|
@@ -1347,10 +1347,12 @@ function sq_getnxtag($body, $offset){
|
|
|
* A comment or an SGML declaration.
|
|
|
*/
|
|
|
if (substr($body, $pos+1, 2) == "--"){
|
|
|
- $gt = strpos($body, "-->", $pos)+2;
|
|
|
+ $gt = strpos($body, "-->", $pos);
|
|
|
if ($gt === false){
|
|
|
$gt = strlen($body);
|
|
|
- }
|
|
|
+ } else {
|
|
|
+ $gt += 2;
|
|
|
+ }
|
|
|
return Array(false, false, false, $lt, $gt);
|
|
|
} else {
|
|
|
$gt = sq_findnxstr($body, $pos, ">");
|
|
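Review bot: The reason the `+2` moved out of the `strpos()` call deserves a comment on the added line, otherwise the next cleanup is likely to fold it back in: `// add the offset only after the false check: false + 2 == 2 would defeat the === test`. It is also worth stating that the fallback `$gt = strlen($body)` treats everything up to the end of the body as the comment, so an unterminated `<!--` swallows the rest of the input rather than letting it through. sq_getnxtag's body continues outside the hunk.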
@@ -1759,10 +1761,14 @@ function sq_fixstyle($message, $id, $content){
|
|
|
}
|
|
|
|
|
|
/**
|
|
|
- * Fix stupid expression: declarations which lead to vulnerabilities
|
|
|
+ * Fix stupid css declarations which lead to vulnerabilities
|
|
|
* in IE.
|
|
|
*/
|
|
|
- $content = preg_replace("/expression\s*:/si", "idiocy:", $content);
|
|
|
+ $match = Array('/expression/si',
|
|
|
+ '/behaviou*r/si',
|
|
|
+ '/binding/si');
|
|
|
+ $replace = Array('idiocy', 'idiocy', 'idiocy');
|
|
|
+ $content = preg_replace($match, $replace, $content);
|
|
|
return $content;
|
|
|
}
|
|
|
|
|
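Review bot: The new patterns `'/expression/si'`, `'/behaviou*r/si'` and `'/binding/si'` only match the literal keyword, so a value where the keyword is written with CSS escape sequences or split by a `/* */` comment is not caught; if that is meant to be covered, normalise `$content` (decode escapes, strip comments) before this `preg_replace`, and the same applies to the identical patterns in the `/^style/si` block of the last magicHTML hunk. In `'/behaviou*r/si'` the `u*` accepts any number of u's where `'/behaviou?r/i'` states the intent (US and UK spellings) plainly, and the `s` modifier does nothing in a pattern without `.`. Since every replacement is the same string, `$content = preg_replace($match, 'idiocy', $content);` is equivalent and drops the parallel `$replace` array. The header comment should also say what is being neutralised, e.g. `* Replace the CSS keywords expression, behavior/behaviour and binding, which IE may treat as script.`; sq_fixstyle starts outside the hunk.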
@@ -1871,6 +1877,11 @@ function sq_sanitize($body,
|
|
|
$open_tags = Array();
|
|
|
$trusted = "<!-- begin sanitized html -->\n";
|
|
|
$skip_content = false;
|
|
|
+ /**
|
|
|
+ * Take care of netscape's stupid javascript entities like
|
|
|
+ * &{alert('boo')};
|
|
|
+ */
|
|
|
+ $body = preg_replace("/&(\{.*?\};)/si", "&\\1", $body);
|
|
|
|
|
|
while (($curtag=sq_getnxtag($body, $curpos)) != FALSE){
|
|
|
list($tagname, $attary, $tagtype, $lt, $gt) = $curtag;
|
|
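Review bot: As displayed, the replacement `"&\\1"` on the added `preg_replace` reproduces the input unchanged — `&` followed by the captured `{...};` — so the javascript entity is not neutralised at all; presumably the committed source reads `"&amp;\\1"` and the rendered view collapsed the entity, so confirm that the literal `&amp;` is really there. The comment above it would then be clearer as `* Escape netscape javascript entities (&{...};) so the & is no longer parsed as an entity start.`, describing the transformation rather than just the input. sq_sanitize continues outside the hunk.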
@@ -2035,7 +2046,9 @@ function magicHTML($body, $id, $message){
|
|
|
"/.*/" =>
|
|
|
Array(
|
|
|
"/target/si",
|
|
|
- "/^on.*/si"
|
|
|
+ "/^on.*/si",
|
|
|
+ "/^dynsrc/si",
|
|
|
+ "/^data.*/si"
|
|
|
)
|
|
|
);
|
|
|
|
|
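Review bot: The added `"/^dynsrc/si"` and `"/^data.*/si"` entries need a comment saying why they are stripped for every tag, since `^data` also removes every ordinary `data-*` attribute; something like `// dynsrc and data* attributes can pull in a URL in IE (presumably datasrc/datafld are the target); losing data-* is accepted`. The trailing `.*` in `"/^on.*/si"` and `"/^data.*/si"` is redundant because the match is not anchored at the end, so `"/^on/i"` and `"/^data/i"` behave identically and the `s` modifier is meaningless without `.`. The enclosing array starts and ends outside the hunk.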
@@ -2047,22 +2060,30 @@ function magicHTML($body, $id, $message){
|
|
|
Array(
|
|
|
Array(
|
|
|
"|^([\'\"])\s*\.\./.*([\'\"])|si",
|
|
|
- "/^([\'\"])\s*\S+script\s*:.*([\'\"])/si"
|
|
|
+ "/^([\'\"])\s*\S+script\s*:.*([\'\"])/si",
|
|
|
+ "/^([\'\"])\s*mocha\s*:*(.*)([\'\"])/si",
|
|
|
+ "/^([\'\"])\s*about\s*:(.*)([\'\"])/si"
|
|
|
),
|
|
|
Array(
|
|
|
"\\1$secremoveimg\\2",
|
|
|
- "\\1$secremoveimg\\2"
|
|
|
+ "\\1$secremoveimg\\2",
|
|
|
+ "\\1$secremoveimg\\2",
|
|
|
+ "\\1$secremoveimg\\2"
|
|
|
)
|
|
|
),
|
|
|
"/^style/si" =>
|
|
|
Array(
|
|
|
Array(
|
|
|
- "/expression\s*:/si",
|
|
|
+ "/expression/si",
|
|
|
+ "/binding/si",
|
|
|
+ "/behaviou*r/si",
|
|
|
"|url\(([\'\"])\s*\.\./.*([\'\"])\)|si",
|
|
|
"/url\(([\'\"])\s*\S+script:.*([\'\"])\)/si"
|
|
|
),
|
|
|
Array(
|
|
|
- "idiocy:",
|
|
|
+ "idiocy",
|
|
|
+ "idiocy",
|
|
|
+ "idiocy",
|
|
|
"url(\\1$secremoveimg\\2)",
|
|
|
"url(\\1$secremoveimg\\2)"
|
|
|
)
|
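Review bot: In the two added patterns `"/^([\'\"])\s*mocha\s*:*(.*)([\'\"])/si"` and `"/^([\'\"])\s*about\s*:(.*)([\'\"])/si"` the `(.*)` is a third capture group, so the closing quote is `\3` while the paired replacement `"\\1$secremoveimg\\2"` inserts group 2 — the remainder of the attribute value — and drops the closing quote, so the original value text survives after `$secremoveimg`. The existing `\S+script` pattern on the line above uses an uncaptured `.*`; make the new ones consistent: `"/^([\'\"])\s*mocha\s*:.*([\'\"])/si",` and `"/^([\'\"])\s*about\s*:.*([\'\"])/si"`. Separately, `:*` in the mocha pattern makes the colon optional (zero or more), unlike the `about` pattern's `:`; if that is unintended, use a single `:`. The enclosing array continues outside the hunk.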