author | Steven Wittens <steven@10.no-reply.drupal.org> | 2007-03-12 01:34:28 +0000 |
---|---|---|
committer | Steven Wittens <steven@10.no-reply.drupal.org> | 2007-03-12 01:34:28 +0000 |
commit | 80646ca6c84a93a20a1b26caed5f147f282d8fcf (patch) | |
tree | 3526318ff6b2765d33fbe0c679c68bb308e23c71 /modules | |
parent | d9ece0d575151e0ef2b8994a19f672f9104afc3a (diff) | |
#105031: Allow both upper and lower case for allowed protocols in XSS checks.
Diffstat (limited to 'modules')
-rw-r--r-- | modules/filter/filter.module | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/modules/filter/filter.module b/modules/filter/filter.module
index ac13a0e98..65ad16d45 100644
--- a/modules/filter/filter.module
+++ b/modules/filter/filter.module
@@ -1475,8 +1475,9 @@ function filter_xss_bad_protocol($string, $decode = TRUE) {
 if (preg_match('![/?#]!', $protocol)) {
 break;
 }
+ // Per RFC2616, section 3.2.3 (URI Comparison) scheme comparison must be case-insensitive
 // Check if this is a disallowed protocol.
- if (!isset($allowed_protocols[$protocol])) {
+ if (!isset($allowed_protocols[strtolower($protocol)])) {
 $string = substr($string, $colonpos + 1);
 }
 } |
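Review bot: The new lookup `isset($allowed_protocols[strtolower($protocol)])` only works if every key of `$allowed_protocols` is already lower-case, and the hunk does not show where that array is built (the body of filter_xss_bad_protocol starts and ends outside the hunk). If the allow-list comes from configuration and an administrator enters `HTTPS`, that scheme would now never match and would always be stripped, so the keys should be normalised at the same point, e.g. `$allowed_protocols = array_flip(array_map('strtolower', $list));` where `$list` stands for whatever array the function currently flips (constructed example). Note also that `strtolower()` in PHP of this era is locale-sensitive for single-byte locales, so an unusual locale could lower-case an ASCII letter differently; because the check is an allow-list, any such mismatch falls on the strip side (fail-closed), so it is not a security regression, but it is worth a short mention in the added comment. The added comment line also exceeds 80 columns and lacks the trailing period Drupal comments use; `// RFC 2616 section 3.2.3: scheme comparison is case-insensitive.` would fit the file's style.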