author | Christian Schneider | 2007-05-31 14:26:33 +0000 |
---|---|---|
committer | Christian Schneider | 2007-05-31 14:26:33 +0000 |
commit | d4f1cdd77775a1af2139d82207d6ed0248b860a5 (patch) | |
tree | e7fb38a20492e5b8c8750a0244a86314b905b607 /banner/banner.class | |
parent | f11576b2077d5d95a2d0dd59c523d655326eed0c (diff) | |
Fix XSS possibility and var visibility
Diffstat (limited to 'banner/banner.class')
-rw-r--r-- | banner/banner.class | 74 |
1 files changed, 26 insertions, 48 deletions
diff --git a/banner/banner.class b/banner/banner.class
index 37ae213..b0b241a 100644
--- a/banner/banner.class
+++ b/banner/banner.class
@@ -213,75 +213,53 @@ function render_banner($banner, $nocount = false)
     $banner['width'] = $this->p['width'];
     if ($this->p['height'])
         $banner['height'] = $this->p['height'];
-    $l = $banner['locationid'];
-    if (strlen($banner['matchingkeyword']) + strlen($banner['matchingcategory']) + strlen($banner['matchingregion']) + strlen($banner['language']) > 0)
-        $l .= "|" . $banner['matchingkeyword'];
-    if (strlen($banner['matchingcategory']) + strlen($banner['matchingregion']) + strlen($banner['language']) > 0)
-        $l .= "|" . $banner['matchingcategory'];
-    if (strlen($banner['matchingregion']) + strlen($banner['language']) > 0)
-        $l .= "|" . $banner['matchingregion'];
-    if (strlen($banner['language']) > 0)
-        $l .= "|" . $banner['language'];
-    $l = str_replace("/", "_", $l);
-
-    $rand = $this->rand;
+
+    $l = it::replace("/" => "_", rtrim($banner['locationid'] . "|" . $banner['matchingkeyword'] . "|" . $banner['matchingcategory'] . "|" . $banner['matchingregion'] . "|" . $banner['language'], "|"));
     $pathinfo = "/c=" . $banner['campaignid'] . ":" . urlencode($banner['campaignname']) . "/b=" . $banner['bannerid'] . ":" . urlencode($banner['bannername']) . "/l=" . urlencode($l);
     $nocountinfo = $nocount ? "/nocount=1" : "";
-    $viewpre = $this->p['server'] . "view.html$pathinfo$nocountinfo/img=";
-    $clickpre = $this->p['server'] . "click.html$pathinfo/url=";
-    $clickpreenc = urlencode($clickpre);
-    $auditurl = $viewpre . "empty.gif";
-
-    $keyword = $this->p['keyword'];
-    $keyword = preg_replace('/<country_[^>]*>/', '', $keyword);
-    $keyword = ereg_replace('\]\[', ' ', $keyword);
-    $keyword = ereg_replace('^\[ +', '', $keyword);
-    $keyword = ereg_replace(' +\]$', '', $keyword);
-    $keywordhtml = htmlentities(substr($keyword, 0, 30));
-    $keywordurl = urlencode($keyword);
-
-    extract($this->p['vars'], EXTR_SKIP);
-
-    while (eregi("__([a-z]*)__", $banner['alttext'], $r))
-        $banner['alttext'] = str_replace($r[0], ${strtolower($r[1])}, $banner['alttext']);
-    while (eregi("__([a-z]*)__", $banner['extraline'], $r))
-        $banner['extraline'] = str_replace($r[0], ${strtolower($r[1])}, $banner['extraline']);
-    while (eregi("__([a-z]*)__", $banner['path'], $r))
-        $banner['path'] = str_replace($r[0], ${strtolower($r[1])}, $banner['path']);
-    while (eregi("__([a-z]*)__", $banner['url'], $r))
-        $banner['url'] = str_replace($r[0], ${strtolower($r[1])}, $banner['url']);
-    $viewurl = $viewpre . $banner['path'];
-    $clickurl = $clickpre . $banner['url'];
-    while (eregi("__([a-z]*)__", $banner['data'], $r))
-        $banner['data'] = str_replace($r[0], ${strtolower($r[1])}, $banner['data']);
+    $keyword = it::replace('<country_[^>]*>' => "", '\]\[' => "", '^\[ +' => "", ' +\]$' => "", $this->p['keyword']);
+    $vars = array(
+        'viewpre' => $this->p['server'] . "view.html$pathinfo$nocountinfo/img=",
+        'clickpre' => $this->p['server'] . "click.html$pathinfo/url=",
+        'clickpreenc' => urlencode($clickpre),
+        'auditurl' => $viewpre . "empty.gif",
+        'keyword' => $keyword,
+        'keywordhtml' => substr($keyword, 0, 30),
+        'keywordurl' => urlencode($keyword),
+        'viewurl' => $viewpre . $banner['path'],
+        'clickurl' => $clickpre . $banner['url'],
+        'rand' => $this->rand,
+    ) + $this->p['vars'];
+
+    foreach (array('alttext', 'extraline', 'path', 'url', 'data') as $field)
+    {
+        while ($var = it::match("__([a-z]+)__", $banner[$field]))
+            $banner[$field] = str_replace("__{$var}__", htmlspecialchars($vars[strtolower($var)]), $banner[$field]);
+    }
     switch ($banner['type'])
     {
         case 0:
-            if (eregi('&', $viewurl) && !eregi('&[a-z]+;', $viewurl))
-                $viewurl = htmlspecialchars($viewurl);
-
-            if (eregi('&', $clickurl) && !eregi('&[a-z]+;', $clickurl))
-                $clickurl = htmlspecialchars($clickurl);
-
             if($banner['url'] != 'http://')
             {
-                $linkstart = "<a href=\"$clickurl\" target=\"" . urlencode($this->p['target']) . "\">";
+                $linkstart = "<a href=\"" . htmlspecialchars($vars['clickurl']) ."\" target=\"" . htmlspecialchars($this->p['target']) . "\">";
                 $linkend = "</a>";
             }
-            echo "$linkstart<img src=\"$viewurl\" alt=\"" . $banner['alttext'] . "\" width=\"" . $banner['width'] . "\" height=\"" . $banner['height'] . "\" border=\"0\" />$linkend";
+            echo "$linkstart<img src=\"" . htmlspecialchars($vars['viewurl']) . "\" alt=\"" . $banner['alttext'] . "\" width=\"" . $banner['width'] . "\" height=\"" . $banner['height'] . "\" border=\"0\" />$linkend";
             if (strlen($banner['extraline']) > 0)
                 echo "<br />$linkstart" . $banner['extraline'] . $linkend;
             if (strlen($banner['extraline']) == 0 && $this->p['addextraline'])
                 echo "<br /> ";
-            break;
+            break;
+
         case 1: echo $banner['data']; break;
+        case 2: if ($this->p['enablephpbanners']) eval("?>" . $banner['data']);
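Review bot: The new `$vars` array reads `$viewpre` and `$clickpre` for `clickpreenc`, `auditurl`, `viewurl` and `clickurl`, but the locals of those names were removed in this same hunk and array keys do not create variables, so unless they are assigned earlier in render_banner (outside the hunk) both prefixes are empty and the click link degrades to the bare `$banner['url']`. The array also captures `$banner['path']` and `$banner['url']` before the `foreach` expands their `__var__` placeholders, whereas the removed code expanded them first; and those two fields are URL text that the `echo` already passes through `htmlspecialchars()`, so substituting HTML-escaped values into them double-escapes any `&`. On the escaping itself, `htmlspecialchars()` with its default flags leaves single quotes alone, so a placeholder inside a single-quoted attribute in banner markup remains injectable; `ENT_QUOTES` closes that. The keyword cleanup also changes the `][` replacement from `' '` to `""`, which may be unintended. The rewrite below defines the prefixes, expands the URL fields first and escapes the HTML fields with both quote styles; render_banner continues past the end of the hunk.
```php
$viewpre = $this->p['server'] . "view.html$pathinfo$nocountinfo/img=";
$clickpre = $this->p['server'] . "click.html$pathinfo/url=";
$vars = array(
    'viewpre' => $viewpre,
    'clickpre' => $clickpre,
    'clickpreenc' => urlencode($clickpre),
    'auditurl' => $viewpre . "empty.gif",
    // … unchanged: keyword, keywordhtml, keywordurl, rand entries …
) + $this->p['vars'];

// URL fields first: they are not HTML here (the echo escapes the whole URL),
// and the tracking URLs must be built from the expanded values, as before.
foreach (array('path', 'url') as $field)
    while ($var = it::match("__([a-z]+)__", $banner[$field]))
        $banner[$field] = str_replace("__{$var}__", $vars[strtolower($var)], $banner[$field]);

$vars['viewurl'] = $viewpre . $banner['path'];
$vars['clickurl'] = $clickpre . $banner['url'];

// HTML fields: escape both quote styles, banner attributes may be single-quoted.
foreach (array('alttext', 'extraline', 'data') as $field)
    while ($var = it::match("__([a-z]+)__", $banner[$field]))
        $banner[$field] = str_replace("__{$var}__", htmlspecialchars($vars[strtolower($var)], ENT_QUOTES), $banner[$field]);

// … unchanged: switch ($banner['type']) …
```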