[cvs] commit: framework/Text_Filter/Filter xss.php

Chuck Hagenbuch chuck at horde.org
Fri Mar 21 05:17:28 UTC 2008


Yar - nice detective work, anyway...

Quoting Michael M Slusarz <slusarz at horde.org>:

> slusarz     2008-03-21 01:13:27 EDT
>
>   Modified files:
>     Text_Filter/Filter   xss.php
>   Log:
>   As of PHP 5.2 PHP established a backtrack limit on PCRE expressions.  This
>   backtrack limit is fairly small (100,000 characters by default), so long
>   matching strings could potentially fail.  The worst part is, instead of
>   returning the original string, preg_* funcs return null and output no
>   error messages - you must use the preg_last_error() func (new as of PHP 5.2)
>   to determine the issue.
>
>   This is a long way of describing the issue seen here with certain HTML
>   messages when viewed inline.  The check for a body/html tag in the XSS
>   filter was doing excessive backtrack if no body/html was found in the
>   message.  These messages occurred more often in tidy-cleaned messages since
>   tidy is configured in IMP to remove body/html tags already.  The solution
>   (I think): use a once-only subpattern to indicate that the entire tag string
>   must be matched and don't do backtracking if not (see the PHP PCRE Pattern
>   Syntax page for more information).
>
>   This is a useful note for all devs in the future when dealing with a PCRE
>   expression that isn't matching anything but returns null.  It only took me
>   2 hours to figure this out :(
>
>   Revision  Changes    Path
>   1.13      +2 -2      framework/Text_Filter/Filter/xss.php
>
>   Chora Links:
>   http://cvs.horde.org/diff.php/framework/Text_Filter/Filter/xss.php?r1=1.12&r2=1.13&ty=u



-chuck
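
The failure mode described in the commit log, as an added example (not Horde's code and not part of the original messages): a filter that calls preg_replace() must treat null as "the engine gave up" and withhold the message rather than display it unfiltered. The two patterns, the filter_or_fail() helper and the sample messages are constructed for illustration; the first pattern backtracks exponentially on a tag-less message, the second wraps the text run in a once-only subpattern.

```php
<?php
// Added example: patterns, helper and samples are constructed, not Horde's.
ini_set('pcre.backtrack_limit', '100000'); // the figure cited in the commit log

// Hypothetical "strip everything up to the opening body/html tag" pattern.
// Its inner [^<>]+ can split one run of text in exponentially many ways.
const STRIP_BACKTRACKING = '/^(?:[^<>]+|<[^<>]*>)*<(?:body|html)[^>]*>/i';
// Same pattern with the text run as a once-only subpattern: all or nothing.
const STRIP_ONCE_ONLY = '/^(?:(?>[^<>]+)|<[^<>]*>)*<(?:body|html)[^>]*>/i';

// Hypothetical helper: returns [filtered string or null, PCRE error code].
function filter_or_fail($pattern, $html)
{
    $out = preg_replace($pattern, '', $html);
    if ($out === null) {
        // No warning is raised on failure, so the error has to be asked for.
        return [null, preg_last_error()];
    }
    return [$out, PREG_NO_ERROR];
}

// Constructed samples: one without body/html tags (as tidy leaves it), one with.
$samples = [
    'no wrapper'   => 'The message body was cleaned and has no html wrapper at all <p>hello</p>',
    'with wrapper' => '<html><body class="x"><p>hello</p>',
];

foreach ($samples as $label => $html) {
    foreach (['backtracking' => STRIP_BACKTRACKING, 'once-only' => STRIP_ONCE_ONLY] as $name => $pattern) {
        [$out, $err] = filter_or_fail($pattern, $html);
        if ($out === null) {
            // Fail closed: show nothing rather than the unfiltered message.
            $why = $err === PREG_BACKTRACK_LIMIT_ERROR ? 'backtrack limit hit' : "PCRE error $err";
            echo "$label / $name: filter failed ($why), message withheld\n";
        } else {
            echo "$label / $name: $out\n";
        }
    }
}
```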

