[pLog-svn] r6822 - plog/branches/lifetype-1.2/class/data
jondaley at devel.lifetype.net
jondaley at devel.lifetype.net
Sat Feb 21 15:19:52 EST 2009
Author: jondaley
Date: 2009-02-21 15:19:52 -0500 (Sat, 21 Feb 2009)
New Revision: 6822
Modified:
plog/branches/lifetype-1.2/class/data/inputfilter.class.php
Log:
allow = signs inside values
Modified: plog/branches/lifetype-1.2/class/data/inputfilter.class.php
===================================================================
--- plog/branches/lifetype-1.2/class/data/inputfilter.class.php 2009-02-21 19:56:23 UTC (rev 6821)
+++ plog/branches/lifetype-1.2/class/data/inputfilter.class.php 2009-02-21 20:19:52 UTC (rev 6822)
@@ -196,10 +196,20 @@
for ($i = 0; $i <count($attrSet); $i++) {
// skip blank spaces in tag
if (!$attrSet[$i]) continue;
- // split into attr name and value
- $attrSubSet = explode('=', trim($attrSet[$i]));
+ // split into attr name and value
+ // jondaley/lifetype, this added bit allows '=' to be inside the value,
+ // ex. name="FlashVars" value="file=blahblah&height=20"
+ $attr = trim($attrSet[$i]);
+ $equals = strpos($attr, "=");
+ if($equals !== false){
+ $attrSubSet = array(substr($attr, 0, $equals), substr($attr, $equals+1));
+ }
+ else{
+ $attrSubSet = array($attr);
+ }
list($attrSubSet[0]) = explode(' ', $attrSubSet[0]);
- // removes all "non-regular" attr names AND also attr blacklisted
+
+ // removes all "non-regular" attr names AND also attr blacklisted
if ((!eregi("^[a-z]*$",$attrSubSet[0])) || (($this->xssAuto) && ((in_array(strtolower($attrSubSet[0]), $this->attrBlacklist)) || (substr($attrSubSet[0], 0, 2) == 'on'))))
continue;
// xss attr value filtering
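Review bot: The `strpos`/`substr` split on the new lines can hand the value filter `false` instead of `''` when an attribute ends in a bare `=` (e.g. `value=`), because `substr($attr, $equals+1)` returns `false` on PHP 5 when the offset equals the string length, whereas the old `explode` produced an empty string there. `explode` with a limit does the intended first-`=` split in one line and keeps the empty-string behaviour: `$attrSubSet = explode('=', $attr, 2);` in place of the whole `if`/`else`. Note that the value now carries everything after the first `=`, including further `=` and `&`, so the value filtering that starts at the last hunk line is the only check left on that attacker-controlled content; it and the rest of the loop body are outside the hunk and should be confirmed to cope with the longer values (e.g. `javascript:` after an `&`).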