authorChristian Schneider2007-05-31 14:26:33 +0000
committerChristian Schneider2007-05-31 14:26:33 +0000
commitd4f1cdd77775a1af2139d82207d6ed0248b860a5 (patch)
treee7fb38a20492e5b8c8750a0244a86314b905b607 /banner/banner.class
parentf11576b2077d5d95a2d0dd59c523d655326eed0c (diff)
Fix XSS possibility and var visibility
Diffstat (limited to 'banner/banner.class')
-rw-r--r--banner/banner.class74
1 files changed, 26 insertions, 48 deletions
diff --git a/banner/banner.class b/banner/banner.class
index 37ae213..b0b241a 100644
--- a/banner/banner.class
+++ b/banner/banner.class
@@ -213,75 +213,53 @@ function render_banner($banner, $nocount = false)
$banner['width'] = $this->p['width'];
if ($this->p['height'])
$banner['height'] = $this->p['height'];
- $l = $banner['locationid'];
- if (strlen($banner['matchingkeyword']) + strlen($banner['matchingcategory']) + strlen($banner['matchingregion']) + strlen($banner['language']) > 0)
- $l .= "|" . $banner['matchingkeyword'];
- if (strlen($banner['matchingcategory']) + strlen($banner['matchingregion']) + strlen($banner['language']) > 0)
- $l .= "|" . $banner['matchingcategory'];
- if (strlen($banner['matchingregion']) + strlen($banner['language']) > 0)
- $l .= "|" . $banner['matchingregion'];
- if (strlen($banner['language']) > 0)
- $l .= "|" . $banner['language'];
- $l = str_replace("/", "_", $l);
-
- $rand = $this->rand;
+
+ $l = it::replace("/" => "_", rtrim($banner['locationid'] . "|" . $banner['matchingkeyword'] . "|" . $banner['matchingcategory'] . "|" . $banner['matchingregion'] . "|" . $banner['language'], "|"));
$pathinfo = "/c=" . $banner['campaignid'] . ":" . urlencode($banner['campaignname']) . "/b=" . $banner['bannerid'] . ":" . urlencode($banner['bannername']) . "/l=" . urlencode($l);
$nocountinfo = $nocount ? "/nocount=1" : "";
- $viewpre = $this->p['server'] . "view.html$pathinfo$nocountinfo/img=";
- $clickpre = $this->p['server'] . "click.html$pathinfo/url=";
- $clickpreenc = urlencode($clickpre);
- $auditurl = $viewpre . "empty.gif";
-
- $keyword = $this->p['keyword'];
- $keyword = preg_replace('/<country_[^>]*>/', '', $keyword);
- $keyword = ereg_replace('\]\[', ' ', $keyword);
- $keyword = ereg_replace('^\[ +', '', $keyword);
- $keyword = ereg_replace(' +\]$', '', $keyword);
- $keywordhtml = htmlentities(substr($keyword, 0, 30));
- $keywordurl = urlencode($keyword);
-
- extract($this->p['vars'], EXTR_SKIP);
-
- while (eregi("__([a-z]*)__", $banner['alttext'], $r))
- $banner['alttext'] = str_replace($r[0], ${strtolower($r[1])}, $banner['alttext']);
- while (eregi("__([a-z]*)__", $banner['extraline'], $r))
- $banner['extraline'] = str_replace($r[0], ${strtolower($r[1])}, $banner['extraline']);
- while (eregi("__([a-z]*)__", $banner['path'], $r))
- $banner['path'] = str_replace($r[0], ${strtolower($r[1])}, $banner['path']);
- while (eregi("__([a-z]*)__", $banner['url'], $r))
- $banner['url'] = str_replace($r[0], ${strtolower($r[1])}, $banner['url']);
- $viewurl = $viewpre . $banner['path'];
- $clickurl = $clickpre . $banner['url'];
- while (eregi("__([a-z]*)__", $banner['data'], $r))
- $banner['data'] = str_replace($r[0], ${strtolower($r[1])}, $banner['data']);
+ $keyword = it::replace('<country_[^>]*>' => "", '\]\[' => "", '^\[ +' => "", ' +\]$' => "", $this->p['keyword']);
+ $vars = array(
+ 'viewpre' => $this->p['server'] . "view.html$pathinfo$nocountinfo/img=",
+ 'clickpre' => $this->p['server'] . "click.html$pathinfo/url=",
+ 'clickpreenc' => urlencode($clickpre),
+ 'auditurl' => $viewpre . "empty.gif",
+ 'keyword' => $keyword,
+ 'keywordhtml' => substr($keyword, 0, 30),
+ 'keywordurl' => urlencode($keyword),
+ 'viewurl' => $viewpre . $banner['path'],
+ 'clickurl' => $clickpre . $banner['url'],
+ 'rand' => $this->rand,
+ ) + $this->p['vars'];
+
+ foreach (array('alttext', 'extraline', 'path', 'url', 'data') as $field)
+ {
+ while ($var = it::match("__([a-z]+)__", $banner[$field]))
+ $banner[$field] = str_replace("__{$var}__", htmlspecialchars($vars[strtolower($var)]), $banner[$field]);
+ }
switch ($banner['type'])
{
case 0:
- if (eregi('&', $viewurl) && !eregi('&[a-z]+;', $viewurl))
- $viewurl = htmlspecialchars($viewurl);
-
- if (eregi('&', $clickurl) && !eregi('&[a-z]+;', $clickurl))
- $clickurl = htmlspecialchars($clickurl);
-
if($banner['url'] != 'http://')
{
- $linkstart = "<a href=\"$clickurl\" target=\"" . urlencode($this->p['target']) . "\">";
+ $linkstart = "<a href=\"" . htmlspecialchars($vars['clickurl']) ."\" target=\"" . htmlspecialchars($this->p['target']) . "\">";
$linkend = "</a>";
}
- echo "$linkstart<img src=\"$viewurl\" alt=\"" . $banner['alttext'] . "\" width=\"" . $banner['width'] . "\" height=\"" . $banner['height'] . "\" border=\"0\" />$linkend";
+ echo "$linkstart<img src=\"" . htmlspecialchars($vars['viewurl']) . "\" alt=\"" . $banner['alttext'] . "\" width=\"" . $banner['width'] . "\" height=\"" . $banner['height'] . "\" border=\"0\" />$linkend";
if (strlen($banner['extraline']) > 0)
echo "<br />$linkstart" . $banner['extraline'] . $linkend;
if (strlen($banner['extraline']) == 0 && $this->p['addextraline'])
echo "<br />&nbsp;";
- break;
+ break;
+
case 1:
echo $banner['data'];
break;
+
case 2:
if ($this->p['enablephpbanners'])
eval("?>" . $banner['data']);