From a74ebcc87a63628f8c4e0ea35a694b8f299c0633 Mon Sep 17 00:00:00 2001
From: Dries Buytaert <dries@buytaert.net>
Date: Wed, 30 Nov 2005 15:31:23 +0000
Subject: - More fixes

---
 includes/file.inc            |  4 ++++
 modules/filter.module        | 28 +++++++++++++++++-----------
 modules/filter/filter.module | 28 +++++++++++++++++-----------
 3 files changed, 38 insertions(+), 22 deletions(-)

diff --git a/includes/file.inc b/includes/file.inc
index dca300079..a1232f1e9 100644
--- a/includes/file.inc
+++ b/includes/file.inc
@@ -456,6 +456,10 @@ function file_transfer($source, $headers) {
   ob_end_clean();
 
   foreach ($headers as $header) {
+    // To prevent HTTP header injection, we delete new lines that are
+    // not followed by a space or a tab.
+    // See http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2
+    $header = preg_replace('/\r?\n(?!\t| )/', '', $header);
     header($header);
   }
 
diff --git a/modules/filter.module b/modules/filter.module
index 280f53a21..7b007c5ea 100644
--- a/modules/filter.module
+++ b/modules/filter.module
@@ -980,7 +980,8 @@ function _filter_html_settings($format) {
  */
 function _filter_html($text, $format) {
   if (variable_get("filter_html_$format", FILTER_HTML_STRIP) == FILTER_HTML_STRIP) {
-    $text = filter_xss($text, $format);
+    $allowed_tags = preg_split('/\s+|<|>/', variable_get("allowed_html_$format", '<a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>'), -1, PREG_SPLIT_NO_EMPTY);
+    $text = filter_xss($text, $allowed_tags);
   }
 
   if (variable_get("filter_html_$format", FILTER_HTML_STRIP) == FILTER_HTML_ESCAPE) {
@@ -1066,12 +1067,14 @@ function _filter_autop($text) {
  * @param $string
  *   The string with raw HTML in it. It will be stripped of everything that can cause
  *   an XSS attack.
+ * @param $allowed_tags
+ *   An array of allowed tags.
  * @param $format
  *   The format to use.
  */
-function filter_xss($string, $format) {
+function filter_xss($string, $allowed_tags = array('a', 'em', 'strong', 'cite', 'code', 'ul', 'ol', 'li', 'dl', 'dt', 'dd')) {
   // Store the input format
-  _filter_xss_split($format);
+  _filter_xss_split($allowed_tags, TRUE);
   // Remove NUL characters (ignored by some browsers)
   $string = str_replace(chr(0), '', $string);
   // Remove Netscape 4 JS entities
@@ -1098,18 +1101,21 @@ function filter_xss($string, $format) {
 /**
  * Processes an HTML tag.
  *
- * @param
- *   On first call, a format identifier. On subsequent calls, an array where the
- *   first element is the HTML tag to process.
+ * @param @m
+ *   An array with various meaning depending on the value of $store.
+ *   If $store is TRUE then the array contains the allowed tags.
+ *   If $store is FALSE then the array has one element, the HTML tag to process.
+ * @param $store
+ *   Whether to store $m.
  * @return
- *   If the element isn't allowed, an empty string. Otherwise, the cleaned up version
- *   of the HTML element.
+ *   If the element isn't allowed, an empty string. Otherwise, the cleaned up
+ *   version of the HTML element.
  */
-function _filter_xss_split($m) {
+function _filter_xss_split($m, $store = FALSE) {
   static $allowed_html;
 
-  if (!isset($allowed_html)) {
-    $allowed_html = array_flip(preg_split('/\s+|<|>/', variable_get("allowed_html_$m", '<a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>'), -1, PREG_SPLIT_NO_EMPTY));
+  if ($store) {
+    $allowed_html = array_flip($m);
     return;
   }
 
diff --git a/modules/filter/filter.module b/modules/filter/filter.module
index 280f53a21..7b007c5ea 100644
--- a/modules/filter/filter.module
+++ b/modules/filter/filter.module
@@ -980,7 +980,8 @@ function _filter_html_settings($format) {
  */
 function _filter_html($text, $format) {
   if (variable_get("filter_html_$format", FILTER_HTML_STRIP) == FILTER_HTML_STRIP) {
-    $text = filter_xss($text, $format);
+    $allowed_tags = preg_split('/\s+|<|>/', variable_get("allowed_html_$format", '<a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>'), -1, PREG_SPLIT_NO_EMPTY);
+    $text = filter_xss($text, $allowed_tags);
   }
 
   if (variable_get("filter_html_$format", FILTER_HTML_STRIP) == FILTER_HTML_ESCAPE) {
@@ -1066,12 +1067,14 @@ function _filter_autop($text) {
  * @param $string
  *   The string with raw HTML in it. It will be stripped of everything that can cause
  *   an XSS attack.
+ * @param $allowed_tags
+ *   An array of allowed tags.
  * @param $format
  *   The format to use.
  */
-function filter_xss($string, $format) {
+function filter_xss($string, $allowed_tags = array('a', 'em', 'strong', 'cite', 'code', 'ul', 'ol', 'li', 'dl', 'dt', 'dd')) {
   // Store the input format
-  _filter_xss_split($format);
+  _filter_xss_split($allowed_tags, TRUE);
   // Remove NUL characters (ignored by some browsers)
   $string = str_replace(chr(0), '', $string);
   // Remove Netscape 4 JS entities
@@ -1098,18 +1101,21 @@ function filter_xss($string, $format) {
 /**
  * Processes an HTML tag.
  *
- * @param
- *   On first call, a format identifier. On subsequent calls, an array where the
- *   first element is the HTML tag to process.
+ * @param @m
+ *   An array with various meaning depending on the value of $store.
+ *   If $store is TRUE then the array contains the allowed tags.
+ *   If $store is FALSE then the array has one element, the HTML tag to process.
+ * @param $store
+ *   Whether to store $m.
  * @return
- *   If the element isn't allowed, an empty string. Otherwise, the cleaned up version
- *   of the HTML element.
+ *   If the element isn't allowed, an empty string. Otherwise, the cleaned up
+ *   version of the HTML element.
  */
-function _filter_xss_split($m) {
+function _filter_xss_split($m, $store = FALSE) {
   static $allowed_html;
 
-  if (!isset($allowed_html)) {
-    $allowed_html = array_flip(preg_split('/\s+|<|>/', variable_get("allowed_html_$m", '<a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>'), -1, PREG_SPLIT_NO_EMPTY));
+  if ($store) {
+    $allowed_html = array_flip($m);
     return;
   }
 
-- 
cgit v1.2.3