XSS Defence by php version

git-svn-id: http://xe-core.googlecode.com/svn/branches/1.5.0@10612 201d5d3c-b55e-5fd7-737f-ddc643e51545
ovclas 2012-04-25 06:19:59 +00:00
parent 415989a435
commit c230fbedff


@ -697,15 +697,18 @@
// xmp tag 확인 및 추가
$content = checkXmpTag($content);
// purifier setting
require_once _XE_PATH_.'classes/security/htmlpurifier/library/HTMLPurifier.auto.php';
require_once 'HTMLPurifier.func.php';
if(version_compare(PHP_VERSION, "5.3.0") >= 0)
{
// purifier setting
require_once _XE_PATH_.'classes/security/htmlpurifier/library/HTMLPurifier.auto.php';
require_once 'HTMLPurifier.func.php';
$config = HTMLPurifier_Config::createDefault();
$config->set('HTML.TidyLevel', 'light');
$config->set('HTML.SafeObject', true);
$purifier = new HTMLPurifier($config);
$content = $purifier->purify($content);
$config = HTMLPurifier_Config::createDefault();
$config->set('HTML.TidyLevel', 'light');
$config->set('HTML.SafeObject', true);
$purifier = new HTMLPurifier($config);
$content = $purifier->purify($content);
}
return $content;
}
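Review bot: On PHP older than 5.3.0 the new `if(version_compare(PHP_VERSION, "5.3.0") >= 0)` guard skips the whole HTMLPurifier step and `return $content;` hands back content that has only passed `checkXmpTag()`, with nothing in the hunk recording that the purification was bypassed. Since the version test is the only thing deciding whether the purifier runs, the degraded path deserves to be explicit rather than implicit: add an `else` with a comment such as `// PHP < 5.3: HTMLPurifier is not loaded, so $content is returned without purification — only checkXmpTag() has been applied` so the next maintainer does not assume every return value is purified. If this version gate is meant to be permanent, a named constant for `"5.3.0"` next to the other purifier settings would also make the threshold easier to find. The enclosing function's signature and earlier body are outside this hunk.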
@ -751,6 +754,17 @@
$attr = array();
foreach($attrs as $name=>$val) {
if($tag == 'object' || $tag == 'embed')
{
$attribute = strtolower(trim($name));
if($attribute == 'data' || $attribute == 'src')
{
if(strpos(strtolower($val), 'data:') === 0)
{
continue;
}
}
}
$val = str_replace('"', '"', $val);
$attr[] = $name."=\"{$val}\"";
}
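Review bot: The new `data:` check normalises the attribute name but not its value: `$attribute = strtolower(trim($name));` trims and lowercases `$name`, whereas the comparison `strpos(strtolower($val), 'data:') === 0` is made against the untrimmed `$val`, so a value with leading whitespace is not treated the same way as the name is. Normalise both sides once before comparing, e.g. `$value = strtolower(trim($val));` followed by `if(($attribute == 'data' || $attribute == 'src') && strpos($value, 'data:') === 0) { continue; }`. Beyond that, this is a deny-list of a single scheme; a short comment stating that only `data:` is rejected here, and that other schemes pass through unchanged, would make the scope of the protection clear, and an allow-list of the schemes `object`/`embed` are expected to reference would be the stronger long-term shape. `$tag`, `$attrs` and the enclosing function are defined outside this hunk.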