diff options
| author | Nils Adermann <naderman@naderman.de> | 2010-11-20 17:55:56 +0100 |
|---|---|---|
| committer | Nils Adermann <naderman@naderman.de> | 2010-11-20 17:55:56 +0100 |
| commit | d2778e67eaff5453042e6fd851b7d678141be58d (patch) | |
| tree | fd2b892f29eaa61038ab418b0abb3d473cbeb5a6 /phpBB/includes | |
| parent | fbca4e9c7b2f723dde8e0034b7f5fedc9d0c8483 (diff) | |
| parent | af4c2a3eb15fc4318b23dcb7794c230cf3ec2a0f (diff) | |
| download | forums-d2778e67eaff5453042e6fd851b7d678141be58d.tar forums-d2778e67eaff5453042e6fd851b7d678141be58d.tar.gz forums-d2778e67eaff5453042e6fd851b7d678141be58d.tar.bz2 forums-d2778e67eaff5453042e6fd851b7d678141be58d.tar.xz forums-d2778e67eaff5453042e6fd851b7d678141be58d.zip | |
Merge branch 'prep-release-3.0.8' into develop-olympus
* prep-release-3.0.8:
[prep-release-3.0.8] Incrementing version number to 3.0.8 and update changelog
[ticket/9903] Script for detecting potentially malicious flash bbcodes
[ticket/9904] Update WebPI Parameters.xml to work with WebMatrix.
[ticket/9903] Fix XSS in BBcode-parser's Flash-BBcode.
Conflicts:
phpBB/includes/constants.php
phpBB/install/database_update.php
phpBB/install/schemas/schema_data.sql
Diffstat (limited to 'phpBB/includes')
| -rw-r--r-- | phpBB/includes/constants.php | 2 | ||||
| -rw-r--r-- | phpBB/includes/message_parser.php | 9 |
2 files changed, 10 insertions, 1 deletions
diff --git a/phpBB/includes/constants.php b/phpBB/includes/constants.php index 2b19aa185d..90440f74b8 100644 --- a/phpBB/includes/constants.php +++ b/phpBB/includes/constants.php @@ -275,4 +275,4 @@ define('ZEBRA_TABLE', $table_prefix . 'zebra'); // Additional tables -?>
\ No newline at end of file +?> diff --git a/phpBB/includes/message_parser.php b/phpBB/includes/message_parser.php index 952b55cc8c..b2d0b6c566 100644 --- a/phpBB/includes/message_parser.php +++ b/phpBB/includes/message_parser.php @@ -352,6 +352,15 @@ class bbcode_firstpass extends bbcode return '[flash=' . $width . ',' . $height . ']' . $in . '[/flash]'; } + $in = str_replace(' ', '%20', $in); + + // Make sure $in is a URL. + if (!preg_match('#^' . get_preg_expression('url') . '$#i', $in) && + !preg_match('#^' . get_preg_expression('www_url') . '$#i', $in)) + { + return '[flash=' . $width . ',' . $height . ']' . $in . '[/flash]'; + } + // Apply the same size checks on flash files as on images if ($config['max_' . $this->mode . '_img_height'] || $config['max_' . $this->mode . '_img_width']) { |