From 0c2562143c531ad7e58df62a617be05d33288ca3 Mon Sep 17 00:00:00 2001
From: Habu <habu@users.sourceforge.jp>
Date: Tue, 3 Apr 2018 23:18:35 +0900
Subject: [PATCH] =?utf8?q?[add]=E3=82=B9=E3=82=AF=E3=83=AA=E3=83=BC?=
 =?utf8?q?=E3=83=B3=E3=83=80=E3=83=B3=E3=83=97=E3=81=AE=E3=83=90=E3=83=AA?=
 =?utf8?q?=E3=83=87=E3=83=BC=E3=82=B7=E3=83=A7=E3=83=B3=E3=82=92=E8=BF=BD?=
 =?utf8?q?=E5=8A=A0?=
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

---
 score/register_score.php | 39 ++++++++++++++++++++++++++++++++++++++-
 1 file changed, 38 insertions(+), 1 deletion(-)

diff --git a/score/register_score.php b/score/register_score.php
index f83cd35..fb8d898 100644
--- a/score/register_score.php
+++ b/score/register_score.php
@@ -146,6 +146,39 @@ function create_db_insert_score_data($info)
 }
 
 
+/**
+ * ã¹ã¯ãªã¼ã³ãã³ãã®ããªãã¼ã·ã§ã³ãè¡ã
+ *
+ * ã¹ã¯ãªããå®è¡ãªã©ã®æªæãæã£ãã¹ã¯ãªã¼ã³ãã³ããç»é²ã§ããªãããã
+ * ä½¿ç¨å¯è½ãªã¿ã°ãhtml,body,pre,fontã«å¶éãã
+ *
+ * @param array $screen_dump_lines ã¹ã¯ãªã¼ã³ãã³ãã®æå­åã®éå
+ * @return ããªãã¼ã·ã§ã³ã«æåãããTRUEãå¤±æãããFALSE
+ */
+function validate_screen_dump($screen_dump_lines)
+{
+    if ($screen_dump_lines === FALSE) {
+        return FALSE;
+    }
+
+    $allow_tags = ['html', 'body', 'pre', 'font'];
+
+    $is_valid = TRUE;
+    foreach ($screen_dump_lines as $line) {
+        if (preg_match_all("|</?([^>\s]+)(\s*[^>]+)?>|", $line, $matches, PREG_SET_ORDER) > 0) {
+            $invalid_tag_matches = array_filter($matches, function($m) use($allow_tags) {
+                return !in_array($m[1], $allow_tags);
+            });
+            if (count($invalid_tag_matches) > 0) {
+                $is_valid = FALSE;
+            }
+        }
+    }
+
+    return $is_valid;
+}
+
+
 $recv_encoding = get_mb_encoding();
 if ($recv_encoding === FALSE) {
     exit;
@@ -174,7 +207,11 @@ if ($score_id === FALSE) {
 
 $dumpfile = new DumpFile($score_id);
 $dumpfile->save('dumps', 'txt', $split_contents[1]);
-$dumpfile->save('screens', 'html', $split_contents[2]);
+if (validate_screen_dump($split_contents[2])) {
+    $dumpfile->save('screens', 'html', $split_contents[2]);
+} else {
+    $dumpfile->save('screens', 'html.bad', $split_contents[2]);
+}
 
 // ç»é²æåãHTTPã¬ã¹ãã³ã¹ã³ã¼ã 200 OK ãè¿ã
 http_response_code(200);
-- 
2.11.0