From e540f8f862339dbb2c24a9680cb5d93d6447eafd Mon Sep 17 00:00:00 2001 From: =?utf8?q?Roland=20H=C3=A4der?= Date: Wed, 30 Jun 2010 04:14:49 +0000 Subject: [PATCH] Possible fix for bad escaping of single-quotes --- inc/libs/security_functions.php | 7 +------ inc/template-functions.php | 5 ++++- 2 files changed, 5 insertions(+), 7 deletions(-) diff --git a/inc/libs/security_functions.php b/inc/libs/security_functions.php index c57d1e4c6e..7fc8a5ec11 100644 --- a/inc/libs/security_functions.php +++ b/inc/libs/security_functions.php @@ -151,17 +151,12 @@ if (!isset($_POST)) { $_POST = $GLOBALS['_POST']; } // END - if -// Include IP-Filter here -//include("/usr/share/php/ipfilter.php"); - // Generate arrays which holds the relevante chars to replace $GLOBALS['security_chars'] = array( // The chars we are looking for... - 'from' => array('{', '}', '/', '.', "'", '$', '(', ')', '{--', '--}', '{?', '?}', '%', ';', '[', ']', ':', '--'), + 'from' => array('/', '.', "'", '$', '(', ')', '{--', '--}', '{?', '?}', '%', ';', '[', ']', ':', '--'), // ... and we will replace to. 'to' => array( - '{OPEN_ANCHOR2}', - '{CLOSE_ANCHOR2}', '{SLASH}', '{DOT}', '{QUOT}', diff --git a/inc/template-functions.php b/inc/template-functions.php index 768cf677c4..e29ca2856e 100644 --- a/inc/template-functions.php +++ b/inc/template-functions.php @@ -242,7 +242,7 @@ function doFinalCompilation ($code, $insertComments = true) { // Compile it //* DEBUG: */ debugOutput('
'.encodeEntities($code).'
'); $eval = '$newContent = "' . str_replace('{DQUOTE}', '"', compileCode(escapeQuotes($code))) . '";'; - //* DEBUG: */ if ($insertComments) die('
'.linenumberCode($eval).'
'); + //* DEBUG: */ if (!$insertComments) print('
'.linenumberCode($eval).'
'); eval($eval); //* DEBUG: */ die('
'.encodeEntities($newContent).'
'); @@ -1450,6 +1450,9 @@ function escapeQuotes ($str, $single = false) { // Escape all (including null) $str = addslashes($str); } else { + // Remove escaping of single quotes + $str = str_replace("\'", "'", $str); + // Escape only double-quotes but prevent double-quoting $str = str_replace("\\\\", "\\", str_replace('"', "\\\"", $str)); } -- 2.39.5