xss_clean() problems

[cheesegrits]

I'm seeing problems with this line in xss_clean():

Code:

$str = preg_replace('#(<[^>]+.*?)(onblur|onchange|onclick|onfocus|onload|onmouseover|onmouseup|onmousedown|onselect|onsubmit|onunload|onkeypress|onkeydown|onkeyup|onresize)[^>]*>#iU',"\\1>",$str);

With what should be valid input (no matches), the preg_replace blows $str away by returning NULL, rather than returning the string unchanged. I've been noodling around with it in a test script, and I think it may be tickling a bug in PHP 5.2. Once there are a certain number of potential matches (<foo), it just gives up and returns NULL. Seems to work OK on earlier versions of PHP.

Is anyone else seeing this? Symptom is that you create a formatted description (for, say a Seller Store) in TinyMCE, submit it, and it comes back blank.

-- hugh

[cheesegrits]

I worked round the problem thusly:

Around line 764 in functions.php:

Code:

                        // $$$ hugh - wrapped preg_match around the preg_replace, because the preg_replace
                        // return NULL on some perfectly valid inputs.  So only run the replace if there is
                        // actually a js action in the string.
                        $js_re = '#(<[^>]+.*?)(onblur|onchange|onclick|onfocus|onload|onmouseover|onmouseup|onmousedown|onselect|onsubmit|onunload|onkeypress|onkeydown|onkeyup|onresize)[^>]*>#iU';
                        if (preg_match($js_re,$str)) {
                                $str = preg_replace($js_re,"\\1>",$str);
                        }

-- hugh