From e540f8f862339dbb2c24a9680cb5d93d6447eafd Mon Sep 17 00:00:00 2001
From: =?utf8?q?Roland=20H=C3=A4der?= <roland@mxchange.org>
Date: Wed, 30 Jun 2010 04:14:49 +0000
Subject: [PATCH] Possible fix for bad escaping of single-quotes

---
 inc/libs/security_functions.php | 7 +------
 inc/template-functions.php      | 5 ++++-
 2 files changed, 5 insertions(+), 7 deletions(-)

diff --git a/inc/libs/security_functions.php b/inc/libs/security_functions.php
index c57d1e4c6e..7fc8a5ec11 100644
--- a/inc/libs/security_functions.php
+++ b/inc/libs/security_functions.php
@@ -151,17 +151,12 @@ if (!isset($_POST)) {
 	$_POST = $GLOBALS['_POST'];
 } // END - if
 
-// Include IP-Filter here
-//include("/usr/share/php/ipfilter.php");
-
 // Generate arrays which holds the relevante chars to replace
 $GLOBALS['security_chars'] = array(
 	// The chars we are looking for...
-	'from' => array('{', '}', '/', '.', "'", '$', '(', ')', '{--', '--}', '{?', '?}', '%', ';', '[', ']', ':', '--'),
+	'from' => array('/', '.', "'", '$', '(', ')', '{--', '--}', '{?', '?}', '%', ';', '[', ']', ':', '--'),
 	// ... and we will replace to.
 	'to'   => array(
-		'{OPEN_ANCHOR2}',
-		'{CLOSE_ANCHOR2}',
 		'{SLASH}',
 		'{DOT}',
 		'{QUOT}',
diff --git a/inc/template-functions.php b/inc/template-functions.php
index 768cf677c4..e29ca2856e 100644
--- a/inc/template-functions.php
+++ b/inc/template-functions.php
@@ -242,7 +242,7 @@ function doFinalCompilation ($code, $insertComments = true) {
 		// Compile it
 		//* DEBUG: */ debugOutput('<pre>'.encodeEntities($code).'</pre>');
 		$eval = '$newContent = "' . str_replace('{DQUOTE}', '"', compileCode(escapeQuotes($code))) . '";';
-		//* DEBUG: */ if ($insertComments) die('<pre>'.linenumberCode($eval).'</pre>');
+		//* DEBUG: */ if (!$insertComments) print('<pre>'.linenumberCode($eval).'</pre>');
 		eval($eval);
 		//* DEBUG: */ die('<pre>'.encodeEntities($newContent).'</pre>');
 
@@ -1450,6 +1450,9 @@ function escapeQuotes ($str, $single = false) {
 		// Escape all (including null)
 		$str = addslashes($str);
 	} else {
+		// Remove escaping of single quotes
+		$str = str_replace("\'", "'", $str);
+
 		// Escape only double-quotes but prevent double-quoting
 		$str = str_replace("\\\\", "\\", str_replace('"', "\\\"", $str));
 	}
-- 
2.39.2