--- a/includes/functions.php Sat Oct 06 13:01:46 2007 -0400
+++ b/includes/functions.php Sat Oct 06 13:18:30 2007 -0400
@@ -1822,6 +1822,8 @@
$tag_whitelist = array_keys ( setupAttributeWhitelist() );
if ( !$filter_php )
$tag_whitelist[] = '?php';
+ // allow HTML comments
+ $tag_whitelist[] = '!--';
$len = strlen($html);
$in_quote = false;
$quote_char = '';
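Review bot: The new `'!--'` whitelist entry only takes effect if the tag-name scanner (outside this hunk) yields exactly `!--` for a comment opener; if it reads up to the next whitespace or `>`, a comment written as `<!--text-->` with no space after the opener would produce a name like `!--text--` that is not on the list, so whether a comment survives would depend on the author's spacing — worth confirming against the scanner. Unlike `'?php'`, which is gated on `$filter_php`, comment passthrough is unconditional here and callers that relied on comments being stripped have no way to keep that behaviour; a flag in the style of `$filter_php` would keep the two cases consistent. The comment above the new line could record the decision, e.g. `// allow HTML comments through the tag filter; the '!--' pseudo-tag is skipped below instead of being attribute-fixed`. The enclosing function begins outside the hunk.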
@@ -1882,8 +1884,12 @@
}
else
{
+ // If not filtering PHP, don't bother to strip
if ( $tag_name == '?php' && !$filter_php )
continue;
+ // If this is a comment, likewise skip this "tag"
+ if ( $tag_name == '!--' )
+ continue;
$f = fixTagAttributes( $attribs_only, $tag_name );
$s = ( empty($f) ) ? '' : ' ';
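Review bot: The `!--` branch `continue`s before looking at the comment at all, so whatever sits between `<!--` and `-->` reaches the output unexamined, and the third hunk also removes the `preg_replace` that used to delete any `<!-- ... -->` still present at that point, so nothing downstream re-checks it. A comment body is not inert in every consumer — legacy browsers evaluate conditional comments as live markup, and an opener with no matching `-->` comments out the rest of the page — so the skip should be conditional: keep the comment only when the full tag text ends in `-->` and contains no `<` or `>` in its body, and otherwise fall through to the existing strip path. With `$tag_text` standing for whatever variable holds the complete `<...>` match here, that is roughly `if ( $tag_name == '!--' && preg_match('/^<!--[^<>]*-->$/', $tag_text) ) continue;`. Both new comparisons would also be better as `===` to match the strict form used elsewhere in modern PHP; the enclosing function begins and ends outside this hunk.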
@@ -1911,16 +1917,13 @@
}
}
-
+
// Vulnerability from ha.ckers.org/xss.html:
// <script src="http://foo.com/xss.js"
// <
// The rule is so specific because everything else will have been filtered by now
$html = preg_replace('/<(script|iframe)(.+?)src=([^>]*)</i', '<\\1\\2src=\\3<', $html);
- // Unstrip comments
- $html = preg_replace('/<!--([^>]*?)-->/i', '', $html);
-
// Restore stripped comments
$i = 0;
foreach ( $comment_match[0] as $comment )