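/**
 * Recursively screens request data for markup that looks like script injection.
 *
 * Arrays and objects are walked element by element; scalars are matched against
 * a small blocklist of regular expressions (script URIs, CSS expressions,
 * event-handler attributes, embedding tags). This is a heuristic pre-filter only:
 * it inspects values, not keys, and the leading `\W` in the string patterns means
 * a token at the very start of a value is not matched. It does not replace
 * context-specific output escaping or parameterised queries.
 *
 * @param mixed $data Request value: scalar, nested array, or traversable object.
 * @return int 1 when nothing suspicious was found, 0 otherwise.
 */
function valid_input_data($data)
{
    if (is_array($data) || is_object($data)) {
        /*
         ** Form data can contain a number of nested arrays.
         */
        foreach ($data as $key => $value) {
            if (!valid_input_data($value)) {
                return 0;
            }
        }
        return 1;
    }

    // null/bool/int reach this branch as well; cast explicitly rather than relying
    // on preg_match()'s implicit coercion (a null subject is deprecated in 8.1+).
    $subject = (string) $data;

    $patterns = [
        // check strings:
        "/\\Wjavascript\\s*:/i",
        "/\\Wexpression\\s*\\(/i",
        "/\\Walert\\s*\\(/i",
        // check attributes:
        "/\\W(dynsrc|datasrc|data|lowsrc|on[a-z]+)\\s*=[^>]+?>/i",
        // check tags:
        "/<\\s*(applet|script|object|style|embed|form|blink|meta|html|frame|iframe|layer|ilayer|head|frameset|xml)/i",
    ];

    foreach ($patterns as $pattern) {
        $result = preg_match($pattern, $subject);
        // preg_match() returns false on a PCRE error (e.g. backtrack limit). Summing
        // the results, as the original did, turned that into "no match" and let the
        // value through; treat an engine error as a hit so the filter fails closed.
        if ($result === false || $result > 0) {
            return 0;
        }
    }
    return 1;
}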
require_once "classes/field.php";
require_once "classes/person.php";
require_once "classes/league.php";
require_once "classes/team.php";
require_once "classes/game.php";
require_once "classes/slot.php";
require_once "classes/event.php";
require_once "classes/registration.php";
require_once "classes/registration_payment.php";
require_once "classes/formbuilder.php";
require_once "classes/session.php";
require_once "classes/spirit.php";
require_once "classes/field_report.php";
require_once "classes/note.php";
require_once "classes/season.php";
// Refuse the whole request if anything in $_REQUEST (by default GET, POST and
// COOKIE, per the request_order ini setting) trips the blocklist in
// valid_input_data(). This is a coarse pre-filter, not a replacement for
// escaping at the point of output or parameterising queries.
if (!valid_input_data($_REQUEST)) {
    die("terminated request due to suspicious input data");
}
require_once "Handler.php";
// configure sessions
lr_configure_sessions();
/* TODO Hack! */
// Expose session state to the templates. $smarty and $lr_session are presumably
// created by the includes above (not visible here) — confirm before relying on it.
$smarty->assign('session_valid', $lr_session->is_valid());
$smarty->assign('session_fullname', $lr_session->attr_get('fullname'));
$smarty->assign('session_userid', $lr_session->attr_get('user_id'));
// Headers have not been sent yet
// `global` is a no-op at file scope; it only matters if this file is included
// from inside a function, in which case it still lands the flag in global scope.
global $headers_sent;
$headers_sent = 0;
/* Build menus */
menu_build();
if (array_key_exists('q', $_GET)) {
/**
 * Recursively screens request data for markup that looks like script injection.
 *
 * Both keys and values of arrays/objects are checked. Non-null scalars are first
 * passed through decode_entities() for '<', '&' and '"' so that entity-encoded
 * forms are inspected in decoded form, then matched against a blocklist of
 * patterns. Heuristic pre-filter only; not a substitute for context-specific
 * output escaping.
 *
 * NOTE(review): this is declared as a free function but calls
 * $this->decode_entities(); outside an object context that line raises
 * Error ("Using $this when not in object context") as soon as a non-null scalar
 * is reached — confirm whether this body was lifted from a class method.
 * decode_entities() is not visible here; its exact behaviour is assumed.
 *
 * @param mixed $data Request value: scalar, nested array, or traversable object.
 * @return bool TRUE when nothing suspicious was found, FALSE otherwise.
 */
function valid_input_data($data)
{
    if (is_array($data) || is_object($data)) {
        foreach ($data as $key => $value) {
            // Keys come from the request too, so they are screened as well.
            if (!valid_input_data($key) || !valid_input_data($value)) {
                return FALSE;
            }
        }
    } else {
        // null values are skipped entirely and count as valid.
        if (isset($data)) {
            $data = $this->decode_entities($data, array('<', '&', '"'));
            // preg_match() returns false on a PCRE error; summed in, that counts
            // as 0 and the value passes — the filter fails open on engine errors.
            $match = preg_match('/\\Wjavascript\\s*:/i', $data);
            $match += preg_match('/\\Wexpression\\s*\\(/i', $data);
            $match += preg_match('/\\Walert\\s*\\(/i', $data);
            $match += preg_match("/\\W(dynsrc|datasrc|data|lowsrc|on[a-z]+)\\s*=[^>]+?>/i", $data);
            $match += preg_match("/<\\s*(applet|script|object|style|embed|form|blink|meta|html|frame|iframe|layer|ilayer|head|frameset|xml)/i", $data);
            if ($match) {
                return FALSE;
            }
        }
    }
    return TRUE;
}