← Back to branch summary

~ubuntu-branches/ubuntu/saucy/horde3/saucy

« back to all changes in this revision

Viewing changes to lib/Horde/Text/Filter/xss.php

  • Committer: Bazaar Package Importer
  • Author(s): Gregory Colpart
  • Date: 2008-09-22 03:28:05 UTC
  • mfrom: (1.1.8 upstream) (8.1.1 lenny)
  • Revision ID: james.westby@ubuntu.com-20080922032805-79iobt5nt5101bf6
Tags: 3.2.2+debian0-1
http://bugs.debian.org/499579
http://bugs.debian.org/499001
http://bugs.debian.org/493885
* New upstream release.
* This version is mainly for fixing two security bugs: unescaped output in
  the MIME library and improve the XSS filter for HTML (See CVE-2008-3823 for
  more information). (Closes: #499579)
* Add changelog entry with CVE ID in changelog for 3.2.1+debian0-1.
* Fix misspelling in Recommends: field. (Closes: #499001)
* Improve upgrade path Etch->Lenny with forcing to show diff of
  /etc/horde/horde3/registry.php because all horde components are now
  inactive by default. (Closes: #493885)
* Change Gregory Colpart's email address in debian/control file.

Show diffs side-by-side

added added

removed removed

Lines of Context:
lib/Horde/Text/Filter/xss.php
6
6
 * people *KNOW* HTML is a security hole, clean up what we can, and leave it
7
7
 * at that.
8
8
 *
9
 
 * $Horde: framework/Text_Filter/Filter/xss.php,v 1.1.2.13 2008/04/19 20:13:15 slusarz Exp $
 
9
 * $Horde: framework/Text_Filter/Filter/xss.php,v 1.1.2.13.4.1 2008/09/10 10:05:53 jan Exp $
10
10
 *
11
11
 * Copyright 2004-2008 The Horde Project (http://www.horde.org/)
12
12
 *
96
96
        $patterns[$preg] = '\1\8' . $this->_params['replace'];
97
97
 
98
98
        /* Get all on<foo>="bar()". NEVER allow these. */
99
 
        $patterns['/([\s"\']+' .
 
99
        $patterns['/([\s"\'\/]+' .
100
100
                  '(o|&#0*79;?|&#0*4f;?|&#0*111;?|&#0*6f;?)' .
101
101
                  '(n|&#0*78;?|&#0*4e;?|&#0*110;?|&#0*6e;?)' .
102
102
                  '\w+)[^=a-z0-9"\'>]*=/i'] = '\1' . $this->_params['replace'] . '=';