[BUGFIX] t3lib_div::removeXSS does not remove some XSS
authorJigal van Hemert <jigal@xs4all.nl>
Wed, 27 Jul 2011 10:28:47 +0000 (12:28 +0200)
committerOliver Hader <oliver@typo3.org>
Wed, 27 Jul 2011 10:30:05 +0000 (12:30 +0200)
Change-Id: I136052f3296a17a021f0e30deca7e34fd5869ab3
Resolves: #20775
Reviewed-on: http://review.typo3.org/3749
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
typo3/contrib/RemoveXSS/RemoveXSS.php

index 5752835..fb3677c 100644 (file)
@@ -75,7 +75,7 @@ final class RemoveXSS {
                $ra_protocol = array('javascript', 'vbscript', 'expression');
 
                //remove the potential &#xxx; stuff for testing
-               $val2 = preg_replace('/(&#[xX]?0{0,8}(9|10|13|a|b);)*\s*/i', '', $val);
+               $val2 = preg_replace('/(&#[xX]?0{0,8}(9|10|13|a|b);?)*\s*/i', '', $val);
                $ra = array();
 
                foreach ($ra1 as $ra1word) {
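Review bot: Making the terminator optional on the added line (`;?`) also removes the right-hand boundary of the reference, so `&#10` and `&#13` now match the leading digits of longer decimal references such as `&#100;` or `&#130;` and leave a stray `0;` behind in `$val2`. Since `$val2` is only the detection copy (per the comment above it), this is over-matching rather than a bypass, but it makes the keyword search that follows less precise than before. Replacing `;?` with `(?:;|(?![\da-f]))` keeps the terminator optional while still requiring the reference to end where no further digit or hex digit follows, which is what the original `;` guaranteed. The method containing this line starts and ends outside the hunk.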
@@ -107,7 +107,7 @@ final class RemoveXSS {
                                        $pattern = '';
                                        for ($j = 0; $j < strlen($ra[$i][0]); $j++) {
                                                if ($j > 0) {
-                                                       $pattern .= '((&#[xX]0{0,8}([9ab]);)|(&#0{0,8}(9|10|13);)|\s)*';
+                                                       $pattern .= '((&#[xX]0{0,8}([9ab]);?)|(&#0{0,8}(9|10|13);?)|\s)*';
                                                }
                                                $pattern .= $ra[$i][0][$j];
                                        }
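Review bot: The entity-or-whitespace alternation on the added line is the same literal as on the two added lines in the next hunk, so this fix had to be applied by hand in three places and any future tweak will have to be again. Building the sub-pattern once — for example a class constant `const ENTITY_OR_WS = '((&#[xX]0{0,8}([9ab]);?)|(&#0{0,8}(9|10|13);?)|\s)*';` concatenated as `self::ENTITY_OR_WS` at each site — keeps the three uses in step. Separately, the keyword character appended by `$pattern .= $ra[$i][0][$j];` goes into the pattern unescaped; the keyword lists visible in the first hunk hold only letters, but `preg_quote($ra[$i][0][$j])` would make that not depend on the lists. The loop and the method enclosing it start and end outside the hunk.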
@@ -115,11 +115,11 @@ final class RemoveXSS {
                                        switch ($ra[$i][1]) {
                                                case 'ra_protocol':
                                                        //these take the form of e.g. 'javascript:'
-                                                       $pattern .= '((&#[xX]0{0,8}([9ab]);)|(&#0{0,8}(9|10|13);)|\s)*(?=:)';
+                                                       $pattern .= '((&#[xX]0{0,8}([9ab]);?)|(&#0{0,8}(9|10|13);?)|\s)*(?=:)';
                                                        break;
                                                case 'ra_tag':
                                                        //these take the form of e.g. '<SCRIPT[^\da-z] ....';
-                                                       $pattern = '(?<=<)' . $pattern . '((&#[xX]0{0,8}([9ab]);)|(&#0{0,8}(9|10|13);)|\s)*(?=[^\da-z])';
+                                                       $pattern = '(?<=<)' . $pattern . '((&#[xX]0{0,8}([9ab]);?)|(&#0{0,8}(9|10|13);?)|\s)*(?=[^\da-z])';
                                                        break;
                                                case 'ra_attribute':
                                                        //these take the form of e.g. 'onload='  Beware that a lot of characters are allowed
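Review bot: The hex branch `[9ab]` on both added lines (and the one in the previous hunk) matches only lowercase hex digits, while the same branch accepts `&#[xX]`; unless the assembled `$pattern` is compiled with the `i` modifier where it is used, which is outside this hunk, `&#x0A;` or `&#x0B;` placed between keyword characters would not be skipped, even though the `/i` pattern in the first hunk strips them for the `$val2` check. Writing the class as `[9abAB]` removes the dependence on the modifier. The `switch` continues past the end of the hunk and the method enclosing it starts outside it.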