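/**
 * Tidy up the image source URL and map it to a path under the document root.
 *
 * A scheme+host prefix matching this server is stripped (so a full URL to a
 * local image is treated as a local path), tags are removed, the value is
 * passed through check_external() (defined elsewhere in the file), then any
 * leading slash and ".." path segments are removed before the document root
 * is prefixed.
 *
 * Review notes:
 *  - $_SERVER['HTTP_HOST'] comes from the request's Host header, i.e. it is
 *    attacker-controlled. The original interpolated it raw into the pattern;
 *    a Host containing regex metacharacters or "/" could break or alter the
 *    match. It is now preg_quote()d.
 *  - Textually deleting "../" is not a containment guarantee on its own, so
 *    the resolved path is additionally checked against the resolved document
 *    root and rejected through display_error() when it escapes.
 *  - The original leading-slash removal used substr($src, -(strlen($src)-1)),
 *    which leaves a lone "/" untouched (offset 0); substr($src, 1) is used.
 *  - display_error() is assumed to terminate the request, which is how the
 *    sibling version of this function relies on it — NOTE(review): confirm.
 *
 * @param string $src raw "src" value as supplied by the client
 * @return string path to the image on the file system (not realpath()-resolved,
 *                as before)
 */
function clean_source($src) {
    $src = (string) $src;

    // NUL bytes are never part of a legitimate image path and historically
    // truncated paths in PHP filesystem calls.
    if (strpos($src, "\0") !== false) {
        display_error('source contains an invalid character');
    }

    $host = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : '';
    $host = str_replace('www.', '', $host);
    // preg_quote with '/' as the delimiter: the host is untrusted input.
    $regex = "/^((ht|f)tp(s|):\\/\\/)(www\\.|)" . preg_quote($host, '/') . "/i";
    $src = preg_replace($regex, '', $src);

    $src = strip_tags($src);
    $src = check_external($src);

    // remove slash from start of string
    if (strpos($src, '/') === 0) {
        $src = (string) substr($src, 1);
    }

    // don't allow users the ability to use '../'
    // in order to gain access to files below document root
    $src = preg_replace("/\\.\\.+\\//", "", $src);

    // get path to image on file system
    $docRoot = get_document_root($src);
    $path = $docRoot . '/' . $src;

    // Containment check: if the path resolves to something real, it must
    // live inside the (resolved) document root. A non-existent path cannot
    // be read anyway, so it is returned unchanged for the caller's own checks.
    $realPath = realpath($path);
    if ($realPath !== false) {
        $realRoot = realpath($docRoot);
        $inside = false;
        if ($realRoot !== false) {
            $rootPrefix = rtrim($realRoot, '/\\') . DIRECTORY_SEPARATOR;
            $inside = ($realPath === $realRoot)
                || (strncmp($realPath, $rootPrefix, strlen($rootPrefix)) === 0);
        }
        if (!$inside) {
            display_error('source is outside the document root');
        }
    }

    return $path;
}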
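/**
 * Tidy up the image source url and resolve it to a validated local file.
 *
 * Strips a scheme+host prefix matching this server, removes tags, encodes
 * spaces as "%20", passes the value through check_external() (defined
 * elsewhere in the file), removes any leading slash and ".." segments,
 * prefixes the document root and then validates the result: it must be a
 * regular file, must resolve inside the document root, and must be within
 * (0, MAX_FILE_SIZE] bytes.
 *
 * Review notes:
 *  - $_SERVER['HTTP_HOST'] is attacker-controlled (Host header); it is now
 *    preg_quote()d before being interpolated into the pattern.
 *  - Deleting "../" textually is not a containment guarantee, so the
 *    realpath() of the candidate is compared against the realpath() of the
 *    document root before it is returned.
 *  - The leading-slash removal used substr($src, -(strlen($src)-1)), which
 *    leaves a lone "/" in place; substr($src, 1) is used instead.
 *  - filesize() is called once and its false return is handled rather than
 *    being compared numerically.
 *  - The space -> "%20" replacement is kept as-is; note it also applies to
 *    local paths, so a local file name containing a space will not match.
 *  - display_error() is assumed not to return (the original relied on that
 *    too, calling filesize() right after it) — NOTE(review): confirm.
 *
 * @param string $src raw "src" value as supplied by the client
 * @return string realpath() of the validated image file
 */
function clean_source($src) {
    $src = (string) $src;

    // NUL bytes are never part of a legitimate image path.
    if (strpos($src, "\0") !== false) {
        display_error('source contains an invalid character');
    }

    $host = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : '';
    $host = str_replace('www.', '', $host);
    // preg_quote with '/' as the delimiter: the host is untrusted input.
    $regex = "/^(http(s|):\\/\\/)(www\\.|)" . preg_quote($host, '/') . "\\//i";
    $src = preg_replace($regex, '', $src);

    $src = strip_tags($src);
    $src = str_replace(' ', '%20', $src);
    $src = check_external($src);

    // remove slash from start of string
    if (strpos($src, '/') === 0) {
        $src = (string) substr($src, 1);
    }

    // don't allow users the ability to use '../'
    // in order to gain access to files below document root
    $src = preg_replace("/\\.\\.+\\//", "", $src);

    // get path to image on file system
    $docRoot = get_document_root($src);
    $path = $docRoot . '/' . $src;

    if (!is_file($path)) {
        display_error('source is not a valid file');
    }

    // Resolve symlinks and any remaining dot segments, then require the
    // result to sit inside the resolved document root.
    $realPath = realpath($path);
    $realRoot = realpath($docRoot);
    $inside = false;
    if ($realPath !== false && $realRoot !== false) {
        $rootPrefix = rtrim($realRoot, '/\\') . DIRECTORY_SEPARATOR;
        $inside = strncmp($realPath, $rootPrefix, strlen($rootPrefix)) === 0;
    }
    if (!$inside) {
        display_error('source is outside the document root');
    }

    $size = filesize($realPath);
    if ($size === false) {
        display_error('source file size could not be determined');
    }
    if ($size > MAX_FILE_SIZE) {
        display_error('source file is too big (filesize > MAX_FILE_SIZE)');
    }
    if ($size <= 0) {
        display_error('source file <= 0 bytes. Possible external file download error (file is too large)');
    }

    return $realPath;
}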