/**
 * Strips the fragments reported by clean_xss() out of $str.
 *
 * clean_xss() (a project helper defined elsewhere) is expected here to hand
 * back an array of offending substrings; each one is deleted verbatim, in
 * order. Any non-array or empty result leaves $str untouched.
 *
 * @param string $str Text to clean
 * @return string The text with every reported fragment removed
 */
protected function clean($str)
{
    $fragments = clean_xss($str, false);
    if (!is_array($fragments) || empty($fragments)) {
        return $str;
    }
    foreach ($fragments as $fragment) {
        $str = str_replace($fragment, "", $str);
    }
    return $str;
}
/**
 * Quick registration (ThinkPHP controller action).
 *
 * POST: validates username / mobile (and the optional referer_mobile),
 * creates the User row bound to the WeChat openid that an earlier GET stored
 * in an encrypted cookie, and seeds the session on success.
 * GET: without a `code` parameter redirects to the token endpoint; with one,
 * resolves the openid, stores it in the cookie and renders the form.
 *
 * NOTE(review): the openid used at POST time is read back from a client-held
 * cookie. Whether think_encrypt() also authenticates the value (rather than
 * only obscuring it) is not visible here; if it does not, a tampered cookie
 * binds an arbitrary openid to the new account — confirm against the helper.
 */
public function reg()
{
    if (IS_POST) {
        $postData = I('post.');
        // assumes the by-value clean_xss() variant that returns the scrubbed
        // copy (an in-place variant would make this assignment a no-op/true)
        $postData = clean_xss($postData);
        // NOTE(review): PCRE `$` also matches before a trailing newline, so a
        // value such as "13800000000\n" passes; use `\z` or the `D` modifier
        // if an exact 11-digit string is required.
        if (!(!empty($postData['username']) && !empty($postData['mobile']) && preg_match('/^1\\d{10}$/', $postData['mobile']))) {
            $this->error('请按规定填写姓名与手机号');
        }
        if (!empty($postData['referer_mobile']) && !preg_match('/^1\\d{10}$/', $postData['referer_mobile'])) {
            $this->error('推荐人手机号格式错误');
        }
        $userOpenid = think_decrypt(cookie(md5('user_openid')));
        // create() builds the row from the posted fields; which fields the
        // User model accepts (mass-assignment filtering) is defined on the
        // model, not here — confirm referer_mobile and status are covered.
        $data = M('User')->create($postData);
        $data['openid'] = $userOpenid;
        $data['reg_time'] = NOW_TIME;
        $data['last_login_time'] = NOW_TIME;
        // 0 presumably marks a fresh/unverified account — confirm against the model
        $data['status'] = 0;
        $res = M('User')->add($data);
        if ($res !== false) {
            // add() returns the new primary key on success
            session('user_id', $res);
            session('username', $postData['username']);
            session('mobile', $postData['mobile']);
            $this->success('注册成功', U('Home/User/showUser'), 3);
        } else {
            $this->error("注册失败", '', 3);
        }
        // error()/success() are expected to terminate the request themselves;
        // this exit is a safeguard so the GET branch below never runs on POST
        exit;
    }
    // fetch the bound WeChat openid
    $code = I('get.code');
    // production
    if (empty($code)) {
        $url = SITE_URL . U('Home/User/reg');
        $this->getToken($url); // production
        return;
    }
    $userOpenid = $this->getOpenid(); // production
    // stash the openid, encrypted, under an opaque cookie name for the POST step
    cookie(md5('user_openid'), think_encrypt($userOpenid));
    $this->assign('title', '快速注册');
    $this->display('reg');
}
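/**
 * In-place XSS scrubber (from http://www.phpddt.com).
 *
 * Scalars are trimmed, stripped of tags and HTML-escaped. Unless $low is set,
 * quotes, backslashes, slashes and dot segments are then deleted outright and
 * percent-encoded / raw control characters are removed. Arrays are walked
 * recursively and every leaf is cleaned at the same $low level.
 *
 * The strict path is destructive: legitimate content such as URLs, paths or
 * dates ("2024/01/01") loses its slashes and quotes. Callers that only need
 * output escaping are better served by htmlspecialchars() at render time.
 *
 * @param string|array $string Value to clean; modified in place
 * @param bool $low When true, stop after trim/strip_tags/htmlspecialchars
 *                  ("low" security level)
 * @return bool Always true (the original returned null for array input)
 */
function clean_xss(&$string, $low = false)
{
    if (is_array($string)) {
        // Recurse with the caller's $low level; the original dropped it here,
        // so nested values were always cleaned at the strict level.
        foreach (array_keys($string) as $key) {
            clean_xss($string[$key], $low);
        }
        return true;
    }

    $string = htmlspecialchars(strip_tags(trim($string)));
    if ($low) {
        return true;
    }

    // str_replace applies the search terms sequentially, so once '/' is gone
    // the '../', './' and '//' entries can no longer match; the list is kept
    // as the original had it.
    $string = str_replace(array('"', "\\", "'", "/", "..", "../", "./", "//"), '', $string);
    // percent-encoded C0 control characters (%00-%08, %0b, %0c, %0e, %0f, %10-%1f)
    $string = preg_replace('/%0[0-8bcef]/', '', $string);
    $string = preg_replace('/%1[0-9a-f]/', '', $string);
    // raw control characters other than tab, LF and CR, plus DEL
    $string = preg_replace('/[\\x00-\\x08\\x0B\\x0C\\x0E-\\x1F\\x7F]+/S', '', $string);
    return true;
}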
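/**
 * Returns an XSS-scrubbed copy of $param (from http://www.phpddt.com).
 *
 * Scalars are trimmed, stripped of tags and HTML-escaped. Unless $low is set,
 * quotes, backslashes, slashes and dot segments are then deleted outright and
 * percent-encoded / raw control characters are removed. Arrays are cleaned
 * element by element, recursively, at the same $low level.
 *
 * The strict path is destructive: legitimate content such as URLs, paths or
 * dates ("2024/01/01") loses its slashes and quotes. Callers that only need
 * output escaping are better served by htmlspecialchars() at render time.
 *
 * @param string|array $param Value to clean
 * @param bool $low When true, stop after trim/strip_tags/htmlspecialchars
 *                  ("low" security level)
 * @return string|array The cleaned value, same shape as the input
 */
function clean_xss($param, $low = false)
{
    if (is_array($param)) {
        // Keep the caller's $low level for nested values; the original
        // recursed without it, so nested strings were always cleaned strictly.
        foreach ($param as $k => $v) {
            $param[$k] = clean_xss($v, $low);
        }
        return $param;
    }

    $param = htmlspecialchars(strip_tags(trim($param)));
    if ($low) {
        return $param;
    }

    // str_replace applies the search terms sequentially, so once '/' is gone
    // the '../', './' and '//' entries can no longer match; the list is kept
    // as the original had it.
    $param = str_replace(array('"', "\\", "'", "/", "..", "../", "./", "//"), '', $param);
    // percent-encoded C0 control characters (%00-%08, %0b, %0c, %0e, %0f, %10-%1f)
    $param = preg_replace('/%0[0-8bcef]/', '', $param);
    $param = preg_replace('/%1[0-9a-f]/', '', $param);
    // raw control characters other than tab, LF and CR, plus DEL
    $param = preg_replace('/[\\x00-\\x08\\x0B\\x0C\\x0E-\\x1F\\x7F]+/S', '', $param);
    return $param;
}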
/**
 * Remove potential xss vectors from strings
 *
 * clean_xss() is expected to hand back the offending fragments as an array;
 * each one is deleted from $str in order. A non-array or empty result leaves
 * $str unchanged.
 *
 * @param string str String to search for XSS attack vectors
 * @param bool cleanImg Flag to allow <img> tags to survive - only used by InboundEmail for inline images.
 * @return string
 */
function remove_xss($str, $cleanImg = true)
{
    $vectors = clean_xss($str, $cleanImg);
    if (!is_array($vectors) || empty($vectors)) {
        return $str;
    }
    foreach ($vectors as $vector) {
        $str = str_replace($vector, "", $str);
    }
    return $str;
}
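/**
 * Cleans char, varchar, text, etc. fields of XSS type materials
 *
 * Walks $this->field_defs and, for every non-empty field whose type (with
 * dbType appended when present) contains 'char' or 'text' or is exactly
 * 'enum', decodes the stored HTML, removes the fragments reported by
 * clean_xss() and re-encodes the result. A field is only written back when
 * something was actually removed.
 *
 * The type string is rebuilt for each field: the original reused $type from
 * the previous iteration whenever a def had no 'type' key, so such a field
 * was classified by its neighbour (and the first iteration read an undefined
 * variable).
 */
function cleanBean()
{
    foreach ($this->field_defs as $key => $def) {
        $type = '';
        if (isset($def['type'])) {
            $type = $def['type'];
        }
        if (isset($def['dbType'])) {
            $type .= $def['dbType'];
        }

        $isTextual = strpos($type, 'char') !== false
            || strpos($type, 'text') !== false
            || $type === 'enum';
        if (!$isTextual || empty($this->{$key})) {
            continue;
        }

        $str = from_html($this->{$key});
        // Julian's XSS cleaner: clean_xss() reports the offending fragments
        $potentials = clean_xss($str, false);
        if (is_array($potentials) && !empty($potentials)) {
            foreach ($potentials as $bad) {
                $str = str_replace($bad, "", $str);
            }
            $this->{$key} = to_html($str);
        }
    }
}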
/**
 * Safes description text (both HTML and Plain Text) for display
 *
 * Runs the text through the Safe_HTML parser held in $this->safe, removes the
 * fragments clean_xss() reports for the ORIGINAL text, then strips whatever
 * the two HTML/BODY patterns below match.
 *
 * @param string str The text to safe
 * @return string Safed text
 */
function safeText($str)
{
    // Safe_HTML
    $this->safe->clear();
    $ret = $this->safe->parse($str);
    // Julian's XSS cleaner
    // NOTE(review): clean_xss() inspects the raw $str while the removals are
    // applied to the parsed $ret; fragments the parser already rewrote may no
    // longer be found, and anything the parser itself emitted is never
    // scanned. Confirm this ordering is intended.
    $potentials = clean_xss($str, false);
    if (is_array($potentials) && !empty($potentials)) {
        //_ppl($potentials);
        foreach ($potentials as $bad) {
            $ret = str_replace($bad, "", $ret);
        }
    }
    // clean <HTML> and <BODY> tags
    // NOTE(review): inside a single-quoted literal '\\\\\\?' yields the PCRE
    // sequence \\\? -- a literal backslash followed by a literal '?'. As
    // written these patterns match "<\?HTML ...>" / "<\?BODY ...>" only, not a
    // plain "<HTML ...>" as the comment above suggests; confirm the escaping.
    $html = '#<\\\\\\?HTML[\\w =\'\\"\\&]*>#sim';
    $body = '#<\\\\\\?BODY[\\w =\'\\"\\&]*>#sim';
    $ret = preg_replace($html, "", $ret);
    $ret = preg_replace($body, "", $ret);
    return $ret;
}
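/**
 * Get Email messages IDs from server which aren't in database
 *
 * Walks the mailbox newest-first, builds a compound id for each message
 * (Message-ID plus the Delivered-To / X-Real-To address, md5'd when longer
 * than 255 chars) and checks the ids against the emails table in batches of
 * $limit. The walk stops early once a whole batch of $limit consecutive
 * messages is already present in the database.
 *
 * Message ids and delivered-to addresses come straight from remote mail
 * headers and are untrusted; each one is escaped with $this->db->quote()
 * before it is placed in the IN (...) list. The original interpolated them
 * raw after only the XSS scrub, which does not make a value safe for SQL.
 *
 * NOTE(review): messages left in a final partial batch (fewer than $limit
 * after the last full batch) are never looked up or returned. That matches
 * the original behaviour and is left unchanged here — confirm it is intended.
 *
 * @return array Ids of messages, which aren't still in database
 */
public function getNewEmailsForSyncedMailbox()
{
    // ids's count limit for batch processing
    $limit = 20;
    $msgIds = imap_search($this->conn, 'ALL UNDELETED');
    // imap_search() returns false when nothing matches (or on error); treat
    // that as an empty mailbox instead of calling count() on false.
    if (!is_array($msgIds)) {
        $msgIds = array();
    }
    $result = array();

    try {
        if (count($msgIds) > 0) {
            // collected results of the batch queries and message headers
            $tmpMsgs = array();
            $repeats = 0;
            $counter = 0;

            // sort IDs to get latest on top (arsort keeps the keys)
            arsort($msgIds);
            $GLOBALS['log']->debug('-----> getNewEmailsForSyncedMailbox() got ' . count($msgIds) . ' Messages');

            foreach ($msgIds as $msgNo) {
                $header = imap_headerinfo($this->conn, $msgNo);
                $fullHeader = imap_fetchheader($this->conn, $msgNo);
                $message_id = $header->message_id;

                // default the recipient to this mailbox's id; override with the
                // first Delivered-To / X-Real-To header when one is present
                $deliveredTo = $this->id;
                $matches = array();
                preg_match('/(delivered-to:|x-real-to:){1}\\s*(\\S+)\\s*\\n{1}/im', $fullHeader, $matches);
                if (count($matches)) {
                    $deliveredTo = $matches[2];
                }

                if (empty($message_id)) {
                    $GLOBALS['log']->debug('*********** NO MESSAGE_ID.');
                    $message_id = $this->getMessageId($header);
                }

                // generate compound messageId
                $this->compoundMessageId = trim($message_id) . trim($deliveredTo);
                // if the length > 255 then md5 it so that the data will be of smaller length
                if (strlen($this->compoundMessageId) > 255) {
                    $this->compoundMessageId = md5($this->compoundMessageId);
                }
                if (empty($this->compoundMessageId)) {
                    break;
                }
                $counter++;

                // Julian's XSS cleaner: strip the fragments clean_xss() reports
                $potentials = clean_xss($this->compoundMessageId, false);
                if (is_array($potentials) && !empty($potentials)) {
                    foreach ($potentials as $bad) {
                        $this->compoundMessageId = str_replace($bad, "", $this->compoundMessageId);
                    }
                }

                array_push($tmpMsgs, array('msgNo' => $msgNo, 'msgId' => $this->compoundMessageId, 'exists' => 0));

                if ($counter == $limit) {
                    $counter = 0;
                    // look up the last $limit compound ids in one query, escaping
                    // each header-derived id before it enters the SQL string
                    $quotedIds = array();
                    foreach (array_slice($tmpMsgs, -$limit, $limit) as $v1) {
                        $quotedIds[] = $this->db->quote($v1['msgId']);
                    }
                    $query = 'SELECT count(emails.message_id) as cnt, emails.message_id AS mid FROM emails WHERE emails.message_id IN ("' . implode('","', $quotedIds) . '") and emails.deleted = 0 group by emails.message_id';
                    $r = $this->db->query($query);

                    // map of stored message_id => occurrence count
                    $tmp = array();
                    while ($a = $this->db->fetchByAssoc($r)) {
                        $tmp[html_entity_decode($a['mid'])] = $a['cnt'];
                    }
                    foreach ($tmpMsgs as $k1 => $v1) {
                        if (isset($tmp[$v1['msgId']]) && $tmp[$v1['msgId']] > 0) {
                            $tmpMsgs[$k1]['exists'] = 1;
                        }
                    }

                    // unknown messages go to the result; $repeats counts the run
                    // of already-known messages since the last unknown one
                    foreach ($tmpMsgs as $v1) {
                        if ($v1['exists'] == 0) {
                            $repeats = 0;
                            array_push($result, $v1['msgNo']);
                        } else {
                            $repeats++;
                        }
                    }

                    if ($repeats > 0) {
                        if ($repeats >= $limit) {
                            // a full batch of already-synced messages: stop walking
                            break;
                        }
                        // carry the trailing known messages into the next batch
                        $tmpMsgs = array_splice($tmpMsgs, -$repeats, $repeats);
                    } else {
                        $tmpMsgs = array();
                    }
                }
            }
        }
    } catch (Exception $ex) {
        $GLOBALS['log']->fatal($ex->getMessage());
    }

    $GLOBALS['log']->debug('-----> getNewEmailsForSyncedMailbox() got ' . count($result) . ' unsynced messages');
    return $result;
}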
/**
 * Used to save text on textarea blur. Accessed via Home/CallMethodDashlet.php
 * This is an example of how to to call a custom method via ajax
 *
 * Reads savedText from the request, JSON-decodes it, converts newlines to
 * <br>, removes the fragments reported by clean_xss() and persists it via
 * storeOptions(). Echoes a `result = {...}` JavaScript assignment carrying
 * the request id and the stored text.
 *
 * NOTE(review): the request id is echoed back through the JSON encoder only
 * and the output is consumed as JavaScript; confirm the encoder escapes
 * sequences such as "</" for that context.
 */
function saveText()
{
    $json = getJSONobj();
    $optionsArray = array();

    if (!isset($_REQUEST['savedText'])) {
        $optionsArray['savedText'] = '';
    } else {
        $optionsArray = $this->loadOptions();
        // _pp($_REQUEST['savedText']);
        $decoded = $json->decode(html_entity_decode($_REQUEST['savedText']));
        $text = nl2br($decoded);
        // clean_xss() reports the fragments to delete
        $xss = clean_xss($text, false);
        if (!empty($xss)) {
            $text = str_replace($xss, "", $text);
        }
        $optionsArray['savedText'] = $text;
        $this->storeOptions($optionsArray);
    }

    echo 'result = ' . $json->encode(array('id' => $_REQUEST['id'], 'savedText' => $optionsArray['savedText']));
}
/**
 * Cleans content for XSS and other types of attack vectors
 *
 * The text goes through the Safe_HTML parser held in $this->safe first; the
 * fragments clean_xss() reports for the parsed text are then deleted in order.
 *
 * @param string str String to clean
 * @return string
 */
function cleanContent($str)
{
    // Safe_HTML
    $this->safe->clear();
    $cleaned = $this->safe->parse($str);

    // Julian's XSS cleaner
    $fragments = clean_xss($cleaned, false);
    if (!is_array($fragments) || empty($fragments)) {
        return $cleaned;
    }
    foreach ($fragments as $fragment) {
        $cleaned = str_replace($fragment, "", $cleaned);
    }
    return $cleaned;
}
} $seedFeed = new Feed(); require_once 'modules/MySettings/StoreQuery.php'; $storeQuery = new StoreQuery(); if (!isset($_REQUEST['query'])) { $storeQuery->loadQuery($currentModule); $storeQuery->populateRequest(); } else { $storeQuery->saveFromGet($currentModule); } if (isset($_REQUEST['current_user_only']) && $_REQUEST['current_user_only'] != "") { $seedFeed->my_favorites = true; } // we have a query if (isset($_REQUEST['title'])) { $test = clean_xss($_REQUEST['title']); if (!empty($test)) { die("XSS attack detected in title."); } else { $title = $_REQUEST['title']; } } $where_clauses = array(); if (isset($_REQUEST['title']) && $_REQUEST['title'] != "") { $where_clauses[] = "feeds.title like '%" . $GLOBALS['db']->quote($_REQUEST['title']) . "%'"; } if (isset($_REQUEST['current_user_only']) && $_REQUEST['current_user_only'] != "") { $where_clauses[] = " users_feeds.user_id='{$current_user->id}' "; } $where = ""; foreach ($where_clauses as $clause) {
/**
 * Gets the text at the specified index
 *
 * Array entries (domit_rss_channels, domit_rss_items, domit_rss_categories)
 * are extracted by their own methods and yield '' here. Element objects are
 * dispatched on their class name; the result is scrubbed of the fragments
 * clean_xss() reports before it is returned.
 *
 * @param mixed The index or name of the requested element
 * @param array The indexing array from which to extract data
 * @return string The element text, or an empty string
 */
function _getElementText($index, &$myArray)
{
    if (!isset($myArray[$index])) {
        return '';
    }

    $element = $myArray[$index];
    $text = '';

    if (!is_array($element)) {
        switch (strtolower(get_class($element))) {
            case 'xml_domit_rss_simpleelement':
            case 'xml_domit_rss_collection':
                $text = $element->getElementText();
                break;
            case 'domit_element':
                // concatenate every child: CDATA as its raw value, anything else serialised
                for ($i = 0, $total = $element->childCount; $i < $total; $i++) {
                    $child = $element->childNodes[$i];
                    $text .= ($child->nodeType == DOMIT_CDATA_SECTION_NODE)
                        ? $child->nodeValue
                        : $child->toString();
                }
                break;
        }
    }

    // cn: bug 12273 - kill XSS before it can be rendered
    $xss = clean_xss($text, false);
    if (!empty($xss)) {
        $text = str_replace($xss, "", $text);
    }
    return $text;
}
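/**
 * @see SugarBean::cleanBean
 *
 * Reports override: the "content" field holds a JSON string and is cleaned
 * raw, without the from_html()/to_html() round trip, because converting it as
 * a whole breaks the report (Bug51621). Every other textual field — type (with
 * dbType appended when present) containing 'char' or 'text', or exactly
 * 'enum' — is decoded, scrubbed of the fragments clean_xss() reports and
 * re-encoded. A field is only written back when something was removed.
 *
 * The type string is rebuilt for each field: the original reused $type from
 * the previous iteration whenever a def had no 'type' key, so such a field
 * was classified by its neighbour.
 */
function cleanBean()
{
    foreach ($this->field_defs as $key => $def) {
        $type = '';
        if (isset($def['type'])) {
            $type = $def['type'];
        }
        if (isset($def['dbType'])) {
            $type .= $def['dbType'];
        }

        $isTextual = strpos($type, 'char') !== false
            || strpos($type, 'text') !== false
            || $type === 'enum';
        if (!$isTextual || empty($this->{$key})) {
            continue;
        }

        // Bug51621: the report contents JSON string getting converted to html
        // as a whole breaks reports that get cleaned
        $isContent = ($key === "content");
        $str = $isContent ? $this->{$key} : from_html($this->{$key});

        // Julian's XSS cleaner: clean_xss() reports the offending fragments
        $potentials = clean_xss($str, false);
        if (is_array($potentials) && !empty($potentials)) {
            foreach ($potentials as $bad) {
                $str = str_replace($bad, "", $str);
            }
            $this->{$key} = $isContent ? $str : to_html($str);
        }
    }
}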