authorPaweł Sroka <srokap@gmail.com>2014-01-01 13:12:10 +0100
committerPaweł Sroka <srokap@gmail.com>2014-01-01 13:12:10 +0100
commit7006294fcbfab450289403b6519edb9d5d30ff35 (patch)
tree5dd58bccbe443795fd41aaa4afeafba6ed2a96d5 /engine/lib
parent82b30f63043eba9c18999bd2a15301d62ead4a76 (diff)
parentc1ea910e3b3b0bcc27a214383c9f6355a05dd495 (diff)
downloadelgg-7006294fcbfab450289403b6519edb9d5d30ff35.tar.gz
elgg-7006294fcbfab450289403b6519edb9d5d30ff35.tar.bz2
Merged in csrf_fix (pull request #7)
Added function for escaping query strings and fixed several XSRF vulnerabilities.
Diffstat (limited to 'engine/lib')
-rw-r--r--engine/lib/output.php19
1 files changed, 19 insertions, 0 deletions
diff --git a/engine/lib/output.php b/engine/lib/output.php
index 6172a5c8d..de4f911fb 100644
--- a/engine/lib/output.php
+++ b/engine/lib/output.php
@@ -421,6 +421,25 @@ function _elgg_html_decode($string) {
}
/**
+ * Prepares query string for output to prevent CSRF attacks.
+ *
+ * @param string $string
+ * @return string
+ *
+ * @access private
+ */
+function _elgg_get_display_query($string) {
+ //encode <,>,&, quotes and characters above 127
+ if (function_exists('mb_convert_encoding')) {
+ $display_query = mb_convert_encoding($string, 'HTML-ENTITIES', 'UTF-8');
+ } else {
+ // if no mbstring extension, we just strip characters
+ $display_query = preg_replace("/[^\x01-\x7F]/", "", $string);
+ }
+ return htmlspecialchars($display_query, ENT_QUOTES, 'UTF-8', false);
+}
+
+/**
* Unit tests for Output
*
* @param string $hook unit_test
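Review bot: The docblock on the new `_elgg_get_display_query` says the escaping prevents CSRF, but what the body does — entity-encoding `<`, `>`, `&`, quotes and characters above 127 before the string is echoed — defends against a reflected query string injecting markup, i.e. XSS, and a maintainer reading "CSRF" will look for token checks that are not here. I would reword the summary to `Prepares a query string for safe display in HTML context: encodes <, >, &, quotes and non-ASCII so a reflected query string cannot inject markup (XSS).` and add that callers embedding the result in a JavaScript or URL context still need context-specific escaping. The `false` passed as the last argument to `htmlspecialchars` (double_encode) deserves a why-comment, e.g. `// double_encode=false so the entities produced by mb_convert_encoding are not re-encoded`; it also means entities already present in the raw query string are displayed decoded rather than literally, which is worth stating. The fallback pattern `[^\x01-\x7F]` additionally drops NUL bytes while the mbstring branch passes them through — probably harmless for display, but a short comment would make clear whether that difference is intended.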