also log if _check_script_tag was able to disarm XSS automatically

Ralf Becker 2017-11-07 12:16:11 +01:00
parent 7b0d92fabb
commit 719b2ff834


@ -60,16 +60,20 @@ function _check_script_tag(&$var,$name='',$log=true)
//error_log(__FUNCTION__."(,$name) ${name}[$key] = ".$var[$key]); //error_log(__FUNCTION__."(,$name) ${name}[$key] = ".$var[$key]);
$GLOBALS['egw_unset_vars'][$name.'['.$key.']'] = $var[$key]; $GLOBALS['egw_unset_vars'][$name.'['.$key.']'] = $var[$key];
// attempt to clean the thing // attempt to clean the thing
$var[$key] = $val = Api\Html\HtmLawed::purify($val); $var[$key] = Api\Html\HtmLawed::purify($val);
// check if we succeeded, if not drop the var anyway, keep the egw_unset_var in any case // check if we succeeded, if not drop the var anyway, keep the egw_unset_var in any case
if (preg_match($preg,$val)) if (preg_match($preg, $var[$key]))
{ {
if($log) if($log)
{ {
error_log("*** _check_script_tag($name): unset(${name}[$key]) with value $val***"); error_log("*** _check_script_tag($name): unset(${name}[$key]) with value '$val'");
} }
unset($var[$key]); unset($var[$key]);
} }
elseif($log)
{
error_log("*** _check_script_tag($name): HtmlLawed::purify(${name}[$key]) succeeded '$val' --> '{$var[$key]}'");
}
} }
} }
} }
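Review bot: The new `elseif($log)` branch writes the original, unsanitized `$val` (and the purified `$var[$key]`) verbatim into error_log, so an attacker-controlled value containing `\r`/`\n` or control characters can forge or split log entries; the pre-existing "unset" message on the line above has the same exposure. Since this code path is by definition reached only for input that matched the script-tag pattern, neutralize line breaks before logging, e.g. `$clean = str_replace(array("\r", "\n"), ' ', $val);` and `error_log("*** _check_script_tag($name): HtmLawed::purify(${name}[$key]) succeeded '$clean' --> '{$var[$key]}'");`, and consider truncating very long payloads. The class is spelled `HtmLawed` in the call on the purify line but `HtmlLawed` in the message; keeping them consistent makes the log searchable. Note that "succeeded" here only means the purified output no longer matches `$preg` — it does not establish that the value is safe for every sink, which is worth a one-line comment so the log is not read as a security guarantee. `_check_script_tag` begins and the `$preg` definition lives outside this hunk.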