make sure there is a wordboundary after script, while testing for malicious code (as text like < blabla description blabla > triggered the expunge of the text

This commit is contained in:
Klaus Leithoff 2009-11-02 11:36:00 +00:00
parent a49344abf1
commit c5453aa3f9

View File

@ -1274,9 +1274,9 @@ function _check_script_tag(&$var,$name='')
} }
else else
{ {
if (preg_match('/<\/?[^>]*(iframe|script|onabort|onblur|onchange|onclick|ondblclick|onerror|onfocus|onkeydown|onkeypress|onkeyup|onload|onmousedown|onmousemove|onmouseout|onmouseover|onmouseup|onreset|onselect|onsubmit|onunload|javascript)+[^>]*>/i',$val)) if (preg_match('/<\/?[^>]*(iframe|script\b|onabort|onblur|onchange|onclick|ondblclick|onerror|onfocus|onkeydown|onkeypress|onkeyup|onload|onmousedown|onmousemove|onmouseout|onmouseover|onmouseup|onreset|onselect|onsubmit|onunload|javascript)+[^>]*>/i',$val))
{ {
//echo "<p>*** _check_script_tag($name): unset(${name}[$key]) ***</p>\n"; error_log("*** _check_script_tag($name): unset(${name}[$key]) with value $val***");
error_log(__FUNCTION__."(,$name) ${name}[$key] = ".$var[$key]); error_log(__FUNCTION__."(,$name) ${name}[$key] = ".$var[$key]);
$GLOBALS['egw_unset_vars'][$name.'['.$key.']'] =& $var[$key]; $GLOBALS['egw_unset_vars'][$name.'['.$key.']'] =& $var[$key];
unset($var[$key]); unset($var[$key]);