An improvemement, I think, in the way Javascript is stripped in clean…

…_text
commit 09cbeb40a284f8d369be9bf982abf6b9b546f249 1 parent dc24657
moodler authored
Showing with 5 additions and 5 deletions.
  1. +5 −5 lib/weblib.php
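--- a/lib/weblib.php
+++ b/lib/weblib.php
@@ -666,13 +666,13 @@ function clean_text($text, $format=FORMAT_MOODLE) {
 case FORMAT_MOODLE:
 case FORMAT_HTML:
 case FORMAT_WIKI:
- /// Remove javascript: label
+ /// Remove tags that are not allowed
 $text = strip_tags($text, $ALLOWED_TAGS);
- /// Remove javascript/VBScript
- $text = str_ireplace("javascript:", "xxx", $text);
+ /// Munge javascript: label
+ $text = str_ireplace("javascript:", "Xjavascript:", $text);
 /// Remove script events
- $text = eregi_replace("([^a-z])language([[:space:]]*)=", "xxx", $text);
- $text = eregi_replace("([^a-z])on([a-z]+)([[:space:]]*)=", "xxx", $text);
+ $text = eregi_replace("([^a-z])language([[:space:]]*)=", "\\1Xlanguage=", $text);
+ $text = eregi_replace("([^a-z])on([a-z]+)([[:space:]]*)=", "\\1Xon\\2=", $text);
 return $text;
 case FORMAT_PLAIN: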
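Review bot: The `str_ireplace("javascript:", "Xjavascript:", $text)` line matches only the literal token, so the munging is a defence-in-depth step behind strip_tags rather than a complete filter, and the comment should say so, e.g. `/// Munge javascript: label (literal-token match only; attribute whitelisting is the real control)`. The last added line also rewrites harmless attribute values, because `([^a-z])on([a-z]+)([[:space:]]*)=` does not require a tag context: `title="one=two"` becomes `title="Xone=two"`; if that matters, the replacement should be limited to attribute names inside a tag. Both eregi_replace replacements drop the captured whitespace group, which is fine for the munged result but worth a comment since the capture count differs from the replacement. The enclosing switch in clean_text starts and ends outside the hunk.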