This is a temporary download location!
Security Release
This release is purely to fix an XSS (cross-site scripting) vulnerability in post comments. There are several ways to fix this security problem:
Download release 0.71.1. — This release is exactly the same as release 0.71 apart from this one change. You can download a zip version, WordPress-Ver-0_7_1_1-20030624.zip, or a tar ball, WordPress-Ver-0_7_1_1-20030624.tar.gz.

Download the fixed file. — You can download the new version of b2functions.php as b2functions.php.txt. Note that you will want to save this file without the .txt extension.

CVS — If you wish to get this release directly from CVS, it exists on the branch labelled WordPress-0_7_1-branch and has been tagged as WordPress-Ver-0_7_1_1-20030624.

Disallow HTML in comments. — This can be achieved by simply setting the $comment_allowed_tags variable in b2config.php to an empty string:

    $comment_allowed_tags = '';

Change b2functions.php. — You can make the change to b2-include/b2functions.php yourself. Look for the function balanceTags(), which you should find starting at line 1128, and insert the indicated code like this:
    function balanceTags($text, $is_comment = 0) {
        global $use_balanceTags;

        // --- begin code inserted by the 0.71.1 security fix ---
        if ($is_comment) {
            // sanitise HTML attributes, remove frame/applet tags
            // 1. drop event-handler (on*), style, class and id attributes,
            //    in both double- and single-quoted form
            $text = preg_replace('#( on[a-z]{1,}|style|class|id)="(.*?)"#i', '', $text);
            $text = preg_replace('#( on[a-z]{1,}|style|class|id)=\'(.*?)\'#i', '', $text);
            // 2. blank out any attribute whose value is a javascript:, vbscript:
            //    or about: URL (leading spaces/tabs before the scheme are allowed for)
            $text = preg_replace('#([a-z]{1,})="(( |\t)*?)(javascript|vbscript|about):(.*?)"#i', '$1=""', $text);
            $text = preg_replace('#([a-z]{1,})=\'(( |\t)*?)(javascript|vbscript|about):(.*?)\'#i', '$1=""', $text);
            // 3. remove frame, iframe and applet tags (opening and closing) outright
            $text = preg_replace('#\<(\/{0,1})([a-z]{0,2})(frame|applet)(.*?)\>#i', '', $text);
        }
        // --- end inserted code; the rest of the function is unchanged ---

        if ($use_balanceTags == 0) {
            return $text;
        }
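The following is an added example, not code from WordPress 0.71.1 or from its authors: a stand-alone PHP function that applies both defences the release notes describe to a single comment. Step 1 plays the role of $comment_allowed_tags from b2config.php (an allow-list of tags passed to strip_tags(), where an empty string means "no HTML at all"), and steps 2 to 4 are the attribute, URL-scheme and frame/applet patterns from the patched balanceTags(). The function name sanitizeComment(), the default allow-list and the sample comments are assumptions made for the example.

```php
<?php
// Added example (not WordPress 0.71.1 code). sanitizeComment() and the
// sample comments below are assumptions made for illustration.

function sanitizeComment($text, $allowedTags = '<b><i><a><blockquote>')
{
    // Step 1: allow-list of tags, the role of $comment_allowed_tags.
    // Passing '' here is the "disallow HTML in comments" option.
    $text = strip_tags($text, $allowedTags);

    // Step 2: remove event-handler (on*), style, class and id attributes,
    // double- and single-quoted forms, as the patched balanceTags() does.
    $text = preg_replace('#( on[a-z]{1,}|style|class|id)="(.*?)"#i', '', $text);
    $text = preg_replace('#( on[a-z]{1,}|style|class|id)=\'(.*?)\'#i', '', $text);

    // Step 3: blank out any attribute whose value is a javascript:, vbscript:
    // or about: URL; the attribute name is kept so the tag stays well-formed.
    $text = preg_replace('#([a-z]{1,})="(( |\t)*?)(javascript|vbscript|about):(.*?)"#i', '$1=""', $text);
    $text = preg_replace('#([a-z]{1,})=\'(( |\t)*?)(javascript|vbscript|about):(.*?)\'#i', '$1=""', $text);

    // Step 4: remove frame / iframe / applet tags outright. With a strict
    // allow-list in step 1 these are already gone; this is a second layer.
    $text = preg_replace('#\<(\/{0,1})([a-z]{0,2})(frame|applet)(.*?)\>#i', '', $text);

    return $text;
}

// Constructed sample comments (not real submissions).
$samples = array(
    'Plain <b>bold</b> text with an <i>emphasis</i>.',   // unchanged
    '<b onmouseover="alert(1)">hover me</b>',            // -> <b>hover me</b>
    "<a href='javascript:alert(1)'>click</a>",           // -> <a href="">click</a>
    '<iframe src="http://example.invalid/"></iframe> after', // -> " after"
);

foreach ($samples as $s) {
    echo "in:  " . $s . "\n";
    echo "out: " . sanitizeComment($s) . "\n";
    echo "out (no HTML): " . sanitizeComment($s, '') . "\n\n";
}
```

Of the two defences, the tag allow-list in step 1 is the one to rely on: it removes any tag that is not explicitly permitted, including ones the pattern list never names. The pattern-based stripping of attributes and URL schemes is a useful second layer for the tags that are allowed through, which is why the release applies it inside balanceTags() only when $is_comment is set.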