From 0c0604d24d13254982912979c901a557bef4196b Mon Sep 17 00:00:00 2001
From: ovclas
Date: Thu, 22 Nov 2012 02:37:50 +0000
Subject: [PATCH] XSS, Webshell defence

git-svn-id: http://xe-core.googlecode.com/svn/branches/1.5.3.2@12278 201d5d3c-b55e-5fd7-737f-ddc643e51545
---
 modules/document/document.admin.view.php | 3 +++
 modules/install/install.admin.controller.php | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/modules/document/document.admin.view.php b/modules/document/document.admin.view.php
index 0022fb365..53eb92212 100644
--- a/modules/document/document.admin.view.php
+++ b/modules/document/document.admin.view.php
@@ -59,6 +59,9 @@
 Context::set('status_name_list', $statusNameList);
 Context::set('page_navigation', $output->page_navigation);
 
+ $oSecurity = new Security();
+ $oSecurity->encodeHTML('document_list..variables.');
+
 // set a search option used in the template
 $count_search_option = count($this->search_option);
 for($i=0;$i<$count_search_option;$i++) {
diff --git a/modules/install/install.admin.controller.php b/modules/install/install.admin.controller.php
index a0618d56f..1020a0393 100644
--- a/modules/install/install.admin.controller.php
+++ b/modules/install/install.admin.controller.php
@@ -150,7 +150,7 @@ $buff = '
 $val) {
 if(!$val) continue;
-if(preg_match('/(<\?|<\?php|\?>)/xsm', preg_replace('/\s/', '', $val)))
+if(preg_match('/(<\?|<\?php|\?>|fputs|fopen|fwrite|fgets|fread|\/\*|\*\/|chr\()/xsm', preg_replace('/\s/', '', $val)))
 {
 continue;
 }
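Review bot: `$oSecurity->encodeHTML('document_list..variables.')` appears to rewrite the Context values in place, so any later escaping of the same fields (in this method or in the template) would double-encode them, and a non-HTML response built from the same Context would carry HTML entities; the intent deserves a comment such as `// HTML-encode every field of each document_list entry before the admin list template renders it`. It is worth confirming that the document list template does not apply its own escaping to these fields. The enclosing method begins and ends outside the hunk.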
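Review bot: The added alternatives turn the check into a substring denylist, which silently drops any config value that merely contains a token such as `fread` (a legitimate prefix or password can) while any function name not on the list passes unchanged; the robust defence is to escape `$val` at the point it is written into `$buff` (for example `var_export($val, true)`) so no value can close the quoted literal, and keep this check, if at all, as a secondary guard. `<\?` already matches `<\?php`, so that alternative is redundant, and a rejected value should be reported rather than skipped with a bare `continue`. The loop and the `$buff` assignment begin outside the hunk, so how `$val` is interpolated into the generated file cannot be confirmed from here.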