Diffstat (limited to 'boot.php')
-rw-r--r--boot.php27
1 files changed, 20 insertions, 7 deletions
diff --git a/boot.php b/boot.php
index 49679c3b7..a80832b89 100644
--- a/boot.php
+++ b/boot.php
@@ -518,16 +518,29 @@ function random_string() {
return(hash('sha256',uniqid(rand(),true)));
}}
-// This is our primary input filter. The high bit hack only involved some old
-// IE browser, forget which.
-// Use this on any text input where angle chars are not valid or permitted
-// They will be replaced with safer brackets. This may be filtered further
-// if these are not allowed either.
+/**
+ * This is our primary input filter.
+ *
+ * The high bit hack only involved some old IE browser, forget which (IE5/Mac?)
+ * that had an XSS attack vector due to stripping the high-bit on an 8-bit character
+ * after cleansing, and angle chars with the high bit set could get through as markup.
+ *
+ * This is now disabled because it was interfering with some legitimate unicode sequences
+ * and hopefully there aren't a lot of those browsers left.
+ *
+ * Use this on any text input where angle chars are not valid or permitted
+ * They will be replaced with safer brackets. This may be filtered further
+ * if these are not allowed either.
+ *
+ */
if(! function_exists('notags')) {
function notags($string) {
- // protect against :<> with high-bit set
- return(str_replace(array("<",">","\xBA","\xBC","\xBE"), array('[',']','','',''), $string));
+
+ return(str_replace(array("<",">"), array('[',']'), $string));
+
+// High-bit filter no longer used
+// return(str_replace(array("<",">","\xBA","\xBC","\xBE"), array('[',']','','',''), $string));
}}
// use this on "body" or "content" input where angle chars shouldn't be removed,
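Review bot: The commented-out high-bit variant left after the `return` in `notags` (the two trailing `//` lines) is unreachable dead code; the new docblock already records why the filter was dropped, so those lines should be deleted and recovered from history if ever needed. The docblock should also say what now stands in for the removed protection: 0xBC and 0xBE become `<` and `>` when a client strips the high bit, so the remaining defense is that responses declare their charset explicitly (e.g. `Content-Type: text/html; charset=utf-8`), which I cannot confirm from this hunk. Suggested docblock line: ` * Callers must ensure output is served with an explicit charset; this filter no longer guards against high-bit-stripping clients.` It would also help to state that `notags` only swaps the two angle characters for brackets and is not an HTML escaper, so values placed in attribute, URL or script contexts still need context-specific escaping.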