By Orthogonal Space on
Hello:
Since I had been using Drupal for all of a couple of days before I wrote this, I'm hoping that someone can tell me whether I'm using check_url properly (or need to use another function). Yes, I've read the docs, searched the forums, and it looks good. But I'd still feel better if someone gave me a thumbs up before deploying it (or told me what's wrong).
Since DruTex doesn't have mimeTex support yet (my provider doesn't have a LaTeX installation nor will they), I needed to write a simple filter so I can write math. At any rate, here's the code. It works, but I'm just wondering about check_url (i.e. security).
function mtex_filter($op, $delta = 0, $format = -1, $text = '') {
  switch ($op) {
    case 'list':
      return array(0 => t('mTex'));
    case 'description':
      return t("A simple module for rendering LaTeX equations using mimeTex");
    case 'prepare':
      // Swap the <tex> tags for private-use marker bytes so the other filters
      // in the format leave the equation source alone. The match is non-greedy
      // so that several equations on one line stay separate.
      return preg_replace("/<tex>(.+?)<\/tex>/", "\xFEtex\xFF$1\xFE/tex\xFF", $text);
    case 'process':
      // A function call inside the replacement string runs once, on the literal
      // "\1", before preg_replace() executes, so check_url() never saw the
      // captured equation; a callback applies it to each match instead.
      return preg_replace_callback("/\xFEtex\xFF(.+?)\xFE\/tex\xFF/", 'mtex_process_callback', $text);
    default:
      // The filtered text is user content, not a translatable string, so it is
      // returned as-is rather than passed through t().
      return $text;
  }
}

function mtex_process_callback($m) {
  // $m[1] is the LaTeX source between the markers.
  return "<img src='/cgi-bin/mimetex.cgi?" . check_url($m[1]) . "'>";
}
Any help is appreciated.
Comments
No-one?
I was very surprised to read that it works, because arbitrary strings in URLs should be 'url-encoded'. I wrote a reply explaining this but then I decided to search the web for this 'mimetex.cgi' program. Well, it turns out that this specific program doesn't do much parsing on its query string, so somehow you can manage without encoding it. However, this is generally considered very wrong and I strongly suggest that you do wrap your \1 in urlencode().

You have a problem here. If your math string is, e.g., symb : symb -> 0, check_url() would see some unrecognized 'symb' protocol, then delete it, and then you would end up with only symb -> 0. You can safely use check_plain() instead of check_url() here because you know this url, as a whole, doesn't use some nasty protocol (e.g. javascript). But don't do this, either. I suggest that you simply replace check_url() with urlencode().
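The 'process' stage written the way the reply recommends, as an added example rather than code from the original post: the marker bytes and the mimetex.cgi path come from the thread, while the function names and the sample input are assumptions made here. Because a function call inside preg_replace()'s replacement string runs once on the literal backreference rather than on each match, the encoding has to be applied from a preg_replace_callback() callback.

```php
<?php
// Added example (not the original poster's module): the 'process' stage with
// urlencode() applied to the captured LaTeX, as the reply suggests. Marker
// bytes and the mimetex.cgi path are the thread's; function names and the
// sample input are assumptions.

function mtex_process_stage($text) {
  // check_url("\\1") in a replacement string is evaluated once, on the literal
  // "\1", before preg_replace() runs, so the encoding is done from a callback.
  // '.+?' is non-greedy so two equations on one line stay separate.
  return preg_replace_callback(
    "/\xFEtex\xFF(.+?)\xFE\/tex\xFF/",
    'mtex_render_equation',
    $text
  );
}

function mtex_render_equation(array $m) {
  // urlencode() turns every character that is unsafe in a query string
  // (space, '&', '#', quotes, '<', '>', ':') into %XX or '+', so the LaTeX
  // can neither break out of the query string nor contain the ':' that makes
  // check_url() treat 'symb : ...' as a protocol and strip it.
  $url = '/cgi-bin/mimetex.cgi?' . urlencode($m[1]);
  // Attribute values are HTML-escaped separately from the URL encoding.
  return '<img src="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '"'
       . ' alt="' . htmlspecialchars($m[1], ENT_QUOTES, 'UTF-8') . '">';
}

// Constructed sample: the equation the reply says check_url() would mangle,
// plus one containing '&' and '<', already wrapped by the 'prepare' stage.
$sample = "\xFEtex\xFFsymb : symb -> 0\xFE/tex\xFF and "
        . "\xFEtex\xFFx^2 & y < z\xFE/tex\xFF";
echo mtex_process_stage($sample), "\n";
```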
Ah yes, you're right. Thanks :)