From c69d33e3c2cad66f62c1f32151a4910fcba16f1d Mon Sep 17 00:00:00 2001
From: ovclas
Date: Sat, 28 Jan 2012 05:45:51 +0000
Subject: [PATCH] flash allowscriptaccess defense

git-svn-id: http://xe-core.googlecode.com/svn/branches/1.5.0@10046 201d5d3c-b55e-5fd7-737f-ddc643e51545
---
 modules/document/document.item.php | 38 +++++++++++++++++++++++++++++
 modules/document/document.model.php | 6 ++---
 2 files changed, 41 insertions(+), 3 deletions(-)

diff --git a/modules/document/document.item.php b/modules/document/document.item.php
index 2ab3a8134..a6684cb5d 100644
--- a/modules/document/document.item.php
+++ b/modules/document/document.item.php
@@ -259,12 +259,50 @@
 if($result) $_SESSION['accessible'][$this->document_srl] = true;
 $content = $this->get('content');
+ $content = preg_replace_callback('@[\w\W]*(<[\s]*object[^>]*>)+[\w\W]*(<[\s]*/[\s]*object[\s]*>)+[\w\W]*@ixs', array($this, '_checkAllowScriptAccess'), $content);
 if($strlen) return cut_str(strip_tags($content),$strlen,'...');
 return htmlspecialchars($content);
 }
+ function _checkAllowScriptAccess($m)
+ {
+ //first, object element check.
+ preg_match('/[\w\W]*(name[\s]*=[\s]*(?:\'|")[\s]*allowscriptaccess[\s]*(?:\'|"))+[\s]+(value[\s]*=[\s]*(?:\'|")[\s]*(?:always|samedomain)[\s]*(?:\'|"))*[\w\W]*/ixs', $m[0], $m2);
+
+ if($m2[2])
+ {
+ $m[0] = preg_replace('/'.$m2[2].'/i', 'value="never"', $m[0]);
+ }
+ else
+ {
+ $m[0] = preg_replace('/]*>/i', '$0', $m[0]);
+ }
+
+ //second, embed's property check.
+ preg_match('/[\w\W]*(allowscriptaccess[\s]*=[\s]*(?:\'|")[\s]*(?:always|samedomain)[\s]*(?:\'|"))+[\w\W]*/ixs', $m[0], $m3);
+ if($m3[1])
+ {
+ $m[0] = preg_replace('/'.$m3[1].'/i', 'allowscriptaccess="never"', $m[0]);
+ }
+ else
+ {
+ $m[0] = preg_replace('/]*/i', '$0 allowscriptaccess="never" ', $m[0]);
+ }
+
+ return $m[0];
+ }
+
+ /*function _checkAllowScriptAccess2($m)
+ {
+ if($m[1])
+ {
+ $m[0] = preg_replace('/'.$m[1].'/i', 'value="never"', $m[0]);
+ }
+ return $m[0];
+ }*/
+
 function getContent($add_popup_menu = true, $add_content_info = true, $resource_realpath = false, $add_xe_content_class = true, $stripEmbedTagException = false)
 {
 if(!$this->document_srl) return;
diff --git a/modules/document/document.model.php b/modules/document/document.model.php
index 5d840e4f6..370b8014a 100644
--- a/modules/document/document.model.php
+++ b/modules/document/document.model.php
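Review bot: The new preg_replace_callback runs inside a method whose two return paths already neutralize markup (`cut_str(strip_tags($content),$strlen,'...')` and `htmlspecialchars($content)`), so the rewritten allowscriptaccess values never reach a browser as live HTML from this path, while getContent(), whose body begins at the end of the hunk, shows no such call — confirm the rewrite is also applied where raw document content is emitted. preg_replace_callback returns null when PCRE gives up (the leading `[\w\W]*` makes backtrack-limit failures plausible on long content) and the result is assigned to `$content` unchecked, so the method would silently return an empty summary; check `preg_last_error() !== PREG_NO_ERROR` and handle that case explicitly. In _checkAllowScriptAccess the captured `$m2[2]` and `$m3[1]` are spliced unescaped into new patterns — the groups currently admit only quotes, `=`, whitespace and the two keywords, but `preg_replace('/'.preg_quote($m2[2], '/').'/i', 'value="never"', $m[0])` (likewise for `$m3[1]`) keeps that safe if the groups are ever widened, and the commented-out `_checkAllowScriptAccess2` should be dropped rather than committed. The attribute patterns recognize only quoted `always`/`samedomain` values, and the else branches append a second allowscriptaccess setting (the replacement markup on those two lines looks stripped in this rendering) instead of replacing what is already there; because duplicate attributes are generally resolved in favour of the first one, a value the regex does not recognize would remain the effective one, so removing or rewriting any existing allowscriptaccess attribute or param before inserting `never` is the more robust shape. The enclosing method's signature is above the hunk and getContent's body continues below it.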
@@ -153,7 +153,7 @@
 **/
 function getDocumentList($obj, $except_notice = false, $load_extra_vars=true, $columnList = array()) {
 $sort_check = $this->_setSortIndex($obj, $load_extra_vars);
- $obj->sort_index = $sort_check->sort_index;
+ $obj->sort_index = $sort_check->sort_index;
 // cache controll
 $oCacheHandler = &CacheHandler::getInstance('object');
 if($oCacheHandler->isSupport()){
@@ -909,8 +909,8 @@
 $output = executeQuery('document.getDocumentSrlByTitle', $args);
 if(!$output->data) return null; else return $output->data->document_srl;
- }
-
+ }
+
 function getAlias($document_srl){
 if(!$document_srl) return null;
 $args->document_srl = $document_srl;