holm/egroupware
1
1
Fork 0
forked from extern/egroupware
Code Issues Pull Requests Packages Projects Releases Wiki Activity

also log if _check_script_tag was able to disarm XSS automatic

Browse Source
This commit is contained in:
Ralf Becker 2017-11-07 12:16:11 +01:00
parent 5d598a042b
commit 1222ef1813
1 changed files with 7 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
api/src/loader/security.php
View File

@ -60,16 +60,20 @@ function _check_script_tag(&$var,$name='',$log=true)
//error_log(__FUNCTION__."(,$name) ${name}[$key] = ".$var[$key]);
$GLOBALS['egw_unset_vars'][$name.'['.$key.']'] = $var[$key];
// attempt to clean the thing
$var[$key] = $val = Api\Html\HtmLawed::purify($val);
$var[$key] = Api\Html\HtmLawed::purify($val);
// check if we succeeded, if not drop the var anyway, keep the egw_unset_var in any case
if (preg_match($preg,$val))
if (preg_match($preg, $var[$key]))
{
if($log)
{
error_log("*** _check_script_tag($name): unset(${name}[$key]) with value $val***");
error_log("*** _check_script_tag($name): unset(${name}[$key]) with value '$val'");
}
unset($var[$key]);
}
elseif($log)
{
error_log("*** _check_script_tag($name): HtmlLawed::purify(${name}[$key]) succeeded '$val' --> '{$var[$key]}'");
}
}
}
}