removed high-bit angle-char stripping from input filter - interfering with utf-8 chars

Friendika 2010-12-07 14:37:56 -08:00
parent 32881234d0
commit f3e8b55a7a
1 changed files with 20 additions and 7 deletions


@ -518,16 +518,29 @@ function random_string() {
return(hash('sha256',uniqid(rand(),true)));
}}
// This is our primary input filter. The high bit hack only involved some old
// IE browser, forget which.
// Use this on any text input where angle chars are not valid or permitted
// They will be replaced with safer brackets. This may be filtered further
// if these are not allowed either.
/**
* This is our primary input filter.
*
* The high bit hack only involved some old IE browser, forget which (IE5/Mac?)
* that had an XSS attack vector due to stripping the high-bit on an 8-bit character
* after cleansing, and angle chars with the high bit set could get through as markup.
*
* This is now disabled because it was interfering with some legitimate unicode sequences
* and hopefully there aren't a lot of those browsers left.
*
* Use this on any text input where angle chars are not valid or permitted
* They will be replaced with safer brackets. This may be filtered further
* if these are not allowed either.
*
*/
if(! function_exists('notags')) {
function notags($string) {
// protect against :<> with high-bit set
return(str_replace(array("<",">","\xBA","\xBC","\xBE"), array('[',']','','',''), $string));
return(str_replace(array("<",">"), array('[',']'), $string));
// High-bit filter no longer used
// return(str_replace(array("<",">","\xBA","\xBC","\xBE"), array('[',']','','',''), $string));
}}
// use this on "body" or "content" input where angle chars shouldn't be removed,
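Review bot: `notags()` now passes lone high-bit bytes such as `\xBC` and `\xBE` through unchanged, and the new docblock offers only "hopefully there aren't a lot of those browsers left" as the remaining defence. Dropping the byte-wise strip is right, since those values are also valid UTF-8 continuation bytes, but a well-formedness check would reject the stray bytes without touching legitimate sequences, e.g. `if(! mb_check_encoding($string, 'UTF-8')) return '';` ahead of the `str_replace` (assuming mbstring is available here, which the hunk does not show). The docblock should also state that this is an input-side substitution only, and that it relies on pages being served with an explicit UTF-8 charset and escaped on output; whether that holds elsewhere is not visible from this hunk. The commented-out old `return` is better deleted than kept, since the history already records it.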