[phpMyChat CVS] CVS: phpMyChat-0.15/chat/lib format_messages.lib.php3,1.14,1.15

[Sergei I. G. <si...@pr...>]

Update of /cvsroot/phpmychat/phpMyChat-0.15/chat/lib
In directory sc8-pr-cvs1:/tmp/cvs-serv3500/chat/lib

Modified Files:
	format_messages.lib.php3 
Log Message:
Check for dangerous chars not only latin1 charsets
Don't replace &quot with " in $theMessage


Index: format_messages.lib.php3
===================================================================
RCS file: /cvsroot/phpmychat/phpMyChat-0.15/chat/lib/format_messages.lib.php3,v
retrieving revision 1.14
retrieving revision 1.15
diff -C2 -r1.14 -r1.15
*** format_messages.lib.php3	18 Nov 2002 07:11:00 -0000	1.14
--- format_messages.lib.php3	18 Nov 2002 12:54:53 -0000	1.15
***************
*** 62,68 ****
  function pmcCheckLinks(&$str)
  {
- 	// Protect from malicious html injection
- 	$str			= htmlspecialchars($str, ENT_QUOTES);
- 
  	// Handle urls and 'news:' links
  	$urlPattern		= '(^| )(([^ ]+://[^ ]+)|(news:[^ ]+))( |$)';
--- 62,65 ----
***************
*** 142,185 ****
  	pmcCheckLinks($theMessage);
  
! 	// transform ISO-8859-1 special characters
! 	if ($latin1)
  	{
! 		// Avoid nick transformation
! 		if ($GLOBALS['msgTo'] != '')
! 		{
! 			$pattern = '(.*)(' . $GLOBALS['msgTo']. '(>)?)(.*)';
! 			ereg($pattern, $theMessage, $regs);
! 		}
! 		$regs[1]	= (isset($regs[1])) ? $regs[1] : '';
! 		$regs[2]	= (isset($regs[2])) ? $regs[2] : '';
! 		$regs[4]	= (isset($regs[4])) ? $regs[4] : '';
! 		if ($regs[1] == '' && $regs[4] == '')
! 		{
! 			$regs[4] = $theMessage;
! 		}
  
! 		// Do the work
! 		if (!ereg('&[[:alnum:]]{1,10}', $regs[1])
! 			&& !ereg('&[[:alnum:]]{1,10}', $regs[4]))
  		{
! 			for ($i = 1; $i < 5; $i += 3)
  			{
! 				if ($regs[$i] == '')
! 				{
! 					continue;
! 				}
! 				$part		= $regs[$i];
! 				$part		= htmlentities($part);
! 				$part		= str_replace('&lt;', '<', $part);
! 				$part		= str_replace('&gt;', '>', $part);
! 				$part		= str_replace('&amp;lt;', '&lt;', $part);
! 				$part		= str_replace('&amp;gt;', '&gt;', $part);
! 				$part		= str_replace('&quot;', '"', $part);
! 				$part		= ereg_replace('&amp;(#[[:digit:]]{2,5})', '&\\1', $part);
! 				$regs[$i]	= $part;
  			}
! 			$theMessage		= $regs[1] . $regs[2] . $regs[4];
  		}
! 	} // end if ($latin1)
  
  	// Slashes the slash character
--- 139,178 ----
  	pmcCheckLinks($theMessage);
  
! 	// Avoid nick transformation
! 	if ($GLOBALS['msgTo'] != '')
  	{
! 		$pattern = '(.*)(' . $GLOBALS['msgTo']. '(&gt;)?)(.*)';
! 		ereg($pattern, $theMessage, $regs);
! 	}
! 	$regs[1]	= (isset($regs[1])) ? $regs[1] : '';
! 	$regs[2]	= (isset($regs[2])) ? $regs[2] : '';
! 	$regs[4]	= (isset($regs[4])) ? $regs[4] : '';
! 	if ($regs[1] == '' && $regs[4] == '')
! 	{
! 		$regs[4] = $theMessage;
! 	}
  
! 	// Do the work
! 	if (!ereg('&[[:alnum:]]{1,10}', $regs[1])
! 		&& !ereg('&[[:alnum:]]{1,10}', $regs[4]))
! 	{
! 		for ($i = 1; $i < 5; $i += 3)
  		{
! 			if ($regs[$i] == '')
  			{
! 				continue;
  			}
! 			$part		= $regs[$i];
! 			$part		= htmlspecialchars($part, ENT_QUOTES);
! 			$part		= str_replace('&lt;', '<', $part);
! 			$part		= str_replace('&gt;', '>', $part);
! 			$part		= str_replace('&amp;lt;', '&lt;', $part);
! 			$part		= str_replace('&amp;gt;', '&gt;', $part);
! //			$part		= str_replace('&quot;', '"', $part);
! 			$part		= ereg_replace('&amp;(#[[:digit:]]{2,5})', '&\\1', $part);
! 			$regs[$i]	= $part;
  		}
! 		$theMessage		= $regs[1] . $regs[2] . $regs[4];
! 	}
  
  	// Slashes the slash character