From f3e8b55a7a72ee35fb62211bc9b545b382f962fb Mon Sep 17 00:00:00 2001
From: Friendika
Date: Tue, 7 Dec 2010 14:37:56 -0800
Subject: [PATCH] removed high-bit angle-char stripping from input filter - interfering with utf-8 chars

---
 boot.php | 27 ++++++++++++++++++++-------
 1 file changed, 20 insertions(+), 7 deletions(-)

diff --git a/boot.php b/boot.php
index 49679c3b7f..a80832b89a 100644
--- a/boot.php
+++ b/boot.php
@@ -518,16 +518,29 @@ function random_string() {
 	return(hash('sha256',uniqid(rand(),true)));
 }}
-// This is our primary input filter. The high bit hack only involved some old
-// IE browser, forget which.
-// Use this on any text input where angle chars are not valid or permitted
-// They will be replaced with safer brackets. This may be filtered further
-// if these are not allowed either.
+/**
+ * This is our primary input filter.
+ *
+ * The high bit hack only involved some old IE browser, forget which (IE5/Mac?)
+ * that had an XSS attack vector due to stripping the high-bit on an 8-bit character
+ * after cleansing, and angle chars with the high bit set could get through as markup.
+ *
+ * This is now disabled because it was interfering with some legitimate unicode sequences
+ * and hopefully there aren't a lot of those browsers left.
+ *
+ * Use this on any text input where angle chars are not valid or permitted
+ * They will be replaced with safer brackets. This may be filtered further
+ * if these are not allowed either.
+ *
+ */
 if(! function_exists('notags')) {
 function notags($string) {
-	// protect against :<> with high-bit set
-	return(str_replace(array("<",">","\xBA","\xBC","\xBE"), array('[',']','','',''), $string));
+
+	return(str_replace(array("<",">"), array('[',']'), $string));
+
+// High-bit filter no longer used
+//	return(str_replace(array("<",">","\xBA","\xBC","\xBE"), array('[',']','','',''), $string));
 }}
 // use this on "body" or "content" input where angle chars shouldn't be removed,
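Review bot: The commented-out old `return` kept after the live one in `notags` is dead code; the commit message and the new docblock already record why the high-bit stripping was dropped, so the two `//` lines at the end of the function should be removed and the old form left to version history. The docblock would also benefit from stating what the function still does not do, since after this change it only swaps `<`/`>` for `[`/`]` and neither validates UTF-8 nor escapes quotes or ampersands: ` * Not an HTML escaper: callers must still apply htmlspecialchars() (or the escaping for the target context) when emitting the value.` The "interfering with some legitimate unicode sequences" sentence could be made concrete, because 0xBA, 0xBC and 0xBE are continuation bytes in valid UTF-8 (e.g. the second byte of º, ¼ and ¾ encoded as C2 BA, C2 BC, C2 BE), which is presumably what the old filter was corrupting.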