From 38ba7a4706b28a21f2a1ced3b85f8e77a7844d37 Mon Sep 17 00:00:00 2001
From: h2lsoft
Date: Fri, 11 Sep 2015 17:50:15 +0200
Subject: [PATCH] improve auto security for php vars
---
 library/php/TPLN/TPLN.php | 5 ++---
 nuts/_inc/Page.class.php | 7 ++++---
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/library/php/TPLN/TPLN.php b/library/php/TPLN/TPLN.php
index 2e94dc81..5e6208c5 100644
--- a/library/php/TPLN/TPLN.php
+++ b/library/php/TPLN/TPLN.php
@@ -53,9 +53,8 @@ function tpln_auto_security($value, $urldecode_before=false, $sanitize=true, $st
 // naughty scripting
- $value = preg_replace('#(alert|cmd|passthru|eval|shell_exec|exec|expression|system|fopen|fsockopen|file|file_get_contents|readfile|unlink)(\s*)\((.*?)\)#si',
- '\\1\\2(\\3)',
- $value);
+ $value = preg_replace('#(alert|cmd|passthru|eval|shell_exec|exec|expression|system|fopen|fsockopen|file|file_get_contents|readfile|unlink)(\s*)\((.*?)\)#i',
+ '[XSS-PROTECT:\\1] (\\3)', $value);
 // never allowed
 $_never_allowed_str = array('document.cookie', 'document.write', '.parentNode', '.innerHTML', 'window.location', '-moz-binding');
diff --git a/nuts/_inc/Page.class.php b/nuts/_inc/Page.class.php
index 0eb176d1..6e4ceeba 100644
--- a/nuts/_inc/Page.class.php
+++ b/nuts/_inc/Page.class.php
@@ -380,12 +380,14 @@ public function write()
 $url_tmp = @parse_url($_SERVER['REQUEST_URI']);
 if(!$url_tmp)$this->error404();
- if(isset($url_tmp['query']))
- parse_str($url_tmp['query'], $_GET);
+ // if(isset($url_tmp['query']))
+ // parse_str($url_tmp['query'], $_GET);
 // get information page
 $port = ($_SERVER['SERVER_PORT'] == 80) ? '' : ':'.$_SERVER['SERVER_PORT']; $url = 'http'.((!empty($_SERVER['HTTPS'])) ? 's' : '').'://'.$_SERVER['SERVER_NAME'].$port.$_SERVER['REQUEST_URI'];
+ $url = str_replace(':443', '', $url);
+ // no query string for control $url = explode('?', $url);
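Review bot: Dropping the `s` modifier (`#si` became `#i`) on the regex in the added `preg_replace` means `(.*?)` no longer spans newlines, so a payload with a line break inside the parentheses, such as `alert(\n1)`, now passes through untouched while the single-line form is rewritten — a regression rather than a hardening. More broadly this is a keyword blacklist: the captured argument `\\3` is re-emitted verbatim, the list has no entry for `setTimeout`, `Function` or `location` style sinks and (presumably) none of the encoded spellings a browser still executes, and ordinary words like `file (attached)` or `exec (1)` in legitimate text will be mangled into `[XSS-PROTECT:file] (attached)`. The dependable control is encoding at the output sink for its context, e.g. `htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` for HTML, with this filter at most a defence-in-depth heuristic; if the rewrite stays, restore the modifier, `(\s*)\((.*?)\)#si',`, and add a comment above the call stating `// best-effort keyword filter only: escape at the output sink, this is not an XSS guarantee`. tpln_auto_security begins before this hunk and continues after it.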
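Review bot: The added `$url = str_replace(':443', '', $url);` is a global replace over the whole string, which includes `$_SERVER['REQUEST_URI']`, so any request whose path or query contains the text `:443` (e.g. `/item:443`) is silently rewritten before the route lookup that follows. Dropping the default port belongs in the `$port` computation and should depend on the scheme: `$is_https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';` then `$port = ($_SERVER['SERVER_PORT'] == ($is_https ? 443 : 80)) ? '' : ':'.$_SERVER['SERVER_PORT'];` and `$url = 'http'.($is_https ? 's' : '').'://'.$_SERVER['SERVER_NAME'].$port.$_SERVER['REQUEST_URI'];` in place of the existing scheme/port lines and the `str_replace`. The two `parse_str(..., $_GET)` lines the commit disables should be deleted rather than left commented out — the history lives in version control, and commented code tends to be re-enabled without review. `$_SERVER['SERVER_NAME']` may follow the client's Host header under some server configurations, so the assembled `$url` should be treated as untrusted routing input, not as a canonical identity — presumably fine for the path matching below, but worth confirming. write() begins before this hunk and continues after it.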
@@ -395,7 +397,6 @@ public function write() $curl = explode('/', $curl); - // homepage ? $this->isHome = false; if(count($curl) == 0 || $curl[0] == '' || $curl[0] == 'index.php')