From 1a5243c9c4be12ae4b76e338f2d0795711293da5 Mon Sep 17 00:00:00 2001 From: Ralf Becker Date: Tue, 15 Mar 2005 15:36:44 +0000 Subject: [PATCH] _check_script_tags function: 1) fixed problems pointed out by gulftech, iframes get now unset too 2) unset variables from _check_script_tags are now found in $GLOBALS['egw_unset_vars'], eg. a posted input-field called content would be found in $GLOBALS['egw_unset_vars']['_POST[content]'] (please not the array is only 1-dimensional!), if it has been unset by check_script_tags 3) speed up the function a bit, by not checking all possible names of the superglobals arrays, if nothing found in $_GET and $_POST --- phpgwapi/inc/common_functions.inc.php | 49 +++++++++++++++------------ 1 file changed, 28 insertions(+), 21 deletions(-) diff --git a/phpgwapi/inc/common_functions.inc.php b/phpgwapi/inc/common_functions.inc.php index 8657a9f56a..3ef5bda819 100755 --- a/phpgwapi/inc/common_functions.inc.php +++ b/phpgwapi/inc/common_functions.inc.php @@ -681,29 +681,32 @@ { list($appname,$classname) = explode('.',$class); - include_once(EGW_INCLUDE_ROOT.'/'.$appname.'/inc/class.'.$classname.'.inc.php'); + include_once($file=EGW_INCLUDE_ROOT.'/'.$appname.'/inc/class.'.$classname.'.inc.php'); - $args = func_get_args(); - if(count($args) == 1) + if (class_exists($classname)) { - $obj =& new $classname; - } - else - { - $code = '$obj =& new ' . $classname . '('; - foreach($args as $n => $arg) + $args = func_get_args(); + if(count($args) == 1) { - if ($n) - { - $code .= ($n > 1 ? ',' : '') . '$args[' . $n . ']'; - } + $obj =& new $classname; + } + else + { + $code = '$obj =& new ' . $classname . '('; + foreach($args as $n => $arg) + { + if ($n) + { + $code .= ($n > 1 ? ',' : '') . '$args[' . $n . ']'; + } + } + $code .= ');'; + eval($code); } - $code .= ');'; - eval($code); } if (!is_object($obj)) { - echo function_backtrace(1); + echo "

CreateObject('$class'): Cant instanciate class!!!
\n".function_backtrace(1)."

\n"; } return $obj; } @@ -1151,9 +1154,10 @@ } else { - if (preg_match('/<\/?[^>]*(script|onabort|onblur|onchange|onclick|ondblclick|onerror|onfocus|onkeydown|onkeypress|onkeyup|onload|onmousedown|onmousemove|onmouseout|onmouseover|onmouseup|onreset|onselect|onsubmit|onunload|javascript)+[^>]*>/i',$val)) + if (preg_match('/<\/?[^>]*(iframe|script|onabort|onblur|onchange|onclick|ondblclick|onerror|onfocus|onkeydown|onkeypress|onkeyup|onload|onmousedown|onmousemove|onmouseout|onmouseover|onmouseup|onreset|onselect|onsubmit|onunload|javascript)+[^>]*>/i',$val)) { - //echo "
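Review bot: The new error path interpolates `$class` straight into HTML (`CreateObject('$class'): Cant instanciate class!!!`) without escaping, and the `include_once($file=EGW_INCLUDE_ROOT.'/'.$appname.'/inc/class.'.$classname.'.inc.php')` above it still executes before the new `class_exists()` guard, so `$appname`/`$classname` are used as path components unvalidated. If `$class` can ever derive from request input (the hunk does not show its callers), that is a reflected XSS in the message and a traversal vector into the include path; the `class_exists()` check does close the `eval()` route, since only an identifier naming a loaded class now reaches the generated `new` expression. I would reject anything that is not an identifier before the include, `if (!preg_match('/^[a-z0-9_]+$/i',$appname) || !preg_match('/^[a-z0-9_]+$/i',$classname)) return null;`, and print `htmlspecialchars($class)` in the error text. Note also that `$obj` is never assigned when the class is missing, so `is_object($obj)` reads an undefined variable and the function silently returns null. CreateObject's signature lies before this hunk.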

*** _check_script_tag($name): unset($name [$key]) ***

\n"; + //echo "

*** _check_script_tag($name): unset(${name}[$key]) ***

\n"; + $GLOBALS['egw_unset_vars'][$name.'['.$key.']'] =& $var[$key]; unset($var[$key]); } } @@ -1163,7 +1167,7 @@ } } - foreach(array('_GET','_POST','_REQUEST','HTTP_GET_VARS','HTTP_POST_VARS','HTTP_REQUEST_VARS') as $where) + foreach(array('_GET','_POST','_REQUEST','HTTP_GET_VARS','HTTP_POST_VARS') as $n => $where) { $pregs = array( 'order' => '/^[a-zA-Z0-9_]*$/', @@ -1176,12 +1180,15 @@ $GLOBALS[$where][$name] = ''; } } - if (is_array($GLOBALS[$where])) + // do the check for script-tags only for _GET and _POST or if we found something in _GET and _POST + // speeds up the execusion a bit + if (is_array($GLOBALS[$where]) && ($n < 2 || is_array($GLOBALS['egw_unset_vars']))) { _check_script_tag($GLOBALS[$where],$where); } } - + //if (is_array($GLOBALS['egw_unset_vars'])) { echo "egw_unset_vars=
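Review bot: The extended `preg_match` blacklist at the top of the hunk still misses whatever it has not been told about — `object`, `embed`, `applet`, `meta`, `base`, `form`, `style=…expression(`, `vbscript:`/`data:` URLs, handlers not listed (`onmouseenter`, `onscroll`, `oninput`, …), `javascript` split by entities or whitespace (`java&#9;script:`), and any attribute-context injection such as `" onfocus="…` that carries no `<…>` at all. In the other direction the alternation has no word boundaries, so an innocent tag whose attributes merely contain `script` (`<a href="description.html">`) is silently dropped and the user's content vanishes without an error. Treat this as defense in depth only and escape at output with `htmlspecialchars($val, ENT_QUOTES)` per HTML context; if the blacklist stays, tighten it to tag/attribute position, e.g. `'/<\/?[^>]*(\b(iframe|script)\b|javascript|[\s"\'\/]on[a-z]+\s*=)[^>]*>/i'`, which covers every `on*` handler and drops the redundant `+` after the group. The new `$GLOBALS['egw_unset_vars']` entry keeps the raw rejected value alive through the `=&` reference, so anything that later reads it back out reintroduces the payload unless it escapes — I would say so in a comment at the assignment, e.g. `// raw, unfiltered value: never echo it without htmlspecialchars()`. `_check_script_tag` starts and ends outside this hunk.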
".htmlspecialchars(print_r($GLOBALS['egw_unset_vars'],true))."
"; exit; } + if(floor(phpversion()) <= 4) { /**