while trying to implement encrypted passwords, I've stumbled again across the wrong escaping of config and language strings. I've reported this a while ago for the pluginloader, but this time I had similar problems in the core. cmsimple/adm.php line 327:
Code: Select all
$text .= '$' . $a . '[\'' . $k1 . '\'][\'' . $k2 . '\']="' . preg_replace("/\"/s", "", $GLOBALS[$a][$k1][$k2]) . '";' . "\n";
Why not simply use addcslashes()?
Code: Select all
addcslashes($GLOBALS[$a][$k1][$k2], "\0..\37\"\$\\")
IMO this should have been already fixed.
Christoph