Separated out html sanitise stuff from balance tags.

Also made it slightly more robust.


git-svn-id: https://develop.svn.wordpress.org/trunk@284 602fd350-edb4-49c9-b593-d223f7449a82
Mike Little 2003-08-02 13:26:26 +00:00
parent c781ee2d85
commit f3e54f37c6


@ -1113,6 +1113,20 @@ function pingback($content, $post_ID) {
debug_fclose($log);
}
/**
** sanitise HTML attributes, remove frame/applet/*script/mouseovers,etc. tags
** so that this kind of thing cannot be done:
** This is how we can do <b onmouseover="alert('badbadbad')">bad stuff</b>!
**/
function sanitise_html_attributes($text) {
$text = preg_replace('#( on[a-z]{1,}|style|class|id)="(.*?)"#i', '', $text);
$text = preg_replace('#( on[a-z]{1,}|style|class|id)=\'(.*?)\'#i', '', $text);
$text = preg_replace('#( on[a-z]{1,}|style|class|id)[ \t]*=[ \t]*([^ \t\>]*?)#i', '', $text);
$text = preg_replace('#([a-z]{1,})="(( |\t)*?)(javascript|vbscript|about):(.*?)"#i', '$1=""', $text);
$text = preg_replace('#([a-z]{1,})=\'(( |\t)*?)(javascript|vbscript|about):(.*?)\'#i', '$1=""', $text);
$text = preg_replace('#\<(\/{0,1})([a-z]{0,2})(frame|applet)(.*?)\>#i', '', $text);
return $text;
}
/*
balanceTags
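Review bot: The third replacement in sanitise_html_attributes ends in `([^ \t\>]*?)`, a lazy quantifier with nothing following it, so it always matches the empty string; for an unquoted attribute only the ` onclick=` part is removed and the value text is left behind inside the tag. Dropping the `?` (and the now-unused capture group) makes the value get consumed: `$text = preg_replace('#( on[a-z]{1,}|style|class|id)[ \t]*=[ \t]*[^ \t>]*#i', '', $text);`. The patterns also require a single literal space before the `on` name, so an attribute separated from the tag name by a tab or newline is not matched; `\s+` in place of that space would be more robust. The `style|class|id` alternatives have no leading delimiter, so they also fire inside longer attribute names such as `guid="..."`, truncating it to `gu`. A docblock line stating that this is a denylist pass over unescaped text, not a general HTML sanitiser, would help callers such as balanceTags apply it at the right point.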
@ -1132,19 +1146,11 @@ function pingback($content, $post_ID) {
Added Cleaning Hooks
1.0 First Version
*/
function balanceTags($text, $is_comment = 0) {
global $use_balanceTags;
if ($is_comment) {
$text = stripslashes($text);
// sanitise HTML attributes, remove frame/applet tags
$text = preg_replace('#( on[a-z]{1,}|style|class|id)="(.*?)"#i', '', $text);
$text = preg_replace('#( on[a-z]{1,}|style|class|id)=\'(.*?)\'#i', '', $text);
$text = preg_replace('#([a-z]{1,})="(( |\t)*?)(javascript|vbscript|about):(.*?)"#i', '$1=""', $text);
$text = preg_replace('#([a-z]{1,})=\'(( |\t)*?)(javascript|vbscript|about):(.*?)\'#i', '$1=""', $text);
$text = preg_replace('#\<(\/{0,1})([a-z]{0,2})(frame|applet)(.*?)\>#i', '', $text);
$text = addslashes($text);
$text = sanitise_html_attributes($text);
}
if ($use_balanceTags == 0) {