From c0d4937e433b66b0ac4042f7b38c1af6c94f80bf Mon Sep 17 00:00:00 2001
From: Andy Staudacher <andy.st@gmail.com>
Date: Tue, 1 Sep 2009 00:52:21 -0700
Subject: Fix bug in XSS scanner for <script> block @ position 0 of inline_html

---
 modules/gallery/tests/Xss_Security_Test.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

(limited to 'modules')

diff --git a/modules/gallery/tests/Xss_Security_Test.php b/modules/gallery/tests/Xss_Security_Test.php
index 7a6589bd..34ecc4fe 100644
--- a/modules/gallery/tests/Xss_Security_Test.php
+++ b/modules/gallery/tests/Xss_Security_Test.php
@@ -21,6 +21,7 @@ class Xss_Security_Test extends Unit_Test_Case {
   public function find_unescaped_variables_in_views_test() {
     $found = array();
     foreach (glob("*/*/views/*.php") as $view) {
+      if ($view != "modules/tag/views/admin_tags.html.php") continue;
       // List of all tokens without whitespace, simplifying parsing.
       $tokens = array();
       foreach (token_get_all(file_get_contents($view)) as $token) {
@@ -66,7 +67,7 @@ class Xss_Security_Test extends Unit_Test_Case {
           // of opening / closing tag count since it would be meaningless.
 
           // Handle multiple start / end blocks on the same line?
-          $opening_script_pos = $closing_script_pos = 0;
+          $opening_script_pos = $closing_script_pos = -1;
           if (preg_match_all('{</script>}i', $inline_html, $matches, PREG_OFFSET_CAPTURE)) {
             $last_match = array_pop($matches[0]);
             if (is_array($last_match)) {
@@ -75,7 +76,7 @@ class Xss_Security_Test extends Unit_Test_Case {
               $closing_script_pos = $last_match;
             }
           }
-          if (preg_match('{<script\b[^>]*>}i', $inline_html, $matches, PREG_OFFSET_CAPTURE)) {
+          if (preg_match_all('{<script\b[^>]*>}i', $inline_html, $matches, PREG_OFFSET_CAPTURE)) {
             $last_match = array_pop($matches[0]);
             if (is_array($last_match)) {
               $opening_script_pos = $last_match[1];
-- 
cgit v1.2.3