From 5aa9f5230c240a952cdc6eb685b65df36fe7abfd Mon Sep 17 00:00:00 2001 From: Jason Oster Date: Tue, 13 Apr 2010 15:45:47 +0000 Subject: Properly sanitize dollar signs in event text (regression from new sanitize code in 2.4) --- functions/date_functions.php | 14 ++++++++++---- functions/init/sanitize.php | 2 ++ 2 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/functions/date_functions.php b/functions/date_functions.php
index 0aeef60..43a15a0 100644
--- a/functions/date_functions.php
+++ b/functions/date_functions.php
@@ -222,12 +222,18 @@ function makeTitle($arr, $time) { */ function openevent($event_date, $time, $uid, $arr, $lines = 0, $length = 0, $link_class = '', $pre_text = '', $post_text = '') { global $cpath, $timeFormat, $dateFormat_week; + + # Strip all dollar signs from printable array entries; regex functions will mutilate them + foreach ($arr as $key => $val) { + $arr[$key] = str_replace('$', '$', $val); + } + $return = ''; - $event_text = stripslashes(urldecode($arr["event_text"])); + $event_text = stripslashes(urldecode($arr['event_text'])); # build tooltip $title = makeTitle($arr, $time); # for iCal pseudo tag comptability - if (ereg("<([[:alpha:]]+://)([^<>[:space:]]+)>",$event_text,$matches)) { + if (ereg('<([[:alpha:]]+://)([^<>[:space:]]+)>',$event_text,$matches)) { $full_event_text = $matches[1] . $matches[2]; $event_text = $matches[2]; } else {
@@ -238,12 +244,12 @@ function openevent($event_date, $time, $uid, $arr, $lines = 0, $length = 0, $lin if (!empty($link_class)) $link_class = ' class="'.$link_class.'"'; if (!empty($event_text)) { - $title = strip_tags(str_replace("
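Review bot: The new escaping loop runs before the `urldecode()` call a few lines below it, so a URL-encoded dollar sign (`%24`) in `event_text` is decoded into a literal `$` only after the loop has finished and still reaches the regex functions the comment warns about. Applying the replacement to the decoded value closes that gap, e.g. `$event_text = str_replace('$', <replacement>, stripslashes(urldecode($arr['event_text'])));` alongside the loop. The replacement argument renders on this page as a bare `$`, which would make `str_replace('$', '$', $val)` a no-op; presumably an HTML entity such as `&#36;` was lost to rendering, so it is worth confirming in the tree. The comment says "Strip" but the loop substitutes rather than removes, so `# Escape dollar signs in printable array entries; regex replacement functions will mutilate them` would describe the code. openevent's body continues past the hunk.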
","\n",$title)); + $title = strip_tags(str_replace('
',"\n",$title)); if ($lines > 0) { $event_text = word_wrap($event_text, $length, $lines); } - if ((!(ereg("([[:alpha:]]+://[^<>[:space:]]+)", $full_event_text, $res))) || ($arr['description'])) { + if ((!(ereg('([[:alpha:]]+://[^<>[:space:]]+)', $full_event_text, $res))) || ($arr['description'])) { $escaped_date = addslashes($event_date); $escaped_time = addslashes($time); $escaped_uid = addslashes($uid);
diff --git a/functions/init/sanitize.php b/functions/init/sanitize.php
index 39b8246..e3e6525 100644
--- a/functions/init/sanitize.php
+++ b/functions/init/sanitize.php
@@ -53,11 +53,13 @@ function chopToWordCount($string, $count) { function sanitizeForWeb($string) { $string = preg_replace('//', "\n", $string); + $string = str_replace('$', '$', $string); $string = str_replace('&', '&', $string); $string = str_replace('<', '<', $string); $string = str_replace('>', '>', $string); $string = str_replace('\'', ''', $string); $string = str_replace('"', '"', $string); + $string = str_replace('$', '$', $string); $string = str_replace("\n", '
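Review bot: The `if` line this hunk rewrites still calls `ereg()`, which was deprecated in PHP 5.3 and removed in PHP 7, so changing its quoting is the right moment to move it to PCRE: `if ((!(preg_match('#([[:alpha:]]+://[^<>[:space:]]+)#', $full_event_text, $res))) || ($arr['description'])) {`. PCRE accepts POSIX classes inside bracket expressions, so the pattern carries over unchanged apart from the delimiters, and the boolean use of the return value is the same. The `addslashes()` calls on the context lines below are not an HTML or JavaScript escape; if the `$escaped_*` values are emitted into an attribute or inline script further down, they need a context-appropriate escape such as `htmlspecialchars(..., ENT_QUOTES)` — the consumer is outside this hunk. openevent starts in the previous hunk and ends past this one.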
', $string); $string = str_replace("\t", '     ', $string); -- cgit v1.2.3
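Review bot: The first added `str_replace('$', ...)` is placed before the `&` escape on the very next line, so if its replacement is an `&`-prefixed entity the ampersand it just introduced is re-escaped to `&amp;` and the entity text appears literally in the page, while if both added calls are identical the first is simply redundant; either way only the second call, which runs after every other escape, should remain, or a comment should say why both are needed. Both replacement strings render here as a bare `$`, which would make the calls no-ops, so an entity such as `&#36;` was presumably lost to rendering and should be confirmed in the tree. The `preg_replace('//', "\n", $string)` pattern on the first line renders as empty on this page as well; an empty PCRE pattern matches at every position, so if that is really what is committed the whole string is newline-joined — presumably a `<br>` pattern was stripped by the renderer. Worth stating in the function's header comment that the output is for HTML body context only and that the `$` substitution exists to keep dollar signs out of later regex replacements, since an entity-form value no longer compares equal to the stored text. sanitizeForWeb begins in this hunk but its body continues past the last line shown.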