From d6dc8873e370c116fe332dc44beb34624fd5dc4e Mon Sep 17 00:00:00 2001
From: Luke Shumaker <lukeshu@sbcglobal.net>
Date: Sun, 25 Sep 2011 16:20:30 -0700
Subject: Make xss-check.php.sample use all regex

---
 xss-check.php.sample | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/xss-check.php.sample b/xss-check.php.sample
index bfc7973..d68b3cb 100644
--- a/xss-check.php.sample
+++ b/xss-check.php.sample
@@ -19,8 +19,8 @@
  * inside of "baseurl" might not be trusted (like email body files).
  */
 function xss_attack() {
-	$siteurl = 'http://mckenzierobotics.org/';// basic trusted base
-	$mmurl = $siteurl.'mm/';// where MessageManager is
+	$siteurl_re = '^https?://(www\.)?mckenzierobotics\.org/';// basic trusted base
+	$mmurl_re = $siteurl.'mm/';// where MessageManager is
 
 	if (!isset($_SERVER['HTTP_REFERER']))
 		return false;
@@ -36,11 +36,11 @@ function xss_attack() {
 	default: break;
 	}
 
-	if (substr($from,0,strlen($siteurl)) != $siteurl)
+	if (!preg_match('@'.$siteurl_re.'@', $from))
 		return true;
 
-	$messages = '@^'.preg_quote($mmurl.'messages/','@').'.*/.@';
-	if (preg_match($messages, $from))
+	$messages_re = '@'.preg_quote($mmurl.'messages/','@').'.*/.@';
+	if (preg_match($messages_re, $from))
 		// Someone cleverly tried to XSS us from inside a message
 		return true;
 
-- 
cgit v1.2.3