing overhead.
+            strlen($attrname) > 96
+          );
           $working = $mode = 1;
           $attr = preg_replace('/^[-a-zA-Z]+/', '', $attr);
         }
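Review bot: The new dash-prefix rejection (`substr($attrname, 0, 1) == '-'`) has no comment explaining why such names are skipped, while the adjacent length check does, and the reason is not obvious because the `preg_match('/^([-a-zA-Z]+)/', ...)` two lines above deliberately admits a leading dash. A reader of this security fix will otherwise have to reconstruct the motivation from the advisory; a line such as `// Skip attribute names beginning with a dash; the regex above admits them.` followed by the actual risk being addressed would make the check self-explanatory. Note that `$skip` appears to only mark the attribute for exclusion rather than stop parsing, so the "avoid unnecessary processing overhead" wording on the length check may overstate what it saves — worth confirming against the rest of the loop. The enclosing `_filter_xss_attributes()` body starts before and continues after this hunk.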
