Type: Bug fix

Description: Modification on the XSS bugfix for the logon page. Behaviour before fix: Not allowing certain punctuation. Behaviour after fix: Allows limited punctuation. git-svn-id: https://kt-dms.svn.sourceforge.net/svnroot/kt-dms/trunk@2825 c91229c3-7414-0410-bfa2-8a42b809f60b

Type: Bug fix
Description: Modification on the XSS bugfix for the logon page. Behaviour before fix: Not allowing certain punctuation. Behaviour after fix: Allows limited punctuation. git-svn-id: https://kt-dms.svn.sourceforge.net/svnroot/kt-dms/trunk@2825 c91229c3-7414-0410-bfa2-8a42b809f60b
andrew
1 parent 6307b213
Showing 1 changed file with 11 additions and 5 deletions
lib/sanitize.inc
@@ -30,11 +30,17 @@
  */
  
 function sanitize($string) {
-	// Remove '(' and ')'
-        $xss_array = array("(" => "#&40;", ")" => "#&41;");
-	// Remove all HTML tags.
-        $string = strtr(strip_tags(urldecode($string)), $xss_array);
-        return $string;
+	// This should be set if you've read the INSTALL instructions.
+	// Better to be safe though.
+	if (get_magic_quotes_gpc()) {
+        	$string = strip_tags(urldecode(trim($string)));
+ 	} else {
+        	$string = addslashes(strip_tags(urldecode(trim($string))));
+	}
+
+	// This might be a little too aggressive
+	$pattern = "([^[:alpha:]|^_\.\ \:-])";
+	return ereg_replace($pattern, '', $string);
 }
  
 ?>