Security: Remove on-attributes when showing an HTML editor in forms

Refs advisory GHSA-24cc-9jp9-rxx6

Author: AngelFQC

main/inc/lib/formvalidator/Element/HtmlEditor.php

@@ -2,6 +2,7 @@
 /* For licensing terms, see /license.txt */
 
 use Chamilo\CoreBundle\Component\Editor\CkEditor\CkEditor;
+use Chamilo\CoreBundle\Component\HTMLPurifier\Filter\RemoveOnAttributes;
 
 /**
  * A html editor field to use with QuickForm.
@@ -110,4 +111,12 @@ public function buildEditor($style = false)
 
         return $result;
     }
+
+    /**
+     * @return string|null
+     */
+    public function getValue(): ?string
+    {
+        return RemoveOnAttributes::filter($this->_value);
+    }
 }