|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2006-09-23 12:02 UTC] tony2001@php.net
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Mon May 06 19:01:32 2024 UTC |
Description: ------------ preg_replace allows backreferences from the replacement string which seems insecure. Parsing every replacement string is necessary when data comes from a tainted source. Perl handles this nicely by only allowing backreference's that are used directly in the replacement text and not contained in a {tainted} string. Reproduce code: --------------- $text = 'This item costs $0.99'; $html = '<b>%COST%No items%COST%</b>'; print preg_replace('/%COST%.*?%COST%/i', $text, $html); Expected result: ---------------- <b>This item costs $0.99</b> Actual result: -------------- This item costs %COST%No items%COST%.99