Commit 580fe354419fff36782cd076dca76e22d634b2bf
1 parent
6307b213
Type: Bug fix
Description: Modification on the XSS bugfix for the logon page. Behaviour before fix: Not allowing certain punctuation. Behaviour after fix: Allows limited punctuation. git-svn-id: https://kt-dms.svn.sourceforge.net/svnroot/kt-dms/trunk@2825 c91229c3-7414-0410-bfa2-8a42b809f60b
Showing
1 changed file
with
11 additions
and
5 deletions
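--- a/lib/sanitize.inc
+++ b/lib/sanitize.inc
@@ -30,11 +30,17 @@
 */
 
 function sanitize($string) {
-// Remove '(' and ')'
-$xss_array = array("(" => "#&40;", ")" => "#&41;");
-// Remove all HTML tags.
-$string = strtr(strip_tags(urldecode($string)), $xss_array);
-return $string;
+// This should be set if you've read the INSTALL instructions.
+// Better to be safe though.
+if (get_magic_quotes_gpc()) {
+$string = strip_tags(urldecode(trim($string)));
+} else {
+$string = addslashes(strip_tags(urldecode(trim($string))));
+}
+
+// This might be a little too aggressive
+$pattern = "([^[:alpha:]|^_\.\ \:-])";
+return ereg_replace($pattern, '', $string);
 }
 
 ?>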
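Review bot: The bracket expression on the new `$pattern` line keeps only `[:alpha:]` plus a handful of punctuation, so every digit in a username or password submitted to the logon page is silently removed; `[:alnum:]` looks like what was intended, e.g. `$pattern = "([^[:alnum:]_\. \:-])";`. Inside a POSIX bracket expression `|` and `^` are ordinary characters, so the current pattern also lets those two through rather than expressing alternation or negation. The `addslashes()` branch above is then undone by the same replacement: quote characters are not in the allowed set and are stripped, so the escaping never reaches a query (and if ereg treats `\` inside brackets as a literal, a stray backslash can be left in the value) — SQL escaping belongs at the query site, not in an input filter that also does output sanitisation. For the XSS case the commit description names, stripping tags on input is weaker than escaping with `htmlspecialchars()` where the value is rendered, and it would leave credentials untouched. Note that `get_magic_quotes_gpc()` and `ereg_replace()` were deprecated and later removed in subsequent PHP releases.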