fix XSS tests to not fail something starting like a forbidden html tag, eg. "<mathias@stylite.de>"
This commit is contained in:
parent
e580e7991c
commit
688cc2a76d
@ -1455,7 +1455,7 @@ function _check_script_tag(&$var,$name='')
|
||||
//old: '/<\/?[^>]*\b(iframe|script|javascript|on(before)?(abort|blur|change|click|dblclick|error|focus|keydown|keypress|keyup|load|mousedown|mousemove|mouseout|mouseover|mouseup|reset|select|submit|unload))\b[^>]*>/i';
|
||||
if (!isset($preg)) $preg =
|
||||
// forbidden tags like iframe or script
|
||||
'/(<(\s*\/)?\s*(iframe|script|object|embed|math|meta)|'.
|
||||
'/(<(\s*\/)?\s*(iframe|script|object|embed|math|meta)[^a-z0-9]|'.
|
||||
// on* attributes
|
||||
'<[^>]*on(before)?(abort|blur|change|click|dblclick|error|focus|keydown|keypress|keyup|load|mouse[^=]+|reset|select|submit|unload|resize|propertychange|page[^=]*|scroll|readystatechange|start|popstate|form[^=]+|input)\s*=|'.
|
||||
// ="javascript:*" diverse javascript attribute value
|
||||
@ -1531,6 +1531,7 @@ if (isset($_SERVER['SCRIPT_FILENAME']) && $_SERVER['SCRIPT_FILENAME'] == __FILE_
|
||||
'<div>Script and Javascript: not evil ;-)' => false,
|
||||
'<span>style=background-color' => false,
|
||||
'<font face="Script MT Bold" size="4"><span style="font-size:16pt;">Hugo Sonstwas</span></font>' => false,
|
||||
'<mathias@stylite.de>' => false,
|
||||
);
|
||||
foreach($patterns as $pattern => $should_fail)
|
||||
{
|
||||
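Review bot: The `[^a-z0-9]` boundary added after the tag-name alternation in the first hunk (`'/(<(\s*\/)?\s*(iframe|script|object|embed|math|meta)[^a-z0-9]|'.`) consumes a character, so a forbidden name that ends the input (a bare `<script` with nothing after it) no longer matches; a zero-width `(?![a-z0-9])`, or the `\b` the retired pattern in the comment above used, expresses the same "end of tag name" intent without that gap. Since the class presumably runs under the same `/i` modifier as the old pattern, the reason for it is not obvious from the regex alone and deserves a comment, e.g. `// non-alphanumeric after the name: "<mathias@..." must not count as "<math"`. The second hunk adds only the negative case `'<mathias@stylite.de>' => false`; unless `$patterns` already holds one outside the hunk, a positive case such as `'<math xmlns="x">' => true` would pin the tightened boundary against regressions. Both hunks lie inside larger constructs (the `$preg` assignment and the `$patterns` array) whose start and end are outside the shown lines.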
|