Force string comparison for md5 checks (not used most of the cases)

Exclude other tags from xss detection

Author: cdujeu

core/src/core/classes/class.AJXP_Utils.php

@@ -160,7 +160,7 @@ public static function detectXSS($string) {
             '#(<[^>]+[\x00-\x20\"\'\/])style=[^>]*>?#iUu',
 
             // Match unneeded tags
-            '#</*(applet|meta|xml|blink|link|style|script|embed|object|iframe|frame|frameset|ilayer|layer|bgsound|title|base)[^>]*>?#i'
+            '#</*(applet|meta|xml|blink|link|style|script|embed|object|iframe|frame|frameset|ilayer|layer|bgsound|title|base|svg)[^>]*>?#i'
         );
 
         foreach($patterns as $pattern) {

core/src/plugins/auth.cmsms/class.cmsmsAuthDriver.php

@@ -110,14 +110,14 @@ public function checkPassword($login, $pass, $seed)
     {
         $userStoredPass = $this->getUserPass($login);
         if(!$userStoredPass) return false;
-        if (md5($pass) == $userStoredPass) {
+        if (md5($pass) === $userStoredPass) {
         $loggedinData['sessionid']=session_id();
         $loggedinData['lastused']=time();
         $loggedinData['userid']=$this->getUserId($login);
         dibi::query('INSERT INTO ['.$this->prefix.'module_feusers_loggedin]', $loggedinData);
         }
 
-            return ($userStoredPass == md5($pass));
+            return ($userStoredPass === md5($pass));
     }
 
     public function usersEditable()

core/src/plugins/auth.custom_db/class.customDbAuthDriver.php

@@ -158,7 +158,7 @@ public function checkPassword($login, $pass, $seed)
         if($hashAlgo == "pbkdf2"){
             return AJXP_Utils::pbkdf2_validate_password($pass, $userStoredPass);
         }else if($hashAlgo == "md5"){
-            return md5($pass) == $userStoredPass;
+            return md5($pass) === $userStoredPass;
         }else if($hashAlgo == "clear"){
             return $pass == $userStoredPass;
         }

core/src/plugins/auth.remote/class.remoteAuthDriver.php

@@ -167,7 +167,7 @@ public function checkPassword($login, $pass, $seed)
             if ($seed == "-1") { // Seed = -1 means that password is not encoded.
                 return  AJXP_Utils::pbkdf2_validate_password($pass, $userStoredPass);// ($userStoredPass == md5($pass));
             } else {
-                return (md5($userStoredPass.$seed) == $pass);
+                return (md5($userStoredPass.$seed) === $pass);
             }
         } else {
             $crtSessionId = session_id();
@@ -218,7 +218,7 @@ public function checkPassword($login, $pass, $seed)
             if ($seed == "-1") { // Seed = -1 means that password is not encoded.
                 $res = AJXP_Utils::pbkdf2_validate_password($pass, $userStoredPass); //($userStoredPass == md5($pass));
             } else {
-                $res = (md5($userStoredPass.$seed) == $pass);
+                $res = (md5($userStoredPass.$seed) === $pass);
             }
             if ($res) {
                 session_id($crtSessionId);

core/src/plugins/auth.serial/class.serialAuthDriver.php

@@ -119,7 +119,7 @@ public function checkPassword($login, $pass, $seed)
         if ($seed == "-1") { // Seed = -1 means that password is not encoded.
             return AJXP_Utils::pbkdf2_validate_password($pass, $userStoredPass);//($userStoredPass == md5($pass));
         } else {
-            return (md5($userStoredPass.$seed) == $pass);
+            return (md5($userStoredPass.$seed) === $pass);
         }
     }
 

core/src/plugins/auth.sql/class.sqlAuthDriver.php

@@ -157,7 +157,7 @@ public function checkPassword($login, $pass, $seed)
         if ($this->getOptionAsBool("TRANSMIT_CLEAR_PASS")) { // Seed = -1 means that password is not encoded.
             return AJXP_Utils::pbkdf2_validate_password($pass, $userStoredPass); //($userStoredPass == md5($pass));
         } else {
-            return (md5($userStoredPass.$seed) == $pass);
+            return (md5($userStoredPass.$seed) === $pass);
         }
     }