htmLawed extlib updated from 1.1.16 to 1.1.19
This commit is contained in:
parent
f5bb0431da
commit
35a9c65e4a
@ -1,7 +1,7 @@
|
||||
<?php
|
||||
|
||||
/*
|
||||
htmLawed 1.1.16, 29 August 2013
|
||||
htmLawed 1.1.19, 19 January 2015
|
||||
Copyright Santosh Patnaik
|
||||
Dual licensed with LGPL 3 and GPL 2+
|
||||
A PHP Labware internal utility; www.bioinformatics.org/phplabware/internal_utilities/htmLawed
|
||||
@ -379,7 +379,7 @@ return $r;
|
||||
function hl_spec($t){
|
||||
// final $spec
|
||||
$s = array();
|
||||
$t = str_replace(array("\t", "\r", "\n", ' '), '', preg_replace('/"(?>(`.|[^"])*)"/sme', 'substr(str_replace(array(";", "|", "~", " ", ",", "/", "(", ")", \'`"\'), array("\x01", "\x02", "\x03", "\x04", "\x05", "\x06", "\x07", "\x08", "\""), "$0"), 1, -1)', trim($t)));
|
||||
$t = str_replace(array("\t", "\r", "\n", ' '), '', preg_replace_callback('/"(?>(`.|[^"])*)"/sm', create_function('$m', 'return substr(str_replace(array(";", "|", "~", " ", ",", "/", "(", ")", \'`"\'), array("\x01", "\x02", "\x03", "\x04", "\x05", "\x06", "\x07", "\x08", "\""), $m[0]), 1, -1);'), trim($t)));
|
||||
for($i = count(($t = explode(';', $t))); --$i>=0;){
|
||||
$w = $t[$i];
|
||||
if(empty($w) or ($e = strpos($w, '=')) === false or !strlen(($a = substr($w, $e+1)))){continue;}
|
||||
@ -475,7 +475,7 @@ while(strlen($a)){
|
||||
break; case 2: // Val
|
||||
if(preg_match('`^((?:"[^"]*")|(?:\'[^\']*\')|(?:\s*[^\s"\']+))(.*)`', $a, $m)){
|
||||
$a = ltrim($m[2]); $m = $m[1]; $w = 1; $mode = 0;
|
||||
$aA[$nm] = trim(($m[0] == '"' or $m[0] == '\'') ? substr($m, 1, -1) : $m);
|
||||
$aA[$nm] = trim(str_replace('<', '<', ($m[0] == '"' or $m[0] == '\'') ? substr($m, 1, -1) : $m));
|
||||
}
|
||||
break;
|
||||
}
|
||||
@ -504,7 +504,7 @@ foreach($aA as $k=>$v){
|
||||
$v = preg_replace_callback('`(url(?:\()(?: )*(?:\'|"|&(?:quot|apos);)?)(.+?)((?:\'|"|&(?:quot|apos);)?(?: )*(?:\)))`iS', 'hl_prot', $v);
|
||||
$v = !$C['css_expression'] ? preg_replace('`expression`i', ' ', preg_replace('`\\\\\S|(/|(%2f))(\*|(%2a))`i', ' ', $v)) : $v;
|
||||
}elseif(isset($aNP[$k]) or strpos($k, 'src') !== false or $k[0] == 'o'){
|
||||
$v = str_replace("\xad", ' ', (strpos($v, '&') !== false ? str_replace(array('­', '­', '­'), ' ', $v) : $v));
|
||||
$v = str_replace("", ' ', (strpos($v, '&') !== false ? str_replace(array('­', '­', '­'), ' ', $v) : $v)); # double-quoted char is soft-hyphen; appears here as "" or hyphen or something else depending on viewing software
|
||||
$v = hl_prot($v, $k);
|
||||
if($k == 'href'){ // X-spam
|
||||
if($C['anti_mail_spam'] && strpos($v, 'mailto:') === 0){
|
||||
@ -698,7 +698,7 @@ return str_replace(array("\x01", "\x02", "\x03", "\x04", "\x05", "\x07"), array(
|
||||
|
||||
function hl_version(){
|
||||
// rel
|
||||
return '1.1.16';
|
||||
return '1.1.19';
|
||||
// eof
|
||||
}
|
||||
|
||||
|
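Review bot: The new soft-hyphen strip `$v = str_replace("", ' ', …)` depends on an invisible U+00AD character embedded literally in the source, which the trailing comment itself concedes renders as nothing, a hyphen or something else; an editor, diff tool or encoding conversion can drop or alter that byte sequence with no visible change, and the filter would then silently stop normalising soft-hyphens in href/src values. An explicit escape keeps the intent visible and stable, e.g. `$v = str_replace("\xc2\xad", ' ', …)` if the file is UTF-8 (the previous `"\xad"` form matched only a single byte), with the comment replaced by `# U+00AD soft hyphen, UTF-8 encoded` — confirm the byte sequence actually present in the file before choosing the escape. The enclosing `foreach($aA as $k=>$v)` loop begins before this hunk. The hl_spec hunk has a related maintainability point: `create_function` compiles its string argument at runtime and is deprecated in later PHP releases, while a plain closure `function($m){ return substr(str_replace(array(…), array(…), $m[0]), 1, -1); }` provides the same callback without runtime code generation.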
@ -2,7 +2,7 @@
|
||||
|
||||
/*
|
||||
htmLawedTest.php, 28 May 2013
|
||||
htmLawed 1.1.16, 29 August 2013
|
||||
htmLawed 1.1.19, 19 January 2015
|
||||
Copyright Santosh Patnaik
|
||||
Dual licensed with LGPL 3 and GPL 2+
|
||||
A PHP Labware internal utility - http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed
|
||||
|
@ -110,8 +110,8 @@ span.totop a, span.totop a:visited {color: #6699cc;}
|
||||
|
||||
<div id="body">
|
||||
<br />
|
||||
<div class="comment">htmLawed_README.txt, 29 August 2013<br />
|
||||
htmLawed 1.1.16, 29 August 2013<br />
|
||||
<div class="comment">htmLawed_README.txt, 19 January 2015<br />
|
||||
htmLawed 1.1.19, 19 January 2015<br />
|
||||
Copyright Santosh Patnaik<br />
|
||||
Dual licensed with LGPL 3 and GPL 2+<br />
|
||||
A PHP Labware internal utility - <a href="http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed">http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed</a> </div>
|
||||
@ -1773,7 +1773,13 @@ A PHP Labware internal utility - <a href="http://www.bioinformatics.org/phpl
|
||||
<br />
|
||||
  <em>Version number - Release date. Notes</em><br />
|
||||
<br />
|
||||
  1.1.16 - 29 August 2013. Fix for a potential security vulnerability arising from specialy encoded space characters in URL schemes/protocols<br />
|
||||
  1.1.19 - 19 January 2015. Fix for a bug in cleaning of soft-hyphens in URL values, etc.<br />
|
||||
<br />
|
||||
  1.1.18 - 2 August 2014. Fix for a potential security vulnerability arising from specially encoded text with serial opening tags<br />
|
||||
<br />
|
||||
  1.1.17 - 11 March 2014. Removed use of PHP function preg_replace with <span class="term">e</span> modifier for compatibility with PHP 5.5<br />
|
||||
<br />
|
||||
  1.1.16 - 29 August 2013. Fix for a potential security vulnerability arising from specially encoded space characters in URL schemes/protocols<br />
|
||||
<br />
|
||||
  1.1.15 - 11 August 2013. Improved tidying/prettifying functionality<br />
|
||||
<br />
|
||||
@ -1783,9 +1789,9 @@ A PHP Labware internal utility - <a href="http://www.bioinformatics.org/phpl
|
||||
<br />
|
||||
  1.1.12 - 5 July 2012. Fix for a bug in identifying an unquoted value of the <span class="term">face</span> attribute<br />
|
||||
<br />
|
||||
  1.1.11 - 5 June 2012. Fix for possible problem with handling of multi-byte characters in attribute values in an mbstring.func_overload enviroment. <span class="term">$config["hook_tag"]</span>, if specified, now receives names of elements in closing tags.<br />
|
||||
  1.1.11 - 5 June 2012. Fix for possible problem with handling of multi-byte characters in attribute values in an mbstring.func_overload environment. <span class="term">$config["hook_tag"]</span>, if specified, now receives names of elements in closing tags.<br />
|
||||
<br />
|
||||
  1.1.10 - 22 October 2011. Fix for a bug in the <span class="term">tidy</span> functionality that caused the entire input to be replaced with a single space; new parameter, <span class="term">$config["direct_list_nest"]</span> to allow direct descendance of a list in a list. (5 April 2012. Dual licensing from LGPLv3 to LGPLv3 and GPLv2+.)<br />
|
||||
  1.1.10 - 22 October 2011. Fix for a bug in the <span class="term">tidy</span> functionality that caused the entire input to be replaced with a single space; new parameter, <span class="term">$config["direct_list_nest"]</span> to allow direct descendence of a list in a list. (5 April 2012. Dual licensing from LGPLv3 to LGPLv3 and GPLv2+.)<br />
|
||||
<br />
|
||||
  1.1.9.5 - 6 July 2011. Minor correction of a rule for nesting of <span class="term">li</span> within <span class="term">dir</span><br />
|
||||
<br />
|
||||
@ -1902,7 +1908,7 @@ A PHP Labware internal utility - <a href="http://www.bioinformatics.org/phpl
|
||||
<a name="s4.10" id="s4.10"></a><span class="item-no">4.10</span>  Acknowledgements
|
||||
</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />
|
||||
<br />
|
||||
  Nicholas Alipaz, Bryan Blakey, Pádraic Brady, Dac Chartrand, Ulf Harnhammer, Gareth Heyes, Klaus Leithoff, Lukasz Pilorz, Shelley Powers, Harro Verton, Edward Yang, and many anonymous users.<br />
|
||||
  Nicholas Alipaz, Bryan Blakey, Pádraic Brady, Dac Chartrand, Ulf Harnhammer, Gareth Heyes, Klaus Leithoff, Lukasz Pilorz, Shelley Powers, Psych0tr1a, Lincoln Russell, Tomas Sykorka, Harro Verton, Edward Yang, and many anonymous users.<br />
|
||||
<br />
|
||||
  Thank you!<br />
|
||||
|
||||
@ -2171,7 +2177,7 @@ A PHP Labware internal utility - <a href="http://www.bioinformatics.org/phpl
|
||||
</div>
|
||||
</div>
|
||||
<br />
|
||||
<hr /><br /><br /><span class="subtle"><small>HTM version of <em><a href="htmLawed_README.txt">htmLawed_README.txt</a></em> generated on 29 Aug, 2013 using <a href="http://www.bioinformatics.org/phplabware/internal_utilities">rTxt2htm</a> from PHP Labware</small></span>
|
||||
<hr /><br /><br /><span class="subtle"><small>HTM version of <em><a href="htmLawed_README.txt">htmLawed_README.txt</a></em> generated on 19 Jan, 2015 using <a href="http://www.bioinformatics.org/phplabware/internal_utilities">rTxt2htm</a> from PHP Labware</small></span>
|
||||
</div><!-- ended div body -->
|
||||
</div><!-- ended div top -->
|
||||
</body>
|
||||
|
@ -1,6 +1,6 @@
|
||||
/*
|
||||
htmLawed_README.txt, 29 August 2013
|
||||
htmLawed 1.1.16, 29 August 2013
|
||||
htmLawed_README.txt, 19 January 2015
|
||||
htmLawed 1.1.19, 19 January 2015
|
||||
Copyright Santosh Patnaik
|
||||
Dual licensed with LGPL 3 and GPL 2+
|
||||
A PHP Labware internal utility - http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed
|
||||
@ -1344,7 +1344,13 @@ A PHP Labware internal utility - http://www.bioinformatics.org/phplabware/intern
|
||||
|
||||
`Version number - Release date. Notes`
|
||||
|
||||
1.1.16 - 29 August 2013. Fix for a potential security vulnerability arising from specialy encoded space characters in URL schemes/protocols
|
||||
1.1.19 - 19 January 2015. Fix for a bug in cleaning of soft-hyphens in URL values, etc.
|
||||
|
||||
1.1.18 - 2 August 2014. Fix for a potential security vulnerability arising from specially encoded text with serial opening tags
|
||||
|
||||
1.1.17 - 11 March 2014. Removed use of PHP function preg_replace with 'e' modifier for compatibility with PHP 5.5
|
||||
|
||||
1.1.16 - 29 August 2013. Fix for a potential security vulnerability arising from specially encoded space characters in URL schemes/protocols
|
||||
|
||||
1.1.15 - 11 August 2013. Improved tidying/prettifying functionality
|
||||
|
||||
@ -1354,9 +1360,9 @@ A PHP Labware internal utility - http://www.bioinformatics.org/phplabware/intern
|
||||
|
||||
1.1.12 - 5 July 2012. Fix for a bug in identifying an unquoted value of the 'face' attribute
|
||||
|
||||
1.1.11 - 5 June 2012. Fix for possible problem with handling of multi-byte characters in attribute values in an mbstring.func_overload enviroment. '$config["hook_tag"]', if specified, now receives names of elements in closing tags.
|
||||
1.1.11 - 5 June 2012. Fix for possible problem with handling of multi-byte characters in attribute values in an mbstring.func_overload environment. '$config["hook_tag"]', if specified, now receives names of elements in closing tags.
|
||||
|
||||
1.1.10 - 22 October 2011. Fix for a bug in the 'tidy' functionality that caused the entire input to be replaced with a single space; new parameter, '$config["direct_list_nest"]' to allow direct descendance of a list in a list. (5 April 2012. Dual licensing from LGPLv3 to LGPLv3 and GPLv2+.)
|
||||
1.1.10 - 22 October 2011. Fix for a bug in the 'tidy' functionality that caused the entire input to be replaced with a single space; new parameter, '$config["direct_list_nest"]' to allow direct descendence of a list in a list. (5 April 2012. Dual licensing from LGPLv3 to LGPLv3 and GPLv2+.)
|
||||
|
||||
1.1.9.5 - 6 July 2011. Minor correction of a rule for nesting of 'li' within 'dir'
|
||||
|
||||
@ -1466,7 +1472,7 @@ A PHP Labware internal utility - http://www.bioinformatics.org/phplabware/intern
|
||||
-- 4.10 Acknowledgements ------------------------------------------o
|
||||
|
||||
|
||||
Nicholas Alipaz, Bryan Blakey, Pádraic Brady, Dac Chartrand, Ulf Harnhammer, Gareth Heyes, Klaus Leithoff, Lukasz Pilorz, Shelley Powers, Harro Verton, Edward Yang, and many anonymous users.
|
||||
Nicholas Alipaz, Bryan Blakey, Pádraic Brady, Dac Chartrand, Ulf Harnhammer, Gareth Heyes, Klaus Leithoff, Lukasz Pilorz, Shelley Powers, Psych0tr1a, Lincoln Russell, Tomas Sykorka, Harro Verton, Edward Yang, and many anonymous users.
|
||||
|
||||
Thank you!
|
||||
|
||||
|
@ -1,6 +1,6 @@
|
||||
/*
|
||||
htmLawed_TESTCASE.txt, 27 August 2013
|
||||
htmLawed 1.1.16, 29 August 2013
|
||||
htmLawed_TESTCASE.txt, 19 January 2015
|
||||
htmLawed 1.1.19, 19 January 2015
|
||||
Copyright Santosh Patnaik
|
||||
Dual licensed with LGPL 3 and GPL 2+
|
||||
A PHP Labware internal utility - http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed
|
||||
@ -384,9 +384,11 @@ na Alemanha.
|
||||
<strong>CSS URLs:</strong> <div style="background-image: url('a.gif');"></div>, <div style="background-image: URL("a.gif");"></div>, <div style="background-image: url('http://a.com/a.gif');"></div>, <div style="background-image: url('./../a.gif');"></div>, <div style="background-image: url('js:xss')"></div><br />
|
||||
<strong>Double URLs:</strong> <a style="behaviour: url(foo) url(http://example.com/xss.htc)">b</a><br />
|
||||
<strong>Anti-spam:</strong> (try regex for 'http://a.com', etc.) <a href="mailto:x@y.com"></a>, <a href="http://a.com/b@d.f"></a>, <a href="a.com/d.f" rel="nofollow"></a>, <a href="a.com/d.f" rel="1, 2"></a>, <a href="a.com/d.f"></a>, <a href="b.com/d.f"></a>, <a href="c.com/d.f">, <a href="denied:http://c.com/d.f"></a><br />
|
||||
<strong>Soft-hyphen:</strong> <a href="http://q=ídisc">ídisc</a>
|
||||
|
||||
<h6>XSS</h6>
|
||||
|
||||
<img alt="<img onmouseover=confirm(1)//"<"">
|
||||
'';!--"<xss>=&{()}<br />
|
||||
<img src="javascript%3Aalert('xss');" /><br />
|
||||
<img src="javascript:alert('xss');" /><br />
|
||||
|