fanbinit/rhymix
1
0
Fork 0
mirror of https://github.com/Lastorder-DC/rhymix.git synced 2026-05-10 12:32:14 +09:00
Code Issues Projects Releases Packages Wiki Activity

XSS Defence by php version

Browse source 
git-svn-id: http://xe-core.googlecode.com/svn/branches/1.5.0@10612 201d5d3c-b55e-5fd7-737f-ddc643e51545
This commit is contained in:
ovclas 2012-04-25 06:19:59 +00:00
parent 415989a435
commit c230fbedff
1 changed files with 22 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

14
config/func.inc.php
View file

@ -697,6 +697,8 @@
// xmp tag 확인 및 추가 // xmp tag 확인 및 추가
$content = checkXmpTag($content); $content = checkXmpTag($content);
if(version_compare(PHP_VERSION, "5.3.0") >= 0)
{
// purifier setting // purifier setting
require_once _XE_PATH_.'classes/security/htmlpurifier/library/HTMLPurifier.auto.php'; require_once _XE_PATH_.'classes/security/htmlpurifier/library/HTMLPurifier.auto.php';
require_once 'HTMLPurifier.func.php'; require_once 'HTMLPurifier.func.php';
@ -706,6 +708,7 @@
$config->set('HTML.SafeObject', true); $config->set('HTML.SafeObject', true);
$purifier = new HTMLPurifier($config); $purifier = new HTMLPurifier($config);
$content = $purifier->purify($content); $content = $purifier->purify($content);
}
return $content; return $content;
} }
@ -751,6 +754,17 @@
$attr = array(); $attr = array();
foreach($attrs as $name=>$val) { foreach($attrs as $name=>$val) {
if($tag == 'object' || $tag == 'embed')
{
$attribute = strtolower(trim($name));
if($attribute == 'data' || $attribute == 'src')
{
if(strpos(strtolower($val), 'data:') === 0)
{
continue;
}
}
}
$val = str_replace('"', '"', $val); $val = str_replace('"', '"', $val);
$attr[] = $name."=\"{$val}\""; $attr[] = $name."=\"{$val}\"";
} }