diff options
| author | Andy Staudacher <andy.st@gmail.com> | 2009-09-01 00:52:21 -0700 |
|---|---|---|
| committer | Andy Staudacher <andy.st@gmail.com> | 2009-09-01 00:52:21 -0700 |
| commit | c0d4937e433b66b0ac4042f7b38c1af6c94f80bf (patch) | |
| tree | 46cbd319c98a7c5f591092fa5dfe962c1a665bf6 | |
| parent | 285e2b9cbeddb241655e42f824b5dadec94445c4 (diff) | |
Fix bug in XSS scanner for <script> block @ position 0 of inline_html
| -rw-r--r-- | modules/gallery/tests/Xss_Security_Test.php | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/modules/gallery/tests/Xss_Security_Test.php b/modules/gallery/tests/Xss_Security_Test.php index 7a6589bd..34ecc4fe 100644 --- a/modules/gallery/tests/Xss_Security_Test.php +++ b/modules/gallery/tests/Xss_Security_Test.php @@ -21,6 +21,7 @@ class Xss_Security_Test extends Unit_Test_Case { public function find_unescaped_variables_in_views_test() { $found = array(); foreach (glob("*/*/views/*.php") as $view) { + if ($view != "modules/tag/views/admin_tags.html.php") continue; // List of all tokens without whitespace, simplifying parsing. $tokens = array(); foreach (token_get_all(file_get_contents($view)) as $token) { @@ -66,7 +67,7 @@ class Xss_Security_Test extends Unit_Test_Case { // of opening / closing tag count since it would be meaningless. // Handle multiple start / end blocks on the same line? - $opening_script_pos = $closing_script_pos = 0; + $opening_script_pos = $closing_script_pos = -1; if (preg_match_all('{</script>}i', $inline_html, $matches, PREG_OFFSET_CAPTURE)) { $last_match = array_pop($matches[0]); if (is_array($last_match)) { @@ -75,7 +76,7 @@ class Xss_Security_Test extends Unit_Test_Case { $closing_script_pos = $last_match; } } - if (preg_match('{<script\b[^>]*>}i', $inline_html, $matches, PREG_OFFSET_CAPTURE)) { + if (preg_match_all('{<script\b[^>]*>}i', $inline_html, $matches, PREG_OFFSET_CAPTURE)) { $last_match = array_pop($matches[0]); if (is_array($last_match)) { $opening_script_pos = $last_match[1]; |