- remove bad html-tags in ticket-subject and -message, thx to Edward Fjellskaal

2010-09-23 06:08:23 +00:00
parent 29d54671d3
commit 59b7ced862
2 changed files with 39 additions and 15 deletions
--- a/admin_tickets.php
+++ b/admin_tickets.php
@@ -168,7 +168,7 @@ if($page == 'tickets'
 				$newticket->Set('subject', validate($_POST['subject'], 'subject'), true, false);
 				$newticket->Set('priority', validate($_POST['priority'], 'priority'), true, false);
 				$newticket->Set('category', validate($_POST['category'], 'category'), true, false);
-				$newticket->Set('customer', validate($_POST['customer'], 'customer'), true, false);
+				$newticket->Set('customer', (int)$_POST['customer'], true, false);
 				$newticket->Set('message', validate(str_replace("\r\n", "\n", $_POST['message']), 'message', '/^[^\0]*$/'), true, false);

 				if($newticket->Get('subject') == null)
--- a/lib/classes/ticket/class.ticket.php
+++ b/lib/classes/ticket/class.ticket.php
@@ -706,11 +706,11 @@ class ticket
 			{
 				if(strtolower($_var) == 'message')
 				{
-					return str_replace('script>', 'pre>', htmlspecialchars_decode(nl2br($this->t_data[$_var])));
+					return $this->_removeBadTags(htmlspecialchars_decode(nl2br($this->t_data[$_var])));
 				}
 				elseif(strtolower($_var) == 'subject')
 				{
-					return str_replace('script>', 'pre>', htmlspecialchars_decode(nl2br($this->t_data[$_var])));
+					return $this->_removeBadTags(htmlspecialchars_decode(nl2br($this->t_data[$_var])));
 				}
 				else
 				{
@@ -751,6 +751,30 @@ class ticket
 			$this->t_data[$_var] = $_value;
 		}
 	}
+	
+	/**
+	 * removes unwanted HTML-tags from a string
+	 * 
+	 * @param string $s string to be cleaned
+	 * 
+	 * @return string cleaned string
+	 */
+	function _removeBadTags($str = null)
+	{
+		$tags = array('script', 'noframes', 'iframe');
+    		$content = '';
+		$stripContent = false;
+    		if(!is_array($tags)) {
+        		$tags = (strpos($str, '>') !== false ? explode('>', str_replace('<', '', $tags)) : array($tags));
+        		if(end($tags) == '') array_pop($tags);
+   		}
+    		foreach($tags as $tag) {
+        		if ($stripContent)
+            			 $content = '(.+</'.$tag.'[^>]*>|)';
+        		 $str = preg_replace('#</?'.$tag.'[^>]*>'.$content.'#is', '', $str);
+    		}
+    		return $str; 
+	}
 }

 ?>