From 719b2ff834f71bff10fa18ae35f2ee0957b02410 Mon Sep 17 00:00:00 2001
From: Ralf Becker
Date: Tue, 7 Nov 2017 12:16:11 +0100
Subject: [PATCH] also log if _check_script_tag was able to disarm XSS automatic
---
 api/src/loader/security.php | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/api/src/loader/security.php b/api/src/loader/security.php
index 925fa6dc97..fb8ddf1fae 100755
--- a/api/src/loader/security.php
+++ b/api/src/loader/security.php
@@ -60,16 +60,20 @@ function _check_script_tag(&$var,$name='',$log=true)
 //error_log(__FUNCTION__."(,$name) ${name}[$key] = ".$var[$key]);
 $GLOBALS['egw_unset_vars'][$name.'['.$key.']'] = $var[$key];
 // attempt to clean the thing
-$var[$key] = $val = Api\Html\HtmLawed::purify($val);
+$var[$key] = Api\Html\HtmLawed::purify($val);
 // check if we succeeded, if not drop the var anyway, keep the egw_unset_var in any case
-if (preg_match($preg,$val))
+if (preg_match($preg, $var[$key]))
 {
 if($log)
 {
-error_log("*** _check_script_tag($name): unset(${name}[$key]) with value $val***");
+error_log("*** _check_script_tag($name): unset(${name}[$key]) with value '$val'");
 }
 unset($var[$key]);
 }
+elseif($log)
+{
+error_log("*** _check_script_tag($name): HtmlLawed::purify(${name}[$key]) succeeded '$val' --> '{$var[$key]}'");
+}
 }
 }
 }
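Review bot: With `$val` no longer overwritten by the purify result, both error_log calls in the new code now write the raw, unpurified request value — the string that matched the XSS pattern — verbatim into the log, and the `elseif` branch additionally appends the purified `$var[$key]`; since that value is attacker-controlled it may contain CR/LF (splitting or forging log entries) or be very long, so it should be flattened and bounded before logging, e.g. `$raw = substr(str_replace(["\r", "\n"], ' ', $val), 0, 256);` and then interpolating `$raw` in place of `$val` in both messages. The new message also spells the class `HtmlLawed` while the call is `Api\Html\HtmLawed::purify`; using the same spelling keeps the log greppable against the code. The body of `_check_script_tag` begins before and ends after this hunk, so the surrounding loop over `$var` is not visible here.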