/**
 * Decode numeric character references inside an attribute value so that
 * later filtering can inspect the literal 8-bit characters.
 *
 * Rewrites $attvalue in place. Three encodings are unwrapped, in this order:
 * decimal entities ("&#106;"), hexadecimal entities ("&#x6A;") and CSS-style
 * backslash escapes ("\6A"). The trailing semicolon is optional in the entity
 * patterns (";*"), mirroring browsers' tolerance of unterminated entities.
 * Decoding is repeated until a pass changes nothing, because a decoded entity
 * may itself spell out another one ("&#38;#106;" -> "&#106;" -> "j").
 * Any backslashes left over afterwards are removed with stripslashes().
 *
 * Security note: only numeric forms are decoded here. Named entities such as
 * "&lt;" or "&colon;" are not touched by this function, so whatever consumes
 * the result must not assume they have been normalised.
 *
 * NOTE(review): termination depends on deent() replacing each match with
 * something shorter / non-matching; deent() is defined elsewhere -- confirm,
 * or consider an upper bound on the number of passes.
 *
 * @param  string $attvalue Attribute value, modified by reference.
 * @return void
 */
function defang(&$attvalue)
{
    // Fast path: without an ampersand or a backslash there is nothing encoded.
    $hasAmpersand = strpos($attvalue, '&') !== false;
    $hasBackslash = strpos($attvalue, '\\') !== false;
    if (!$hasAmpersand && !$hasBackslash) {
        return;
    }

    // pattern => whether the captured digits are hexadecimal. Only the first
    // matching pattern runs in a given pass; the loop then starts over.
    $passes = array(
        '/\\&#0*(\\d+);*/s'           => false,
        '/\\&#x0*((\\d|[a-f])+);*/si' => true,
        '/\\\\(\\d+)/s'               => true,
    );

    do {
        $decodedSomething = false;
        foreach ($passes as $pattern => $isHex) {
            if ($isHex) {
                $decodedSomething = (bool) deent($attvalue, $pattern, true);
            } else {
                $decodedSomething = (bool) deent($attvalue, $pattern);
            }
            if ($decodedSomething) {
                break;
            }
        }
    } while ($decodedSomething);

    // Strip whatever backslashes did not form a recognised escape.
    $attvalue = stripslashes($attvalue);
}
/**
 * Decode numeric character references inside an attribute value so that
 * later filtering can inspect the literal 8-bit characters.
 *
 * Rewrites $attvalue in place. Three encodings are unwrapped, in this order:
 * decimal entities ("&#106;"), hexadecimal entities ("&#x6A;") and CSS-style
 * backslash escapes ("\6A"). The trailing semicolon is optional in the entity
 * patterns (";*"), mirroring browsers' tolerance of unterminated entities.
 * Decoding is repeated until a pass changes nothing, because a decoded entity
 * may itself spell out another one ("&#38;#106;" -> "&#106;" -> "j").
 * Any backslashes left over afterwards are removed with stripslashes().
 * Progress is reported through spew() at each step.
 *
 * Security note: only numeric forms are decoded here. Named entities such as
 * "&lt;" or "&colon;" are not touched by this function, so whatever consumes
 * the result must not assume they have been normalised.
 *
 * NOTE(review): termination depends on deent() replacing each match with
 * something shorter / non-matching; deent() is defined elsewhere -- confirm,
 * or consider an upper bound on the number of passes.
 *
 * @param  string $attvalue Attribute value, modified by reference.
 * @return void
 */
function defang(&$attvalue)
{
    $me = 'defang';
    spew("{$me}: Checking '{$attvalue}' for suspicious content\n");

    // Fast path: without an ampersand or a backslash there is nothing encoded.
    $hasAmpersand = strpos($attvalue, '&') !== false;
    $hasBackslash = strpos($attvalue, '\\') !== false;
    if (!$hasAmpersand && !$hasBackslash) {
        spew("{$me}: no suspicious content found, returning.\n");
        return;
    }

    // pattern => whether the captured digits are hexadecimal. Only the first
    // matching pattern runs in a given pass; the loop then starts over.
    $passes = array(
        '/\\&#0*(\\d+);*/s'           => false,
        '/\\&#x0*((\\d|[a-f])+);*/si' => true,
        '/\\\\(\\d+)/s'               => true,
    );

    do {
        $decodedSomething = false;
        foreach ($passes as $pattern => $isHex) {
            if ($isHex) {
                $decodedSomething = (bool) deent($attvalue, $pattern, true);
            } else {
                $decodedSomething = (bool) deent($attvalue, $pattern);
            }
            if ($decodedSomething) {
                break;
            }
        }
        spew("{$me}: m={$decodedSomething}\n");
    } while ($decodedSomething);

    // Strip whatever backslashes did not form a recognised escape.
    $attvalue = stripslashes($attvalue);
    spew("{$me}: translated into: {$attvalue}\n");
}