diff options
author | Friendika <info@friendika.com> | 2010-12-07 14:37:56 -0800 |
---|---|---|
committer | Friendika <info@friendika.com> | 2010-12-07 14:37:56 -0800 |
commit | f3e8b55a7a72ee35fb62211bc9b545b382f962fb (patch) | |
tree | 4e20f60e5934319bac077ba1ef22efa0bb3b861b /boot.php | |
parent | 32881234d002f017feacc67f21644ccd1803d3e2 (diff) | |
download | volse-hubzilla-f3e8b55a7a72ee35fb62211bc9b545b382f962fb.tar.gz volse-hubzilla-f3e8b55a7a72ee35fb62211bc9b545b382f962fb.tar.bz2 volse-hubzilla-f3e8b55a7a72ee35fb62211bc9b545b382f962fb.zip |
removed high-bit angle-char stripping from input filter - interfering with utf-8 chars
Diffstat (limited to 'boot.php')
-rw-r--r-- | boot.php | 27 |
1 files changed, 20 insertions, 7 deletions
@@ -518,16 +518,29 @@ function random_string() { return(hash('sha256',uniqid(rand(),true))); }} -// This is our primary input filter. The high bit hack only involved some old -// IE browser, forget which. -// Use this on any text input where angle chars are not valid or permitted -// They will be replaced with safer brackets. This may be filtered further -// if these are not allowed either. +/** + * This is our primary input filter. + * + * The high bit hack only involved some old IE browser, forget which (IE5/Mac?) + * that had an XSS attack vector due to stripping the high-bit on an 8-bit character + * after cleansing, and angle chars with the high bit set could get through as markup. + * + * This is now disabled because it was interfering with some legitimate unicode sequences + * and hopefully there aren't a lot of those browsers left. + * + * Use this on any text input where angle chars are not valid or permitted + * They will be replaced with safer brackets. This may be filtered further + * if these are not allowed either. + * + */ if(! function_exists('notags')) { function notags($string) { - // protect against :<> with high-bit set - return(str_replace(array("<",">","\xBA","\xBC","\xBE"), array('[',']','','',''), $string)); + + return(str_replace(array("<",">"), array('[',']'), $string)); + +// High-bit filter no longer used +// return(str_replace(array("<",">","\xBA","\xBC","\xBE"), array('[',']','','',''), $string)); }} // use this on "body" or "content" input where angle chars shouldn't be removed, |