Port changes from htmLawed 1.1.19.
tburry committed Feb 3, 2015
1 parent 50eb1cc commit 4127767
Showing 4 changed files with 21 additions and 15 deletions.
6 changes: 3 additions & 3 deletions src/htmLawed/htmLawed.php
@@ -1,7 +1,7 @@
<?php

/*
htmLawed 1.1.18, 2 August 2014
htmLawed 1.1.19, 19 January 2015
Copyright Santosh Patnaik
Dual licensed with LGPL 3 and GPL 2+
A PHP Labware internal utility; www.bioinformatics.org/phplabware/internal_utilities/htmLawed
Expand Down Expand Up @@ -771,7 +771,7 @@ function hl_tag($t) {
$v = preg_replace_callback('`(url(?:\()(?: )*(?:\'|"|&(?:quot|apos);)?)(.+?)((?:\'|"|&(?:quot|apos);)?(?: )*(?:\)))`iS', 'hl_prot', $v);
$v = !$C['css_expression'] ? preg_replace('`expression`i', ' ', preg_replace('`\\\\\S|(/|(%2f))(\*|(%2a))`i', ' ', $v)) : $v;
} elseif (isset($aNP[$k]) or strpos($k, 'src') !== false or $k[0] == 'o') {
$v = str_replace("\xad", ' ', (strpos($v, '&') !== false ? str_replace(array('&#xad;', '&#173;', '&shy;'), ' ', $v) : $v));
$v = str_replace("­", ' ', (strpos($v, '&') !== false ? str_replace(array('&#xad;', '&#173;', '&shy;'), ' ', $v) : $v)); # double-quoted char is soft-hyphen; appears here as "­" or hyphen or something else depending on viewing software
$v = hl_prot($v, $k);
if ($k == 'href') { // X-spam
if ($C['anti_mail_spam'] && strpos($v, 'mailto:') === 0) {
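Review bot: the new search string on the `$v = str_replace("­", ' ', ...)` line is a bare invisible character whose byte value depends on the encoding the file is saved in, and the trailing comment concedes it renders as "­", a hyphen, or something else depending on the viewer; an editor that normalises or strips soft hyphens would silently turn this fix back into a no-op. Write it as an explicit escape for the UTF-8 form, `"\xc2\xad"`, so the intent is visible in any viewer and survives re-encoding. The replaced `"\xad"` matched only the single byte 0xAD, which in UTF-8 attribute values is the trailing byte of the two-byte soft hyphen, so the old code could leave a stray lead byte in the cleaned value, which is presumably the cleaning bug the changelog entry refers to; conversely, the new literal no longer matches a lone 0xAD from ISO-8859-1 input, so listing both byte sequences in the search array would cover both. Since this replacement runs immediately before `hl_prot($v, $k)` inspects the scheme, a test case that places the character inside a URL scheme, in the spirit of the 1.1.16 encoded-space case in the changelog, would pin the behaviour down.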
Expand Down Expand Up @@ -1043,7 +1043,7 @@ function hl_tidy($t, $w, $p) {

function hl_version() {
// rel
return '1.1.18';
return '1.1.19';
// eof
}

4 changes: 2 additions & 2 deletions src/htmLawed/htmLawedTest.php
Expand Up @@ -2,7 +2,7 @@

/*
htmLawedTest.php, 28 May 2013
htmLawed 1.1.17, 11 March 2014
htmLawed 1.1.19, 19 January 2015
Copyright Santosh Patnaik
Dual licensed with LGPL 3 and GPL 2+
A PHP Labware internal utility - http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed
Expand Down Expand Up @@ -647,4 +647,4 @@ function sndValidn(id, type){

</div>
</body>
</html>
</html>
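Review bot: the two `</html>` lines are identical in the rendered diff, so this hunk is a whitespace-only change (most likely a trailing newline or CRLF/LF difference) and is counted among the 21 additions and 15 deletions; the same pattern appears at the end of htmLawed_README.htm and htmLawed_TESTCASE.txt, so a one-line mention in the commit message that line endings were normalised would save the next reviewer from hunting for a real change.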
18 changes: 11 additions & 7 deletions src/htmLawed/htmLawed_README.htm
Expand Up @@ -110,8 +110,8 @@ <h1><a id="peak" name="peak"></a>htmLawed documentation</h1>

<div id="body">
<br />
<div class="comment">htmLawed_README.txt, 11 March 2014<br />
htmLawed 1.1.17, 11 March 2014<br />
<div class="comment">htmLawed_README.txt, 19 January 2015<br />
htmLawed 1.1.19, 19 January 2015<br />
Copyright Santosh Patnaik<br />
Dual licensed with LGPL 3 and GPL 2+<br />
A PHP Labware internal utility &#45; <a href="http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed">http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed</a>&#160;</div>
Expand Down Expand Up @@ -257,7 +257,7 @@ <h1><a id="peak" name="peak"></a>htmLawed documentation</h1>
<a name="s1.6" id="s1.6"></a><span class="item-no">1.6</span>&#160; Availability
</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />
<br />
&#160; htmLawed can be downloaded for free at its <a href="http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed">website</a>. Besides the <span class="term">htmLawed.php</span>&#160;file, the download has the htmLawed documentation (this document) in plain <a href="htmLawed_README.txt">text</a>&#160;and <a href="htmLawed_README.htm">HTML</a>&#160;formats, a script for <a href="htmLawedTest.php">testing</a>, and a text file for <a href="../../tests/fixtures/htmLawed_TESTCASE.txt">test-cases</a>. htmLawed is also available as a PHP class (OOP code) on its website.<br />
&#160; htmLawed can be downloaded for free at its <a href="http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed">website</a>. Besides the <span class="term">htmLawed.php</span>&#160;file, the download has the htmLawed documentation (this document) in plain <a href="htmLawed_README.txt">text</a>&#160;and <a href="htmLawed_README.htm">HTML</a>&#160;formats, a script for <a href="htmLawedTest.php">testing</a>, and a text file for <a href="htmLawed_TESTCASE.txt">test-cases</a>. htmLawed is also available as a PHP class (OOP code) on its website.<br />

</div>
</div>
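Review bot: the test-cases link changes from `../../tests/fixtures/htmLawed_TESTCASE.txt` back to upstream's `htmLawed_TESTCASE.txt`, which resolves because this commit also updates `src/htmLawed/htmLawed_TESTCASE.txt`; the old path implies a second copy of the file lives under tests/fixtures, and if it still does the two will now drift apart with every port. Keep one copy, or note in the commit message which one is authoritative. The same link change is repeated in section 4.4 below.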
Expand Down Expand Up @@ -1773,6 +1773,10 @@ <h1><a id="peak" name="peak"></a>htmLawed documentation</h1>
<br />
&#160; <em>Version number - Release date. Notes</em><br />
<br />
&#160; 1.1.19 - 19 January 2015. Fix for a bug in cleaning of soft-hyphens in URL values, etc.<br />
<br />
&#160; 1.1.18 - 2 August 2014. Fix for a potential security vulnerability arising from specially encoded text with serial opening tags<br />
<br />
&#160; 1.1.17 - 11 March 2014. Removed use of PHP function preg_replace with <span class="term">e</span>&#160;modifier for compatibility with PHP 5.5<br />
<br />
&#160; 1.1.16 - 29 August 2013. Fix for a potential security vulnerability arising from specially encoded space characters in URL schemes/protocols<br />
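Review bot: the 1.1.19 entry "Fix for a bug in cleaning of soft-hyphens in URL values, etc." says little, and "etc." hides whatever else changed. The htmLawed.php hunk shows exactly one functional change, the str_replace target moving from the byte `"\xad"` to the literal soft-hyphen character, and that replacement feeds straight into `hl_prot()`, the same URL-protocol cleaning path that the 1.1.16 and 1.1.18 entries describe as potential security vulnerabilities. State whether 1.1.19 is a security fix or only an output-corruption fix so downstream users can decide how urgently to upgrade, and drop "etc." unless something beyond the soft-hyphen change is actually included.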
Expand Down Expand Up @@ -1840,7 +1844,7 @@ <h1><a id="peak" name="peak"></a>htmLawed documentation</h1>
<a name="s4.4" id="s4.4"></a><span class="item-no">4.4</span>&#160; Testing
</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />
<br />
&#160; To test htmLawed using a form interface, a <a href="htmLawedTest.php">demo</a>&#160;web-page is provided with the htmLawed distribution (<span class="term">htmLawed.php</span>&#160;and <span class="term">htmLawedTest.php</span>&#160;should be in the same directory on the web-server). A file with <a href="../../tests/fixtures/htmLawed_TESTCASE.txt">test-cases</a>&#160;is also provided.<br />
&#160; To test htmLawed using a form interface, a <a href="htmLawedTest.php">demo</a>&#160;web-page is provided with the htmLawed distribution (<span class="term">htmLawed.php</span>&#160;and <span class="term">htmLawedTest.php</span>&#160;should be in the same directory on the web-server). A file with <a href="htmLawed_TESTCASE.txt">test-cases</a>&#160;is also provided.<br />

</div>
<div class="sub-section"><h3>
Expand Down Expand Up @@ -1904,7 +1908,7 @@ <h1><a id="peak" name="peak"></a>htmLawed documentation</h1>
<a name="s4.10" id="s4.10"></a><span class="item-no">4.10</span>&#160; Acknowledgements
</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />
<br />
&#160; Nicholas Alipaz, Bryan Blakey, Pádraic Brady, Dac Chartrand, Ulf Harnhammer, Gareth Heyes, Klaus Leithoff, Lukasz Pilorz, Shelley Powers, Harro Verton, Edward Yang, and many anonymous users.<br />
&#160; Nicholas Alipaz, Bryan Blakey, Pádraic Brady, Dac Chartrand, Ulf Harnhammer, Gareth Heyes, Klaus Leithoff, Lukasz Pilorz, Shelley Powers, Psych0tr1a, Lincoln Russell, Tomas Sykorka, Harro Verton, Edward Yang, and many anonymous users.<br />
<br />
&#160; Thank you!<br />

Expand Down Expand Up @@ -2173,8 +2177,8 @@ <h1><a id="peak" name="peak"></a>htmLawed documentation</h1>
</div>
</div>
<br />
<hr /><br /><br /><span class="subtle"><small>HTM version of <em><a href="htmLawed_README.txt">htmLawed_README.txt</a></em> generated on 11 Mar, 2014 using <a href="http://www.bioinformatics.org/phplabware/internal_utilities">rTxt2htm</a> from PHP Labware</small></span>
<hr /><br /><br /><span class="subtle"><small>HTM version of <em><a href="htmLawed_README.txt">htmLawed_README.txt</a></em> generated on 19 Jan, 2015 using <a href="http://www.bioinformatics.org/phplabware/internal_utilities">rTxt2htm</a> from PHP Labware</small></span>
</div><!-- ended div body -->
</div><!-- ended div top -->
</body>
</html>
</html>
8 changes: 5 additions & 3 deletions src/htmLawed/htmLawed_TESTCASE.txt
@@ -1,6 +1,6 @@
/*
htmLawed_TESTCASE.txt, 27 August 2013
htmLawed 1.1.17, 11 March 2014
htmLawed_TESTCASE.txt, 19 January 2015
htmLawed 1.1.19, 19 January 2015
Copyright Santosh Patnaik
Dual licensed with LGPL 3 and GPL 2+
A PHP Labware internal utility - http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed
Expand Down Expand Up @@ -384,9 +384,11 @@ na Alemanha.
<strong>CSS URLs:</strong> <div style="background-image: url('a.gif');"></div>, <div style="background-image: URL(&quot;a.gif&quot;);"></div>, <div style="background-image: url('http://a.com/a.gif');"></div>, <div style="background-image: url('./../a.gif');"></div>, <div style="background-image: &#117;r&#x6C;('js&#58;xss'&#x29;"></div><br />
<strong>Double URLs:</strong> <a style="behaviour: url(foo) url(http://example.com/xss.htc)">b</a><br />
<strong>Anti-spam:</strong> (try regex for 'http://a.com', etc.) <a href="mailto:x@y.com"></a>, <a href="http://a.com/b@d.f"></a>, <a href="a.com/d.f" rel="nofollow"></a>, <a href="a.com/d.f" rel="1, 2"></a>, <a href="a.com/d.f"></a>, <a href="b.com/d.f"></a>, <a href="c.com/d.f">, <a href="denied:http://c.com/d.f"></a><br />
<strong>Soft-hyphen:</strong> <a href="http://q=ídis­c">ídis­c</a>

<h6>XSS</h6>

<img alt="<img onmouseover=confirm(1)//"<"">
'';!--"<xss>=&{()}<br />
<img src="javascript%3Aalert('xss');" /><br />
<img src="javascript:alert('xss');" /><br />
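Review bot: the new Soft-hyphen case on the `<strong>Soft-hyphen:</strong> <a href="http://q=ídis­c">ídis­c</a>` line relies on an invisible U+00AD inside both the href and the link text, and nothing states the expected result; from the hl_tag branch that handles href, the href should come back with the soft hyphen replaced by a space while the text content is untouched, and that expectation belongs next to the case so a regression is detectable. Add a sibling case using the `&shy;` entity so the entity path of the same str_replace is exercised as well. The `<img alt="<img onmouseover=confirm(1)//"<"">` line added under XSS carries no comment on which release or changelog entry it covers; tag it as the other XSS cases in this section are.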
Expand Down Expand Up @@ -447,4 +449,4 @@ age < 51 and a smoking history of < 51 pack-years <b>was</b> <br />
<b>age >51 and a smoking history of >51 pack-years</b> <br />
<b>age > 51 and a smoking history of >51 pack-years</b> <br />
<b>age <51 and a smoking history of <51 pack-years</b> <br />
<b>age < 51 and a smoking history of < 51 pack-years</b> <br />
<b>age < 51 and a smoking history of < 51 pack-years</b> <br />

0 comments on commit 4127767
