Punk_UnDeaD

Патч ядра 6

Oct 25th, 2011
  1. --- C:/wamp/www/drupal.pure/www/includes/common.inc.bak Ср май 25 23:43:56 2011
  2. +++ C:/wamp/www/drupal.pure/www/includes/common.inc Пт май 27 12:15:19 2011
  3. @@ -2497,9 +2497,64 @@
  4.        return $var;
  5.      case 'resource':
  6.      case 'string':
  7. -      return '"'. str_replace(array("\r", "\n", "<", ">", "&"),
  8. -                              array('\r', '\n', '\x3c', '\x3e', '\x26'),
  9. -                              addslashes($var)) .'"';
  10. +    
  11. +      static $replace_pairs;
  12. +
  13. +      if (!isset($replace_pairs)) {
  14. +        // Always use Unicode escape sequences (\u0022) over JSON escape
  15. +        // sequences (\") to prevent browsers interpreting these as
  16. +        // special characters.
  17. +        $replace_pairs = array(
  18. +          // ", \ and U+0000 - U+001F must be escaped according to RFC 4627.
  19. +          '\\' => '\u005c',
  20. +          '"' => '\u0022',
  21. +          "\x00" => '\u0000',
  22. +          "\x01" => '\u0001',
  23. +          "\x02" => '\u0002',
  24. +          "\x03" => '\u0003',
  25. +          "\x04" => '\u0004',
  26. +          "\x05" => '\u0005',
  27. +          "\x06" => '\u0006',
  28. +          "\x07" => '\u0007',
  29. +          "\x08" => '\u0008',
  30. +          "\x09" => '\u0009',
  31. +          "\x0a" => '\u000a',
  32. +          "\x0b" => '\u000b',
  33. +          "\x0c" => '\u000c',
  34. +          "\x0d" => '\u000d',
  35. +          "\x0e" => '\u000e',
  36. +          "\x0f" => '\u000f',
  37. +          "\x10" => '\u0010',
  38. +          "\x11" => '\u0011',
  39. +          "\x12" => '\u0012',
  40. +          "\x13" => '\u0013',
  41. +          "\x14" => '\u0014',
  42. +          "\x15" => '\u0015',
  43. +          "\x16" => '\u0016',
  44. +          "\x17" => '\u0017',
  45. +          "\x18" => '\u0018',
  46. +          "\x19" => '\u0019',
  47. +          "\x1a" => '\u001a',
  48. +          "\x1b" => '\u001b',
  49. +          "\x1c" => '\u001c',
  50. +          "\x1d" => '\u001d',
  51. +          "\x1e" => '\u001e',
  52. +          "\x1f" => '\u001f',
  53. +         // Prevent browsers from interpreting these as as special.
  54. +          "'" => '\u0027',
  55. +          '<' => '\u003c',
  56. +          '>' => '\u003e',
  57. +          '&' => '\u0026',
  58. +          // Prevent browsers from interpreting the solidus as special and
  59. +          // non-compliant JSON parsers from interpreting // as a comment.
  60. +          '/' => '\u002f',
  61. +          // While these are allowed unescaped according to ECMA-262, section
  62. +          // 15.12.2, this causes problems in the core jQuery JSON parser.
  63. +          "\xe2\x80\xa8" => '\u2028', // U+2028, Line Separator.
  64. +          "\xe2\x80\xa9" => '\u2029', // U+2029, Paragraph Separator.
  65. +        );
  66. +      }
  67. +      return '"'. strtr($var, $replace_pairs) .'"';
  68.      case 'array':
  69.        // Arrays in JSON can't be associative. If the array is empty or if it
  70.        // has sequential whole number keys starting with 0, it's not associative
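Review bot: The new `return '"'. strtr($var, $replace_pairs) .'"';` works byte-wise and assumes `$var` is already valid UTF-8, so a malformed multi-byte sequence would pass through unescaped into the JSON or inline-script output, where parsers may not agree on how to decode it. If callers can pass unvalidated strings, consider guarding the branch with `if (!drupal_validate_utf8($var)) { return '""'; }` before the `strtr()` call; whether callers already guarantee this is not visible here. The `case 'resource':` label still falls through into this branch, so a resource value reaches `strtr()` too. Minor: the comment `// Prevent browsers from interpreting these as as special.` has a doubled "as" and is indented one space short of its neighbours, and the first added line is whitespace-only. The enclosing function and its `switch` start and end outside the hunk.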
  71.  
  72.  