authorDries Buytaert <dries@buytaert.net>2005-11-30 15:31:23 +0000
committerDries Buytaert <dries@buytaert.net>2005-11-30 15:31:23 +0000
commita74ebcc87a63628f8c4e0ea35a694b8f299c0633 (patch)
tree02197e34fb608a69537b6f3b2b1790134ab2c598
parent17ec644763bb46af1a17b858accaaa2ff9fb9693 (diff)
downloadbrdo-a74ebcc87a63628f8c4e0ea35a694b8f299c0633.tar.gz
brdo-a74ebcc87a63628f8c4e0ea35a694b8f299c0633.tar.bz2
- More fixes
-rw-r--r--includes/file.inc4
-rw-r--r--modules/filter.module28
-rw-r--r--modules/filter/filter.module28
3 files changed, 38 insertions, 22 deletions
diff --git a/includes/file.inc b/includes/file.inc
index dca300079..a1232f1e9 100644
--- a/includes/file.inc
+++ b/includes/file.inc
@@ -456,6 +456,10 @@ function file_transfer($source, $headers) {
ob_end_clean();
foreach ($headers as $header) {
+ // To prevent HTTP header injection, we delete new lines that are
+ // not followed by a space or a tab.
+ // See http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2
+ $header = preg_replace('/\r?\n(?!\t| )/', '', $header);
header($header);
}
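Review bot: The added `preg_replace` only strips a line feed (with an optional preceding CR), so a bare carriage return in `$header` passes through to `header()` untouched; legacy HTTP parsers have been known to accept a lone CR as a line terminator, so the guard should cover it as well, e.g. `$header = preg_replace('/\r(?!\n)|\r?\n(?!\t| )/', '', $header);`. Keeping a newline that is followed by a space or tab preserves RFC 2616 header folding as the comment says, but the rewrite is silent: a header whose value had to be altered is sent on as if nothing happened, whereas dropping it or logging the event would make an attempted injection visible to operators. Newer PHP releases may also reject multi-line headers inside `header()` itself, so this filter is best treated as defence in depth rather than the only check. The body of file_transfer() continues outside the hunk.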
diff --git a/modules/filter.module b/modules/filter.module
index 280f53a21..7b007c5ea 100644
--- a/modules/filter.module
+++ b/modules/filter.module
@@ -980,7 +980,8 @@ function _filter_html_settings($format) {
*/
function _filter_html($text, $format) {
if (variable_get("filter_html_$format", FILTER_HTML_STRIP) == FILTER_HTML_STRIP) {
- $text = filter_xss($text, $format);
+ $allowed_tags = preg_split('/\s+|<|>/', variable_get("allowed_html_$format", '<a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>'), -1, PREG_SPLIT_NO_EMPTY);
+ $text = filter_xss($text, $allowed_tags);
}
if (variable_get("filter_html_$format", FILTER_HTML_STRIP) == FILTER_HTML_ESCAPE) {
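Review bot: The default allowed-tag string `'<a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>'` and the `preg_split('/\s+|<|>/', ...)` parsing are now repeated here, in the default argument of filter_xss() a hunk later, and in the sibling file modules/filter/filter.module (same hunks); a drift between the copies would silently change which tags survive sanitisation. A single helper that reads and parses the per-format setting, called here as `$allowed_tags = _filter_html_allowed_tags($format);` (name constructed), would keep one source of truth for the allow-list. The pattern also splits on whitespace, so a configured value such as `<a href>` produces the two entries `a` and `href`; that is inherited from the old code, but a comment stating that the setting must be a whitespace-separated list of bare tag names would help administrators. `_filter_html()` ends outside the hunk.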
@@ -1066,12 +1067,14 @@ function _filter_autop($text) {
* @param $string
* The string with raw HTML in it. It will be stripped of everything that can cause
* an XSS attack.
+ * @param $allowed_tags
+ * An array of allowed tags.
* @param $format
* The format to use.
*/
-function filter_xss($string, $format) {
+function filter_xss($string, $allowed_tags = array('a', 'em', 'strong', 'cite', 'code', 'ul', 'ol', 'li', 'dl', 'dt', 'dd')) {
// Store the input format
- _filter_xss_split($format);
+ _filter_xss_split($allowed_tags, TRUE);
// Remove NUL characters (ignored by some browsers)
$string = str_replace(chr(0), '', $string);
// Remove Netscape 4 JS entities
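Review bot: The docblock still carries `@param $format` / `The format to use.` although the new signature has no `$format` parameter, and the comment `// Store the input format` above the `_filter_xss_split()` call describes the old behaviour; both should be dropped or changed to `// Register the allowed tags for the _filter_xss_split() callback.` The second argument changed from a format identifier to an array without a name change at the call sites, so any caller elsewhere that still passes a format id now hands a scalar to `array_flip()` in `_filter_xss_split()`, which warns and leaves the stored allow-list NULL; what the tag lookup then does is outside this hunk. A guard such as `$allowed_tags = is_array($allowed_tags) ? $allowed_tags : array();` before the call would make that case fail closed (everything stripped) instead of depending on that lookup. The same applies to the identical hunk in modules/filter/filter.module; filter_xss() continues outside the hunk.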
@@ -1098,18 +1101,21 @@ function filter_xss($string, $format) {
/**
* Processes an HTML tag.
*
- * @param
- * On first call, a format identifier. On subsequent calls, an array where the
- * first element is the HTML tag to process.
+ * @param @m
+ * An array with various meaning depending on the value of $store.
+ * If $store is TRUE then the array contains the allowed tags.
+ * If $store is FALSE then the array has one element, the HTML tag to process.
+ * @param $store
+ * Whether to store $m.
* @return
- * If the element isn't allowed, an empty string. Otherwise, the cleaned up version
- * of the HTML element.
+ * If the element isn't allowed, an empty string. Otherwise, the cleaned up
+ * version of the HTML element.
*/
-function _filter_xss_split($m) {
+function _filter_xss_split($m, $store = FALSE) {
static $allowed_html;
- if (!isset($allowed_html)) {
- $allowed_html = array_flip(preg_split('/\s+|<|>/', variable_get("allowed_html_$m", '<a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>'), -1, PREG_SPLIT_NO_EMPTY));
+ if ($store) {
+ $allowed_html = array_flip($m);
return;
}
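Review bot: The new docblock line `@param @m` should read `@param $m`. The lazy initialisation that the removed `!isset($allowed_html)` branch provided is gone, so a call with `$store` FALSE that is not preceded by a `$store` TRUE call from filter_xss() now runs with `$allowed_html` unset; how the lookup below handles NULL is outside the hunk, so the fail-closed behaviour a sanitiser needs should be made explicit there, e.g. `if (!isset($allowed_html)) { return ''; }` right after the `$store` block. `array_flip($m)` keeps the case of the configured tag names, so if the later lookup lowercases the tag it compares, the stored keys should be normalised the same way, e.g. `$allowed_html = array_flip(array_map('strtolower', $m));` — please confirm against the comparison code further down. The identical hunk in modules/filter/filter.module has the same issues; `_filter_xss_split()` continues outside the hunk.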
diff --git a/modules/filter/filter.module b/modules/filter/filter.module
index 280f53a21..7b007c5ea 100644
--- a/modules/filter/filter.module
+++ b/modules/filter/filter.module
@@ -980,7 +980,8 @@ function _filter_html_settings($format) {
*/
function _filter_html($text, $format) {
if (variable_get("filter_html_$format", FILTER_HTML_STRIP) == FILTER_HTML_STRIP) {
- $text = filter_xss($text, $format);
+ $allowed_tags = preg_split('/\s+|<|>/', variable_get("allowed_html_$format", '<a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>'), -1, PREG_SPLIT_NO_EMPTY);
+ $text = filter_xss($text, $allowed_tags);
}
if (variable_get("filter_html_$format", FILTER_HTML_STRIP) == FILTER_HTML_ESCAPE) {
@@ -1066,12 +1067,14 @@ function _filter_autop($text) {
* @param $string
* The string with raw HTML in it. It will be stripped of everything that can cause
* an XSS attack.
+ * @param $allowed_tags
+ * An array of allowed tags.
* @param $format
* The format to use.
*/
-function filter_xss($string, $format) {
+function filter_xss($string, $allowed_tags = array('a', 'em', 'strong', 'cite', 'code', 'ul', 'ol', 'li', 'dl', 'dt', 'dd')) {
// Store the input format
- _filter_xss_split($format);
+ _filter_xss_split($allowed_tags, TRUE);
// Remove NUL characters (ignored by some browsers)
$string = str_replace(chr(0), '', $string);
// Remove Netscape 4 JS entities
@@ -1098,18 +1101,21 @@ function filter_xss($string, $format) {
/**
* Processes an HTML tag.
*
- * @param
- * On first call, a format identifier. On subsequent calls, an array where the
- * first element is the HTML tag to process.
+ * @param @m
+ * An array with various meaning depending on the value of $store.
+ * If $store is TRUE then the array contains the allowed tags.
+ * If $store is FALSE then the array has one element, the HTML tag to process.
+ * @param $store
+ * Whether to store $m.
* @return
- * If the element isn't allowed, an empty string. Otherwise, the cleaned up version
- * of the HTML element.
+ * If the element isn't allowed, an empty string. Otherwise, the cleaned up
+ * version of the HTML element.
*/
-function _filter_xss_split($m) {
+function _filter_xss_split($m, $store = FALSE) {
static $allowed_html;
- if (!isset($allowed_html)) {
- $allowed_html = array_flip(preg_split('/\s+|<|>/', variable_get("allowed_html_$m", '<a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>'), -1, PREG_SPLIT_NO_EMPTY));
+ if ($store) {
+ $allowed_html = array_flip($m);
return;
}