* A comment or an SGML declaration.
*/
if (substr($body, $pos+1, 2) == "--"){
- $gt = strpos($body, "-->", $pos)+2;
+ $gt = strpos($body, "-->", $pos);
if ($gt === false){
$gt = strlen($body);
- }
+ } else {
+ $gt += 2;
+ }
return Array(false, false, false, $lt, $gt);
} else {
$gt = sq_findnxstr($body, $pos, ">");
}
/**
- * Fix stupid expression: declarations which lead to vulnerabilities
+ * Fix stupid css declarations which lead to vulnerabilities
* in IE.
*/
- $content = preg_replace("/expression\s*:/si", "idiocy:", $content);
+ $match = Array('/expression/si',
+ '/behaviou*r/si',
+ '/binding/si');
+ $replace = Array('idiocy', 'idiocy', 'idiocy');
+ $content = preg_replace($match, $replace, $content);
return $content;
}
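Review bot: The three keyword patterns in `$match` run against `$content` exactly as it arrives, so a keyword interrupted by a CSS comment or written with backslash escapes does not match and passes through unchanged. Unless that normalisation already happens earlier in this function (its start is outside the hunk), strip both before matching, for example `$content = preg_replace('|/\*.*?\*/|s', '', $content);` followed by `$content = str_replace('\\', '', $content);`. The same gap applies to the identical patterns added under `"/^style/si"` in the attribute-value rules further down. As a smaller point, `/behaviou*r/si` accepts any number of `u` where `/behaviou?r/i` states the intent, and a single string `'idiocy'` would do in place of the three-element `$replace` array.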
$open_tags = Array();
$trusted = "<!-- begin sanitized html -->\n";
$skip_content = false;
+ /**
+ * Take care of netscape's stupid javascript entities like
+ * &{alert('boo')};
+ */
+ $body = preg_replace("/&(\{.*?\};)/si", "&\\1", $body);
while (($curtag=sq_getnxtag($body, $curpos)) != FALSE){
list($tagname, $attary, $tagtype, $lt, $gt) = $curtag;
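Review bot: As the added line reads here, the replacement `"&\\1"` writes back exactly what the pattern matched (`&` followed by the captured `{...};`), so the call is a no-op and the entity reaches the output intact. The comment above it says the intent is to neutralise the entity, which requires escaping the ampersand: `$body = preg_replace("/&(\{.*?\};)/si", "&amp;\\1", $body);`. The page rendering may have decoded an `&amp;` that is present in the committed file, so verify against the source before merging. The loop that follows continues outside the hunk.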
"/.*/" =>
Array(
"/target/si",
- "/^on.*/si"
+ "/^on.*/si",
+ "/^dynsrc/si",
+ "/^data.*/si"
)
);
Array(
Array(
"|^([\'\"])\s*\.\./.*([\'\"])|si",
- "/^([\'\"])\s*\S+script\s*:.*([\'\"])/si"
+ "/^([\'\"])\s*\S+script\s*:.*([\'\"])/si",
+ "/^([\'\"])\s*mocha\s*:*(.*)([\'\"])/si",
+ "/^([\'\"])\s*about\s*:(.*)([\'\"])/si"
),
Array(
"\\1$secremoveimg\\2",
- "\\1$secremoveimg\\2"
+ "\\1$secremoveimg\\2",
+ "\\1$secremoveimg\\2",
+ "\\1$secremoveimg\\2"
)
),
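Review bot: The new `mocha` and `about` patterns capture the remainder of the value as group 2 (`(.*)`), but their replacements are still `"\\1$secremoveimg\\2"`, which was written for patterns where group 2 is the closing quote. The rewritten value is therefore the opening quote, the placeholder, then the original text after the scheme, with no closing quote. Drop the extra capture so the groups line up with the existing entries: `"/^([\'\"])\s*mocha\s*:.*([\'\"])/si"` and `"/^([\'\"])\s*about\s*:.*([\'\"])/si"`. In the `mocha` pattern `:*` also makes the colon optional, so any value that merely begins with "mocha" is rewritten; a plain `:` is presumably what was meant. The enclosing array starts and ends outside the hunk.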
"/^style/si" =>
Array(
Array(
- "/expression\s*:/si",
+ "/expression/si",
+ "/binding/si",
+ "/behaviou*r/si",
"|url\(([\'\"])\s*\.\./.*([\'\"])\)|si",
"/url\(([\'\"])\s*\S+script:.*([\'\"])\)/si"
),
Array(
- "idiocy:",
+ "idiocy",
+ "idiocy",
+ "idiocy",
"url(\\1$secremoveimg\\2)",
"url(\\1$secremoveimg\\2)"
)