fix XSS tests to not fail something starting like a forbidden html tag, eg. "<mathias@stylite.de>"

2024-11-22 07:53:39 +01:00 · 2015-12-14 09:29:52 +00:00 · 2015-12-14 09:29:52 +00:00 · 688cc2a76d
commit 688cc2a76d
parent e580e7991c
1 changed files with 2 additions and 1 deletions
--- a/phpgwapi/inc/common_functions.inc.php
+++ b/phpgwapi/inc/common_functions.inc.php
@ -1455,7 +1455,7 @@ function _check_script_tag(&$var,$name='')
 	//old: '/<\/?[^>]*\b(iframe|script|javascript|on(before)?(abort|blur|change|click|dblclick|error|focus|keydown|keypress|keyup|load|mousedown|mousemove|mouseout|mouseover|mouseup|reset|select|submit|unload))\b[^>]*>/i';
 	if (!isset($preg)) $preg =
 		// forbidden tags like iframe or script
-		'/(<(\s*\/)?\s*(iframe|script|object|embed|math|meta)|'.
+		'/(<(\s*\/)?\s*(iframe|script|object|embed|math|meta)[^a-z0-9]|'.
 		// on* attributes
 		'<[^>]*on(before)?(abort|blur|change|click|dblclick|error|focus|keydown|keypress|keyup|load|mouse[^=]+|reset|select|submit|unload|resize|propertychange|page[^=]*|scroll|readystatechange|start|popstate|form[^=]+|input)\s*=|'.
 		// ="javascript:*" diverse javascript attribute value
@ -1531,6 +1531,7 @@ if (isset($_SERVER['SCRIPT_FILENAME']) && $_SERVER['SCRIPT_FILENAME'] == __FILE_
 		'<div>Script and Javascript: not evil ;-)' => false,
 		'<span>style=background-color' => false,
 		'<font face="Script MT Bold" size="4"><span style="font-size:16pt;">Hugo Sonstwas</span></font>' => false,
+		'<mathias@stylite.de>' => false,
 	);
 	foreach($patterns as $pattern => $should_fail)
 	{