From: Magnus Manske
Date: Wed, 17 Sep 2003 08:38:14 +0000 (+0000)
Subject: Improved table markup security fix
X-Git-Tag: 1.1.0~262
X-Git-Url: https://git.cyclocoop.org/%28%28?a=commitdiff_plain;h=0993a38a90fd4269ad3498f9ef65ac4e9c32fcc7;p=lhc%2Fweb%2Fwiklou.git
Improved table markup security fix
---
diff --git a/includes/OutputPage.php b/includes/OutputPage.php
index 9f6f01ab07..51d2d9ba19 100644
--- a/includes/OutputPage.php
+++ b/includes/OutputPage.php
@@ -598,50 +598,35 @@ class OutputPage {
 return $r ;
 }
-
-function fixTableTags ( $t )
+function getHTMLattrs ()
 {
-if ( trim ( $t ) == "" ) return "" ; # Saves runtime ;-)
-
-$r = array () ;
-
-$t = explode ( " " , $t ) ;
-$quote = false ;
-$collect = "" ;
-
-foreach ( $t AS $x )
-{
- $cnt = substr_count($x,"\"") + substr_count($x,"'") ;
- if ( $cnt&1 ) $quote = !$quote ;
- $collect .= " " . $x ;
- if ( !$quote )
- {
- if ( trim ( $collect ) != "" ) $r[] = trim ( $collect ) ;
- $collect = "" ;
- }
+ $htmlattrs = array( # Allowed attributes--no scripting, etc.
+ "title", "align", "lang", "dir", "width", "height",
+ "bgcolor", "clear", /* BR */ "noshade", /* HR */
+ "cite", /* BLOCKQUOTE, Q */ "size", "face", "color",
+ /* FONT */ "type", "start", "value", "compact",
+ /* For various lists, mostly deprecated but safe */
+ "summary", "width", "border", "frame", "rules",
+ "cellspacing", "cellpadding", "valign", "char",
+ "charoff", "colgroup", "col", "span", "abbr", "axis",
+ "headers", "scope", "rowspan", "colspan", /* Tables */
+ "id", "class", "name", "style" /* For CSS */
+ );
+return $htmlattrs ;
 }
-if ( trim ( $collect ) != "" ) $r[] = trim ( $collect ) ;
-
-$t = $r ;
-$r = array () ;
-foreach ( $t AS $x )
+function fixTableTags ( $t )
 {
- $y = explode ( "=" , $x , 2 ) ;
- if ( count ( $y ) == 1 ) $y[] = "" ;
- $k = trim ( $y[0] ) ;
- $v = trim ( $y[1] ) ;
-
- # Filtering
- if ( "on" == strtolower ( substr ( $k , 0 , 2 ) ) ) $k = "" ;
- if ( $v == "" && "nowrap" != strtolower ( $k ) ) $k = "" ;
-
- if ( $k == "" ) $v = "" ;
- if ( $v != "" ) $k .= "={$v}" ;
- if ( $k != "" ) $r[] = $k ;
-}
- $t = implode ( " " , $r ) ;
-return $t ;
+ if ( trim ( $t ) == "" ) return "" ; # Saves runtime ;-)
+ $htmlattrs = $this->getHTMLattrs() ;
+
+# Strip non-approved attributes from the tag
+ $t = preg_replace(
+ "/(\\w+)(\\s*=\\s*([^\\s\">]+|\"[^\">]*\"))?/e",
+ "(in_array(strtolower(\"\$1\"),\$htmlattrs)?(\"\$1\".((\"x\$3\" != \"x\")?\"=\$3\":'')):'')",
+ $t);
+
+ return 
trim ( $t ) ; } function doTableStuff ( $t ) @@ -1274,18 +1259,8 @@ $t[] = "" ; $htmlsingle = array_merge( $tabletags, $htmlsingle ); $htmlelements = array_merge( $htmlsingle, $htmlpairs ); - $htmlattrs = array( # Allowed attributes--no scripting, etc. - "title", "align", "lang", "dir", "width", "height", - "bgcolor", "clear", /* BR */ "noshade", /* HR */ - "cite", /* BLOCKQUOTE, Q */ "size", "face", "color", - /* FONT */ "type", "start", "value", "compact", - /* For various lists, mostly deprecated but safe */ - "summary", "width", "border", "frame", "rules", - "cellspacing", "cellpadding", "valign", "char", - "charoff", "colgroup", "col", "span", "abbr", "axis", - "headers", "scope", "rowspan", "colspan", /* Tables */ - "id", "class", "name", "style" /* For CSS */ - ); + + $htmlattrs = $this->getHTMLattrs (); # Remove HTML comments $text = preg_replace( "//sU", "", $text );
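Review bot: The rewritten `fixTableTags` still evaluates text derived from the wiki source as PHP: the `/e` modifier on the `preg_replace` pattern makes the replacement string `eval`'d code with `$1` and `$3` substituted from the raw tag attributes, so the filter's safety depends on PCRE's backreference escaping rather than on the whitelist itself. A second gap is that `preg_replace` leaves every character the pattern does not match (stray quotes, `>`, `/`, or the remainder after an unbalanced `'`) in the returned string, so the function whitelists attribute *names* but does not rebuild the attribute string from approved tokens only; attribute values are likewise emitted unvalidated, which matters for `style` and for `cite`, which takes a URI. Collecting the matches with `preg_match_all` and building the result from the approved ones removes the `/e` dependency and the pass-through at the same time (the `$this->getHTMLattrs()` extraction in the second hunk can stay as is). The enclosing function starts in the previous physical line of this hunk and ends at the `}` before `doTableStuff`.
```php
function fixTableTags ( $t )
{
	if ( trim ( $t ) == "" ) return "" ; # Saves runtime ;-)
	$htmlattrs = $this->getHTMLattrs() ;

	# Keep only approved attribute tokens; anything the pattern does not match is dropped
	preg_match_all( "/(\\w+)(\\s*=\\s*([^\\s\">]+|\"[^\">]*\"))?/", $t, $m, PREG_SET_ORDER );
	$r = array () ;
	foreach ( $m as $a ) {
		if ( !in_array( strtolower( $a[1] ), $htmlattrs ) ) continue ;
		$r[] = ( isset( $a[3] ) && $a[3] != "" ) ? "{$a[1]}={$a[3]}" : $a[1] ;
	}
	return implode ( " " , $r ) ;
}
```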