From 7ed34ac5bc4552277e445e537d6b560ec73dd05f Mon Sep 17 00:00:00 2001
From: Marius Burkard <m.burkard@pixcept.de>
Date: Fri, 29 Dec 2017 13:31:46 +0100
Subject: [PATCH] - fixed regex for stripping <script> tags - no entities on
 wordbook entries

---
 interface/lib/classes/tform_base.inc.php | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/interface/lib/classes/tform_base.inc.php b/interface/lib/classes/tform_base.inc.php
index 2df1cd24bc..d06072e830 100644
--- a/interface/lib/classes/tform_base.inc.php
+++ b/interface/lib/classes/tform_base.inc.php
@@ -473,9 +473,8 @@ class tform_base {
 						if(is_array($field['value'])) {
 							foreach($field['value'] as $k => $v) {
 								$selected = ($k == $val)?' SELECTED':'';
-								if(isset($this->wordbook[$v]))
-									$v = $this->wordbook[$v];
-								$v = $app->functions->htmlentities($v);
+								if(isset($this->wordbook[$v])) $v = $this->wordbook[$v];
+								else $v = $app->functions->htmlentities($v);
 								$out .= "<option value='$k'$selected>".$this->lng($v)."</option>\r\n";
 							}
 						}
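Review bot: The wordbook branch now writes `$this->wordbook[$v]` into the `<option>` body with no entity encoding, so this output is only as safe as every language file and any custom wordbook entry. Nothing visible in the hunk shows that those entries are pre-encoded or kept free of user-supplied text. If that is the intended contract, state it at the lookup, for example `// wordbook entries are trusted, already HTML-safe strings; never populate them from request data`. On the unchanged line below, `$k` is interpolated into `value='$k'` unescaped, so a key containing a single quote would close the attribute; `htmlspecialchars($k, ENT_QUOTES)` there would remove the dependency on where the keys come from. The enclosing method starts and ends outside the hunk, so the origin of `$field['value']` cannot be confirmed from here.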
@@ -914,7 +913,7 @@ class tform_base {
 					$returnval = preg_replace('/\s+/', '', $returnval);
 					break;
 				case 'STRIPTAGS':
-					$returnval = strip_tags(preg_replace('/<script[^>]*>/is', '', $returnval));
+					$returnval = strip_tags(preg_replace('/<script[^>]*?>.*?<\/script>/is', '', $returnval));
 					break;
 				case 'STRIPNL':
 					$returnval = str_replace(array("\n","\r"),'', $returnval);
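Review bot: In the `STRIPTAGS` case the result of `preg_replace()` is passed straight to `strip_tags()`, but `preg_replace()` returns `null` on a PCRE error. The lazy `.*?` with the `s` flag can hit the backtrack limit on a large value, and the field would then silently become an empty string. The closing-tag pattern `<\/script>` also misses `</script >`, which browsers accept as an end tag, so the script body would survive as plain text after `strip_tags()`. I would use `'/<script\b[^>]*>.*?<\/script\s*>/is'` and fall back to the unfiltered input for `strip_tags()` when the result is `null`, e.g. `$returnval = strip_tags($tmp ?? $returnval);`. Note that `strip_tags()` output is still not safe to place in an HTML attribute without encoding at the point of output; the switch continues outside the hunk.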
-- 
GitLab