I have HLstatsX Community Edition 1.6.19-25. After saving the stats settings, whitespace in the site name option is removed. I think this is due to the valid_request() function in options.php on line 86:
PHP Code:
if (($this->title == 'Fonts') || ($this->title == 'General')) {
    // Fonts/General options: drop "script" (case-insensitive), ';' and '%', then DB-escape.
    $optval = $_POST[$opt->name];
    $search_pattern  = array('/script/i', '/;/', '/%/');
    $replace_pattern = array('', '', '');
    $optval = preg_replace($search_pattern, $replace_pattern, $optval);
    $optval = $db->escape($optval);
} else {
    // Every other option goes through valid_request() with $numeric = 0 (false).
    $optval = valid_request($_POST[$opt->name], 0);
}
This function is in functions.php on line 94:
PHP Code:
function valid_request($str, $numeric = false)
{
    global $db;
    if (is_array($str))
        return "";
    // Negated character class: every character NOT in this set is deleted.
    // Whitespace is not in the set, so spaces, tabs and newlines are stripped.
    $search_pattern  = array("/[^A-Za-z\x{0410}-\x{044F}0-9Ёё\[\]*\.,=()!\"$%&^`':;#+~_\-|<>\/\\@{}]/u");
    $replace_pattern = array('');
    $str = preg_replace($search_pattern, $replace_pattern, $str);
    if ($numeric == false)
    {
        // Non-numeric path: whatever survived the class is DB-escaped and returned.
        return $db->escape($str);
    }
    else
    {
        // Numeric path: anything that is not a number becomes -1.
        if (is_numeric($str))
            return intval($str);
        else
            return -1;
    }
}
If I add whitespace ('\s') to the search pattern, won't it lead to any vulnerabilities?
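As an added, stand-alone example (not HLstatsX code and not part of the post above), the following models valid_request() next to a variant whose negated character class also keeps whitespace (\s), and runs both over constructed input so the difference can be seen directly. $db->escape() is not available outside HLstatsX; addslashes() stands in for it, on the assumption that the real escape backslash-quotes quotes and backslashes and leaves whitespace alone. The constant name ALLOWED and the function names strip_disallowed() and valid_request_model() are this example's own.

```php
<?php
// Added example, not HLstatsX code: a stand-alone model of valid_request()
// from functions.php, plus a variant whose negated character class also
// keeps whitespace (\s), so the two can be compared on constructed input.
// addslashes() stands in for $db->escape() (assumption: the real escape
// backslash-quotes ' " \ and NUL, as mysql_real_escape_string does, and
// does nothing to whitespace).

// Allowed characters exactly as PCRE sees them after PHP has processed the
// double-quoted string in functions.php: \" became ", and \\@ became \@
// (a literal '@'), so a bare backslash is not in the set.
const ALLOWED = 'A-Za-z\x{0410}-\x{044F}0-9Ёё\[\]*\.,=()!"$%&^`\':;#+~_\-|<>\/\@{}';

function strip_disallowed(string $str, bool $keep_whitespace): string
{
    // Appending \s inside the negated class means whitespace is no longer deleted.
    $class = ALLOWED . ($keep_whitespace ? '\s' : '');
    return preg_replace('/[^' . $class . ']/u', '', $str);
}

function valid_request_model(string $str, bool $keep_whitespace = false, bool $numeric = false)
{
    $clean = strip_disallowed($str, $keep_whitespace);
    if (!$numeric) {
        return addslashes($clean);          // stand-in for $db->escape()
    }
    return is_numeric($clean) ? intval($clean) : -1;
}

// Constructed inputs (not taken from the original post).
$samples = [
    'My Stats Site',          // the poster's case: the spaces vanish
    "x' OR 1=1; --",          // quote, semicolon and '=' are all in the allowed set
    '<b>site</b>',            // angle brackets are in the allowed set too
    "a\tb\nc",                // tab and newline are also matched by \s
];

foreach ($samples as $s) {
    printf("%-18s strict: %-22s keep \\s: %s\n",
        json_encode($s),
        json_encode(valid_request_model($s)),
        json_encode(valid_request_model($s, true)));
}

// Numeric path: stripping the space joins the digits; keeping it fails is_numeric().
printf("numeric '12 34'   strict: %d  keep \\s: %d\n",
    valid_request_model('12 34', false, true),
    valid_request_model('12 34', true, true));
```

Run with `php example.php`. The "strict" column reproduces what the poster sees; the "keep \s" column differs only in that spaces, tabs and newlines survive. Quotes, semicolons, `=`, `<` and `>` pass the class in both variants, so for the non-numeric path the SQL-relevant protection is the `$db->escape()` step, which is applied either way, and any HTML-context handling has to happen where the value is rendered, which this example does not cover. The one behavioural change worth checking is the numeric path: an option like `'12 34'` currently becomes 1234, but with `\s` in the class it becomes -1.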