From 414a3e675fb9a1668739df57feb9bb48e51da1a1 Mon Sep 17 00:00:00 2001
From: Ralf Becker
Date: Mon, 12 Oct 2015 13:27:16 +0000
Subject: [PATCH] special handling for $_POST[json_data] in _check_script_tag, to decend into its decoded content, fixing json direct might break json syntax
---
 phpgwapi/inc/common_functions.inc.php | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/phpgwapi/inc/common_functions.inc.php b/phpgwapi/inc/common_functions.inc.php
index 5c565168ac..0aae5651ac 100755
--- a/phpgwapi/inc/common_functions.inc.php
+++ b/phpgwapi/inc/common_functions.inc.php
@@ -1383,6 +1383,13 @@ function _check_script_tag(&$var,$name='')
 static $preg = '/<\/?[^>]*\b(iframe|script|javascript|on(before)?(abort|blur|change|click|dblclick|error|focus|keydown|keypress|keyup|load|mousedown|mousemove|mouseout|mouseover|mouseup|reset|select|submit|unload))\b[^>]*>/i';
 if (preg_match($preg,$val))
 {
+ // special handling for $_POST[json_data], to decend into it's decoded content, fixing json direct might break json syntax
+ if ($name == '_POST' && $key == 'json_data' && ($json_data = json_decode($val, true)))
+ {
+ _check_script_tag($json_data, $name.'[json_data]');
+ $_REQUEST[$key] = $var[$key] = json_encode($json_data);
+ continue;
+ }
 error_log(__FUNCTION__."(,$name) ${name}[$key] = ".$var[$key]);
 $GLOBALS['egw_unset_vars'][$name.'['.$key.']'] = $var[$key];
 // attempt to clean the thing
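Review bot: The new `json_data` branch is entered for any truthy `json_decode()` result, so a value that decodes to a bare string or number also reaches `continue` and skips the `error_log`/`egw_unset_vars` handling below it. Whether the recursive `_check_script_tag()` call inspects a non-array argument depends on the top of the function, which is outside this hunk. Requiring an array and comparing strictly would close that: `if ($name === '_POST' && $key === 'json_data' && is_array($json_data = json_decode($val, true)))`. The strict `===` matters on its own, because on PHP versions before 8 an integer key `0` compares equal to `'json_data'` under `==`. Separately, the descent only runs when the raw JSON text already matches `$preg`, so strings that would match only after decoding are presumably never checked; decoding `json_data` before the `preg_match` test would cover them.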