authorDries Buytaert <dries@buytaert.net>2003-06-28 07:05:34 +0000
committerDries Buytaert <dries@buytaert.net>2003-06-28 07:05:34 +0000
commit646bb31a42418f46f285824618f63904a06d2c96 (patch)
tree64f0da4df1104d82713ec9856cf197be31fdb1cb /includes
parentf4df719502527597f6340be8016fd4b649cc1967 (diff)
- Improvement: faster regex/checks. Patch by Marco.
Diffstat (limited to 'includes')
-rw-r--r--includes/common.inc30
1 files changed, 3 insertions, 27 deletions
diff --git a/includes/common.inc b/includes/common.inc
index 2346f2646..4b7fb4e2e 100644
--- a/includes/common.inc
+++ b/includes/common.inc
@@ -486,35 +486,11 @@ function xss_check_input_data($data) {
*/
// check attributes:
- $match = preg_match("/\Wstyle\s*=[^>]+?>/i", $data);
- $match += preg_match("/\Wdynsrc\s*=[^>]+?>/i", $data);
- $match += preg_match("/\Wdatasrc\s*=[^>]+?>/i", $data);
- $match += preg_match("/\Wdata\s*=[^>]+?>/i", $data);
- $match += preg_match("/\Wlowsrc\s*=[^>]+?>/i", $data);
- $match += preg_match("/\Wstyle\s*=[^>]+?>/i", $data);
- $match += preg_match("/\Won[a-z]+\s*=[^>]+?>/i", $data);
- $match += preg_match("/\Wsrc\s*=[\s'\"]*javascript[^>]+?>/i", $data);
- $match += preg_match("/\Whref\s*=[\s'\"]*javascript:[^>]+?>/i", $data);
- $match += preg_match("/\Whref\s*=[\s'\"]*javascript:[^>]+?>/i", $data);
+ $match = preg_match("/\W(style|dynsrc|datasrc|data|lowsrc|style|on[a-z]+)\s*=[^>]+?>/i", $data);
+ $match += preg_match("/\W(src|href)\s*=[\s'\"]*javascript[^>]+?>/i", $data);
// check tags:
- $match += preg_match("/<\s*applet/i", $data);
- $match += preg_match("/<\s*script/i", $data);
- $match += preg_match("/<\s*object/i", $data);
- $match += preg_match("/<\s*style/i", $data);
- $match += preg_match("/<\s*embed/i", $data);
- $match += preg_match("/<\s*form/i", $data);
- $match += preg_match("/<\s*blink/i", $data);
- $match += preg_match("/<\s*meta/i", $data);
- $match += preg_match("/<\s*font/i", $data);
- $match += preg_match("/<\s*html/i", $data);
- $match += preg_match("/<\s*frame/i", $data);
- $match += preg_match("/<\s*iframe/i", $data);
- $match += preg_match("/<\s*layer/i", $data);
- $match += preg_match("/<\s*ilayer/i", $data);
- $match += preg_match("/<\s*head/i", $data);
- $match += preg_match("/<\s*frameset/i", $data);
- $match += preg_match("/<\s*xml/i", $data);
+ $match += preg_match("/<\s*(applet|script|object|style|embed|form|blink|meta|font|html|link|frame|iframe|layer|ilayer|head|frameset|xml)/i", $data);
if ($match) {
watchdog("warning", "terminated request because of suspicious input data: ". drupal_specialchars($data));