includes/functions.php
changeset 163 54c79adfb694
parent 162 ad00dc1f8706
child 165 d53cc29308f4
child 170 4c5c2b66a34d
equal deleted inserted replaced
162:ad00dc1f8706 163:54c79adfb694
  1820       $html);
  1820       $html);
  1821 
  1821 
  1822   $tag_whitelist = array_keys ( setupAttributeWhitelist() );
  1822   $tag_whitelist = array_keys ( setupAttributeWhitelist() );
  1823   if ( !$filter_php )
  1823   if ( !$filter_php )
  1824     $tag_whitelist[] = '?php';
  1824     $tag_whitelist[] = '?php';
       
  1825   // allow HTML comments
       
  1826   $tag_whitelist[] = '!--';
  1825   $len = strlen($html);
  1827   $len = strlen($html);
  1826   $in_quote = false;
  1828   $in_quote = false;
  1827   $quote_char = '';
  1829   $quote_char = '';
  1828   $tag_start = 0;
  1830   $tag_start = 0;
  1829   $tag_name = '';
  1831   $tag_name = '';
  1880         $tag_name = '';
  1882         $tag_name = '';
  1881         continue;
  1883         continue;
  1882       }
  1884       }
  1883       else
  1885       else
  1884       {
  1886       {
       
  1887         // If not filtering PHP, don't bother to strip
  1885         if ( $tag_name == '?php' && !$filter_php )
  1888         if ( $tag_name == '?php' && !$filter_php )
       
  1889           continue;
       
  1890         // If this is a comment, likewise skip this "tag"
       
  1891         if ( $tag_name == '!--' )
  1886           continue;
  1892           continue;
  1887         $f = fixTagAttributes( $attribs_only, $tag_name );
  1893         $f = fixTagAttributes( $attribs_only, $tag_name );
  1888         $s = ( empty($f) ) ? '' : ' ';
  1894         $s = ( empty($f) ) ? '' : ' ';
  1889 
  1895 
  1890         $sanitized = '<' . $tag_name . $f . '>';
  1896         $sanitized = '<' . $tag_name . $f . '>';
  1909         $trk_name = false;
  1915         $trk_name = false;
  1910       }
  1916       }
  1911     }
  1917     }
  1912 
  1918 
  1913   }
  1919   }
  1914 
  1920   
  1915   // Vulnerability from ha.ckers.org/xss.html:
  1921   // Vulnerability from ha.ckers.org/xss.html:
  1916   // <script src="http://foo.com/xss.js"
  1922   // <script src="http://foo.com/xss.js"
  1917   // <
  1923   // <
  1918   // The rule is so specific because everything else will have been filtered by now
  1924   // The rule is so specific because everything else will have been filtered by now
  1919   $html = preg_replace('/<(script|iframe)(.+?)src=([^>]*)</i', '&lt;\\1\\2src=\\3&lt;', $html);
  1925   $html = preg_replace('/<(script|iframe)(.+?)src=([^>]*)</i', '&lt;\\1\\2src=\\3&lt;', $html);
  1920 
  1926 
  1921   // Unstrip comments
       
  1922   $html = preg_replace('/&lt;!--([^>]*?)--&gt;/i', '', $html);
       
  1923   
       
  1924   // Restore stripped comments
  1927   // Restore stripped comments
  1925   $i = 0;
  1928   $i = 0;
  1926   foreach ( $comment_match[0] as $comment )
  1929   foreach ( $comment_match[0] as $comment )
  1927   {
  1930   {
  1928     $html = str_replace_once("{HTMLCOMMENT:$i:$rand_seed}", $comment, $html);
  1931     $html = str_replace_once("{HTMLCOMMENT:$i:$rand_seed}", $comment, $html);