improve auto security for php vars

h2lsoft · Sep 11, 2015 · 38ba7a4 · 38ba7a4
1 parent 3d599b2
commit 38ba7a4
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 6 deletions.
diff --git a/library/php/TPLN/TPLN.php b/library/php/TPLN/TPLN.php
@@ -53,9 +53,8 @@ function tpln_auto_security($value, $urldecode_before=false, $sanitize=true, $st
 
 
 	// naughty scripting
-	$value = preg_replace('#(alert|cmd|passthru|eval|shell_exec|exec|expression|system|fopen|fsockopen|file|file_get_contents|readfile|unlink)(\s*)\((.*?)\)#si',
-					'\\1\\2&#40;\\3&#41;',
-					$value);
+	$value = preg_replace('#(alert|cmd|passthru|eval|shell_exec|exec|expression|system|fopen|fsockopen|file|file_get_contents|readfile|unlink)(\s*)\((.*?)\)#i',
+					'[XSS-PROTECT:\\1] &#40;\\3&#41;', $value);
 
 	// never allowed
 	$_never_allowed_str =	array('document.cookie', 'document.write', '.parentNode', '.innerHTML', 'window.location', '-moz-binding');

diff --git a/nuts/_inc/Page.class.php b/nuts/_inc/Page.class.php
@@ -380,12 +380,14 @@ public function write()
 		$url_tmp = @parse_url($_SERVER['REQUEST_URI']);
         if(!$url_tmp)$this->error404();
 
-		if(isset($url_tmp['query']))
-			parse_str($url_tmp['query'], $_GET);
+		// if(isset($url_tmp['query']))
+			// parse_str($url_tmp['query'], $_GET);
 
         // get information page
         $port = ($_SERVER['SERVER_PORT'] == 80) ? '' : ':'.$_SERVER['SERVER_PORT'];
 		$url = 'http'.((!empty($_SERVER['HTTPS'])) ? 's' : '').'://'.$_SERVER['SERVER_NAME'].$port.$_SERVER['REQUEST_URI'];
+		$url = str_replace(':443', '', $url);
+
 
 		// no query string for control
 		$url = explode('?', $url);
@@ -395,7 +397,6 @@ public function write()
 		$curl = explode('/', $curl);
 
 
-
 		// homepage ?
 		$this->isHome = false;
 		if(count($curl) == 0 || $curl[0] == '' || $curl[0] == 'index.php')