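/**
 * Decode entity-encoded and backslash-escaped characters in an attribute
 * value, in place, so that later checks see the literal 8-bit text rather
 * than an encoded form of it.
 *
 * Decoding is repeated until a full pass rewrites nothing, so a value that
 * was encoded more than once (an entity whose decoded form is itself an
 * entity) is fully unwrapped before any check runs on it.
 *
 * @param string $attvalue Attribute value to decode; modified by reference.
 * @return void
 */
function defang(&$attvalue) {
    // Nothing to decode unless an entity ('&') or a backslash escape is present.
    if (strpos($attvalue, '&') === false && strpos($attvalue, '\\') === false) {
        return;
    }

    do {
        // deent() is expected to return whether it rewrote the value. The
        // chain stops at the first pattern that matched; the loop then runs
        // another pass and only exits once no pattern matches at all.
        // NOTE(review): the '&#' / '&#x' entity prefixes in the first two
        // patterns were restored from a mis-encoded copy; verify upstream.
        $m = deent($attvalue, '/\\&#0*(\\d+);*/s')                   // decimal entity, e.g. &#106; (leading zeros tolerated)
            || deent($attvalue, '/\\&#x0*((\\d|[a-f])+);*/si', true) // hex entity, e.g. &#x6a; (third arg presumably selects hex - confirm in deent)
            || deent($attvalue, '/\\\\(\\d+)/s', true);              // backslash escape followed by digits only
        // NOTE(review): the backslash pattern captures only \d+, so an escape
        // containing hex letters (e.g. \6a) is not decoded here - confirm intended.
    } while ($m);

    // Remove any remaining escaping backslashes once the escapes are decoded.
    $attvalue = stripslashes($attvalue);
}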
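/**
 * Decode entity-encoded and backslash-escaped characters in an attribute
 * value, in place, so that later checks see the literal 8-bit text rather
 * than an encoded form of it.
 *
 * Decoding is repeated until a full pass rewrites nothing, so a value that
 * was encoded more than once (an entity whose decoded form is itself an
 * entity) is fully unwrapped before any check runs on it. Progress is
 * reported through spew() at each step.
 *
 * @param string $attvalue Attribute value to decode; modified by reference.
 * @return void
 */
function defang(&$attvalue) {
    $me = 'defang';

    spew("{$me}: Checking '{$attvalue}' for suspicious content\n");
    // Nothing to decode unless an entity ('&') or a backslash escape is present.
    if (strpos($attvalue, '&') === false && strpos($attvalue, '\\') === false) {
        spew("{$me}: no suspicious content found, returning.\n");
        return;
    }

    do {
        // deent() is expected to return whether it rewrote the value. The
        // chain stops at the first pattern that matched; the loop then runs
        // another pass and only exits once no pattern matches at all.
        // NOTE(review): the '&#' / '&#x' entity prefixes in the first two
        // patterns were restored from a mis-encoded copy; verify upstream.
        $m = deent($attvalue, '/\\&#0*(\\d+);*/s')                   // decimal entity, e.g. &#106; (leading zeros tolerated)
            || deent($attvalue, '/\\&#x0*((\\d|[a-f])+);*/si', true) // hex entity, e.g. &#x6a; (third arg presumably selects hex - confirm in deent)
            || deent($attvalue, '/\\\\(\\d+)/s', true);              // backslash escape followed by digits only
        // NOTE(review): the backslash pattern captures only \d+, so an escape
        // containing hex letters (e.g. \6a) is not decoded here - confirm intended.
        spew("{$me}: m={$m}\n");
    } while ($m);

    // Remove any remaining escaping backslashes once the escapes are decoded.
    $attvalue = stripslashes($attvalue);
    spew("{$me}: translated into: {$attvalue}\n");
}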