author | Luke Shumaker <lukeshu@sbcglobal.net> | 2011-09-25 16:20:30 -0700 |
committer | Luke Shumaker <lukeshu@sbcglobal.net> | 2011-09-25 16:20:30 -0700 |
commit | d6dc8873e370c116fe332dc44beb34624fd5dc4e (patch) | |
tree | cf063412bf08d673b78ca7b679f4bc22c980b30d /xss-check.php.sample | |
parent | 514d9393ff9d7752426aaaa9b840ee1f94229491 (diff) |
Make xss-check.php.sample use all regex
Diffstat (limited to 'xss-check.php.sample')
-rw-r--r-- | xss-check.php.sample | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/xss-check.php.sample b/xss-check.php.sample
index bfc7973..d68b3cb 100644
--- a/xss-check.php.sample
+++ b/xss-check.php.sample
@@ -19,8 +19,8 @@
 * inside of "baseurl" might not be trusted (like email body files). */
 function xss_attack() {
- $siteurl = 'http://mckenzierobotics.org/';// basic trusted base
- $mmurl = $siteurl.'mm/';// where MessageManager is
+ $siteurl_re = '^https?://(www\.)?mckenzierobotics\.org/';// basic trusted base
+ $mmurl_re = $siteurl.'mm/';// where MessageManager is
 if (!isset($_SERVER['HTTP_REFERER']))
 return false;
@@ -36,11 +36,11 @@ function xss_attack() {
 default: break; }
- if (substr($from,0,strlen($siteurl)) != $siteurl)
+ if (!preg_match('@'.$siteurl_re.'@', $from))
 return true;
- $messages = '@^'.preg_quote($mmurl.'messages/','@').'.*/.@';
- if (preg_match($messages, $from))
+ $messages_re = '@'.preg_quote($mmurl.'messages/','@').'.*/.@';
+ if (preg_match($messages_re, $from))
 // Someone cleverly tried to XSS us from inside a message
 return true; |
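Review bot: `$mmurl_re = $siteurl.'mm/';` in the first hunk reads the variable the same hunk just renamed away, so `$mmurl_re` is built from an undefined `$siteurl` and collapses to `'mm/'`; the second hunk's `$messages_re = '@'.preg_quote($mmurl.'messages/','@').'.*/.@';` has the same stale reference to the old `$mmurl`, and additionally still runs `preg_quote()` over what is now meant to be a regex fragment while dropping the `^` anchor the old `$messages` pattern had. The net effect is that the message-body check becomes an unanchored `@messages/.*/.@` that fires on any referrer containing `messages/`, rather than only on MessageManager message URLs under the trusted base, while the `$siteurl_re` check is the only part that actually ties the referrer to the trusted host. Suggest `$mmurl_re = $siteurl_re.'mm/';` in the first hunk and `$messages_re = '@'.$mmurl_re.'messages/.*/.@';` in the second, so the `^` anchor inherited from `$siteurl_re` carries through and no quoting is applied to the pattern. xss_attack() continues between and beyond both hunks, so where `$from` is derived from `HTTP_REFERER` is not visible here.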