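--- a/trunk/phpwiki/fpw/wikiTitle.php
+++ b/trunk/phpwiki/fpw/wikiTitle.php
@@ -68,13 +68,20 @@
 if ( $s != "" ) $s .= ":" ;
 $s .= ucfirst ( trim ( $this->mainTitle ) ) ;
 if ( trim ( $this->subpageTitle ) != "" ) $s .= "/".trim($this->subpageTitle) ;
-$s = str_replace ( "\\\"" , "" , $s ) ;
-$s = str_replace ( "\"" , "" , $s ) ;
+
+# Unescape apostrophes (does this always work?)
 $s = str_replace ( "\\'" , "'" , $s ) ;
 
+# Strip forbidden characters
+$s = str_replace ( "\\\"" , "" , $s ) ;
+#$s = str_replace ( "\"" , "" , $s ) ;
+# All non-alpha ASCII chars: !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~\127
+# FIXME: Decide exactly which ones to forbid.
+$s = preg_replace ( "/[\"\#\$\%\&\\<>\[\]\{\|\}\127]/", "", $s);
+
 # Make it compatible with old wiki
 $s = str_replace ( " " , "_" , $s ) ;
-
+
 # If you use $this->secureTitle in a URL, Satan will eat your soul with a blunt spoon.
 # I'm not kidding. Use $this->url instead or nurlencode() it if you're writing out a URL!
 # secureTitle ONLY belongs in SQL queries and comparisons therewith.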
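Review bot: The `\127` at the end of the character class on new line 81 sits inside a double-quoted PHP string, where `\127` is an octal escape for chr(87), the letter `W`, so this pattern strips every uppercase W from titles rather than the DEL character the comment on line 79 lists. Writing the pattern as a single-quoted string and spelling DEL in PCRE syntax, `$s = preg_replace ( '/["#$%&<>\[\]{|}\x7f]/', "", $s);`, keeps the same forbidden set without the octal surprise. Since the comment below says secureTitle is destined for SQL, note that this blacklist deliberately leaves the apostrophe in place (line 74 restores it), so the value still needs the driver's escaping or a prepared statement before it reaches a query. The enclosing method begins before the hunk.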