
MDL-20981 admin/lang.php escapes all variables but $a placeholders

1 parent fbb35a5 commit 6b67b00992975b8f33bbd67aa7275f97323b6ff6 @mudrd8mz mudrd8mz committed Nov 26, 2009
Showing with 4 additions and 0 deletions.
  1. +4 −0 admin/lang.php
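--- a/admin/lang.php
+++ b/admin/lang.php
@@ -1013,6 +1013,10 @@ function lang_fix_value_before_save($value='') {
 if (ini_get_bool('magic_quotes_sybase')) { // Unescape escaped sybase quotes
 $value = str_replace("''", "'", $value);
 }
+ // escape all embedded variables
+ $value = str_replace('$', '\$', $value); // Add slashes for $
+ // unescape placeholders: only $a and $a->something are allowed. All other $variables are left escaped
+ $value = preg_replace('/\\\\\$a($|[^_a-zA-Z0-9\-]|\->[a-zA-Z0-9_]+)/', '$a\\1', $value);
 $value = str_replace("'", "\\'", $value); // Add slashes for '
 $value = str_replace('"', "\\\"", $value); // Add slashes for "
 $value = str_replace("%","%%",$value); // Escape % characters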
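Review bot: The added `str_replace('$', '\$', $value)` escapes `$` without regard to the character before it, so a submitted value that already has a backslash directly in front of a `$` ends up as an escaped backslash followed by a live variable, assuming the saved string is later expanded with interpolation as the commit title implies. The function starts above the hunk, so backslashes may already be stripped or doubled there; if that is not guaranteed for every input, add `$value = str_replace('\\', '\\\\', $value);` before the `$` escape. `preg_replace()` returns null on a PCRE error, which would silently blank the string being saved, so assign to a temporary and keep the escaped value on failure: `if ($fixed !== null) { $value = $fixed; }`. A one-line comment above the pattern noting that `\\\\\$a` matches a literal backslash followed by `$a` would make the five-backslash sequence reviewable.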
