From 580fe354419fff36782cd076dca76e22d634b2bf Mon Sep 17 00:00:00 2001
From: andrew
Date: Wed, 3 Mar 2004 08:28:54 +0000
Subject: [PATCH] Type: Bug fix
Description: Modification on the XSS bugfix for the logon page.
Behaviour before fix: Not allowing certain punctuation.
Behaviour after fix: Allows limited punctuation.
---
 lib/sanitize.inc | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/lib/sanitize.inc b/lib/sanitize.inc
index e02beac..ccad431 100644
--- a/lib/sanitize.inc
+++ b/lib/sanitize.inc
@@ -30,11 +30,17 @@
 */
 function sanitize($string) {
- // Remove '(' and ')'
- $xss_array = array("(" => "#&40;", ")" => "#&41;");
- // Remove all HTML tags.
- $string = strtr(strip_tags(urldecode($string)), $xss_array);
- return $string;
+ // This should be set if you've read the INSTALL instructions.
+ // Better to be safe though.
+ if (get_magic_quotes_gpc()) {
+ $string = strip_tags(urldecode(trim($string)));
+ } else {
+ $string = addslashes(strip_tags(urldecode(trim($string))));
+ }
+ // This might be a little too aggressive
+ $pattern = "([^[:alpha:]|^_\.\ \:-])";
+ return ereg_replace($pattern, '', $string);
 }
 ?>
--
libgit2 0.21.4
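Review bot: The whitelist in `$pattern` does not do what the "limited punctuation" intent suggests: inside a bracket expression `|` and a non-leading `^` are literal characters, so `|` and `^` pass the filter, while `[:alpha:]` excludes digits, so a logon name such as `user1` is silently rewritten to `user` — a credential that is altered rather than rejected can end up matching a different account than the one the user typed. I would write `$pattern = "[^[:alnum:]_. :-]";` and have the logon code reject any input that `ereg_replace` changes instead of proceeding with the rewritten value. The `addslashes()` branch is also effectively dead: the regex strips backslashes and both quote characters afterwards, so the return value is the same whether or not `get_magic_quotes_gpc()` is on, and SQL escaping belongs at the query rather than in an XSS filter. The `urldecode()` call deserves a comment too, since PHP has already decoded the request and this second pass turns `%3C` typed into a username into `<` before `strip_tags` runs. The whole body of `sanitize()` is inside the hunk.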