From 6cf384a37e5ceed99018defc8e7c69873a94a6f8 Mon Sep 17 00:00:00 2001
From: ovclas
Date: Thu, 3 Jan 2013 08:23:31 +0000
Subject: [PATCH] security defence
git-svn-id: http://xe-core.googlecode.com/svn/branches/luminous@12510 201d5d3c-b55e-5fd7-737f-ddc643e51545
---
 classes/security/EmbedFilter.class.php | 56 ++++++++++++++++++++++++++
 1 file changed, 56 insertions(+)
diff --git a/classes/security/EmbedFilter.class.php b/classes/security/EmbedFilter.class.php
index afc98d291..f674bfbe5 100644
--- a/classes/security/EmbedFilter.class.php
+++ b/classes/security/EmbedFilter.class.php
@@ -3,6 +3,16 @@ include _XE_PATH_ . 'classes/security/phphtmlparser/src/htmlparser.inc';
 class EmbedFilter
 {
+ /**
+ * allow script access list
+ * @var array
+ */
+ var $allowscriptaccessList = array();
+ /**
+ * allow script access key
+ * @var int
+ */
+ var $allowscriptaccessKey = 0;
 var $whiteUrlXmlFile = './classes/security/conf/embedWhiteUrl.xml';
 var $whiteUrlCacheFile = './files/cache/embedfilter/embedWhiteUrl.php';
 var $whiteUrlList = array();
@@ -275,6 +285,9 @@ class EmbedFilter
 */
 function check(&$content)
 {
+ $content = preg_replace_callback('/<(object|param|embed)[^>]*/is', array($this, '_checkAllowScriptAccess'), $content);
+ $content = preg_replace_callback('/]*>/is', array($this, '_addAllowScriptAccess'), $content);
+
 $this->checkObjectTag($content);
 $this->checkEmbedTag($content);
 $this->checkIframeTag($content);
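Review bot: check() never resets the bookkeeping the two new callbacks depend on, so a second call on the same EmbedFilter instance starts with `$this->allowscriptaccessList` and `$this->allowscriptaccessKey` carried over from the previous document, and the per-tag lookup `$this->allowscriptaccessList[$this->allowscriptaccessKey]` in the second pass appears to be offset by everything seen earlier. The properties are given initial values in the first hunk but are only ever appended to and incremented (`$this->allowscriptaccessList[] = 1;`, `$this->allowscriptaccessKey++;` in the last hunk), so the first two lines of check() should be `$this->allowscriptaccessList = array();` and `$this->allowscriptaccessKey = 0;`. preg_replace_callback also returns null on a PCRE failure, which would overwrite `$content` with null before checkObjectTag() and the other parser-based checks run; assigning to a temporary and keeping the original when `preg_last_error() !== PREG_NO_ERROR` avoids that. The second pattern reads `'/]*>/is'` as rendered here, which looks truncated in this rendering, so I have not reviewed it.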
@@ -530,6 +543,49 @@ class EmbedFilter return false; } + function _checkAllowScriptAccess($m) + { + if($m[1] == 'object') + { + $this->allowscriptaccessList[] = 1; + } + + if($m[1] == 'param') + { + if(strpos(strtolower($m[0]), 'allowscriptaccess')) + { + $m[0] = 'allowscriptaccessList[count($this->allowscriptaccessList)-1]--; + } + } + else if($m[1] == 'embed') + { + if(strpos(strtolower($m[0]), 'allowscriptaccess')) + { + $m[0] = preg_replace('/always|samedomain/i', 'never', $m[0]); + } + else + { + $m[0] = preg_replace('/\allowscriptaccessList[$this->allowscriptaccessKey] == 1) + { + $m[0] = $m[0].''; + } + $this->allowscriptaccessKey++; + return $m[0]; + } + /** * Make white domain list cache file from xml config file. * @return void
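Review bot: The `strpos(strtolower($m[0]), 'allowscriptaccess')` test in both the `param` and `embed` branches of _checkAllowScriptAccess only asks whether the substring occurs anywhere in the tag text, not whether an attribute of that name is present, so a tag that merely contains the word in another attribute's value is treated as already carrying the attribute and nothing is added; matching the attribute itself, e.g. `preg_match('/\ballowscriptaccess\s*=/i', $m[0])`, is the check the code intends. The `embed` branch then runs `preg_replace('/always|samedomain/i', 'never', $m[0])` over the whole tag, which also rewrites those words wherever they occur in other attribute values (a src URL, for instance); anchoring the replacement to the attribute's value would confine it. The `param` branch decrements `$this->allowscriptaccessList[count($this->allowscriptaccessList)-1]`, which is index -1 (an undefined-offset notice plus a stray key) when a `<param>` precedes any `<object>`, so it needs a guard such as `if(count($this->allowscriptaccessList) > 0)`. The hunk as rendered here has lost some characters (the header of the second function and the string literals around `'allowscriptaccessList[` and `preg_replace('/\`), so I have not reviewed those lines.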