This is now patched in the trunk of the SVN... No more slash apostrophe, or slash quote
the two files that changed are
le="color: #000000"><?php /htdocs/class/model/write.php /htdocs/kernel/object.php
This is the new cleanVars function in
/htdocs/kernel/object.phple="color: #000000"><?php /** * clean values of all variables of the object for storage. * also add slashes whereever needed * * @return bool true if successful * @access public */ function cleanVars() { $ts =& MyTextSanitizer::getInstance(); $existing_errors = $this->getErrors(); $this->_errors = array(); foreach ($this->vars as $k => $v) { $cleanv = $v['value']; if (!$v['changed']) { } else { $cleanv = is_string($cleanv) ? trim($cleanv) : $cleanv; switch ($v['data_type']) { case XOBJ_DTYPE_TXTBOX: if ($v['required'] && $cleanv != '0' && $cleanv == '') { $this->setErrors(sprintf(_XOBJ_ERR_REQUIRED, $k)); continue; } if (isset($v['maxlength']) && strlen($cleanv) > intval($v['maxlength'])) { $this->setErrors(sprintf(_XOBJ_ERR_SHORTERTHAN, $k, intval($v['maxlength']))); continue; } if (!$v['not_gpc']) { $cleanv = $ts->stripSlashesGPC($ts->censorString($cleanv)); } else { $cleanv = $ts->censorString($cleanv); } break; case XOBJ_DTYPE_TXTAREA: if ($v['required'] && $cleanv != '0' && $cleanv == '') { $this->setErrors(sprintf(_XOBJ_ERR_REQUIRED, $k)); continue; } if (!$v['not_gpc']) { $cleanv = $ts->stripSlashesGPC($ts->censorString($cleanv)); } else { $cleanv = $ts->censorString($cleanv); } break; case XOBJ_DTYPE_SOURCE: if (!$v['not_gpc']) { $cleanv = $ts->stripSlashesGPC($cleanv); } else { $cleanv = $cleanv; } break; case XOBJ_DTYPE_INT: $cleanv = intval($cleanv); break; case XOBJ_DTYPE_EMAIL: if ($v['required'] && $cleanv == '') { $this->setErrors(sprintf(_XOBJ_ERR_REQUIRED, $k)); continue; } if ($cleanv != '' && !preg_match("/^[_a-z0-9-]+(.[_a-z0-9-]+)*@[a-z0-9-]+([.][a-z0-9-]+)+$/i", $cleanv)) { $this->setErrors("Invalid Email"); continue; } if (!$v['not_gpc']) { $cleanv = $ts->stripSlashesGPC($cleanv); } break; case XOBJ_DTYPE_URL: if ($v['required'] && $cleanv == '') { $this->setErrors(sprintf(_XOBJ_ERR_REQUIRED, $k)); continue; } if ($cleanv != '' && !preg_match("/^http[s]*:///i", $cleanv)) { $cleanv = 'http://' . $cleanv; } if (!$v['not_gpc']) { $cleanv =& $ts->stripSlashesGPC($cleanv); } break; case XOBJ_DTYPE_ARRAY: $cleanv = serialize($cleanv); break; case XOBJ_DTYPE_STIME: case XOBJ_DTYPE_MTIME: case XOBJ_DTYPE_LTIME: $cleanv = !is_string($cleanv) ? intval($cleanv) : strtotime($cleanv); break; case XOBJ_DTYPE_FLOAT: $cleanv = floatval($cleanv); break; case XOBJ_DTYPE_DECIMAL: $cleanv = doubleval($cleanv); break; case XOBJ_DTYPE_ENUM: if (!in_array($cleanv, $v['enumeration'])) { $this->setErrors("Invalid Enumeration"); continue; } break; case XOBJ_DTYPE_UNICODE_TXTBOX: if ($v['required'] && $cleanv != '0' && $cleanv == '') { $this->setErrors(sprintf(_XOBJ_ERR_REQUIRED, $k)); continue; } $cleanv = xoops_convert_encode($ts->censorString($cleanv)); if (isset($v['maxlength']) && strlen($cleanv) > intval($v['maxlength'])) { $this->setErrors(sprintf(_XOBJ_ERR_SHORTERTHAN, $k, intval($v['maxlength']))); continue; } if (!$v['not_gpc']) { $cleanv = $ts->stripSlashesGPC($ts->censorString($cleanv)); } break; case XOBJ_DTYPE_UNICODE_TXTAREA: if ($v['required'] && $cleanv != '0' && $cleanv == '') { $this->setErrors(sprintf(_XOBJ_ERR_REQUIRED, $k)); continue; } $cleanv = xoops_convert_encode($ts->censorString($cleanv)); if (!$v['not_gpc']) { $cleanv = $ts->stripSlashesGPC($cleanv); } break; case XOBJ_DTYPE_UNICODE_EMAIL: if ($v['required'] && $cleanv == '') { $this->setErrors(sprintf(_XOBJ_ERR_REQUIRED, $k)); continue; } $cleanv = xoops_convert_encode($ts->censorString($cleanv)); if ($cleanv != '' && !preg_match("/^[_a-z0-9-]+(.[_a-z0-9-]+)*@[a-z0-9-]+([.][a-z0-9-]+)+$/i", $cleanv)) { $this->setErrors("Invalid Email"); continue; } if (!$v['not_gpc']) { $cleanv = $ts->stripSlashesGPC($cleanv); } break; case XOBJ_DTYPE_UNICODE_URL: if ($v['required'] && $cleanv == '') { $this->setErrors(sprintf(_XOBJ_ERR_REQUIRED, $k)); continue; } if ($cleanv != '' && !preg_match("/^http[s]*:///i", $cleanv)) { $cleanv = 'http://' . $cleanv; } $cleanv = xoops_convert_encode($cleanv); if (!$v['not_gpc']) { $cleanv =& $ts->stripSlashesGPC($cleanv); } break; case XOBJ_DTYPE_UNICODE_ARRAY: $cleanv = serialize(array_walk($cleanv, 'xoops_aw_encode')); break; default: break; } } $this->cleanVars[$k] = str_replace('"', '"', $cleanv); unset($cleanv); } if (count($this->_errors) > 0) { $this->_errors = array_merge($existing_errors, $this->_errors); return false; } $this->_errors = array_merge($existing_errors, $this->_errors); $this->unsetDirty(); return true; }
This is the new cleanVars function in
/htdocs/class/model/write.phple="color: #000000"><?php /** * Clean values of all variables of the object for storage. * also add slashes and quote string whereever needed * * CleanVars only contains changed and cleaned variables * Reference is used for PHP4 compliance * * @return bool true if successful * @access public */ function cleanVars(&$object) { $ts =& MyTextSanitizer::getInstance(); $errors = array(); $vars = $object->getVars(); $object->cleanVars = array(); foreach ($vars as $k => $v) { if (!$v["changed"]) { continue; } $cleanv = $v['value']; switch ($v["data_type"]) { case XOBJ_DTYPE_UNICODE_TXTBOX: if ($v['required'] && $cleanv != '0' && $cleanv == '') { $errors[] = sprintf(_XOBJ_ERR_REQUIRED, $k); continue; } if (!$v['not_gpc']) { $cleanv = $ts->stripSlashesGPC(xoops_convert_encode($ts->censorString($cleanv))); } else { $cleanv = xoops_convert_encode($ts->censorString($cleanv)); } if (isset($v['maxlength']) && strlen($cleanv) > intval($v['maxlength'])) { $errors[] = sprintf(_XOBJ_ERR_SHORTERTHAN, $k, intval($v['maxlength'])); continue; } $cleanv = str_replace('"', '"', $this->handler->db->quote($cleanv)); break; case XOBJ_DTYPE_UNICODE_TXTAREA: if ($v['required'] && $cleanv != '0' && $cleanv == '') { $errors[] = sprintf(_XOBJ_ERR_REQUIRED, $k); continue; } if (!$v['not_gpc']) { if (!empty($vars['dohtml']['value'])) { $cleanv = $ts->textFilter($cleanv); } $cleanv = $ts->stripSlashesGPC(xoops_convert_encode($ts->censorString($cleanv))); } else { $cleanv = $ts->censorString($cleanv); } $cleanv = str_replace('"', '"', $this->handler->db->quote($cleanv)); break; case XOBJ_DTYPE_TXTBOX: if ($v['required'] && $cleanv != '0' && $cleanv == '') { $errors[] = sprintf(_XOBJ_ERR_REQUIRED, $k); continue; } if (isset($v['maxlength']) && strlen($cleanv) > intval($v['maxlength'])) { $errors[] = sprintf(_XOBJ_ERR_SHORTERTHAN, $k, intval($v['maxlength'])); continue; } if (!$v['not_gpc']) { $cleanv = $ts->stripSlashesGPC($ts->censorString($cleanv)); } else { $cleanv = $ts->censorString($cleanv); } $cleanv = str_replace('"', '"', $this->handler->db->quote($cleanv)); break; case XOBJ_DTYPE_TXTAREA: if ($v['required'] && $cleanv != '0' && $cleanv == '') { $errors[] = sprintf(_XOBJ_ERR_REQUIRED, $k); continue; } if (!$v['not_gpc']) { if (!empty($vars['dohtml']['value'])) { $cleanv = $ts->textFilter($cleanv); } $cleanv = $ts->stripSlashesGPC($ts->censorString($cleanv)); } else { $cleanv = $ts->censorString($cleanv); } $cleanv = str_replace('"', '"', $this->handler->db->quote($cleanv)); break; case XOBJ_DTYPE_SOURCE: $cleanv = trim($cleanv); if (!$v['not_gpc']) { $cleanv = $ts->stripSlashesGPC($cleanv); } else { $cleanv = $cleanv; } $cleanv = str_replace('"', '"', $this->handler->db->quote($cleanv)); break; case XOBJ_DTYPE_UNICODE_EMAIL: $cleanv = trim($cleanv); if ($v['required'] && $cleanv == '') { $errors[] = sprintf(_XOBJ_ERR_REQUIRED, $k); continue; } $cleanv = xoops_convert_encode($cleanv); if (!$v['not_gpc']) { $cleanv = $ts->stripSlashesGPC($cleanv); } $cleanv = str_replace('"', '"', $this->handler->db->quote($cleanv)); break; case XOBJ_DTYPE_EMAIL: $cleanv = trim($cleanv); if ($v['required'] && $cleanv == '') { $errors[] = sprintf(_XOBJ_ERR_REQUIRED, $k); continue; } if ($cleanv != '' && !preg_match("/^[_a-z0-9-]+(.[_a-z0-9-]+)*@[a-z0-9-]+([.][a-z0-9-]+)+$/i", $cleanv)) { $errors[] = "Invalid Email"; continue; } if (!$v['not_gpc']) { $cleanv = $ts->stripSlashesGPC($cleanv); } $cleanv = str_replace('"', '"', $this->handler->db->quote($cleanv)); break; case XOBJ_DTYPE_UNICODE_URL: $cleanv = trim($cleanv); if ($v['required'] && $cleanv == '') { $errors[] = sprintf(_XOBJ_ERR_REQUIRED, $k); continue; } if ($cleanv != '' && !preg_match("/^http[s]*:///i", $cleanv)) { $cleanv = 'http://' . $cleanv; } $cleanv = xoops_convert_encode($cleanv); if (!$v['not_gpc']) { $cleanv = $ts->stripSlashesGPC($cleanv); } $cleanv = str_replace('"', '"', $this->handler->db->quote($cleanv)); break; case XOBJ_DTYPE_URL: $cleanv = trim($cleanv); if ($v['required'] && $cleanv == '') { $errors[] = sprintf(_XOBJ_ERR_REQUIRED, $k); continue; } if ($cleanv != '' && !preg_match("/^http[s]*:///i", $cleanv)) { $cleanv = 'http://' . $cleanv; } if (!$v['not_gpc']) { $cleanv = $ts->stripSlashesGPC($cleanv); } $cleanv = str_replace('"', '"', $this->handler->db->quote($cleanv)); break; case XOBJ_DTYPE_UNICODE_OTHER: $cleanv = str_replace('"', '"', $this->handler->db->quote(xoops_convert_encode($cleanv))); break; case XOBJ_DTYPE_OTHER: $cleanv = str_replace('"', '"', $this->handler->db->quote($cleanv)); break; case XOBJ_DTYPE_INT: $cleanv = intval($cleanv); break; case XOBJ_DTYPE_FLOAT: $cleanv = floatval($cleanv); break; case XOBJ_DTYPE_DECIMAL: $cleanv = doubleval($cleanv); break; case XOBJ_DTYPE_UNICODE_ARRAY: if (!$v['not_gpc']) { $cleanv = array_map(array(&$ts , "stripSlashesGPC"), $cleanv); } foreach (array_keys($cleanv) as $key) { $cleanv[$key] = str_replace('"', '"', addslashes($cleanv[$key])); } // TODO: Not encoding safe, should try base64_encode -- phppp $cleanv = "'" . serialize(array_walk($cleanv, 'xoops_aw_encode')) . "'"; break; case XOBJ_DTYPE_ARRAY: if (!$v['not_gpc']) { $cleanv = array_map(array(&$ts , "stripSlashesGPC"), $cleanv); } foreach (array_keys($cleanv) as $key) { $cleanv[$key] = str_replace('"', '"', addslashes($cleanv[$key])); } // TODO: Not encoding safe, should try base64_encode -- phppp $cleanv = "'" . serialize($cleanv) . "'"; break; case XOBJ_DTYPE_STIME: case XOBJ_DTYPE_MTIME: case XOBJ_DTYPE_LTIME: $cleanv = !is_string($cleanv) ? intval($cleanv) : strtotime($cleanv); break; default: $cleanv = str_replace('"', '"', $this->handler->db->quote($cleanv)); break; } $object->cleanVars[$k] = $cleanv; } if (!empty($errors)) { $object->setErrors($errors); } $object->unsetDirty(); return empty($errors) ? true : false; }