[pmwiki-users] Fourth Post--ZAP bugs

The Editor editor at fast.st
Thu Oct 26 16:23:41 CDT 2006


Hi List,

I am about ready to pull my hair out.  This bug has got to be staring
me in the face.

When the post is submitted, the very first thing ZAP does after
authenticating the form and setting a few variables, is clean the post
from potentially harmful stuff.  I use these lines:

	foreach ($_POST as $field => $value) {
			if (get_magic_quotes_gpc()) $_POST[$field] = stripslashes($value);
			$_POST[$field] = preg_replace('/\\(:/', '(:', $value);
			$_POST[$field] = preg_replace('/\\{(\\w+)\\}/e', "\$_POST[$1]", $value);
			if (is_array($value)) $_POST[$field] = implode(",", $value);
			}

The first line is supposed to strip slashes, the second one disables
directives, the third is a shortcut that inserts values from one field
into another, and the fourth converts arrays to a CSV list.

Lines three and four work perfectly.  Lines one and two are completely
ignored.  Actually I'd like to change line 2 to both disable
directives and prevent accidentally cutting off data by a smiley!  Now
that I'm using (:field: var:) format.  But this doesn't work either:

         preg_replace('/\:\)/', ':)', $value);

I also tried   $_POST[$field] = stripmagic($value);  for line 1.  No difference.

I have print_r'd the complete post before and after this snippet.  The
values are just what I expect going in, and unchanged coming out.
Where else could the problem be?

Until this bug is fixed, there is a pretty glaring problem...

Cheers,
Caveman
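
An added example, not part of the original post or of ZAP: in the loop above every statement reads from `$value`, the loop's unchanged copy, so each assignment to `$_POST[$field]` discards the result of the one before it, and the `/e` modifier (removed in PHP 7) evaluates the replacement as PHP code. The sketch below chains the steps on one working value and uses `preg_replace_callback` instead of `/e`. The function name `clean_post`, the `&#40;:` entity used to disable directives, and the sample input are assumptions.

```php
<?php
// Hypothetical helper (not ZAP's own code): returns a cleaned copy of a POST array.
function clean_post(array $post, bool $magicQuotes = false): array
{
    $clean = [];

    // Pass 1: normalise every field. Each step reassigns $value, so the
    // next step works on the previous step's result, not on the raw input.
    foreach ($post as $field => $value) {
        if (is_array($value)) {
            $value = implode(',', $value);      // arrays become a CSV list
        }
        if ($magicQuotes) {
            $value = stripslashes($value);      // undo magic-quotes escaping
        }
        // Assumed intent: disable directives by replacing the opening
        // parenthesis with its HTML entity.
        $clean[$field] = str_replace('(:', '&#40;:', $value);
    }

    // Pass 2: expand the {name} shortcut from the already-cleaned values.
    // The callback only looks a value up; nothing is evaluated as code.
    $source = $clean;                           // snapshot taken before expansion
    foreach ($clean as $field => $value) {
        $clean[$field] = preg_replace_callback(
            '/\{(\w+)\}/',
            function (array $m) use ($source): string {
                // Unknown field names are left in the text unchanged.
                return $source[$m[1]] ?? $m[0];
            },
            $value
        );
    }
    return $clean;
}

// Constructed sample input, for illustration only.
$sample = [
    'title' => 'Hello (:include Secret:)',
    'body'  => 'Title was: {title}',
    'tags'  => ['a', 'b'],
];
print_r(clean_post($sample));
```

Because the shortcut is expanded from the cleaned copy, a value inserted through `{name}` cannot bring an unescaped directive back into another field.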



