From 199a0eaa766a9753ea2be6563195f87de740c091 Mon Sep 17 00:00:00 2001
From: Mike Little <mikelittle@git.wordpress.org>
Date: Mon, 23 Jun 2003 23:06:12 +0000
Subject: [PATCH] Security fix for comments: Strip out dangerousa tags. Fix by
 Michel V.

git-svn-id: https://develop.svn.wordpress.org/trunk@244 602fd350-edb4-49c9-b593-d223f7449a82
---
 b2-include/b2functions.php | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/b2-include/b2functions.php b/b2-include/b2functions.php
index 98dadcb18a..4593388008 100644
--- a/b2-include/b2functions.php
+++ b/b2-include/b2functions.php
@@ -1140,6 +1140,15 @@ function balanceTags($text, $is_comment = 0) {
 		return $text;
 	}
 
+	if ($is_comment) {
+		// sanitise HTML attributes, remove frame/applet tags
+		$text = preg_replace('#( on[a-z]{1,}|style|class|id)="(.*?)"#i', '', $text);
+		$text = preg_replace('#( on[a-z]{1,}|style|class|id)=\'(.*?)\'#i', '', $text);
+		$text = preg_replace('#([a-z]{1,})="(( |\t)*?)(javascript|vbscript|about):(.*?)"#i', '$1=""', $text);
+		$text = preg_replace('#([a-z]{1,})=\'(( |\t)*?)(javascript|vbscript|about):(.*?)\'#i', '$1=""', $text);
+		$text = preg_replace('#\<(\/{0,1})([a-z]{0,2})(frame|applet)(.*?)\>#i', '', $text);
+	}
+	
 	$tagstack = array();
 	$stacksize = 0;
 	$tagqueue = '';