removed high-bit angle-char stripping from input filter - interfering with utf-8 chars
parent
32881234d0
commit
f3e8b55a7a
1 changed files with 20 additions and 7 deletions
27
boot.php
27
boot.php
|
@ -518,16 +518,29 @@ function random_string() {
|
||||||
return(hash('sha256',uniqid(rand(),true)));
|
return(hash('sha256',uniqid(rand(),true)));
|
||||||
}}
|
}}
|
||||||
|
|
||||||
// This is our primary input filter. The high bit hack only involved some old
|
/**
|
||||||
// IE browser, forget which.
|
* This is our primary input filter.
|
||||||
// Use this on any text input where angle chars are not valid or permitted
|
*
|
||||||
// They will be replaced with safer brackets. This may be filtered further
|
* The high bit hack only involved some old IE browser, forget which (IE5/Mac?)
|
||||||
// if these are not allowed either.
|
* that had an XSS attack vector due to stripping the high-bit on an 8-bit character
|
||||||
|
* after cleansing, and angle chars with the high bit set could get through as markup.
|
||||||
|
*
|
||||||
|
* This is now disabled because it was interfering with some legitimate unicode sequences
|
||||||
|
* and hopefully there aren't a lot of those browsers left.
|
||||||
|
*
|
||||||
|
* Use this on any text input where angle chars are not valid or permitted
|
||||||
|
* They will be replaced with safer brackets. This may be filtered further
|
||||||
|
* if these are not allowed either.
|
||||||
|
*
|
||||||
|
*/
|
||||||
|
|
||||||
if(! function_exists('notags')) {
|
if(! function_exists('notags')) {
|
||||||
function notags($string) {
|
function notags($string) {
|
||||||
// protect against :<> with high-bit set
|
|
||||||
return(str_replace(array("<",">","\xBA","\xBC","\xBE"), array('[',']','','',''), $string));
|
return(str_replace(array("<",">"), array('[',']'), $string));
|
||||||
|
|
||||||
|
// High-bit filter no longer used
|
||||||
|
// return(str_replace(array("<",">","\xBA","\xBC","\xBE"), array('[',']','','',''), $string));
|
||||||
}}
|
}}
|
||||||
|
|
||||||
// use this on "body" or "content" input where angle chars shouldn't be removed,
|
// use this on "body" or "content" input where angle chars shouldn't be removed,
|
||||||
|
|
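Review bot: With the `\xBA`/`\xBC`/`\xBE` stripping removed from `notags()`, the new docblock leaves the high-bit angle-char vector covered only by the hope that affected browsers are rare; it should name the control that replaces the filter. The vector described depends on the client treating the page as a 7-bit charset, so it is presumably closed by sending an explicit `Content-Type: text/html; charset=utf-8` on every response, which is not visible in this hunk and is worth confirming. I would add a docblock line such as `* Relies on every response declaring charset=utf-8; notags() no longer guards against high-bit angle chars.` and drop the commented-out `return`, since the docblock already records the old behaviour. Separately, `notags()` leaves quotes and `&` untouched, so filtered values still need `htmlspecialchars()` when echoed into HTML attributes.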