| -rw-r--r-- | xss-check.php.sample | 10 | 
1 files changed, 5 insertions, 5 deletions
diff --git a/xss-check.php.sample b/xss-check.php.sample
index bfc7973..d68b3cb 100644
--- a/xss-check.php.sample
+++ b/xss-check.php.sample
@@ -19,8 +19,8 @@
  * inside of "baseurl" might not be trusted (like email body files).
  */
 function xss_attack() {
-	$siteurl = 'http://mckenzierobotics.org/';// basic trusted base
-	$mmurl = $siteurl.'mm/';// where MessageManager is
+	$siteurl_re = '^https?://(www\.)?mckenzierobotics\.org/';// basic trusted base
+	$mmurl_re = $siteurl.'mm/';// where MessageManager is
 
 	if (!isset($_SERVER['HTTP_REFERER']))
 		return false;
@@ -36,11 +36,11 @@ function xss_attack() {
 	default: break;
 	}
 
-	if (substr($from,0,strlen($siteurl)) != $siteurl)
+	if (!preg_match('@'.$siteurl_re.'@', $from))
 		return true;
 
-	$messages = '@^'.preg_quote($mmurl.'messages/','@').'.*/.@';
-	if (preg_match($messages, $from))
+	$messages_re = '@'.preg_quote($mmurl.'messages/','@').'.*/.@';
+	if (preg_match($messages_re, $from))
 		// Someone cleverly tried to XSS us from inside a message
 		return true;
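Review bot: The added line `$mmurl_re = $siteurl.'mm/';` in the first hunk still reads `$siteurl`, which this same hunk removes, so `$mmurl_re` is built from an undefined variable (null under PHP, plus a notice) and ends up as just `'mm/'`; the second hunk has the same problem with `$mmurl` inside `preg_quote($mmurl.'messages/','@')`, which leaves `$messages_re` unanchored and matching any referer containing `messages/`. The intended rename is presumably `$mmurl_re = $siteurl_re.'mm/';`, and because that value is now a regex fragment (it carries the `^` anchor and `(www\.)?` from `$siteurl_re`) it must not be passed through `preg_quote`, which would escape those metacharacters; the second hunk would then read `$messages_re = '@'.$mmurl_re.preg_quote('messages/','@').'.*/.@';`. Note that the old `$messages` pattern was explicitly anchored with `'@^'` while the new one starts with `'@'`, so the only anchoring left is the `^` inherited from `$siteurl_re` — worth a comment on the `$messages_re` line saying so. The body of `xss_attack()` continues outside both hunks.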
