Commit 17cd7c49 authored by Dries

- Added a function check_url() that CSS checks URLs (or parts thereof).
parent 8f783f69
......@@ -97,6 +97,15 @@ function object2array($node) {
return $array;
}
function referer_uri() {
if (isset($_SERVER["HTTP_REFERER"])) {
$uri = $_SERVER["HTTP_REFERER"];
return check_url($uri);
}
}
function request_uri() {
/*
** Since request_uri() is only available on Apache, we generate
......@@ -110,21 +119,7 @@ function request_uri() {
$uri = $_SERVER["PHP_SELF"] ."?". $_SERVER["QUERY_STRING"];
}
/*
** We pipe the request URI through htmlspecialchars() to prevent
** XSS attacks.
*/
$uri = htmlspecialchars($uri, ENT_QUOTES);
/*
** We replace ( and ) with their entity equivalents to prevent XSS
** attacks.
*/
$uri = strtr($uri, array("(" => "&040;", ")" => "&041;"));
return $uri;
return check_url($uri);
}
function message_access() {
......@@ -457,8 +452,8 @@ function drupal_goto($url) {
*/
function referer_save() {
if (!strstr($_SERVER["HTTP_REFERER"], request_uri())) {
$_SESSION["referer"] = $_SERVER["HTTP_REFERER"];
if (!strstr(referer_uri(), request_uri())) {
$_SESSION["referer"] = referer_uri();
}
}
......@@ -475,6 +470,24 @@ function referer_load() {
}
}
function check_url($uri) {
/*
** We pipe the request URI through htmlspecialchars() to prevent
** XSS attacks.
*/
$uri = htmlspecialchars($uri, ENT_QUOTES);
/*
** We replace ( and ) with their entity equivalents to prevent XSS
** attacks.
*/
$uri = strtr($uri, array("(" => "&040;", ")" => "&041;"));
return $uri;
}
function check_form($text) {
return drupal_specialchars($text);
}
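Review bot: The replacement table in check_url() produces invalid character references: `&040;` and `&041;` lack the `#` that a numeric reference needs, so a browser renders them as literal text and the parentheses in the URL are mangled rather than encoded; the decimal references for `(` and `)` are `&#40;` and `&#41;`, i.e. `$uri = strtr($uri, array("(" => "&#40;", ")" => "&#41;"));`. The same line existed in request_uri() before this commit (the removed lines in the second hunk), so the defect is carried over rather than introduced, but the new helper is the place to fix it. Note also that htmlspecialchars() plus entity substitution yields a string escaped for HTML output, and referer_save() now stores that escaped value in `$_SESSION["referer"]`; if that value is later used as a redirect target or in a header, presumably via drupal_goto(), the entities would be the wrong encoding for that context — confirm against the callers outside this diff. A short header comment on check_url() would make the contract explicit, e.g. `/* Returns $uri escaped for inclusion in HTML output; the result is not a raw URL and must not be used in headers or redirects. */`.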