removed high-bit angle-char stripping from input filter - interfering with utf-8 chars

This commit is contained in:
Friendika 2010-12-07 14:37:56 -08:00
parent 32881234d0
commit f3e8b55a7a

View file

@ -518,16 +518,29 @@ function random_string() {
return(hash('sha256',uniqid(rand(),true))); return(hash('sha256',uniqid(rand(),true)));
}} }}
// This is our primary input filter. The high bit hack only involved some old /**
// IE browser, forget which. * This is our primary input filter.
// Use this on any text input where angle chars are not valid or permitted *
// They will be replaced with safer brackets. This may be filtered further * The high bit hack only involved some old IE browser, forget which (IE5/Mac?)
// if these are not allowed either. * that had an XSS attack vector due to stripping the high-bit on an 8-bit character
* after cleansing, and angle chars with the high bit set could get through as markup.
*
* This is now disabled because it was interfering with some legitimate unicode sequences
* and hopefully there aren't a lot of those browsers left.
*
* Use this on any text input where angle chars are not valid or permitted
* They will be replaced with safer brackets. This may be filtered further
* if these are not allowed either.
*
*/
if(! function_exists('notags')) { if(! function_exists('notags')) {
function notags($string) { function notags($string) {
// protect against :<> with high-bit set
return(str_replace(array("<",">","\xBA","\xBC","\xBE"), array('[',']','','',''), $string)); return(str_replace(array("<",">"), array('[',']'), $string));
// High-bit filter no longer used
// return(str_replace(array("<",">","\xBA","\xBC","\xBE"), array('[',']','','',''), $string));
}} }}
// use this on "body" or "content" input where angle chars shouldn't be removed, // use this on "body" or "content" input where angle chars shouldn't be removed,