From dc15ba06e05df99885d0024b2fc9173291e79038 Mon Sep 17 00:00:00 2001
From: Dries Buytaert
Date: Tue, 1 Jul 2003 17:54:22 +0000
Subject: - Improvement: don't perform XSS checks for trusted users. Trusted users are those that have the "bypass input data check" permission set. Should address bug #2147.
- Improvement: simplified index.php and modules/admin.module.
- Bugfix: fixed broken links in bloggerapi documentation. Patch by Chris Johnson. Fixes bug #2030.
- Bugfix: fixed the date shown on a book module preview. Reported as part of bug #2097.
- Bugfix: fixed broken URL in the book module documentation.
---
 includes/common.inc | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)
(limited to 'includes')
diff --git a/includes/common.inc b/includes/common.inc
index 910174e19..87ab7640c 100644
--- a/includes/common.inc
+++ b/includes/common.inc
@@ -484,7 +484,7 @@ function xss_check_input_data($data) {
   */
 
   // check attributes:
-  $match = preg_match("/\W(style|dynsrc|datasrc|data|lowsrc|style|on[a-z]+)\s*=[^>]+?>/i", $data);
+  $match = preg_match("/\W(style|dynsrc|datasrc|data|lowsrc|on[a-z]+)\s*=[^>]+?>/i", $data);
   $match += preg_match("/\W(src|href)\s*=[\s'\"]*javascript[^>]+?>/i", $data);
 
   // check tags:
@@ -1021,6 +1021,16 @@ function drupal_page_header() {
       exit();
     }
   }
+
+  /*
+  ** Putting the check here avoids SQL query overhead in case we are
+  ** serving cached pages. The downside, however, is that the init
+  ** hooks might use unchecked data.
+  */
+
+  if (!user_access("bypass input data check")) {
+    xss_check_input_data($_REQUEST);
+  }
 }
 
 function drupal_page_footer() {
@@ -1054,9 +1064,6 @@ set_error_handler("error_handler");
 // spit out the correct charset http header
 header("Content-Type: text/html; charset=utf-8");
 
-// filter input data:
-xss_check_input_data($_REQUEST);
-
 // initialize installed modules:
 module_init();
 
@@ -1066,5 +1073,4 @@ $locale = locale_init();
 
 // initialize theme:
 $theme = theme_init();
-
 ?>
-- 
cgit v1.2.3
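Review bot: The new `if (!user_access("bypass input data check"))` gate in the drupal_page_header() hunk (+1021) makes a stringly-typed permission an opt-out of all request filtering, yet nothing documents that granting it is equivalent to trusting that role with arbitrary markup in every request parameter; the comment above the gate should say so, e.g. `** "bypass input data check" disables xss_check_input_data() entirely and must only be given to fully trusted roles.`, and the permission's hook_perm description (outside this diff) should carry the same warning. Because the gate sits after the cached-page branch that calls exit(), a cached response is served with no check having run at all, and the comment should also state that `$_REQUEST` is unchecked for any hook_init code executing before drupal_page_header(), and that the bypass assumes `$user` is already loaded when this function runs — the call order is not visible in this hunk. If xss_check_input_data() can be made to report a match rather than act on it, the cheap regexes could run first and user_access() be consulted only when something matched, which would let the check move ahead of the cache branch without the SQL overhead the comment is avoiding. drupal_page_header()'s body starts outside the hunk.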