From 6a6b3f90f36293a40cba091c3ac387abb64f3c1a Mon Sep 17 00:00:00 2001
From: Bharat Mediratta
Date: Mon, 14 May 2012 21:54:41 -0700
Subject: Verify that where() clauses are well formed. Fixes #1865.
---
 system/libraries/Database_Builder.php | 8 ++++++++
 1 file changed, 8 insertions(+)
(limited to 'system')
diff --git a/system/libraries/Database_Builder.php b/system/libraries/Database_Builder.php
index e86ce379..553ffd98 100644
--- a/system/libraries/Database_Builder.php
+++ b/system/libraries/Database_Builder.php
@@ -190,6 +190,8 @@ class Database_Builder_Core {
 {
 foreach ($columns as $column)
 {
+ if (count($column) != 3)
+ throw new Database_Exception('Column triplets require a column, op and value');
 $this->where[] = array('AND' => $column);
 }
 }
@@ -216,6 +218,8 @@ class Database_Builder_Core {
 {
 foreach ($columns as $column)
 {
+ if (count($column) != 3)
+ throw new Database_Exception('Column triplets require a column, op and value');
 $this->where[] = array('OR' => $column);
 }
 }
@@ -422,6 +426,8 @@ class Database_Builder_Core {
 {
 foreach ($columns as $column)
 {
+ if (count($column) != 3)
+ throw new Database_Exception('Column triplets require a column, op and value');
 $this->having[] = array('AND' => $column);
 }
 }
@@ -447,6 +453,8 @@ class Database_Builder_Core {
 {
 foreach ($columns as $column)
 {
+ if (count($column) != 3)
+ throw new Database_Exception('Column triplets require a column, op and value');
 $this->having[] = array('OR' => $column);
 }
 }
-- 
cgit v1.2.3
From 0d5187eadf3e19729c6aa25c3bf30d2787fd66a3 Mon Sep 17 00:00:00 2001
From: Bharat Mediratta
Date: Tue, 15 May 2012 09:33:43 -0700
Subject: Revert "Verify that where() clauses are well formed. Fixes #1865."
This reverts commit 6a6b3f90f36293a40cba091c3ac387abb64f3c1a.
---
 modules/kohana23_compat/libraries/MY_Database_Builder.php | 6 ------
 system/libraries/Database_Builder.php | 8 --------
 2 files changed, 14 deletions(-)
(limited to 'system')
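Review bot: The added guard checks only the element count, so a three-element array whose keys are not 0, 1, 2 still passes and will fail later wherever the triplet is read positionally, as the compat module's `$tuple[0], $tuple[1], $tuple[2]` callers do; I cannot see how the core compiles the stored `$this->where`/`$this->having` entries, so confirm whether key shape matters there. On the PHP of this era `count()` of a scalar returns 1, so a stray string element is rejected but with a misleading message, while current PHP raises its own TypeError before the intended exception — `if ( ! is_array($column) OR count($column) != 3)` covers both. The same two lines are pasted into all four hunks (this one and those at 216, 422 and 447); routing them through one protected helper keeps the rule and the message from drifting between the AND/OR where and having paths. The enclosing methods start and end outside each hunk.
```php
// … unchanged: foreach ($columns as $column) …
			$this->check_column_triplet($column);
			$this->where[] = array('AND' => $column);
// … unchanged: rest of the method; same one-line call replaces the guard in the other three hunks …

	/**
	 * Rejects an array element that is not a (column, op, value) triplet.
	 *
	 * @param   mixed  $column  element taken from the where()/having() array form
	 * @throws  Database_Exception  when $column is not a 3-element array
	 */
	protected function check_column_triplet($column)
	{
		if ( ! is_array($column) OR count($column) != 3)
			throw new Database_Exception('Column triplets require a column, op and value');
	}
```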
diff --git a/modules/kohana23_compat/libraries/MY_Database_Builder.php b/modules/kohana23_compat/libraries/MY_Database_Builder.php
index 54429ab1..0b9dbe28 100644
--- a/modules/kohana23_compat/libraries/MY_Database_Builder.php
+++ b/modules/kohana23_compat/libraries/MY_Database_Builder.php
@@ -25,9 +25,6 @@ class Database_Builder extends Database_Builder_Core {
 public function merge_where($tuples) {
 if ($tuples) {
 foreach ($tuples as $tuple) {
- if (count($tuple) != 3) {
- throw new Database_Exception("Column triplets require a column, op and value");
- }
 $this->where($tuple[0], $tuple[1], $tuple[2]);
 }
 }
@@ -41,9 +38,6 @@ class Database_Builder extends Database_Builder_Core {
 public function merge_or_where($tuples) {
 if ($tuples) {
 foreach ($tuples as $tuple) {
- if (count($tuple) != 3) {
- throw new Database_Exception("Column triplets require a column, op and value");
- }
 $this->or_where($tuple[0], $tuple[1], $tuple[2]);
 }
 }
diff --git a/system/libraries/Database_Builder.php b/system/libraries/Database_Builder.php
index 553ffd98..e86ce379 100644
--- a/system/libraries/Database_Builder.php
+++ b/system/libraries/Database_Builder.php
@@ -190,8 +190,6 @@ class Database_Builder_Core {
 {
 foreach ($columns as $column)
 {
- if (count($column) != 3)
- throw new Database_Exception('Column triplets require a column, op and value');
 $this->where[] = array('AND' => $column);
 }
 }
@@ -218,8 +216,6 @@ class Database_Builder_Core {
 {
 foreach ($columns as $column)
 {
- if (count($column) != 3)
- throw new Database_Exception('Column triplets require a column, op and value');
 $this->where[] = array('OR' => $column);
 }
 }
@@ -426,8 +422,6 @@ class Database_Builder_Core {
 {
 foreach ($columns as $column)
 {
- if (count($column) != 3)
- throw new Database_Exception('Column triplets require a column, op and value');
 $this->having[] = array('AND' => $column);
 }
 }
@@ -453,8 +447,6 @@ class Database_Builder_Core {
 {
 foreach ($columns as $column)
 {
- if (count($column) != 3)
- throw new Database_Exception('Column triplets require a column, op and value');
 $this->having[] = array('OR' => $column);
 }
 }
-- 
cgit v1.2.3
From d095022c601539258940a1774a477c20becd5b0f Mon Sep 17 00:00:00 2001
From: Bharat Mediratta
Date: Sat, 19 May 2012 11:47:27 -0700
Subject: Filter out all style attributes - we don't want them. Further fix for #1849.
---
 system/libraries/Input.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
(limited to 'system')
diff --git a/system/libraries/Input.php b/system/libraries/Input.php
index 2bef3ff4..fa984a88 100644
--- a/system/libraries/Input.php
+++ b/system/libraries/Input.php
@@ -356,10 +356,10 @@ class Input_Core {
 $data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*v[\x00-\x20]*b[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2novbscript...', $data);
 $data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*-moz-binding[\x00-\x20]*:#u', '$1=$2nomozbinding...', $data);
 
- // Only works in IE:
- $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?expression[\x00-\x20]*\([^>]*+>#i', '$1>', $data);
- $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?behaviour[\x00-\x20]*\([^>]*+>#i', '$1>', $data);
- $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:*[^>]*+>#iu', '$1>', $data);
+ //remove any style attributes, IE allows too much stupid things in them, eg.
+ //
+ // and in general you really don't want style declarations in your UGC
+ $data = preg_replace('#(<[^>]+[\x00-\x20\"\'\/])style[^>]*>#iUu', "$1>", $data);
 
 // Remove namespaced elements (we do not need them)
 $data = preg_replace('#]*+>#i', '', $data);
-- 
cgit v1.2.3
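Review bot: The replacement argument on the new `preg_replace` line is the double-quoted `"$1>"`, while every other call in this hunk passes `'$1>'`; it only works because `$1` is not a valid PHP variable name, so write `'$1>'` for consistency and so the backreference is not mistaken for interpolation. The pattern's notion of where a tag ends (`[^>]`) is not an HTML parser's, so this pass is still a best-effort blacklist like the three regexes it replaces rather than a guarantee that no style attribute reaches the output; an allowlist-based HTML sanitiser is the durable fix if that guarantee is needed. The filter is also lossy in a way the comment should say: once `style` is matched, everything up to the closing `>` — including any later, harmless attributes — is discarded, e.g. `// strips the style attribute and every attribute after it in the same tag`. The middle `//` comment line appears to have lost its example tag in this rendering, and the enclosing method starts and ends outside the hunk.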