author | Andreas Gohr <andi@splitbrain.org> | 2005-10-30 22:22:42 +0100 |
committer | Andreas Gohr <andi@splitbrain.org> | 2005-10-30 22:22:42 +0100 |
commit | 7209be2345d5458f5dd349809cd41895642103e1 (patch) | |
tree | 6aa1e866403ccf96919577f3aee7c65743e540d0 | |
parent | 6e69c1ba2d33f6a576534fc6d05a66cb1554c7d0 (diff) | |
Security fix for hmtl_hilight() #616
darcs-hash:20051030212242-7ad00-e21dc88d3f6abc87b3e9691006d6b9b21a8683d6.gz
-rw-r--r-- | inc/html.php | 23 |
1 files changed, 19 insertions, 4 deletions
diff --git a/inc/html.php b/inc/html.php
index 50844da88..8d48d5397 100644
--- a/inc/html.php
+++ b/inc/html.php
@@ -285,16 +285,31 @@ function html_show($txt=''){
 * Highlights searchqueries in HTML code
 *
 * @author Andreas Gohr <andi@splitbrain.org>
+ * @author Harry Fuecks <hfuecks@gmail.com>
 */
 function html_hilight($html,$query){
- $queries = preg_split ("/\s/",$query,-1,PREG_SPLIT_NO_EMPTY);
+ //split at common delimiters
+ $queries = preg_split ('/[\s\'"\\\\`()\]\[?:!\.{};,#+*<>]+/',$query,-1,PREG_SPLIT_NO_EMPTY);
 foreach ($queries as $q){
- $q = preg_quote($q,'/');
- $html = preg_replace("/((<[^>]*)|$q)/ie", '"\2"=="\1"? unslash("\1"):"<span class=\"search_hit\">".unslash("\1")."</span>"', $html);
+ $q = preg_quote($q,'/');
+ $html = preg_replace_callback("/((<[^>]*)|$q)/i",'html_hilight_callback',$html);
 }
 return $html;
 }
+/**
+ * Callback used by html_hilight()
+ *
+ * @author Harry Fuecks <hfuecks@gmail.com>
+ */
+function html_hilight_callback($m) {
+ $hlight = unslash($m[0]);
+ if ( !isset($m[2])) {
+ $hlight = '<span class="search_hit">'.$hlight.'</span>';
+ }
+ return $hlight;
+}
+
 /**
 * Run a search and display the result
 *
@@ -1163,4 +1178,4 @@ function html_resendpwd() {
 <?php
 }
-//Setup VIM: ex: et ts=2 enc=utf-8 :
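Review bot: `unslash($m[0])` in the new html_hilight_callback() appears to carry over the quote-unescaping that was needed under the removed `/e` mode, where PHP backslash-escapes quotes in the backreferences before evaluating them; preg_replace_callback() passes the match verbatim, so the call now strips backslashes that were genuinely present in the page HTML (for example inside an attribute value of a matched tag). Suggest `$hlight = $m[0];` and dropping the unslash() dependency. The `!isset($m[2])` test works only because group 2 is the last group in the pattern and PCRE omits a trailing non-participating group; a comment such as `// $m[2] is set only when the tag alternative (<[^>]*) matched, never for a search term` would make that contract explicit for the next maintainer. The retained `preg_quote($q,'/')` is what keeps the user-supplied term inert inside the pattern, which together with dropping `/e` is the actual closure of the code-execution issue; the docblock of html_hilight() starts before this hunk.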
\ No newline at end of file
+//Setup VIM: ex: et ts=2 enc=utf-8 : |