_check_script_tags function:

1) fixed problems pointed out by gulftech, iframes get now unset too
2) unset variables from _check_script_tags are now found in $GLOBALS['egw_unset_vars'], e.g. a posted input-field called content would be found in $GLOBALS['egw_unset_vars']['_POST[content]'] (please note that the array is only 1-dimensional!), if it has been unset by check_script_tags
3) speed up the function a bit, by not checking all possible names of the superglobals arrays, if nothing found in $_GET and $_POST
Ralf Becker 2005-03-15 15:36:44 +00:00
parent e6947642bf
commit 1a5243c9c4


@ -681,8 +681,10 @@
{ {
list($appname,$classname) = explode('.',$class); list($appname,$classname) = explode('.',$class);
include_once(EGW_INCLUDE_ROOT.'/'.$appname.'/inc/class.'.$classname.'.inc.php'); include_once($file=EGW_INCLUDE_ROOT.'/'.$appname.'/inc/class.'.$classname.'.inc.php');
if (class_exists($classname))
{
$args = func_get_args(); $args = func_get_args();
if(count($args) == 1) if(count($args) == 1)
{ {
@ -701,9 +703,10 @@
$code .= ');'; $code .= ');';
eval($code); eval($code);
} }
}
if (!is_object($obj)) if (!is_object($obj))
{ {
echo function_backtrace(1); echo "<p>CreateObject('$class'): Cant instanciate class!!!<br />\n".function_backtrace(1)."</p>\n";
} }
return $obj; return $obj;
} }
@ -1151,9 +1154,10 @@
} }
else else
{ {
if (preg_match('/<\/?[^>]*(script|onabort|onblur|onchange|onclick|ondblclick|onerror|onfocus|onkeydown|onkeypress|onkeyup|onload|onmousedown|onmousemove|onmouseout|onmouseover|onmouseup|onreset|onselect|onsubmit|onunload|javascript)+[^>]*>/i',$val)) if (preg_match('/<\/?[^>]*(iframe|script|onabort|onblur|onchange|onclick|ondblclick|onerror|onfocus|onkeydown|onkeypress|onkeyup|onload|onmousedown|onmousemove|onmouseout|onmouseover|onmouseup|onreset|onselect|onsubmit|onunload|javascript)+[^>]*>/i',$val))
{ {
//echo "<p>*** _check_script_tag($name): unset($name [$key]) ***</p>\n"; //echo "<p>*** _check_script_tag($name): unset(${name}[$key]) ***</p>\n";
$GLOBALS['egw_unset_vars'][$name.'['.$key.']'] =& $var[$key];
unset($var[$key]); unset($var[$key]);
} }
} }
@ -1163,7 +1167,7 @@
} }
} }
foreach(array('_GET','_POST','_REQUEST','HTTP_GET_VARS','HTTP_POST_VARS','HTTP_REQUEST_VARS') as $where) foreach(array('_GET','_POST','_REQUEST','HTTP_GET_VARS','HTTP_POST_VARS') as $n => $where)
{ {
$pregs = array( $pregs = array(
'order' => '/^[a-zA-Z0-9_]*$/', 'order' => '/^[a-zA-Z0-9_]*$/',
@ -1176,11 +1180,14 @@
$GLOBALS[$where][$name] = ''; $GLOBALS[$where][$name] = '';
} }
} }
if (is_array($GLOBALS[$where])) // do the check for script-tags only for _GET and _POST or if we found something in _GET and _POST
// speeds up the execusion a bit
if (is_array($GLOBALS[$where]) && ($n < 2 || is_array($GLOBALS['egw_unset_vars'])))
{ {
_check_script_tag($GLOBALS[$where],$where); _check_script_tag($GLOBALS[$where],$where);
} }
} }
//if (is_array($GLOBALS['egw_unset_vars'])) { echo "egw_unset_vars=<pre>".htmlspecialchars(print_r($GLOBALS['egw_unset_vars'],true))."</pre>"; exit; }
if(floor(phpversion()) <= 4) if(floor(phpversion()) <= 4)
{ {