예제 #1
/**
 * Remove backslash escaping from every scalar value in an array, descending
 * into nested arrays. The array is modified in place via the reference.
 *
 * Each leaf goes through stripslashes(), so non-string leaves are coerced to
 * string on the way, exactly as a direct stripslashes() call would do.
 *
 * @param array $array the array to process, passed by reference
 * @return void
 */
function sqstripslashes(&$array)
{
    if (count($array) === 0) {
        return;
    }

    // Iterate over the keys rather than a copy of the values so that the
    // recursive call and the assignment both hit the referenced array.
    foreach (array_keys($array) as $key) {
        if (is_array($array[$key])) {
            sqstripslashes($array[$key]);
            continue;
        }
        $array[$key] = stripslashes($array[$key]);
    }
}
예제 #2
require SM_PATH . 'functions/plugin.php';
require SM_PATH . 'include/languages.php';
require SM_PATH . 'class/template/Template.class.php';
require SM_PATH . 'class/error.class.php';

/*
 * SquirrelMail does not cope with magic_quotes_runtime being enabled, so it
 * is switched off here, where every SquirrelMail entry point should pick it
 * up. (tassium@squirrelmail.org: if there is a better place for this, say so.)
 */
ini_set('magic_quotes_runtime', '0');

/*
 * With magic_quotes_gpc enabled, PHP has already backslash-escaped the request
 * data; undo that for the GET and POST superglobals so the rest of the code
 * sees the raw values. get_magic_quotes_gpc() was deprecated in PHP 7.4 and
 * removed in 8.0, hence the function_exists() guard and the silenced call.
 */
if (function_exists('get_magic_quotes_gpc')) {
    if (@get_magic_quotes_gpc()) {
        sqstripslashes($_GET);
        sqstripslashes($_POST);
    }
}
/**
* Strip any tags added to the url from PHP_SELF.
* This fixes hand-crafted URL XSS exploits for any
* page that uses PHP_SELF as the FORM action.
* Update: strip_tags() won't catch something like
* src/right_main.php?sort=0&startMessage=1&mailbox=INBOX&xxx="><script>window.open("http://example.com")</script>
* or
* contrib/decrypt_headers.php/%22%20onmouseover=%22alert(%27hello%20world%27)%22%3E
* because it doesn't bother with broken tags.
* sm_encode_html_special_chars() is the preferred method.
* QUERY_STRING also needs the same treatment since it is
* used in php_self().
* Update again: the encoding of ampersands that occurs
* using sm_encode_html_special_chars() corrupts the query strings