# Fixed [artf4976] : htaccess file instructions confusing users

* A4 - Secured SEF from XSS vulnerability git-svn-id: http://joomlacode.org/svn/joomla/development/trunk@4096 6f6e1ebd-4c2b-0410-823f-f34bde69bce9
2024-06-28 16:13:42 +00:00 · 2006-06-21 18:35:46 +00:00 · 2006-06-21 18:35:46 +00:00 · 93179befa3
commit 93179befa3
parent d42e197b44
2 changed files with 9 additions and 14 deletions
--- a/htaccess.txt
+++ b/htaccess.txt
@ -62,7 +62,8 @@ RewriteEngine On
 # RewriteBase /


-########## Begin Standard SEF Section
+########## Begin - Joomla! core SEF Section
+############# Use this section if using ONLY Joomla! core SEF
 ## ALL (RewriteCond) lines in this section are only required if you actually
 ## have directories named 'content' or 'component' on your server
 ## If you do not have directories with these names, comment them out.
@ -73,10 +74,12 @@ RewriteCond %{REQUEST_FILENAME} !-d
 RewriteCond %{REQUEST_URI} (/|\.htm|\.php|\.html|/[^.]*)$  [NC]
 RewriteRule ^(content/|component/) index.php
 #
-########## End Standard SEF Section
+########## End - Joomla! core SEF Section


-########## Begin 3rd Party or Core SEF Section
+
+########## Begin - 3rd Party SEF Section
+############# Use this section if you are using a 3rd party (Non Joomla! core) SEF extension - e.g. OpenSEF, 404_SEF, 404SEFx, SEF Advance, etc
 #
 #RewriteCond %{REQUEST_URI} ^(/component/option,com) [NC,OR] 		##optional - see notes##
 #RewriteCond %{REQUEST_URI} (/|\.htm|\.php|\.html|/[^.]*)$  [NC]
@ -84,14 +87,4 @@ RewriteRule ^(content/|component/) index.php
 #RewriteCond %{REQUEST_FILENAME} !-d
 #RewriteRule (.*) index.php
 #
-########## End 3rd Party or Core SEF Section
-
-########## Begin mbstring section
-## UNCOMMENT THE APPROPRIATE SETTING WHEN SETTINGS IN php.ini CAN'T BE CHANGED
-## THIS WILL PROVIDE LOCAL SETTINGS WITHOUT DISTURBING SITE DEFAULTS
-#
-# php_value mbstring.func_overload 0
-# php_value mbstring.language neutral
-#
-########## End mbstring section
-
+########## End - 3rd Party SEF Section
--- a/plugins/system/joomla.sefurlbot.php
+++ b/plugins/system/joomla.sefurlbot.php
@ -447,6 +447,8 @@ function sefRelToAbs( $string )
 		if ( isset($url['query']) ) {
 			// special handling for javascript
 			$url['query'] = stripslashes( str_replace( '+', '%2b', $url['query'] ) );
+			// clean possible xss attacks
+			$url['query'] = preg_replace( "'%3Cscript[^%3E]*%3E.*?%3C/script%3E'si", '', $url['query'] );

 			// Initialize variables
 			$parts = null;