holm/egroupware
1
1
Fork 0
forked from extern/egroupware
Code Issues Pull Requests Packages Projects Releases Wiki Activity

special handling for $_POST[json_data] in _check_script_tag, to decend into its decoded content, fixing json direct might break json syntax

Browse Source
This commit is contained in:
Ralf Becker 2015-10-12 13:27:16 +00:00
parent e0d751a8c1
commit 414a3e675f
1 changed files with 7 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
phpgwapi/inc/common_functions.inc.php
View File

@ -1383,6 +1383,13 @@ function _check_script_tag(&$var,$name='')
static $preg = '/<\/?[^>]*\b(iframe|script|javascript|on(before)?(abort|blur|change|click|dblclick|error|focus|keydown|keypress|keyup|load|mousedown|mousemove|mouseout|mouseover|mouseup|reset|select|submit|unload))\b[^>]*>/i'; static $preg = '/<\/?[^>]*\b(iframe|script|javascript|on(before)?(abort|blur|change|click|dblclick|error|focus|keydown|keypress|keyup|load|mousedown|mousemove|mouseout|mouseover|mouseup|reset|select|submit|unload))\b[^>]*>/i';
if (preg_match($preg,$val)) if (preg_match($preg,$val))
{ {
// special handling for $_POST[json_data], to decend into it's decoded content, fixing json direct might break json syntax
if ($name == '_POST' && $key == 'json_data' && ($json_data = json_decode($val, true)))
{
_check_script_tag($json_data, $name.'[json_data]');
$_REQUEST[$key] = $var[$key] = json_encode($json_data);
continue;
}
error_log(__FUNCTION__."(,$name) ${name}[$key] = ".$var[$key]); error_log(__FUNCTION__."(,$name) ${name}[$key] = ".$var[$key]);
$GLOBALS['egw_unset_vars'][$name.'['.$key.']'] = $var[$key]; $GLOBALS['egw_unset_vars'][$name.'['.$key.']'] = $var[$key];
// attempt to clean the thing // attempt to clean the thing