Making Sanitize::stripScripts() to remove multi-line script and style blocks. Fixes #657

2025-01-31 09:06:17 +00:00 · 2010-05-03 22:31:55 -04:00 · 2010-05-03 22:31:55 -04:00 · ce10c85367
commit ce10c85367
parent 95dbae8acf
2 changed files with 27 additions and 1 deletions
--- a/cake/libs/sanitize.php
+++ b/cake/libs/sanitize.php
@ -156,7 +156,7 @@ class Sanitize {
 * @static
 */
 	function stripScripts($str) {
-		return preg_replace('/(<link[^>]+rel="[^"]*stylesheet"[^>]*>|<img[^>]*>|style="[^"]*")|<script[^>]*>.*?<\/script>|<style[^>]*>.*?<\/style>|<!--.*?-->/i', '', $str);
+		return preg_replace('/(<link[^>]+rel="[^"]*stylesheet"[^>]*>|<img[^>]*>|style="[^"]*")|<script[^>]*>.*?<\/script>|<style[^>]*>.*?<\/style>|<!--.*?-->/is', '', $str);
 	}

 /**
--- a/cake/tests/cases/libs/sanitize.test.php
+++ b/cake/tests/cases/libs/sanitize.test.php
@ -346,6 +346,32 @@ class SanitizeTest extends CakeTestCase {
 		$expected = '';
 		$result = Sanitize::stripScripts($string);
 		$this->assertEqual($result, $expected);
+
+		$string = <<<HTML
+text
+<style type="text/css">
+<!-- 
+#content { display:none; } 
+-->
+</style>
+text
+HTML;
+		$expected = "text\n\ntext";
+		$result = Sanitize::stripScripts($string);
+		$this->assertEqual($result, $expected);
+
+		$string = <<<HTML
+text
+<script type="text/javascript">
+<!-- 
+alert('wooo');
+-->
+</script>
+text
+HTML;
+		$expected = "text\n\ntext";
+		$result = Sanitize::stripScripts($string);
+		$this->assertEqual($result, $expected);
 	}

 /**