Diffstat (limited to 'includes/common.inc')
-rw-r--r-- | includes/common.inc | 16 |
1 files changed, 11 insertions, 5 deletions
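diff --git a/includes/common.inc b/includes/common.inc
index 910174e19..87ab7640c 100644
--- a/includes/common.inc
+++ b/includes/common.inc
@@ -484,7 +484,7 @@ function xss_check_input_data($data) {
   */
 
   // check attributes:
-  $match = preg_match("/\W(style|dynsrc|datasrc|data|lowsrc|style|on[a-z]+)\s*=[^>]+?>/i", $data);
+  $match = preg_match("/\W(style|dynsrc|datasrc|data|lowsrc|on[a-z]+)\s*=[^>]+?>/i", $data);
   $match += preg_match("/\W(src|href)\s*=[\s'\"]*javascript[^>]+?>/i", $data);
 
   // check tags:
@@ -1021,6 +1021,16 @@ function drupal_page_header() {
       exit();
     }
   }
+
+  /*
+  ** Putting the check here avoids SQL query overhead in case we are
+  ** serving cached pages. The downside, however, is that the init
+  ** hooks might use unchecked data.
+  */
+
+  if (!user_access("bypass input data check")) {
+    xss_check_input_data($_REQUEST);
+  }
 }
 
 function drupal_page_footer() {
@@ -1054,9 +1064,6 @@ set_error_handler("error_handler");
 // spit out the correct charset http header
 header("Content-Type: text/html; charset=utf-8");
 
-// filter input data:
-xss_check_input_data($_REQUEST);
-
 // initialize installed modules:
 module_init();
 
@@ -1066,5 +1073,4 @@ $locale = locale_init();
 
 // initialize theme:
 $theme = theme_init();
-
 ?>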
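Review bot: The relocated check in drupal_page_header() is now conditional on `user_access("bypass input data check")`, so every request from an account holding that permission reaches the init hooks and page callbacks with no input screening at all; the added comment documents the caching trade-off but not this one, and a line such as `// NOTE: accounts with this permission submit unchecked request data; grant it only to trusted roles.` beside the `if` would make that visible at the call site. The cached-page branch just above has the same property, since `exit()` returns before the check runs, so any code that reads `$_REQUEST` while serving a cached page sees unscreened data. user_access() presumably needs the current user loaded earlier in the bootstrap than this call, which runs before module_init() just as the removed call in the third hunk did; worth confirming rather than assuming. Because xss_check_input_data() is a regex heuristic (first hunk), this check is defence in depth only, and escaping at the point where request data is rendered remains the primary control. The body of drupal_page_header() begins outside the hunk.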