From: <lph...@us...> - 2008-10-15 13:56:17
Revision: 15155 http://tikiwiki.svn.sourceforge.net/tikiwiki/?rev=15155&view=rev
Author: lphuberdeau
Date: 2008-10-15 13:51:54 +0000 (Wed, 15 Oct 2008)

Log Message:
-----------
[FIX] No parse syntax could be used to bypass sanitization

Modified Paths:
--------------
branches/2.0/lib/tikilib.php

Modified: branches/2.0/lib/tikilib.php
===================================================================
--- branches/2.0/lib/tikilib.php 2008-10-15 12:36:55 UTC (rev 15154)
+++ branches/2.0/lib/tikilib.php 2008-10-15 13:51:54 UTC (rev 15155)
@@ -5483,7 +5483,7 @@ // Converts <x> (<x> tag using HTML entities) into the tag <x>. This tag comes from the input sanitizer (XSS filter). // This is not HTML valid and avoids using <x> in a wiki text, // but hide '<x>' text inside some words like 'style' that are considered as dangerous by the sanitizer. - $data = str_replace('<x>', '<x>', $data); + $data = str_replace( array( '<x>', '~np~', '~/np~' ), array( '<x>', ' ~np~', '~/np~ ' ), $data ); // Fix false positive in wiki syntax // It can't be done in the sanitizer, that can't know if the input will be wiki parsed or not
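Review bot: the comment block above the changed line documents only the `<x>` conversion, so the new padding of `~np~` and `~/np~` with a leading and trailing space in the `+` line is undocumented, and the one-line log message does not say why whitespace is the fix; add a comment on that line stating the rationale (the spaces keep the text on either side of a no-parse block from being joined into a token the sanitizer never saw). Two points to verify before merging: first, the change alters rendered output for every legitimate `~np~...~/np~` block (an extra space on each side) and is not idempotent, so if `$data` passes through this code more than once the spaces accumulate; second, as rendered in this mail both the search and replacement strings read `'<x>'`, which would be a no-op, while the comment says the search term is the HTML-entity form, so confirm the committed source rather than this rendering.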