[pLog-svn] r6488 - plog/branches/lifetype-1.2/class/data
jondaley at devel.lifetype.net
Thu May 29 10:08:25 EDT 2008
Author: jondaley
Date: 2008-05-29 10:08:24 -0400 (Thu, 29 May 2008)
New Revision: 6488
Modified:
plog/branches/lifetype-1.2/class/data/textfilter.class.php
Log:
javascript filter needs to be updated, maybe http://htmlpurifier.org/ is the real way to fix it, but in the interest of not changing tons, I just added our existing htmldecode function. This plugs the holes I know about, though I don't have an exhaustive way to test it.
Modified: plog/branches/lifetype-1.2/class/data/textfilter.class.php
===================================================================
--- plog/branches/lifetype-1.2/class/data/textfilter.class.php 2008-05-29 14:06:32 UTC (rev 6487)
+++ plog/branches/lifetype-1.2/class/data/textfilter.class.php 2008-05-29 14:08:24 UTC (rev 6488)
@@ -47,6 +47,9 @@
*/
function filterJavaScript( $text )
{
+ // convert text first, to get "hidden" javascript
+ $text = Textfilter::htmlDecode($text);
+
// Strip all of the Javascript in script tags out...
$text = preg_replace('/<SCRIPT.*?<\/SCRIPT>/ims',"",$text);
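Review bot: decoding entities at the top of filterJavaScript() changes what the function returns, not only what it matches: input that arrived as escaped, inert text (for example a literal `&lt;script&gt;` that an author meant to display) now comes back as real markup, so every caller that stores or echoes the result must re-encode it or the decode step itself can reintroduce active content that was previously harmless. Either re-escape the surviving text before returning, or document in the docblock above (the `*/` at the top of this hunk) that the return value is now decoded and unsafe to output raw. Also note that `Textfilter::htmlDecode` is invoked statically from inside an instance method; that works in PHP but should be `$this->htmlDecode($text)` if the method is not declared static.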
@@ -59,7 +62,7 @@
* -- which is just silly...
*/
$text = preg_replace('/on(Load|Click|DblClick|DragStart|KeyDown|KeyPress|KeyUp|MouseDown|MouseMove|MouseOut|MouseOver|SelectStart|Blur|Focus|Scroll|Select|Unload|Change|Submit)\s*=\s*(\'|").*?\\2/smi',"",$text);
-
+
$text = preg_replace('/(\'|")Javascript:.*?\\1/smi','',$text);
return $text;
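Review bot: this hunk is a whitespace-only change on the blank line between the two preg_replace calls, so the patch adds the decode step without any test that exercises it; since the commit message says the change "plugs the holes I know about" but has no exhaustive way to test it, add a unit test with an entity-encoded sample input for each of these two patterns (the `on…=` handler list and the quoted `Javascript:` URL) so the new behaviour is pinned down and a later regression is caught. The commit message already names HTML Purifier as the real fix; a TODO comment next to the fixed handler list would make clear that this is a stopgap that only covers the names enumerated there.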