From ddd0f144aca654ca301e1885e70095c39d195ff4 Mon Sep 17 00:00:00 2001 From: Magnus Manske Date: Wed, 17 Sep 2003 08:20:16 +0000 Subject: [PATCH] table markup dirty security hack --- includes/OutputPage.php | 51 ++++++++++++++++++++++++++++++++++++++--- 1 file changed, 48 insertions(+), 3 deletions(-) diff --git a/includes/OutputPage.php b/includes/OutputPage.php index 849c5f9f73..9f6f01ab07 100644 --- a/includes/OutputPage.php +++ b/includes/OutputPage.php @@ -599,6 +599,51 @@ class OutputPage { } +function fixTableTags ( $t ) +{ +if ( trim ( $t ) == "" ) return "" ; # Saves runtime ;-) + +$r = array () ; + +$t = explode ( " " , $t ) ; +$quote = false ; +$collect = "" ; + +foreach ( $t AS $x ) +{ + $cnt = substr_count($x,"\"") + substr_count($x,"'") ; + if ( $cnt&1 ) $quote = !$quote ; + $collect .= " " . $x ; + if ( !$quote ) + { + if ( trim ( $collect ) != "" ) $r[] = trim ( $collect ) ; + $collect = "" ; + } +} +if ( trim ( $collect ) != "" ) $r[] = trim ( $collect ) ; + +$t = $r ; +$r = array () ; + +foreach ( $t AS $x ) +{ + $y = explode ( "=" , $x , 2 ) ; + if ( count ( $y ) == 1 ) $y[] = "" ; + $k = trim ( $y[0] ) ; + $v = trim ( $y[1] ) ; + + # Filtering + if ( "on" == strtolower ( substr ( $k , 0 , 2 ) ) ) $k = "" ; + if ( $v == "" && "nowrap" != strtolower ( $k ) ) $k = "" ; + + if ( $k == "" ) $v = "" ; + if ( $v != "" ) $k .= "={$v}" ; + if ( $k != "" ) $r[] = $k ; +} + $t = implode ( " " , $r ) ; +return $t ; +} + function doTableStuff ( $t ) { $t = explode ( "\n" , $t ) ; @@ -611,7 +656,7 @@ function doTableStuff ( $t ) $fc = substr ( $x , 0 , 1 ) ; if ( "{|" == substr ( $x , 0 , 2 ) ) { - $t[$k] = "" ; + $t[$k] = "
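Review bot: The filtering step in fixTableTags is a denylist: it drops names beginning with `on` and valueless names other than `nowrap`, then re-emits every other name and value verbatim, so anything it did not anticipate (a `style` value, a value containing `>` or an unbalanced quote) reaches the tag unchanged. The tokenizer splits only on a literal space and folds `"` and `'` into one parity counter, which is not how a browser delimits attributes, so the name the check inspects may differ from the name the browser parses. An allowlist of lower-cased attribute names, with the value stripped of its quotes, escaped and re-quoted, closes both gaps. The list in the sketch is illustrative. If the text is already entity-escaped before doTableStuff runs (not visible here), the escaping call must not double-encode.

```php
# Filtering: allowlist instead of denylist (illustrative list, adjust to the markup you want to support)
$allowed = array ( "border" , "cellpadding" , "cellspacing" , "width" , "height" ,
	"align" , "valign" , "bgcolor" , "colspan" , "rowspan" , "nowrap" ) ;

foreach ( $t AS $x )
{
	# … unchanged: split $x into $k and $v …
	$k = strtolower ( $k ) ;
	if ( !in_array ( $k , $allowed ) ) continue ;
	if ( $v == "" && "nowrap" != $k ) continue ;
	if ( $v != "" )
	{
		# Strip the author's quotes, escape, and emit our own quoting
		$v = trim ( $v , "\"'" ) ;
		$k .= "=\"" . htmlspecialchars ( $v , ENT_QUOTES ) . "\"" ;
	}
	$r[] = $k ;
}
```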
fixTableTags ( substr ( $x , 3 ) ) . ">" ; array_push ( $td , false ) ; array_push ( $ltd , "" ) ; array_push ( $tr , false ) ; @@ -661,14 +706,13 @@ function doTableStuff ( $t ) array_push ( $ltd , $l ) ; $y = explode ( "|" , $theline , 2 ) ; if ( count ( $y ) == 1 ) $y = "{$z}<{$l}>{$y[0]}" ; - else $y = $y = "{$z}<{$l} {$y[0]}>{$y[1]}" ; + else $y = $y = "{$z}<{$l} ".$this->fixTableTags($y[0]).">{$y[1]}" ; $t[$k] .= $y ; array_push ( $td , true ) ; } } } - # Closing open td, tr && table while ( count ( $td ) > 0 ) { @@ -681,6 +725,7 @@ $t[] = "
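Review bot: `substr ( $x , 3 )` discards the character after `{|` without checking that it is a space, so attributes written directly against the opener lose their first character and the filter inspects a name the author did not write. fixTableTags already trims its input and drops empty tokens, so `substr ( $x , 2 )` gives the same result for the spaced form and also handles the unspaced one. The start of this added line is damaged in this copy of the patch, so the exact concatenation cannot be confirmed from here.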
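Review bot: Only the `{|` opener and this cell branch are routed through fixTableTags in the visible hunks, and the rest of doTableStuff lies outside them. If any other branch (row or caption handling, for instance) copies author-supplied attribute text into a tag, it needs the same call, or the filter can be sidestepped by using that syntax instead. A comment above fixTableTags listing every call site would make that auditable, e.g. `# Every tag doTableStuff opens with user attributes must pass through this`. Separately, the changed line keeps the doubled assignment `$y = $y =`; it can be `else $y = "{$z}<{$l} " . $this->fixTableTags ( $y[0] ) . ">{$y[1]}" ;`.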
" ; return $t ; } + # Well, OK, it's actually about 14 passes. But since all the # hard lifting is done inside PHP's regex code, it probably # wouldn't speed things up much to add a real parser. -- 2.20.1