Conjunto de cambios 52861f4 en sipes para cord/modules/filter/filter.module
- Fecha y hora:
- 26/05/2016 19:22:36 (hace 8 años)
- Branches:
- stable, version-3.0
- Children:
- 6627152
- Parents:
- dedbde1
- Fichero:
-
- 1 editado
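--- a/cord/modules/filter/filter.module
+++ b/cord/modules/filter/filter.module
@@ -1205,4 +1205,51 @@
 
 /**
+ * Processes an HTML attribute value and ensures it does not contain an URL
+ * with a disallowed protocol (e.g. javascript:)
+ *
+ * @param $string
+ *   The string with the attribute value.
+ * @param $decode
+ *   Whether to decode entities in the $string. Set to FALSE if the $string
+ *   is in plain text, TRUE otherwise. Defaults to TRUE.
+ * @return
+ *   Cleaned up and HTML-escaped version of $string.
+ */
+function filter_xss_bad_protocol($string, $decode = TRUE) {
+  static $allowed_protocols;
+  if (!isset($allowed_protocols)) {
+    $allowed_protocols = array_flip(variable_get('filter_allowed_protocols', array('http', 'https', 'ftp', 'news', 'nntp', 'tel', 'telnet', 'mailto', 'irc', 'ssh', 'sftp', 'webcal', 'rtsp')));
+  }
+
+  // Get the plain text representation of the attribute value (i.e. its meaning).
+  if ($decode) {
+    $string = decode_entities($string);
+  }
+
+  // Iteratively remove any invalid protocol found.
+
+  do {
+    $before = $string;
+    $colonpos = strpos($string, ':');
+    if ($colonpos > 0) {
+      // We found a colon, possibly a protocol. Verify.
+      $protocol = substr($string, 0, $colonpos);
+      // If a colon is preceded by a slash, question mark or hash, it cannot
+      // possibly be part of the URL scheme. This must be a relative URL,
+      // which inherits the (safe) protocol of the base document.
+      if (preg_match('![/?#]!', $protocol)) {
+        break;
+      }
+      // Per RFC2616, section 3.2.3 (URI Comparison) scheme comparison must be case-insensitive
+      // Check if this is a disallowed protocol.
+      if (!isset($allowed_protocols[strtolower($protocol)])) {
+        $string = substr($string, $colonpos + 1);
+      }
+    }
+  } while ($before != $string);
+  return check_plain($string);
+}
+
+/**
  * @} End of "Standard filters".
  */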
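Review bot: The whitelist lookup in filter_xss_bad_protocol lowercases only the candidate scheme (`strtolower($protocol)` at new line 1245), while the keys built by `array_flip(variable_get('filter_allowed_protocols', ...))` at line 1221 keep whatever case the site variable holds, so a configured entry such as `HTTP` would never match and every URL using it would be stripped — fail-closed, so not an XSS hole, but a silent breakage of the configurable allow-list. Normalising the configured list once when the static is populated closes that gap: `$allowed_protocols = array_flip(array_map('strtolower', variable_get('filter_allowed_protocols', array('http', 'https', 'ftp', 'news', 'nntp', 'tel', 'telnet', 'mailto', 'irc', 'ssh', 'sftp', 'webcal', 'rtsp'))));`. The loop guard `while ($before != $string)` happens to be safe because `$before` always contains a colon whenever it differs from `$string`, but `!==` states the intent and avoids relying on PHP's loose string comparison. The deny-unknown-scheme approach, the entity decode before the check, and the `![/?#]!` relative-URL short-circuit otherwise look correct as written.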