htmLawed extlib updated from 1.1.16 to 1.1.19
This commit is contained in:
parent
f5bb0431da
commit
35a9c65e4a
@ -1,7 +1,7 @@
<?php
<?php
/*
|
/*
|
||||||
htmLawed 1.1.16, 29 August 2013
|
htmLawed 1.1.19, 19 January 2015
|
||||||
Copyright Santosh Patnaik
|
Copyright Santosh Patnaik
|
||||||
Dual licensed with LGPL 3 and GPL 2+
|
Dual licensed with LGPL 3 and GPL 2+
|
||||||
A PHP Labware internal utility; www.bioinformatics.org/phplabware/internal_utilities/htmLawed
|
A PHP Labware internal utility; www.bioinformatics.org/phplabware/internal_utilities/htmLawed
|
||||||
@ -379,7 +379,7 @@ return $r;
function hl_spec($t){
|
function hl_spec($t){
|
||||||
// final $spec
|
// final $spec
|
||||||
$s = array();
|
$s = array();
|
||||||
$t = str_replace(array("\t", "\r", "\n", ' '), '', preg_replace('/"(?>(`.|[^"])*)"/sme', 'substr(str_replace(array(";", "|", "~", " ", ",", "/", "(", ")", \'`"\'), array("\x01", "\x02", "\x03", "\x04", "\x05", "\x06", "\x07", "\x08", "\""), "$0"), 1, -1)', trim($t)));
|
$t = str_replace(array("\t", "\r", "\n", ' '), '', preg_replace_callback('/"(?>(`.|[^"])*)"/sm', create_function('$m', 'return substr(str_replace(array(";", "|", "~", " ", ",", "/", "(", ")", \'`"\'), array("\x01", "\x02", "\x03", "\x04", "\x05", "\x06", "\x07", "\x08", "\""), $m[0]), 1, -1);'), trim($t)));
|
||||||
for($i = count(($t = explode(';', $t))); --$i>=0;){
|
for($i = count(($t = explode(';', $t))); --$i>=0;){
|
||||||
$w = $t[$i];
|
$w = $t[$i];
|
||||||
if(empty($w) or ($e = strpos($w, '=')) === false or !strlen(($a = substr($w, $e+1)))){continue;}
|
if(empty($w) or ($e = strpos($w, '=')) === false or !strlen(($a = substr($w, $e+1)))){continue;}
|
||||||
@ -475,7 +475,7 @@ while(strlen($a)){
break; case 2: // Val
|
break; case 2: // Val
|
||||||
if(preg_match('`^((?:"[^"]*")|(?:\'[^\']*\')|(?:\s*[^\s"\']+))(.*)`', $a, $m)){
|
if(preg_match('`^((?:"[^"]*")|(?:\'[^\']*\')|(?:\s*[^\s"\']+))(.*)`', $a, $m)){
|
||||||
$a = ltrim($m[2]); $m = $m[1]; $w = 1; $mode = 0;
|
$a = ltrim($m[2]); $m = $m[1]; $w = 1; $mode = 0;
|
||||||
$aA[$nm] = trim(($m[0] == '"' or $m[0] == '\'') ? substr($m, 1, -1) : $m);
|
$aA[$nm] = trim(str_replace('<', '<', ($m[0] == '"' or $m[0] == '\'') ? substr($m, 1, -1) : $m));
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
@ -504,7 +504,7 @@ foreach($aA as $k=>$v){
$v = preg_replace_callback('`(url(?:\()(?: )*(?:\'|"|&(?:quot|apos);)?)(.+?)((?:\'|"|&(?:quot|apos);)?(?: )*(?:\)))`iS', 'hl_prot', $v);
|
$v = preg_replace_callback('`(url(?:\()(?: )*(?:\'|"|&(?:quot|apos);)?)(.+?)((?:\'|"|&(?:quot|apos);)?(?: )*(?:\)))`iS', 'hl_prot', $v);
|
||||||
$v = !$C['css_expression'] ? preg_replace('`expression`i', ' ', preg_replace('`\\\\\S|(/|(%2f))(\*|(%2a))`i', ' ', $v)) : $v;
|
$v = !$C['css_expression'] ? preg_replace('`expression`i', ' ', preg_replace('`\\\\\S|(/|(%2f))(\*|(%2a))`i', ' ', $v)) : $v;
|
||||||
}elseif(isset($aNP[$k]) or strpos($k, 'src') !== false or $k[0] == 'o'){
|
}elseif(isset($aNP[$k]) or strpos($k, 'src') !== false or $k[0] == 'o'){
|
||||||
$v = str_replace("\xad", ' ', (strpos($v, '&') !== false ? str_replace(array('­', '­', '­'), ' ', $v) : $v));
|
$v = str_replace("", ' ', (strpos($v, '&') !== false ? str_replace(array('­', '­', '­'), ' ', $v) : $v)); # double-quoted char is soft-hyphen; appears here as "" or hyphen or something else depending on viewing software
|
||||||
$v = hl_prot($v, $k);
|
$v = hl_prot($v, $k);
|
||||||
if($k == 'href'){ // X-spam
|
if($k == 'href'){ // X-spam
|
||||||
if($C['anti_mail_spam'] && strpos($v, 'mailto:') === 0){
|
if($C['anti_mail_spam'] && strpos($v, 'mailto:') === 0){
|
||||||
@ -698,7 +698,7 @@ return str_replace(array("\x01", "\x02", "\x03", "\x04", "\x05", "\x07"), array(
|
|
function hl_version(){
|
function hl_version(){
|
||||||
// rel
|
// rel
|
||||||
return '1.1.16';
|
return '1.1.19';
|
||||||
// eof
|
// eof
|
||||||
}
|
}
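Review bot: In the `}elseif(isset($aNP[$k]) or strpos($k, 'src') !== false …` hunk of htmLawed.php, the soft-hyphen stripping now depends on a literal, invisible U+00AD character inside the double-quoted search string (it renders as `""` on this page), whereas the old code spelled it out as `"\xad"`; if an editor or encoding normalisation drops that byte, `str_replace("", ' ', …)` becomes a no-op and the filter for `src`/`href`/`on*` attribute values is silently disabled — the added comment itself concedes the character may display differently. Spell the byte out instead, e.g. `str_replace("\xc2\xad", ' ', …)` if the file is UTF-8 (or keep `"\xad"` if the single Latin-1 byte is intended), so the intent survives round-trips through tooling; the enclosing function of this hunk starts and ends outside the hunk. Separately, the `hl_spec` hunk replaces the removed `/e` modifier with `create_function`, which compiles a code string at runtime and is itself deprecated in PHP 7.2 and removed in PHP 8; the drop-in replacement is a closure, `function ($m) { return substr(str_replace(array(";", "|", "~", " ", ",", "/", "(", ")", '`"'), array("\x01", "\x02", "\x03", "\x04", "\x05", "\x06", "\x07", "\x08", "\""), $m[0]), 1, -1); }`, passed directly to `preg_replace_callback`.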
@ -2,7 +2,7 @@
/*
|
/*
|
||||||
htmLawedTest.php, 28 May 2013
|
htmLawedTest.php, 28 May 2013
|
||||||
htmLawed 1.1.16, 29 August 2013
|
htmLawed 1.1.19, 19 January 2015
|
||||||
Copyright Santosh Patnaik
|
Copyright Santosh Patnaik
|
||||||
Dual licensed with LGPL 3 and GPL 2+
|
Dual licensed with LGPL 3 and GPL 2+
|
||||||
A PHP Labware internal utility - http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed
|
A PHP Labware internal utility - http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed
@ -1,6 +1,6 @@
/*
|
/*
|
||||||
htmLawed_TESTCASE.txt, 27 August 2013
|
htmLawed_TESTCASE.txt, 19 January 2015
|
||||||
htmLawed 1.1.16, 29 August 2013
|
htmLawed 1.1.19, 19 January 2015
|
||||||
Copyright Santosh Patnaik
|
Copyright Santosh Patnaik
|
||||||
Dual licensed with LGPL 3 and GPL 2+
|
Dual licensed with LGPL 3 and GPL 2+
|
||||||
A PHP Labware internal utility - http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed
|
A PHP Labware internal utility - http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed
|
||||||
@ -384,9 +384,11 @@ na Alemanha.
<strong>CSS URLs:</strong> <div style="background-image: url('a.gif');"></div>, <div style="background-image: URL("a.gif");"></div>, <div style="background-image: url('http://a.com/a.gif');"></div>, <div style="background-image: url('./../a.gif');"></div>, <div style="background-image: url('js:xss')"></div><br />
|
<strong>CSS URLs:</strong> <div style="background-image: url('a.gif');"></div>, <div style="background-image: URL("a.gif");"></div>, <div style="background-image: url('http://a.com/a.gif');"></div>, <div style="background-image: url('./../a.gif');"></div>, <div style="background-image: url('js:xss')"></div><br />
|
||||||
<strong>Double URLs:</strong> <a style="behaviour: url(foo) url(http://example.com/xss.htc)">b</a><br />
|
<strong>Double URLs:</strong> <a style="behaviour: url(foo) url(http://example.com/xss.htc)">b</a><br />
|
||||||
<strong>Anti-spam:</strong> (try regex for 'http://a.com', etc.) <a href="mailto:x@y.com"></a>, <a href="http://a.com/b@d.f"></a>, <a href="a.com/d.f" rel="nofollow"></a>, <a href="a.com/d.f" rel="1, 2"></a>, <a href="a.com/d.f"></a>, <a href="b.com/d.f"></a>, <a href="c.com/d.f">, <a href="denied:http://c.com/d.f"></a><br />
|
<strong>Anti-spam:</strong> (try regex for 'http://a.com', etc.) <a href="mailto:x@y.com"></a>, <a href="http://a.com/b@d.f"></a>, <a href="a.com/d.f" rel="nofollow"></a>, <a href="a.com/d.f" rel="1, 2"></a>, <a href="a.com/d.f"></a>, <a href="b.com/d.f"></a>, <a href="c.com/d.f">, <a href="denied:http://c.com/d.f"></a><br />
<strong>Soft-hyphen:</strong> <a href="http://q=ídisc">ídisc</a>
<h6>XSS</h6>
|
<h6>XSS</h6>
<img alt="<img onmouseover=confirm(1)//"<"">
|
||||||
'';!--"<xss>=&{()}<br />
|
'';!--"<xss>=&{()}<br />
|
||||||
<img src="javascript%3Aalert('xss');" /><br />
|
<img src="javascript%3Aalert('xss');" /><br />
|
||||||
<img src="javascript:alert('xss');" /><br />
|
<img src="javascript:alert('xss');" /><br />