MDL-20981 admin/lang.php escapes all variables but $a placeholders

David Mudrak 2009-11-26 14:46:01 +00:00
parent 02281852c8
commit 93e1207e9e


@ -1024,6 +1024,10 @@ function lang_fix_value_before_save($value='') {
if (ini_get_bool('magic_quotes_sybase')) { // Unescape escaped sybase quotes
$value = str_replace("''", "'", $value);
}
// escape all embedded variables
$value = str_replace('$', '\$', $value); // Add slashes for $
// unescape placeholders: only $a and $a->something are allowed. All other $variables are left escaped
$value = preg_replace('/\\\\\$a($|[^_a-zA-Z0-9\-]|\->[a-zA-Z0-9_]+)/', '$a\\1', $value);
$value = str_replace("'", "\\'", $value); // Add slashes for '
$value = str_replace('"', "\\\"", $value); // Add slashes for "
$value = str_replace("%","%%",$value); // Escape % characters
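Review bot: The added `str_replace('$', '\$', $value)` neutralises a `$` only when the character before it is not already a backslash: an incoming `\$name` becomes `\\$name`, which PHP would read as an escaped backslash followed by a live variable if the saved string is later parsed in double quotes. The body of lang_fix_value_before_save starts above this hunk and continues below it, so I cannot see whether backslashes are stripped or doubled earlier; if they are not, double them before the `$` escape with `$value = str_replace('\\', '\\\\', $value);`. Separately, the comment says only `$a` and `$a->something` are allowed, but the alternative `[^_a-zA-Z0-9\-]` also restores `$a` when `[` follows it, and the pattern never checks what precedes `\$a`, so array-style and brace-wrapped forms are unescaped as well. Excluding `[` from the follower class and adding a `(?<!\{)` lookbehind would make the pattern match the comment.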