diff options
| author | Paweł Sroka <srokap@gmail.com> | 2013-09-12 05:59:18 +0200 |
|---|---|---|
| committer | Paweł Sroka <srokap@gmail.com> | 2013-09-12 05:59:18 +0200 |
| commit | c1ea910e3b3b0bcc27a214383c9f6355a05dd495 (patch) | |
| tree | 3c22e2c1015e775c3993329f16e9296dc2b57c1a /engine/lib/output.php | |
| parent | 96fd62420124d8b22e9a368532240a5c5066d628 (diff) | |
| download | elgg-c1ea910e3b3b0bcc27a214383c9f6355a05dd495.tar.gz elgg-c1ea910e3b3b0bcc27a214383c9f6355a05dd495.tar.bz2 | |
Added function for escaping query strings and fixed several XSRF vulnerabilities.
Diffstat (limited to 'engine/lib/output.php')
| -rw-r--r-- | engine/lib/output.php | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/engine/lib/output.php b/engine/lib/output.php index 6172a5c8d..de4f911fb 100644 --- a/engine/lib/output.php +++ b/engine/lib/output.php @@ -421,6 +421,25 @@ function _elgg_html_decode($string) { } /** + * Prepares query string for output to prevent CSRF attacks. + * + * @param string $string + * @return string + * + * @access private + */ +function _elgg_get_display_query($string) { + //encode <,>,&, quotes and characters above 127 + if (function_exists('mb_convert_encoding')) {
+ $display_query = mb_convert_encoding($string, 'HTML-ENTITIES', 'UTF-8');
+ } else {
+ // if no mbstring extension, we just strip characters
+ $display_query = preg_replace("/[^\x01-\x7F]/", "", $string);
+ }
+ return htmlspecialchars($display_query, ENT_QUOTES, 'UTF-8', false); +} + +/** * Unit tests for Output * * @param string $hook unit_test |