author | Ludovic Arnaud <ludovic_arnaud@users.sourceforge.net> | 2006-07-23 22:16:05 +0000 |
---|---|---|
committer | Ludovic Arnaud <ludovic_arnaud@users.sourceforge.net> | 2006-07-23 22:16:05 +0000 |
commit | ed69875649303564671deba54a8ffc1fe3edd9ec (patch) | |
tree | 7fc7dc41beabe0af0acce507ccbd8055494cceb7 /phpBB/includes/functions_template.php | |
parent | afad755f938c3ff287bf677dc55a952655ab1720 (diff) | |
Fixed: bug #3352 (function token_get_all() is missing)
git-svn-id: file:///svn/phpbb/trunk@6206 89ea8834-ac86-4346-8a33-228a782c2dd0
Diffstat (limited to 'phpBB/includes/functions_template.php')
-rw-r--r-- | phpBB/includes/functions_template.php | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/phpBB/includes/functions_template.php b/phpBB/includes/functions_template.php
index d9368ef395..9ced5273ef 100644
--- a/phpBB/includes/functions_template.php
+++ b/phpBB/includes/functions_template.php
@@ -82,6 +82,39 @@ class template_compile
 */
 function remove_php_tags(&$code)
 {
+ if (!function_exists('token_get_all'))
+ {
+ /**
+ * If the tokenizer extension is not available, try to load it and if
+ * it's still not available we fall back to some pattern replacement.
+ *
+ * Note that the pattern replacement may affect the well-formedness
+ * of the HTML if a PHP tag is found because even if we escape PHP
+ * opening tags we do NOT escape PHP closing tags and cannot do so
+ * reliably without the use of a full-blown tokenizer.
+ *
+ * The bottom line is, a template should NEVER contain PHP because it
+ * would comprise the security of the installation, that's why we
+ * prevent it from being executed. Our job is to secure the installation,
+ * not fix unsecure templates. if a template contains some PHP then it
+ * should not be used at all.
+ */
+ @dl('tokenizer');
+
+ if (!function_exists('token_get_all'))
+ {
+ $match = array(
+ '\\?php[\n\r\s\t]+',
+ '\\?=',
+ '\\?[\n\r\s\t]',
+ 'script[\n\r\s\t]+language[\n\r\s\t]*=[\n\r\s\t]*[\'"]php[\'"]'
+ );
+
+ $code = preg_replace('#<(' . implode('|', $match) . ')#is', '<$1', $code);
+ return;
+ }
+ }
+
 do
 {
 $tokens = token_get_all('<?php ?>' . $code);
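Review bot: The fallback `$match` list in the inner `if (!function_exists('token_get_all'))` branch is narrower than what PHP itself accepts as an opening tag, so templates are filtered less strictly on hosts without the tokenizer than on hosts with it. The third alternative `'\\?[\n\r\s\t]'` requires whitespace after `<?`, although `short_open_tag` needs none. The list has no entry for `<%` (`asp_tags`), and the `script` alternative requires quotes around `php`. Escaping every occurrence would close these gaps, e.g. `$match = array('\\?', '%', 'script[\n\r\s\t]+language[\n\r\s\t]*=[\n\r\s\t]*[\'"]?php[\'"]?');`. As displayed, the replacement `'<$1'` writes the match back unchanged; this is presumably an entity-decoding artefact of the page and the file holds `'&lt;$1'`, but it is worth confirming against the repository. The body of `remove_php_tags()` continues past the end of the hunk, so how the tokenizer path treats the same inputs is not visible here.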