From: Oliver H. <ro...@re...> - 2004-05-02 11:29:56

On 2 May 2004 at 12:54, mose wrote:
> > $patterns['string'] = "/^[^<>\";&#]*$/"; // find, and such extended chars
> >
> > This is going to break a good number of my pages, and I can't think of a
> > good reason for *any* of them. A string is a string. Can someone
> > explain what's going on here?
>
> - that pattern only applies on declared values in $vartype array, that
> for now only affects the variables $theme and $page. $vartype is
> possibly extendable by local (per-file level) declaration if needed.
>
> The function used is varcheck(), we needed to add it essentially to
> protect $offset and $sort_mode, and some other sources of possible XSS
> or injection attacks.

Maybe we should comment such things in the sourcecode. :-)

Bye, Oliver
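The check mose describes, written out as an added illustration for this thread (it is not the project's own varcheck() and was not posted by either author): the regex is the one quoted above, the `$patterns` and `$vartype` names come from the thread, and the `int` type, the function body and the sample request values are assumptions made here. It shows the two points under discussion: the pattern is only applied to variables declared in `$vartype`, and a value such as `$offset` can be held to a stricter, type-specific pattern than the general string one.

```php
<?php
// Added example, not the project's code: a minimal whitelist check of
// request variables against declared per-variable types.

$patterns = array(
    'string' => "/^[^<>\";&#]*$/",   // the pattern quoted in the thread
    'int'    => '/^[0-9]+$/',        // assumed: digits only, e.g. for $offset
);

// Declared variables and the type each must match. Anything not listed
// here is not checked, which is the behaviour mose describes.
$vartype = array(
    'theme'     => 'string',
    'page'      => 'string',
    'offset'    => 'int',
    'sort_mode' => 'string',
);

// Returns 'ok' when every declared variable present in $vars matches its
// pattern, otherwise the name of the first variable that fails.
function varcheck_example(array $vars, array $vartype, array $patterns)
{
    foreach ($vartype as $name => $type) {
        if (!isset($vars[$name])) {
            continue;                       // absent variables are not an error
        }
        if (!preg_match($patterns[$type], $vars[$name])) {
            return "rejected: $name";
        }
    }
    return 'ok';
}

// Constructed sample inputs (not real requests).
$good = array('theme' => 'default', 'page' => 'HomePage', 'offset' => '20');
$badPage   = array('page' => 'Home<b>', 'offset' => '20');
$badOffset = array('page' => 'HomePage', 'offset' => '20 OR 1');
$undeclared = array('comment' => 'a <b>bold</b> remark');  // not in $vartype

echo varcheck_example($good, $vartype, $patterns), "\n";
echo varcheck_example($badPage, $vartype, $patterns), "\n";
echo varcheck_example($badOffset, $vartype, $patterns), "\n";
echo varcheck_example($undeclared, $vartype, $patterns), "\n";
```

The last call passes because `comment` is not declared in `$vartype`, which is exactly why the string pattern does not reach the pages mose's correspondent was worried about unless those pages declare their variables. Note that a character whitelist like this is a coarse filter; output encoding at the point of use is still needed for any value that is rendered into HTML.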