From 17cd7c497dbdea19eb6e5a1f040eb4d37789abd0 Mon Sep 17 00:00:00 2001
From: Dries Buytaert
Date: Fri, 6 Jun 2003 21:08:35 +0000
Subject: - Added a function check_url() that CSS checks URLs (or parts thereof).

---
 includes/common.inc | 47 ++++++++++++++++++++++++++++++-----------------
 1 file changed, 30 insertions(+), 17 deletions(-)
(limited to 'includes/common.inc')

diff --git a/includes/common.inc b/includes/common.inc
index 30ba8d7b9..963187096 100644
--- a/includes/common.inc
+++ b/includes/common.inc
@@ -97,6 +97,15 @@ function object2array($node) {
   return $array;
 }
+function referer_uri() {
+  if (isset($_SERVER["HTTP_REFERER"])) {
+    $uri = $_SERVER["HTTP_REFERER"];
+    return check_url($uri);
+  }
+}
+
 function request_uri() {
   /*
   ** Since request_uri() is only available on Apache, we generate
@@ -110,21 +119,7 @@ function request_uri() {
     $uri = $_SERVER["PHP_SELF"] ."?". $_SERVER["QUERY_STRING"];
   }
-  /*
-  ** We pipe the request URI through htmlspecialchars() to prevent
-  ** XSS attacks.
-  */
-
-  $uri = htmlspecialchars($uri, ENT_QUOTES);
-
-  /*
-  ** We replace ( and ) with their entity equivalents to prevent XSS
-  ** attacks.
-  */
-
-  $uri = strtr($uri, array("(" => "&040;", ")" => "&041;"));
-
-  return $uri;
+  return check_url($uri);
 }
 function message_access() {
@@ -457,8 +452,8 @@ function drupal_goto($url) {
 */
 function referer_save() {
-  if (!strstr($_SERVER["HTTP_REFERER"], request_uri())) {
-    $_SESSION["referer"] = $_SERVER["HTTP_REFERER"];
+  if (!strstr(referer_uri(), request_uri())) {
+    $_SESSION["referer"] = referer_uri();
   }
 }
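Review bot: referer_uri() falls off the end without a return value when no Referer header is present, so callers such as referer_save() in the third hunk receive NULL and hand it straight to strstr(); an explicit `return '';` after the if block (or a documented NULL contract) would make the empty case deliberate instead of accidental. A short header comment would also help readers, e.g. `// Returns the Referer header escaped by check_url(), or nothing when the header is absent; the value is client-supplied.` The forward reference to check_url(), which is only defined in the last hunk, is legal for file-scope PHP functions but worth a note for anyone reading top to bottom.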
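Review bot: request_uri() now returns a string that check_url() has already escaped for HTML output, but nothing in the function says so, and a reader comparing the result with strstr() in referer_save() or escaping it again on output has no way to tell; add a comment above the new return, e.g. `// Returned value is HTML-escaped by check_url(); it is not a raw URI.` The function's opening lines are outside this hunk.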
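Review bot: referer_uri() is evaluated twice in the new condition and assignment, and because it returns nothing when the header is missing, strstr() receives NULL and NULL is then written into `$_SESSION["referer"]`; capture the value once and guard it: `$referer = referer_uri();` / `if ($referer && !strstr($referer, request_uri())) {` / `$_SESSION["referer"] = $referer;`. Note also that check_url() only HTML-escapes the header, so the stored value remains client-supplied; wherever referer_load() later hands it to a redirect it should be checked against the site's own host rather than trusted. The docblock above referer_save() begins outside the hunk.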
@@ -475,6 +470,24 @@ function referer_load() {
   }
 }
+function check_url($uri) {
+  /*
+  ** We pipe the request URI through htmlspecialchars() to prevent
+  ** XSS attacks.
+  */
+
+  $uri = htmlspecialchars($uri, ENT_QUOTES);
+
+  /*
+  ** We replace ( and ) with their entity equivalents to prevent XSS
+  ** attacks.
+  */
+
+  $uri = strtr($uri, array("(" => "&040;", ")" => "&041;"));
+
+  return $uri;
+}
+
 function check_form($text) {
   return drupal_specialchars($text);
 }
-- 
cgit v1.2.3
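Review bot: The replacements `&040;` and `&041;` in the strtr() call are not the entity equivalents the comment above promises: a numeric character reference needs a `#`, and without it browsers render the text `&040;` literally, so any escaped URL containing parentheses is mangled rather than displayed; the line should read `$uri = strtr($uri, array("(" => "&#40;", ")" => "&#41;"));`. This text was carried over verbatim from request_uri() in the second hunk, so the defect is not introduced here, but the new shared function is the right place to fix it. The name check_url() also overstates what the function does — it escapes for an HTML context and performs no validation of scheme or host — and a header comment should say so, e.g. `// Escapes $uri for inclusion in HTML output; it does not validate the URL, and the result is not suitable as a raw URI.`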