aboutsummaryrefslogtreecommitdiffstats
path: root/boot.php
diff options
context:
space:
mode:
authorFriendika <info@friendika.com>2010-12-07 14:37:56 -0800
committerFriendika <info@friendika.com>2010-12-07 14:37:56 -0800
commitf3e8b55a7a72ee35fb62211bc9b545b382f962fb (patch)
tree4e20f60e5934319bac077ba1ef22efa0bb3b861b /boot.php
parent32881234d002f017feacc67f21644ccd1803d3e2 (diff)
downloadvolse-hubzilla-f3e8b55a7a72ee35fb62211bc9b545b382f962fb.tar.gz
volse-hubzilla-f3e8b55a7a72ee35fb62211bc9b545b382f962fb.tar.bz2
volse-hubzilla-f3e8b55a7a72ee35fb62211bc9b545b382f962fb.zip
removed high-bit angle-char stripping from input filter - interfering with utf-8 chars
Diffstat (limited to 'boot.php')
-rw-r--r--boot.php27
1 files changed, 20 insertions, 7 deletions
diff --git a/boot.php b/boot.php
index 49679c3b7..a80832b89 100644
--- a/boot.php
+++ b/boot.php
@@ -518,16 +518,29 @@ function random_string() {
return(hash('sha256',uniqid(rand(),true)));
}}
-// This is our primary input filter. The high bit hack only involved some old
-// IE browser, forget which.
-// Use this on any text input where angle chars are not valid or permitted
-// They will be replaced with safer brackets. This may be filtered further
-// if these are not allowed either.
+/**
+ * This is our primary input filter.
+ *
+ * The high bit hack only involved some old IE browser, forget which (IE5/Mac?)
+ * that had an XSS attack vector due to stripping the high-bit on an 8-bit character
+ * after cleansing, and angle chars with the high bit set could get through as markup.
+ *
+ * This is now disabled because it was interfering with some legitimate unicode sequences
+ * and hopefully there aren't a lot of those browsers left.
+ *
+ * Use this on any text input where angle chars are not valid or permitted
+ * They will be replaced with safer brackets. This may be filtered further
+ * if these are not allowed either.
+ *
+ */
if(! function_exists('notags')) {
function notags($string) {
- // protect against :<> with high-bit set
- return(str_replace(array("<",">","\xBA","\xBC","\xBE"), array('[',']','','',''), $string));
+
+ return(str_replace(array("<",">"), array('[',']'), $string));
+
+// High-bit filter no longer used
+// return(str_replace(array("<",">","\xBA","\xBC","\xBE"), array('[',']','','',''), $string));
}}
// use this on "body" or "content" input where angle chars shouldn't be removed,