From ede25aabce2e25ce8134157853ff4c7f45e2f784 Mon Sep 17 00:00:00 2001
From: friendica
Date: Wed, 16 Nov 2011 14:23:06 -0800
Subject: [PATCH] check all attribute names for validity
---
 boot.php | 2 +-
 library/HTML5/TreeBuilder.php | 10 +++++++---
 2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/boot.php b/boot.php
index 0e9472c001..7d9337b2ed 100644
--- a/boot.php
+++ b/boot.php
@@ -9,7 +9,7 @@ require_once('include/nav.php');
 require_once('include/cache.php');
 define ( 'FRIENDIKA_PLATFORM', 'Friendica');
-define ( 'FRIENDIKA_VERSION', '2.3.1166' );
+define ( 'FRIENDIKA_VERSION', '2.3.1167' );
 define ( 'DFRN_PROTOCOL_VERSION', '2.22' );
 define ( 'DB_UPDATE_VERSION', 1104 );
diff --git a/library/HTML5/TreeBuilder.php b/library/HTML5/TreeBuilder.php
index 10d446d1ea..578e73682b 100644
--- a/library/HTML5/TreeBuilder.php
+++ b/library/HTML5/TreeBuilder.php
@@ -3041,9 +3041,13 @@ class HTML5_TreeBuilder {
 if (!empty($token['attr'])) {
 foreach($token['attr'] as $attr) {
- // mike@macgirvin.com 2011-10-21, stray double quotes and/or numeric tags cause everything to abort
- $attr['name'] = str_replace('"','',$attr['name']);
- if($attr['name'] && (!$el->hasAttribute($attr['name'])) && (! is_numeric($attr['name']))) {
+
+ // mike@macgirvin.com 2011-11-17, check attribute name for
+ // validity (ignoring extenders and combiners) as illegal chars in names
+ // causes everything to abort
+
+ $valid = preg_match('/^[a-zA-Z\_\:]([\-a-zA-Z0-9\_\:\.]+$)/',$attr['name'],$matches);
+ if($attr['name'] && (!$el->hasAttribute($attr['name'])) && ($valid)) {
 $el->setAttribute($attr['name'], $attr['value']);
 }
 }
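Review bot: The pattern on the added `preg_match` line accepts only names of two or more characters, because the first character class is followed by a `+` group, so a valid one-character attribute name (for example SVG `x` or `d`) is now silently dropped. The `$` anchor also matches before a trailing newline, so a name ending in `\n` would pass the check and presumably still reach `setAttribute()`, which is the abort on malformed markup that this hunk is meant to prevent. I would write `$valid = preg_match('/^[a-zA-Z_:][-a-zA-Z0-9_:.]*\z/', $attr['name']);`, which also drops the unused `$matches` and capture group, and test `$valid` before calling `hasAttribute()`. The enclosing method starts and ends outside the hunk, so whether the tokenizer can emit such names is not visible here.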