Project: drupal
Commit e6b78e28
authored Dec 08, 2005 by Dries
- Patch #40351 by Richard/chx: filter_xss_bad_protocol too hungry.
parent ac611b24
Showing 2 changed files with 26 additions and 22 deletions (+26 -22)
modules/filter.module (+13 -11)
modules/filter/filter.module (+13 -11)
modules/filter.module
@@ -1276,30 +1276,32 @@ function _filter_xss_attributes($attr) {
* Cleaned up and HTML-escaped version of $string.
*/
function
filter_xss_bad_protocol
(
$string
,
$decode
=
TRUE
)
{
static
$allowed_protocols
;
if
(
!
isset
(
$allowed_protocols
))
{
$allowed_protocols
=
array_flip
(
variable_get
(
'filter_allowed_protocols'
,
array
(
'http'
,
'https'
,
'ftp'
,
'news'
,
'nntp'
,
'telnet'
,
'mailto'
,
'irc'
,
'ssh'
,
'sftp'
,
'webcal'
)));
}
// Get the plain text representation of the attribute value (i.e. its meaning)
if
(
$decode
)
{
$string
=
decode_entities
(
$string
);
}
// Remove soft hyphen
$string
=
str_replace
(
chr
(
194
)
.
chr
(
173
),
''
,
$string
);
$string2
=
''
;
// Strip protocols
do
{
$before
=
$string
;
$string
=
preg_replace_callback
(
'/^([^:]+):/'
,
'_filter_xss_bad_protocol'
,
$string
);
$colonpos
=
strpos
(
$string
,
':'
);
if
(
$colonpos
>
0
)
{
$protocol
=
substr
(
$string
,
0
,
$colonpos
);
if
(
!
isset
(
$allowed_protocols
[
$protocol
]))
{
$string
=
substr
(
$string
,
$colonpos
+
1
);
}
}
}
while
(
$before
!=
$string
);
return
check_plain
(
$string
);
}
function
_filter_xss_bad_protocol
(
$m
)
{
static
$allowed_protocols
;
if
(
!
isset
(
$allowed_protocols
))
{
$allowed_protocols
=
array_flip
(
variable_get
(
'filter_allowed_protocols'
,
array
(
'http'
,
'https'
,
'ftp'
,
'news'
,
'nntp'
,
'telnet'
,
'mailto'
,
'irc'
,
'ssh'
,
'sftp'
,
'webcal'
)));
}
$string
=
preg_replace
(
'/\s+/'
,
''
,
$m
[
1
]);
return
isset
(
$allowed_protocols
[
$string
])
?
"
$string
:"
:
''
;
}
/**
* @} End of "Standard filters".
*/
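Review bot: `$string2 = '';` (just above `// Strip protocols`) is assigned and never read anywhere in `filter_xss_bad_protocol`, so it is dead and should be dropped rather than carried through this rewrite. The `$allowed_protocols` initialisation, `array_flip(variable_get('filter_allowed_protocols', array('http', 'https', ...)))`, is also repeated verbatim inside `_filter_xss_bad_protocol`; if the callback is kept, move the list into one shared helper so the two copies cannot drift apart, and if the `strpos`/`substr` loop replaces the `preg_replace_callback` path, the callback and its duplicate list can be removed entirely. One edge worth a comment: `if ($colonpos > 0)` deliberately ignores a colon at offset 0, so a value beginning with `:` is left untouched; that is safe because no scheme precedes it, but the intent is not obvious from the code.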
modules/filter/filter.module
@@ -1276,30 +1276,32 @@ function _filter_xss_attributes($attr) {
* Cleaned up and HTML-escaped version of $string.
*/
function
filter_xss_bad_protocol
(
$string
,
$decode
=
TRUE
)
{
static
$allowed_protocols
;
if
(
!
isset
(
$allowed_protocols
))
{
$allowed_protocols
=
array_flip
(
variable_get
(
'filter_allowed_protocols'
,
array
(
'http'
,
'https'
,
'ftp'
,
'news'
,
'nntp'
,
'telnet'
,
'mailto'
,
'irc'
,
'ssh'
,
'sftp'
,
'webcal'
)));
}
// Get the plain text representation of the attribute value (i.e. its meaning)
if
(
$decode
)
{
$string
=
decode_entities
(
$string
);
}
// Remove soft hyphen
$string
=
str_replace
(
chr
(
194
)
.
chr
(
173
),
''
,
$string
);
$string2
=
''
;
// Strip protocols
do
{
$before
=
$string
;
$string
=
preg_replace_callback
(
'/^([^:]+):/'
,
'_filter_xss_bad_protocol'
,
$string
);
$colonpos
=
strpos
(
$string
,
':'
);
if
(
$colonpos
>
0
)
{
$protocol
=
substr
(
$string
,
0
,
$colonpos
);
if
(
!
isset
(
$allowed_protocols
[
$protocol
]))
{
$string
=
substr
(
$string
,
$colonpos
+
1
);
}
}
}
while
(
$before
!=
$string
);
return
check_plain
(
$string
);
}
function
_filter_xss_bad_protocol
(
$m
)
{
static
$allowed_protocols
;
if
(
!
isset
(
$allowed_protocols
))
{
$allowed_protocols
=
array_flip
(
variable_get
(
'filter_allowed_protocols'
,
array
(
'http'
,
'https'
,
'ftp'
,
'news'
,
'nntp'
,
'telnet'
,
'mailto'
,
'irc'
,
'ssh'
,
'sftp'
,
'webcal'
)));
}
$string
=
preg_replace
(
'/\s+/'
,
''
,
$m
[
1
]);
return
isset
(
$allowed_protocols
[
$string
])
?
"
$string
:"
:
''
;
}
/**
* @} End of "Standard filters".
*/
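Review bot: the two scheme checks in this hunk do not normalise their input the same way. `_filter_xss_bad_protocol` strips whitespace from the captured scheme with `preg_replace('/\s+/', '', $m[1])` before the `isset($allowed_protocols[$string])` lookup, whereas the loop body looks up `substr($string, 0, $colonpos)` verbatim. Both lookups are case-sensitive, so a scheme such as `HTTP:` or one with embedded whitespace is treated as not allowed and stripped up to the colon; that fails closed, which is the right direction for an XSS filter, but the docblock should say so explicitly so nobody later "fixes" it by lowercasing or trimming only one of the two paths. This hunk is byte-for-byte identical to the one in modules/filter.module, so any follow-up change has to land in both copies.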