From 0eca5935c0311034e42e4ac609ad6bc5d56f1d09 Mon Sep 17 00:00:00 2001
From: Frode Petterson
Date: Thu, 22 Apr 2021 10:05:51 +0200
Subject: [PATCH] Fix improved filtering of attributes
---
 h5p.classes.php | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/h5p.classes.php b/h5p.classes.php
index 6eb3c3e..5c321c8 100644
--- a/h5p.classes.php
+++ b/h5p.classes.php
@@ -4319,7 +4319,13 @@ class H5PContentValidator {
 // Attribute name, href for instance.
 if (preg_match('/^([-a-zA-Z]+)/', $attr, $match)) {
 $attrName = strtolower($match[1]);
- $skip = ($attrName == 'style' || substr($attrName, 0, 2) == 'on');
+ $skip = (
+ $attrname == 'style' ||
+ substr($attrname, 0, 2) == 'on' ||
+ substr($attrname, 0, 1) == '-' ||
+ // Ignore long attributes to avoid unnecessary processing overhead.
+ strlen($attrname) > 96
+ );
 $working = $mode = 1;
 $attr = preg_replace('/^[-a-zA-Z]+/', '', $attr);
 }
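Review bot: The added `$skip` expression tests `$attrname`, but the line above it assigns `$attrName`, and PHP variable names are case-sensitive, so unless `$attrname` is set somewhere outside this hunk all four comparisons run against an undefined value and `$skip` is false for every attribute. That would let `style` and `on*` attributes through the filter that the removed line still blocked. Use the assigned variable in each of the four comparisons, e.g. `$attrName == 'style' ||` and `strlen($attrName) > 96`; a validator test asserting that an `onclick` or `style` attribute is dropped would catch this kind of regression. The enclosing method starts and ends outside the hunk.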