filterJavaScript doesn't filter all javascript... here is one example i noticed looking @ svn.<div><img src=dne onerror=alert(0) /><br><br><div class="gmail_quote">On Thu, Dec 4, 2008 at 4:21 PM, <span dir="ltr">&lt;<a href="mailto:jondaley@devel.lifetype.net">jondaley@devel.lifetype.net</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">Author: jondaley<br>
Date: 2008-12-04 16:21:57 -0500 (Thu, 04 Dec 2008)<br>
New Revision: 6754<br>
<br>
Modified:<br>
plugins/branches/lifetype-1.2/submissions/class/action/addsubmissionaction.class.php<br>
Log:<br>
have to allow HTML whether the tinymce editor is enabled or not. At least filter javascript<br>
<br>
Modified: plugins/branches/lifetype-1.2/submissions/class/action/addsubmissionaction.class.php<br>
===================================================================<br>
--- plugins/branches/lifetype-1.2/submissions/class/action/addsubmissionaction.class.php 2008-12-04 21:16:19 UTC (rev 6753)<br>
+++ plugins/branches/lifetype-1.2/submissions/class/action/addsubmissionaction.class.php 2008-12-04 21:21:57 UTC (rev 6754)<br>
@@ -70,15 +70,15 @@<br>
<br>
$this->_text = "";<br>
$text = $this->_request->getValue( "submissionText" );<br>
- $config =& Config::getConfig();<br>
- $htmlEnabled = $config->getValue("plugin_submissions_htmlarea_enabled");<br>
- $val2 = new StringValidator($htmlEnabled);<br>
+ $val2 = new StringValidator(true);<br>
if( !$val2->validate( $text )) {<br>
$errors["submissionText"] = true;<br>
$message["submissionText"] = $this->_locale->tr("error_submission_no_text");<br>
}<br>
else{<br>
- $this->_text = $text;<br>
+ // is this too much? Maybe just remove javascript?<br>
+// $this->_text = Textfilter::filterHtml($text);<br>
+ $this->_text = Textfilter::filterJavaScript($text);<br>
}<br>
<br>
$this->_categoryIds = "";<br>
<br>
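Review bot: `new StringValidator(true)` hard-codes what was previously read from the `plugin_submissions_htmlarea_enabled` config option, so that option is now dead for this path; either keep reading it or remove/document the option rather than leaving it silently ignored. In the `else` branch, `Textfilter::filterJavaScript($text)` is a deny-list pass, and the reply above shows an `<img>` with an `onerror` handler passing through it, so it should not be the only thing between the submitted text and storage; the commented-out `// $this->_text = Textfilter::filterHtml($text);` and the `// is this too much? Maybe just remove javascript?` question should be decided before commit instead of being checked in as-is.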
_______________________________________________<br>
pLog-svn mailing list<br>
<a href="mailto:pLog-svn@devel.lifetype.net">pLog-svn@devel.lifetype.net</a><br>
<a href="http://limedaley.com/mailman/listinfo/plog-svn" target="_blank">http://limedaley.com/mailman/listinfo/plog-svn</a><br>
</blockquote></div><br></div>
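To illustrate the point of the reply above (an event-handler attribute slipping past a JavaScript deny-list), here is an added allow-list sanitizer in PHP. It is example code, not LifeType's Textfilter and not anything from this thread; the function names, the allowed tag/attribute lists and the constructed test input are all assumptions chosen for the demonstration.

```php
<?php
// Added example, not LifeType's Textfilter: an allow-list HTML sanitizer.
// A deny-list pass (strip <script>, strip "javascript:") still lets an event
// handler attribute such as onerror through; keeping only known tags and
// attributes removes it by construction. The allow-lists below are hypothetical.

/** Return true if $url is relative or uses one of the allowed schemes. */
function urlSchemeAllowed(string $url, array $allowedSchemes): bool
{
    // Browsers ignore control characters and whitespace inside the scheme,
    // so drop them before looking at it.
    $clean = preg_replace('/[\x00-\x20]+/', '', $url);
    if (!preg_match('/^([a-z][a-z0-9+.\-]*):/i', $clean, $m)) {
        return true; // no scheme: relative URL
    }
    return in_array(strtolower($m[1]), $allowedSchemes, true);
}

/** Remove disallowed elements and attributes beneath $node, in place. */
function cleanNode(DOMNode $node, array $allowedTags, array $allowedAttrs, array $allowedSchemes): void
{
    // Iterate over a snapshot because removeChild() mutates childNodes.
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (!in_array($tag, $allowedTags, true)) {
                $node->removeChild($child);   // script, iframe, object, ... are dropped whole
                continue;
            }
            $keep = $allowedAttrs[$tag] ?? [];
            foreach (iterator_to_array($child->attributes, false) as $attr) {
                $name = strtolower($attr->name);
                // Anything not allow-listed (every on* handler, style, ...) is dropped.
                $drop = !in_array($name, $keep, true);
                // URL attributes additionally need a permitted scheme.
                if (!$drop && in_array($name, ['href', 'src'], true)) {
                    $drop = !urlSchemeAllowed($attr->value, $allowedSchemes);
                }
                if ($drop) {
                    $child->removeAttribute($attr->name);
                }
            }
            cleanNode($child, $allowedTags, $allowedAttrs, $allowedSchemes);
        } elseif (!($child instanceof DOMText)) {
            $node->removeChild($child);       // comments, CDATA, processing instructions
        }
    }
}

/** Parse user HTML, keep only allow-listed tags/attributes, and re-serialise it. */
function sanitizeHtml(string $html): string
{
    $allowedTags    = ['p', 'br', 'b', 'i', 'em', 'strong', 'a', 'img', 'ul', 'ol', 'li', 'blockquote'];
    $allowedAttrs   = ['a' => ['href', 'title'], 'img' => ['src', 'alt']];
    $allowedSchemes = ['http', 'https', 'mailto'];

    $doc = new DOMDocument();
    libxml_use_internal_errors(true);           // user HTML is rarely well-formed
    $doc->loadHTML(
        '<?xml encoding="UTF-8"><div id="root">' . $html . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD
    );
    libxml_clear_errors();

    $root = (new DOMXPath($doc))->query('//div[@id="root"]')->item(0);
    if ($root === null) {
        return '';
    }
    cleanNode($root, $allowedTags, $allowedAttrs, $allowedSchemes);

    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed input: the onerror case from the thread plus a javascript: link
// and a bare <script>, the three shapes a deny-list is most often built around.
$input = '<p>hi <img src=dne onerror=alert(0) /> '
       . '<a href="javascript:alert(1)">link</a> <script>alert(2)</script></p>';
echo sanitizeHtml($input), PHP_EOL;
```

Run with `php sanitize.php`: the `<img>` survives with only its `src`, the `<a>` loses its `javascript:` `href`, and the `<script>` element disappears entirely. The design point is that the filter never has to know the name of the next dangerous attribute or scheme; anything it has not explicitly approved is removed, which is the property a deny-list like filterJavaScript cannot give.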