authorLuke Shumaker <lukeshu@sbcglobal.net>2011-09-25 16:20:30 -0700
committerLuke Shumaker <lukeshu@sbcglobal.net>2011-09-25 16:20:30 -0700
commitd6dc8873e370c116fe332dc44beb34624fd5dc4e (patch)
treecf063412bf08d673b78ca7b679f4bc22c980b30d
parent514d9393ff9d7752426aaaa9b840ee1f94229491 (diff)
Make xss-check.php.sample use all regex
-rw-r--r--xss-check.php.sample10
1 files changed, 5 insertions, 5 deletions
diff --git a/xss-check.php.sample b/xss-check.php.sample
index bfc7973..d68b3cb 100644
--- a/xss-check.php.sample
+++ b/xss-check.php.sample
@@ -19,8 +19,8 @@
* inside of "baseurl" might not be trusted (like email body files).
*/
function xss_attack() {
- $siteurl = 'http://mckenzierobotics.org/';// basic trusted base
- $mmurl = $siteurl.'mm/';// where MessageManager is
+ $siteurl_re = '^https?://(www\.)?mckenzierobotics\.org/';// basic trusted base
+ $mmurl_re = $siteurl.'mm/';// where MessageManager is
if (!isset($_SERVER['HTTP_REFERER']))
return false;
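Review bot: `$mmurl_re` on the second added line is still built from `$siteurl`, which this hunk renames to `$siteurl_re`, so the concatenation reads an undefined variable and `$mmurl_re` collapses to `'mm/'`; it should read `$mmurl_re = $siteurl_re.'mm/';`. The same stale name survives in the second hunk, where `$messages_re` is built from `$mmurl` and additionally passes the value through `preg_quote()`, which would escape the `^`, `?` and `\.` metacharacters of what is now a pattern rather than a literal prefix — `'@'.$mmurl_re.'messages/.*/.@'` keeps it usable as a regex. Because the value being matched comes from the client-supplied `HTTP_REFERER` header, the outcome of this check should be treated as a heuristic signal rather than an authorization decision. The body of xss_attack() continues past both hunks.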
@@ -36,11 +36,11 @@ function xss_attack() {
default: break;
}
- if (substr($from,0,strlen($siteurl)) != $siteurl)
+ if (!preg_match('@'.$siteurl_re.'@', $from))
return true;
- $messages = '@^'.preg_quote($mmurl.'messages/','@').'.*/.@';
- if (preg_match($messages, $from))
+ $messages_re = '@'.preg_quote($mmurl.'messages/','@').'.*/.@';
+ if (preg_match($messages_re, $from))
// Someone cleverly tried to XSS us from inside a message
return true;