Make WordPress Core

Changeset 594


Ignore:
Timestamp:
12/09/2003 02:39:30 PM (21 years ago)
Author:
emc3
Message:

Fixed XSS vulnerability in comments

File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/b2-include/b2functions.php

    r578 r594  
    12081208 **/
    12091209function sanitise_html_attributes($text) {
    1210     $text = preg_replace('#( on[a-z]{1,}|style|class|id)="(.*?)"#i', '', $text);
    1211     $text = preg_replace('#( on[a-z]{1,}|style|class|id)=\'(.*?)\'#i', '', $text);
    1212     $text = preg_replace('#( on[a-z]{1,}|style|class|id)[ \t]*=[ \t]*([^ \t\>]*?)#i', '', $text);
     1210    $text = preg_replace('#(([\s"\'])on[a-z]{1,}|style|class|id)="(.*?)"#i', '$1', $text);
     1211    $text = preg_replace('#(([\s"\'])on[a-z]{1,}|style|class|id)=\'(.*?)\'#i', '$1', $text);
     1212    $text = preg_replace('#(([\s"\'])on[a-z]{1,}|style|class|id)[ \t]*=[ \t]*([^ \t\>]*?)#i', '$1', $text);
    12131213    $text = preg_replace('#([a-z]{1,})="(( |\t)*?)(javascript|vbscript|about):(.*?)"#i', '$1=""', $text);
    12141214    $text = preg_replace('#([a-z]{1,})=\'(( |\t)*?)(javascript|vbscript|about):(.*?)\'#i', '$1=""', $text);
Note: See TracChangeset for help on using the changeset viewer.