From f3e8b55a7a72ee35fb62211bc9b545b382f962fb Mon Sep 17 00:00:00 2001
From: Friendika
Date: Tue, 7 Dec 2010 14:37:56 -0800
Subject: removed high-bit angle-char stripping from input filter - interfering with utf-8 chars

---
 boot.php | 27 ++++++++++++++++++++-------
 1 file changed, 20 insertions(+), 7 deletions(-)

(limited to 'boot.php')

diff --git a/boot.php b/boot.php
index 49679c3b7..a80832b89 100644
--- a/boot.php
+++ b/boot.php
@@ -518,16 +518,29 @@ function random_string() {
 	return(hash('sha256',uniqid(rand(),true)));
 }}
 
-// This is our primary input filter. The high bit hack only involved some old
-// IE browser, forget which.
-// Use this on any text input where angle chars are not valid or permitted
-// They will be replaced with safer brackets. This may be filtered further
-// if these are not allowed either.
+/**
+ * This is our primary input filter.
+ *
+ * The high bit hack only involved some old IE browser, forget which (IE5/Mac?)
+ * that had an XSS attack vector due to stripping the high-bit on an 8-bit character
+ * after cleansing, and angle chars with the high bit set could get through as markup.
+ *
+ * This is now disabled because it was interfering with some legitimate unicode sequences
+ * and hopefully there aren't a lot of those browsers left.
+ *
+ * Use this on any text input where angle chars are not valid or permitted
+ * They will be replaced with safer brackets. This may be filtered further
+ * if these are not allowed either.
+ *
+ */
 
 if(! function_exists('notags')) {
 function notags($string) {
-	// protect against :<> with high-bit set
-	return(str_replace(array("<",">","\xBA","\xBC","\xBE"), array('[',']','','',''), $string));
+
+	return(str_replace(array("<",">"), array('[',']'), $string));
+
+// High-bit filter no longer used
+// return(str_replace(array("<",">","\xBA","\xBC","\xBE"), array('[',']','','',''), $string));
 }}
 
 // use this on "body" or "content" input where angle chars shouldn't be removed,
-- 
cgit v1.2.3 
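Review bot: The new `notags()` body keeps a commented-out copy of the old high-bit `return` under `// High-bit filter no longer used`; the docblock above already records why that variant was dropped and git history retains it, so the two comment lines and the blank lines padding the body should be removed. The docblock could also state what the filter now guarantees, e.g. `* Only the ASCII bytes < and > are rewritten; neither occurs inside a UTF-8 multi-byte sequence, so the replacement is safe on UTF-8 input.` It is worth adding that this is a bracket substitution and not HTML escaping: `&`, `"` and `'` pass through unchanged, so a value filtered here still needs `htmlspecialchars()` before being placed in an attribute or other HTML output context.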
From 5763d31b4f213fbb2eea4d366a9c7ad534a7f1ec Mon Sep 17 00:00:00 2001
From: Friendika
Date: Tue, 7 Dec 2010 18:13:51 -0800
Subject: db prepare for enhanced magic profiles and remote privacy indicators, fixed $lang setting to use system config var, some other syntax issues

---
 boot.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'boot.php')

diff --git a/boot.php b/boot.php
index a80832b89..451a622c0 100644
--- a/boot.php
+++ b/boot.php
@@ -2,7 +2,7 @@ set_time_limit(0);
-define ( 'BUILD_ID', 1021 );
+define ( 'BUILD_ID', 1022 );
 define ( 'DFRN_PROTOCOL_VERSION', '2.0' );
 define ( 'EOL', "
\r\n" ); -- cgit v1.2.3