Additional XSS checks #1088

This commit is contained in:
Kijin Sung 2018-09-18 13:27:55 +09:00
parent e03ccbd7a9
commit 19331e6746
2 changed files with 12 additions and 11 deletions


@ -1407,20 +1407,17 @@ class Context
}
elseif($_val = trim($_val))
{
if(in_array($key, array('page', 'cpage')) || ends_with('srl', $key, false))
if(in_array($key, array('page', 'cpage')) || ends_with('srl', $key, false) && preg_match('/[^0-9,]/', $_val))
{
if(preg_match('/[^0-9,]/', $_val))
{
$_val = (int)$_val;
}
$_val = (int)$_val;
}
elseif(in_array($key, array('mid', 'search_keyword', 'xe_validator_id')))
elseif(in_array($key, array('mid', 'vid', 'search_target', 'search_keyword', 'xe_validator_id')) || count($_GET))
{
$_val = escape($_val, false);
}
elseif($key === 'vid')
{
$_val = urlencode($_val);
if(ends_with('url', $key, false))
{
$_val = strtr($_val, array('&' => '&'));
}
}
}
$result[escape($_key)] = $_val;
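Review bot: The rewritten `if` condition mixes `||` and `&&` without parentheses, so by precedence it reads `in_array(page/cpage) || (ends_with('srl') && preg_match('/[^0-9,]/'))`: `page`/`cpage` are always cast to int, while a `*srl` value is cast only when it contains something other than digits and commas and is otherwise passed through unchanged, presumably as a comma-separated id list. Make that explicit with `if(in_array($key, array('page', 'cpage')) || (ends_with('srl', $key, false) && preg_match('/[^0-9,]/', $_val)))` and a one-line comment such as `// *srl may be a comma-separated list of ints; any other non-numeric content is coerced to a single int`. The `count($_GET)` test in the `elseif` is a request-wide condition evaluated for every key (the `$result[escape($_key)]` line suggests this runs inside a loop); if the intent is "escape every free-form string whenever the request carries a query string", a comment saying so would spare the next reader that inference. The `strtr` on the `url` branch is shown here as mapping `'&' => '&'`, a no-op as displayed; if the source actually maps `&amp;` back to `&`, that deliberately reverts part of `escape()` for URL-like keys and deserves a comment as well. The enclosing function begins and ends outside this hunk.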


@ -67,7 +67,11 @@ class UploadFileFilter
*/
protected static function _checkSVG($fp, $from, $to)
{
if (self::_matchStream('/<script|xlink:href\s*=\s*"(?!data:)/i', $fp, $from, $to))
if (self::_matchStream('/<script|<handler\b|xlink:href\s*=\s*"(?!data:)/i', $fp, $from, $to))
{
return false;
}
if (self::_matchStream('/\b(?:ev:(?:event|listener|observer)|on[a-z]+)\s*=/i', $fp, $from, $to))
{
return false;
}
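Review bot: The retained `xlink:href` alternative in the first `_matchStream` pattern only fires when the attribute value is opened with a double quote (`=\s*"`), so it is looser than the new `<handler\b` alternative beside it; accepting an optional single or double quote, `'/<script|<handler\b|xlink:href\s*=\s*["\']?(?!data:)/i'`, makes the two checks consistent. Neither pattern says what it rejects, so a comment above each call would help the next maintainer, e.g. `// reject script/handler elements and xlink:href values that are not inline data: URIs` before the first and `// reject XML Events attributes (ev:event, ev:listener, ev:observer) and HTML-style on* handlers` before the second. The `\bon[a-z]+\s*=` alternative can also match ordinary prose such as `once =` inside `<text>` or `<desc>` content, which is presumably an accepted false-positive rate for an upload filter but worth stating in that comment. The body of `_checkSVG` continues past the end of the hunk.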