From: David Mudrak
Date: Thu, 26 Nov 2009 14:46:01 +0000 (+0000)
Subject: MDL-20981 admin/lang.php escapes all variables but $a placeholders
X-Git-Url: http://git.mjollnir.org/gw?a=commitdiff_plain;h=93e1207e9e61015ec5f3e3e377ebfb60d024d751;p=moodle.git
MDL-20981 admin/lang.php escapes all variables but $a placeholders
---
diff --git a/admin/lang.php b/admin/lang.php
index 25f6312c61..1bb3f04d92 100644
--- a/admin/lang.php
+++ b/admin/lang.php
@@ -1024,6 +1024,10 @@ function lang_fix_value_before_save($value='') {
 if (ini_get_bool('magic_quotes_sybase')) { // Unescape escaped sybase quotes
 $value = str_replace("''", "'", $value);
 }
+ // escape all embedded variables
+ $value = str_replace('$', '\$', $value); // Add slashes for $
+ // unescape placeholders: only $a and $a->something are allowed. All other $variables are left escaped
+ $value = preg_replace('/\\\\\$a($|[^_a-zA-Z0-9\-]|\->[a-zA-Z0-9_]+)/', '$a\\1', $value);
 $value = str_replace("'", "\\'", $value); // Add slashes for '
 $value = str_replace('"', "\\\"", $value); // Add slashes for "
 $value = str_replace("%","%%",$value); // Escape % characters
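Review bot: The added `str_replace('$', '\$', $value)` is only a sound escape if `$value` can no longer contain a backslash directly in front of a `$` at this point. If one survives, the inserted backslash pairs with it and the variable after it stays unescaped in the saved string. The start of `lang_fix_value_before_save()` is outside the hunk, so whether backslashes are stripped for every language before this line cannot be confirmed from here. I would state the precondition above the new line, e.g. `// requires: no backslashes left in $value, otherwise the added \ is neutralised`, or escape backslashes first if that does not hold. Separately, `preg_replace()` returns `null` on a PCRE error and the following `str_replace()` calls would silently save an empty string, so a check such as `if ($value === null)` before continuing would make that failure visible.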