author | Pierre Schmitz <pierre@archlinux.de> | 2007-09-11 00:19:58 +0200 |
committer | Pierre Schmitz <pierre@archlinux.de> | 2007-09-11 00:19:58 +0200 |
commit | d7d08bd1a17618c7d77a6b9b2989e9f7293d6ed6 (patch) | |
tree | d782e2d1f10104181ccdeb8231409f3f4b2aae12 /includes/api | |
parent | d354da0fd0f521019c67bf12eefe527d4cf84017 (diff) |
added security patch -> 1.10.2
Diffstat (limited to 'includes/api')
-rw-r--r-- | includes/api/ApiFormatBase.php | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/includes/api/ApiFormatBase.php b/includes/api/ApiFormatBase.php
index 192c51a7..782a4161 100644
--- a/includes/api/ApiFormatBase.php
+++ b/includes/api/ApiFormatBase.php
@@ -145,8 +145,11 @@ for more information.
 * This method also replaces any '<' with <
 */
 protected function formatHTML($text) {
- // encode all tags as safe blue strings
- $text = ereg_replace('\<([^>]+)\>', '<span style="color:blue;"><\1></span>', $text);
+ // Escape everything first for full coverage
+ $text = htmlspecialchars($text);
+
+ // encode all comments or tags as safe blue strings
+ $text = preg_replace('/\<(!--.*?--|.*?)\>/', '<span style="color:blue;"><\1></span>', $text);
 // identify URLs
 $protos = "http|https|ftp|gopher";
 $text = ereg_replace("($protos)://[^ '\"()<\n]+", '<a href="\\0">\\0</a>', $text); |
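Review bot: As printed, the added `preg_replace` pattern `/\<(!--.*?--|.*?)\>/` looks for literal `<` and `>`, but the `htmlspecialchars($text)` call just above it has already turned every `<` and `>` into `&lt;` and `&gt;`, so the tag-colouring replacement would never match and tags would be emitted escaped but uncoloured. The docblock context line (`replaces any '<' with <`) shows the same symptom, so this is most likely the page rendering having decoded entities inside the pattern and replacement; it is worth confirming in the file that both are written against the escaped forms, i.e. `'/\&lt;(!--.*?--|.*?)\&gt;/'` and `'<span style="color:blue;">&lt;\1&gt;</span>'`. Either way the escape-first ordering is the right shape: a non-matching regex only loses highlighting, whereas the removed single-regex approach left any `<` without a closing `>`, and every `"` and `&`, unescaped in the output. Two smaller points: without the `s` modifier `.*?` does not cross a newline, so a tag or comment spanning lines stays uncoloured (harmless, since it is already escaped), and the URL line two lines below still uses `ereg_replace` while this line moved to PCRE, so converting it to `preg_replace` would keep formatHTML on one regex engine. The body of formatHTML continues past the end of the hunk.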