BUG#244 Backed out changes done in Patch 1.33 due to major
authorJens Frank <jeluf@users.mediawiki.org>
Sun, 29 Aug 2004 19:07:18 +0000 (19:07 +0000)
committerJens Frank <jeluf@users.mediawiki.org>
Sun, 29 Aug 2004 19:07:18 +0000 (19:07 +0000)
security problems. HTML tags were not escaped and it was possible to execute arbitrary javascript code

includes/DifferenceEngine.php

index 3bc8269..f4a3a9f 100644 (file)
@@ -211,8 +211,8 @@ class DifferenceEngine {
        {
                global $wgOut, $wgUseExternalDiffEngine;
 
-               $otext = str_replace( "\r\n", "\n", $otext );
-               $ntext = str_replace( "\r\n", "\n", $ntext );
+               $otext = str_replace( "\r\n", "\n", htmlspecialchars( $otext ) );
+               $ntext = str_replace( "\r\n", "\n", htmlspecialchars( $ntext ) );
 
 
                        $wgOut->addHTML( "<table border='0' width='98%'
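Review bot: These two `htmlspecialchars()` calls become the only escaping on the whole diff path, because the later hunks in this commit remove it from `_flushGroup`, `contextLine`, `_added` and `_deleted`, which now place their input straight into HTML. Nothing in the code records that contract, so a later caller that hands the formatter text from another source would reintroduce script injection without touching any line that looks wrong. A comment above the two assignments would help, for example `// Escape once here: the diff formatter classes below emit their lines as raw HTML.`, together with a one-line docblock on each of those methods stating that the text must already be HTML-escaped. `$wgUseExternalDiffEngine` is in scope in this method; if an external-engine branch receives `$otext`/`$ntext`, confirm that it expects escaped input, since that branch is not visible in this hunk. The method starts and ends outside the hunk.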
@@ -1154,11 +1154,11 @@ class _HWLDF_WordAccumulator {
 
        function _flushGroup ($new_tag) {
                if ($this->_group !== '') {
-                       if ($this->_tag == 'mark')
-                               $this->_line .= '<span class="diffchange">'.htmlspecialchars ( $this->_group ).'</span>';
-                       else
-                               $this->_line .= htmlspecialchars ( $this->_group );
-               }
+         if ($this->_tag == 'mark')
+                       $this->_line .= '<span class="diffchange">'.$this->_group.'</span>';
+         else
+               $this->_line .= $this->_group;
+       }
                $this->_group = '';
                $this->_tag = $new_tag;
        }
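Review bot: With escaping moved ahead of the diff, `_flushGroup` now wraps words that are already entity-encoded, and the `_split` pattern shown further down appears to tokenise `&lt;` as `&`, `lt`, `;`. A change from `<` to `>` within a line could therefore be emitted as `&<span class="diffchange">gt</span>;`, which no longer renders as the character. Markup is still neutralised, so this looks like a display defect rather than an injection path. If it matters, the splitter could keep an entity as one token by adding `&[a-z]+; |` as the first alternative of the `_split` pattern. The new lines also use a different tab/space mix from the rest of the method.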
@@ -1166,9 +1166,7 @@ class _HWLDF_WordAccumulator {
        function _flushLine ($new_tag) {
                $this->_flushGroup($new_tag);
                if ($this->_line != '')
-                       array_push ( $this->_lines, $this->_line );
-               else
-                       array_push ( $this->_lines, NBSP );
+                       $this->_lines[] = $this->_line;
                $this->_line = '';
        }
 
@@ -1181,6 +1179,7 @@ class _HWLDF_WordAccumulator {
                        if ($word == '')
                                continue;
                        if ($word[0] == "\n") {
+                               $this->_group .= NBSP;
                                $this->_flushLine($tag);
                                $word = substr($word, 1);
                        }
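Review bot: `$this->_group .= NBSP;` runs for every word that begins with a newline, so each completed line gets the filler appended, not only empty lines as the `else` branch removed from `_flushLine` did. Because it is added to the current group before the flush, it can also land inside a `diffchange` span when the tag is `mark`. If only empty lines need the filler, guard it: `if ($this->_group === '' && $this->_line === '') $this->_group .= NBSP;`. The definition of `NBSP` and the loop around this block are outside the hunk.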
@@ -1207,6 +1206,8 @@ class WordLevelDiff extends MappedDiff
        }
 
        function _split($lines) {
+               // FIXME: fix POSIX char class.
+#               if (!preg_match_all('/ ( [^\S\n]+ | [[:alnum:]]+ | . ) (?: (?!< \n) [^\S\n])? /xs',
                if (!preg_match_all('/ ( [^\S\n]+ | [0-9_A-Za-z\x80-\xff]+ | . ) (?: (?!< \n) [^\S\n])? /xs',
                                                        implode("\n", $lines),
                                                        $m)) {
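Review bot: The added `FIXME: fix POSIX char class.` does not say what is wrong with `[[:alnum:]]`, and the disabled pattern is kept as a `#` comment between a `//` comment and the live `if`, which makes the statement easy to misread. Either drop the dead line or state the reason, e.g. `// FIXME: [[:alnum:]] did not work here (reason to be filled in); an explicit byte class is used instead.` Separately, in both the disabled and the live pattern `(?!< \n)` is, under the `x` flag, a negative lookahead for `<` followed by a newline; if a lookbehind was intended it would be written `(?<! \n)`, which is worth confirming. The `preg_match_all` call continues past the end of the hunk.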
@@ -1256,7 +1257,7 @@ class TableDiffFormatter extends DiffFormatter
                $l2 = wfMsg( 'lineno', $ybeg );
 
                $r = '<tr><td colspan="2" align="left"><strong>'.$l1."</strong></td>\n" .
-                       '<td colspan="2" align="left"><strong>'.$l2."</strong></td></tr>\n";
+                 '<td colspan="2" align="left"><strong>'.$l2."</strong></td></tr>\n";
                return $r;
        }
 
@@ -1273,12 +1274,12 @@ class TableDiffFormatter extends DiffFormatter
 
        function addedLine( $line ) {
                return '<td>+</td><td class="diff-addedline">' .
-                       $line . '</td>';
+                 $line.'</td>';
        }
 
        function deletedLine( $line ) {
                return '<td>-</td><td class="diff-deletedline">' .
-                       $line . '</td>';
+                 $line.'</td>';
        }
 
        function emptyLine() {
@@ -1286,22 +1287,21 @@ class TableDiffFormatter extends DiffFormatter
        }
 
        function contextLine( $line ) {
-               return '<td> </td><td class="diff-context">' .
-                       htmlspecialchars ( $line ) . '</td>';
+               return '<td> </td><td class="diff-context">'.$line.'</td>';
        }
 
        function _added($lines) {
                global $wgOut;
                foreach ($lines as $line) {
                        $wgOut->addHTML( '<tr>' . $this->emptyLine() .
-                         $this->addedLine( htmlspecialchars ( $line ) ) . "</tr>\n" );
+                         $this->addedLine( $line ) . "</tr>\n" );
                }
        }
 
        function _deleted($lines) {
                global $wgOut;
                foreach ($lines as $line) {
-                       $wgOut->addHTML( '<tr>' . $this->deletedLine( htmlspecialchars ( $line ) ) .
+                       $wgOut->addHTML( '<tr>' . $this->deletedLine( $line ) .
                          $this->emptyLine() . "</tr>\n" );
                }
        }