From b3ce7915610a6d272cc38ecd2a8b61e04ee4aeae Mon Sep 17 00:00:00 2001
From: thomascube
Date: Fri, 16 Feb 2007 19:35:03 +0000
Subject: Better input checking on GET and POST vars
---
 program/include/main.inc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'program/include/main.inc')
diff --git a/program/include/main.inc b/program/include/main.inc
index d914e3ecb..88c22b85e 100644
--- a/program/include/main.inc
+++ b/program/include/main.inc
@@ -1689,12 +1689,12 @@ function create_attrib_string($attrib, $allowed_attribs=array('id', 'class', 'st
 function parse_attrib_string($str)
 {
 $attrib = array();
- preg_match_all('/\s*([-_a-z]+)=["]([^"]+)["]?/i', stripslashes($str), $regs, PREG_SET_ORDER);
+ preg_match_all('/\s*([-_a-z]+)=(["\'])([^"]+)\2/Ui', stripslashes($str), $regs, PREG_SET_ORDER);
 // convert attributes to an associative array (name => value)
 if ($regs)
 foreach ($regs as $attr)
- $attrib[strtolower($attr[1])] = $attr[2];
+ $attrib[strtolower($attr[1])] = $attr[3];
 return $attrib;
 }
--
cgit v1.2.3
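Review bot: The value group in the new pattern is still `[^"]+` and does not follow the delimiter captured by `(["\'])`, so a single-quoted value containing a double quote (constructed sample: `title='say "hi"'`) fails to match and the attribute is dropped from `$attrib` without any error. If excluding `"` is deliberate, so that values can be re-emitted inside double-quoted attributes, say so in a comment above the call, e.g. `// values never contain a double quote, whichever delimiter was used`. If it is not, the value can be tied to the backreference with `'/\s*([-_a-z]+)=(["\'])(.+)\2/Uis'`, but then values may carry `"` and whatever writes them back out (not visible in this hunk) has to escape them with `htmlspecialchars()` for the attribute context. Either way the pattern stays unanchored, so text between recognised attributes is skipped rather than rejected.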