base fork: gallery/gallery3
base: f5de683
...
head fork: gallery/gallery3
compare: 21ceea6
  • 4 commits
  • 2 files changed
  • 0 commit comments
  • 2 contributors
Showing with 5 additions and 5 deletions.
  1. +1 −1  modules/gallery/helpers/ajax.php
  2. +4 −4 system/libraries/Input.php
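--- a/modules/gallery/helpers/ajax.php
+++ b/modules/gallery/helpers/ajax.php
@@ -26,6 +26,6 @@ class ajax_Core {
 static function response($content) {
 header("Content-Type: text/plain; charset=" . Kohana::CHARSET);
 print "<meta http-equiv=\"content-type\" content=\"text/html; charset=utf-8\">\n";
-print html::clean($content);
+print $content;
 }
 }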
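Review bot: Dropping `html::clean()` on the `print $content;` line makes every caller of `ajax::response()` responsible for escaping, while the response is still declared `text/plain` but emits a `<meta … text/html>` tag — a combination that invites MIME sniffing in older IE to render unescaped `$content` as HTML. If callers are now expected to pass pre-escaped markup, state that in a doc comment on the method, e.g. `/** Emit $content verbatim; callers MUST escape it (html::clean or equivalent) before passing it in. */`, and add `header("X-Content-Type-Options: nosniff");` next to the Content-Type header so the text/plain declaration is honoured. The meta tag also hard-codes `utf-8` while the header uses `Kohana::CHARSET`; emitting the same constant in both avoids a charset mismatch. The enclosing class `ajax_Core` starts outside the hunk.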
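--- a/system/libraries/Input.php
+++ b/system/libraries/Input.php
@@ -356,10 +356,10 @@ protected function xss_filter_default($data)
 $data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*v[\x00-\x20]*b[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2novbscript...', $data);
 $data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*-moz-binding[\x00-\x20]*:#u', '$1=$2nomozbinding...', $data);
-// Only works in IE: <span style="width: expression(alert('Ping!'));"></span>
-$data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?expression[\x00-\x20]*\([^>]*+>#i', '$1>', $data);
-$data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?behaviour[\x00-\x20]*\([^>]*+>#i', '$1>', $data);
-$data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:*[^>]*+>#iu', '$1>', $data);
+//remove any style attributes, IE allows too much stupid things in them, eg.
+//<span style="width: expression(alert('Ping!'));"></span>
+// and in general you really don't want style declarations in your UGC
+$data = preg_replace('#(<[^>]+[\x00-\x20\"\'\/])style[^>]*>#iUu', "$1>", $data);
 // Remove namespaced elements (we do not need them)
 $data = preg_replace('#</*\w+:\w[^>]*+>#i', '', $data);
 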
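Review bot: The new `style` pattern on the last added line matches the substring `style` anywhere in the tag after a space, quote or slash — including inside quoted attribute values — and then discards everything up to the first `>`, so `<a title="house style" href="x">` becomes `<a title="house>`, and a value containing `>` (for example `<img style="a>b" onerror=x src=y>`) is only partially removed, leaving `<img b" onerror=x src=y>` with an unbalanced quote that changes how the browser tokenises what follows. Anchoring on the attribute form and consuming only its value keeps the intent while leaving unrelated attributes and text intact: `$data = preg_replace('#(<[^>]+?[\x00-\x20"\'/])style[\x00-\x20]*=[\x00-\x20]*(?:"[^"]*"|\'[^\']*\'|[^\x00-\x20>]*)#iu', '$1', $data);`. Whether event-handler attributes left behind by either pattern are stripped elsewhere in `xss_filter_default()` cannot be seen from this hunk, and a blacklist of regexes remains a weak XSS defence compared with a parsing, whitelist-based filter — worth stating in the comment so nobody treats this function as sufficient on its own. The enclosing `xss_filter_default()` starts and ends outside the hunk.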