 /**
  * Strips the fragments reported by clean_xss() out of $str.
  *
  * clean_xss() is defined elsewhere; this wrapper assumes it returns the
  * list of offending substrings (or nothing) rather than the cleaned text —
  * TODO confirm against the version bundled with this class. Removal is plain
  * substring deletion, so the result is only as good as that blacklist and is
  * not HTML-encoded for output.
  *
  * @param string $str Raw text to clean
  * @return string $str with every reported fragment removed
  */
 protected function clean($str)
 {
     $fragments = clean_xss($str, false);
     // Anything other than a non-empty array means nothing was flagged.
     if (!is_array($fragments) || empty($fragments)) {
         return $str;
     }
     foreach ($fragments as $fragment) {
         $str = str_replace($fragment, "", $str);
     }
     return $str;
 }
 /**
  * Quick registration.
  *
  * POST: the submitted name and mobile number are required (mobile must be
  * 11 digits starting with 1; an optional referer mobile gets the same check),
  * a User row is built from the cleaned POST data plus the openid read from
  * the encrypted cookie, inserted, and the session is started.
  *
  * GET: without a `code` parameter the request is bounced through getToken()
  * to obtain one; with it, the openid is resolved via getOpenid(), stored
  * encrypted in a cookie and the registration form is rendered.
  *
  * Notes for reviewers:
  *  - the openid binding is carried in a client-side cookie, so its integrity
  *    rests on think_encrypt()/think_decrypt() (framework helpers not visible
  *    here) — confirm they authenticate the value rather than just obscure it.
  *  - M('User')->create() receives the whole cleaned POST array; which fields
  *    survive depends on the model's own field rules — verify.
  *  - $this->error()/success() presumably halt the request (ThinkPHP
  *    behaviour); the trailing exit is a belt-and-braces stop.
  */
 public function reg()
 {
     if (!IS_POST) {
         // GET: bind the WeChat openid first, then render the form.
         $code = I('get.code');
         if (empty($code)) {
             // No auth code yet: go through getToken() and come back here.
             $self = SITE_URL . U('Home/User/reg');
             $this->getToken($self);
             return;
         }
         $openid = $this->getOpenid();
         cookie(md5('user_openid'), think_encrypt($openid));
         $this->assign('title', '快速注册');
         $this->display('reg');
         return;
     }

     // POST: validate, then insert the user.
     $input = clean_xss(I('post.'));
     $mobilePattern = '/^1\\d{10}$/';
     $validName = !empty($input['username']);
     $validMobile = !empty($input['mobile']) && preg_match($mobilePattern, $input['mobile']);
     if (!$validName || !$validMobile) {
         $this->error('请按规定填写姓名与手机号');
     }
     if (!empty($input['referer_mobile']) && !preg_match($mobilePattern, $input['referer_mobile'])) {
         $this->error('推荐人手机号格式错误');
     }
     $openid = think_decrypt(cookie(md5('user_openid')));
     $row = M('User')->create($input);
     $row['openid'] = $openid;
     $row['reg_time'] = NOW_TIME;
     $row['last_login_time'] = NOW_TIME;
     // New accounts start inactive.
     $row['status'] = 0;
     $newId = M('User')->add($row);
     if ($newId === false) {
         $this->error("注册失败", '', 3);
     } else {
         session('user_id', $newId);
         session('username', $input['username']);
         session('mobile', $input['mobile']);
         $this->success('注册成功', U('Home/User/showUser'), 3);
     }
     exit;
 }
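/**
 * Normalises $string in place: trim, strip_tags, htmlspecialchars, and —
 * unless $low is set — deletion of quote/slash/dot-dot sequences, of
 * percent-encoded control characters and of raw control bytes. Arrays are
 * walked recursively and every leaf is cleaned the same way.
 *
 * Fix: the recursive call now forwards $low, so nested values get the level
 * the caller asked for (previously they were always cleaned at the strict
 * level). Arrays now also return True like scalars do.
 *
 * Caveats: this is a blacklist, not a context-aware encoder. The '"' entry of
 * the str_replace runs after htmlspecialchars() has already turned double
 * quotes into &quot;, so it rarely removes anything; removing "/" and ".."
 * also mangles legitimate text such as URLs and dates.
 *
 * @blog http://www.phpddt.com
 * @param string|array $string Value to clean, modified in place
 * @param bool $low Low security level: stop after htmlspecialchars()
 * @return bool Always True
 */
function clean_xss(&$string, $low = False)
{
    if (is_array($string)) {
        // Iterate over keys so each element is cleaned by reference.
        foreach (array_keys($string) as $key) {
            clean_xss($string[$key], $low);
        }
        return True;
    }
    $string = htmlspecialchars(strip_tags(trim($string)));
    if ($low) {
        return True;
    }
    // Characters commonly used to build paths, quotes and protocol prefixes.
    $string = str_replace(array('"', "\\", "'", "/", "..", "../", "./", "//"), '', $string);
    // Percent-encoded control characters: %00-%08, %0B, %0C, %0E, %0F, %10-%1F.
    $string = preg_replace('/%0[0-8bcef]/', '', $string);
    $string = preg_replace('/%1[0-9a-f]/', '', $string);
    // Raw control bytes other than tab, LF and CR.
    $string = preg_replace('/[\\x00-\\x08\\x0B\\x0C\\x0E-\\x1F\\x7F]+/S', '', $string);
    return True;
}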
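/**
 * Returns a cleaned copy of $param: trim, strip_tags, htmlspecialchars, and —
 * unless $low is set — deletion of quote/slash/dot-dot sequences, of
 * percent-encoded control characters and of raw control bytes. Arrays are
 * cleaned element by element (recursively, keys preserved).
 *
 * Fix: the recursive call now forwards $low, so nested values get the level
 * the caller asked for (previously they were always cleaned at the strict
 * level).
 *
 * Caveats: this is a blacklist, not a context-aware encoder. The '"' entry of
 * the str_replace runs after htmlspecialchars() has already turned double
 * quotes into &quot;, so it rarely removes anything; removing "/" and ".."
 * also mangles legitimate text such as URLs and dates.
 *
 * @blog http://www.phpddt.com
 * @param string|array $param Value to clean
 * @param bool $low Low security level: stop after htmlspecialchars()
 * @return string|array Cleaned value, same shape as the input
 */
function clean_xss($param, $low = false)
{
    if (is_array($param)) {
        foreach ($param as $k => $v) {
            $param[$k] = clean_xss($v, $low);
        }
        return $param;
    }
    $param = htmlspecialchars(strip_tags(trim($param)));
    if ($low) {
        return $param;
    }
    // Characters commonly used to build paths, quotes and protocol prefixes.
    $param = str_replace(array('"', "\\", "'", "/", "..", "../", "./", "//"), '', $param);
    // Percent-encoded control characters: %00-%08, %0B, %0C, %0E, %0F, %10-%1F.
    $param = preg_replace('/%0[0-8bcef]/', '', $param);
    $param = preg_replace('/%1[0-9a-f]/', '', $param);
    // Raw control bytes other than tab, LF and CR.
    $param = preg_replace('/[\\x00-\\x08\\x0B\\x0C\\x0E-\\x1F\\x7F]+/S', '', $param);
    return $param;
}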
/**
 * Remove potential xss vectors from strings
 *
 * Detection is delegated to clean_xss() (defined elsewhere; assumed to return
 * the list of matched fragments). Every reported fragment is deleted by plain
 * substring removal, so the result is not HTML-encoded — callers still need
 * context-appropriate escaping on output.
 *
 * @param string str String to search for XSS attack vectors
 * @param bool cleanImg Flag to allow <img> tags to survive - only used by InboundEmail for inline images.
 * @return string The input with every reported fragment removed
 */
function remove_xss($str, $cleanImg = true)
{
    $fragments = clean_xss($str, $cleanImg);
    // Anything other than a non-empty array means nothing was flagged.
    if (!is_array($fragments) || empty($fragments)) {
        return $str;
    }
    return array_reduce(
        $fragments,
        function ($text, $fragment) {
            return str_replace($fragment, "", $text);
        },
        $str
    );
}
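 /**
  * Cleans char, varchar, text, etc. fields of XSS type materials
  *
  * For every entry of $this->field_defs whose combined type ('type' followed
  * by 'dbType') contains "char" or "text", or equals "enum", and whose current
  * value is non-empty (note: empty() also skips "0"), the stored value is
  * HTML-decoded, scanned with clean_xss() and — only if something was
  * flagged — written back re-encoded with the flagged fragments removed.
  *
  * Fix: $type is reset at the top of each iteration. Previously a definition
  * without a 'type' key kept the preceding field's type (and $type was
  * undefined on the first field), so fields could be cleaned or skipped by
  * accident. from_html()/to_html()/clean_xss() are defined elsewhere;
  * clean_xss() is assumed to return the matched substrings — confirm.
  */
 function cleanBean()
 {
     foreach ($this->field_defs as $key => $def) {
         // Start from a clean slate so one field's type never leaks into the next.
         $type = '';
         if (isset($def['type'])) {
             $type = $def['type'];
         }
         if (isset($def['dbType'])) {
             $type .= $def['dbType'];
         }
         $textual = strpos($type, 'char') !== false || strpos($type, 'text') !== false || $type == 'enum';
         if (!$textual || empty($this->{$key})) {
             continue;
         }
         $str = from_html($this->{$key});
         // Julian's XSS cleaner
         $potentials = clean_xss($str, false);
         if (is_array($potentials) && !empty($potentials)) {
             foreach ($potentials as $bad) {
                 $str = str_replace($bad, "", $str);
             }
             // Re-encode only when something was removed, so untouched fields
             // keep their stored encoding exactly.
             $this->{$key} = to_html($str);
         }
     }
 }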
 /**
  * Safes description text (both HTML and Plain Text) for display
  *
  * Two passes: the Safe_HTML parser ($this->safe) rewrites the markup, then
  * every fragment clean_xss() flags in the *original* input is deleted from
  * the parsed result, and <HTML ...>/<BODY ...> wrapper tags are stripped.
  *
  * NOTE(review): the fragment scan runs on $str rather than on the parsed
  * output, so a flagged substring that the parser already rewrote is simply
  * not found in it; whether that is intended is not visible here. As printed,
  * the two wrapper patterns match a literal backslash before "?HTML"/"?BODY"
  * — confirm the escaping survived the copy into this listing.
  *
  * @param string str The text to safe
  * @return string Safed text
  */
 function safeText($str)
 {
     // Safe_HTML pass on a fresh parser state.
     $this->safe->clear();
     $safe = $this->safe->parse($str);
     // Julian's XSS cleaner: scans the raw input, deletes hits from the parsed text.
     $hits = clean_xss($str, false);
     if (is_array($hits) && !empty($hits)) {
         foreach ($hits as $hit) {
             $safe = str_replace($hit, "", $safe);
         }
     }
     // Drop <HTML ...> and <BODY ...> wrappers (case-insensitive, multi-line).
     $wrappers = array(
         '#<\\\\\\?HTML[\\w =\'\\"\\&]*>#sim',
         '#<\\\\\\?BODY[\\w =\'\\"\\&]*>#sim',
     );
     foreach ($wrappers as $pattern) {
         $safe = preg_replace($pattern, "", $safe);
     }
     return $safe;
 }
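 /**
  * Get Email messages IDs from server which aren't in database
  *
  * Scans every undeleted message on the open IMAP connection, newest first,
  * builds a compound id (Message-ID + delivered-to address, md5'd when longer
  * than 255 chars) and looks the ids up in the emails table in batches of
  * $limit. Message numbers whose compound id is not stored yet are returned;
  * the scan stops early once $limit consecutive messages are already known.
  *
  * Fixes: imap_search() returns false (not an empty array) when nothing
  * matches or the call fails, so the result is type-checked before it is
  * counted and iterated. The Message-ID and Delivered-To/X-Real-To values are
  * taken straight from remote mail headers and end up in the SELECT ... IN
  * (...) list, so each one is now escaped with $this->db->quote(); clean_xss()
  * only strips XSS fragments and is not an SQL escape.
  *
  * @return array Ids of messages, which aren't still in database
  */
 public function getNewEmailsForSyncedMailbox()
 {
     // ids's count limit for batch processing
     $limit = 20;
     $msgIds = imap_search($this->conn, 'ALL UNDELETED');
     $result = array();
     try {
         // false means "no match / failure" — only a non-empty array is scanned
         if (is_array($msgIds) && count($msgIds) > 0) {
             // collect results of queries and message headers
             $tmpMsgs = array();
             // consecutive messages found to be stored already
             $repeats = 0;
             // messages accumulated since the last batch lookup
             $counter = 0;
             // sort IDs to get latest on top
             arsort($msgIds);
             $GLOBALS['log']->debug('-----> getNewEmailsForSyncedMailbox() got ' . count($msgIds) . ' Messages');
             foreach ($msgIds as $k => &$msgNo) {
                 // value not used below; kept as in the original flow
                 $uid = imap_uid($this->conn, $msgNo);
                 $header = imap_headerinfo($this->conn, $msgNo);
                 $fullHeader = imap_fetchheader($this->conn, $msgNo);
                 $message_id = $header->message_id;
                 $deliveredTo = $this->id;
                 $matches = array();
                 // prefer the Delivered-To / X-Real-To header over this mailbox's id
                 preg_match('/(delivered-to:|x-real-to:){1}\\s*(\\S+)\\s*\\n{1}/im', $fullHeader, $matches);
                 if (count($matches)) {
                     $deliveredTo = $matches[2];
                 }
                 if (empty($message_id) || !isset($message_id)) {
                     $GLOBALS['log']->debug('*********** NO MESSAGE_ID.');
                     $message_id = $this->getMessageId($header);
                 }
                 // generate compound messageId
                 $this->compoundMessageId = trim($message_id) . trim($deliveredTo);
                 // if the length > 255 then md5 it so that the data will be of smaller length
                 if (strlen($this->compoundMessageId) > 255) {
                     $this->compoundMessageId = md5($this->compoundMessageId);
                 }
                 // nothing to key on: stop scanning
                 if (empty($this->compoundMessageId)) {
                     break;
                 }
                 $counter++;
                 // clean_xss() is defined elsewhere and assumed to return the
                 // matched fragments; this is XSS hygiene, not SQL escaping
                 $potentials = clean_xss($this->compoundMessageId, false);
                 if (is_array($potentials) && !empty($potentials)) {
                     foreach ($potentials as $bad) {
                         $this->compoundMessageId = str_replace($bad, "", $this->compoundMessageId);
                     }
                 }
                 array_push($tmpMsgs, array('msgNo' => $msgNo, 'msgId' => $this->compoundMessageId, 'exists' => 0));
                 if ($counter == $limit) {
                     $counter = 0;
                     // escape each header-derived id for the IN (...) list; quote()
                     // is assumed to escape the double quotes used as delimiters
                     // below — confirm for the configured driver
                     $quoted = array();
                     foreach (array_slice($tmpMsgs, -$limit, $limit) as $k1 => $v1) {
                         $quoted[] = $this->db->quote($v1['msgId']);
                     }
                     $query = 'SELECT count(emails.message_id) as cnt, emails.message_id AS mid FROM emails WHERE emails.message_id IN ("' . implode('","', $quoted) . '") and emails.deleted = 0 group by emails.message_id';
                     $r = $this->db->query($query);
                     $tmp = array();
                     while ($a = $this->db->fetchByAssoc($r)) {
                         $tmp[html_entity_decode($a['mid'])] = $a['cnt'];
                     }
                     // mark the batch entries that are already stored
                     foreach ($tmpMsgs as $k1 => $v1) {
                         if (isset($tmp[$v1['msgId']]) && $tmp[$v1['msgId']] > 0) {
                             $tmpMsgs[$k1]['exists'] = 1;
                         }
                     }
                     // unknown ids go to the result; known ones count as repeats
                     foreach ($tmpMsgs as $k1 => $v1) {
                         if ($v1['exists'] == 0) {
                             $repeats = 0;
                             array_push($result, $v1['msgNo']);
                         } else {
                             $repeats++;
                         }
                     }
                     if ($repeats > 0) {
                         if ($repeats >= $limit) {
                             // a whole batch was already synced: assume the rest is too
                             break;
                         } else {
                             // carry only the trailing known entries into the next batch
                             $tmpMsgs = array_splice($tmpMsgs, -$repeats, $repeats);
                         }
                     } else {
                         $tmpMsgs = array();
                     }
                 }
             }
             unset($msgNo);
         }
     } catch (Exception $ex) {
         $GLOBALS['log']->fatal($ex->getMessage());
     }
     $GLOBALS['log']->debug('-----> getNewEmailsForSyncedMailbox() got ' . count($result) . ' unsynced messages');
     return $result;
 }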
 /**
  * Used to save text on textarea blur. Accessed via Home/CallMethodDashlet.php
  * This is an example of how to to call a custom method via ajax
  *
  * Reads savedText from the request (HTML-entity-decoded, then JSON-decoded
  * with the shared JSON helper), converts newlines to <br>, deletes whatever
  * clean_xss() flags and persists the dashlet options. Echoes a
  * `result = {...}` JavaScript assignment carrying the request id and the
  * saved text.
  *
  * NOTE(review): the decoded value goes to nl2br() as-is, so a non-string JSON
  * payload fails on PHP 8 — confirm the client only sends strings.
  * $_REQUEST['id'] is echoed back JSON-encoded but otherwise unvalidated.
  */
 function saveText()
 {
     $json = getJSONobj();
     if (!isset($_REQUEST['savedText'])) {
         $optionsArray = array('savedText' => '');
     } else {
         $optionsArray = $this->loadOptions();
         $text = $json->decode(html_entity_decode($_REQUEST['savedText']));
         $text = nl2br($text);
         // clean_xss() is defined elsewhere; a non-empty result is the list of
         // fragments to delete.
         $flagged = clean_xss($text, false);
         if (!empty($flagged)) {
             $text = str_replace($flagged, "", $text);
         }
         $optionsArray['savedText'] = $text;
         $this->storeOptions($optionsArray);
     }
     echo 'result = ' . $json->encode(array('id' => $_REQUEST['id'], 'savedText' => $optionsArray['savedText']));
 }
 /**
  * Cleans content for XSS and other types of attack vectors
  *
  * Runs the Safe_HTML parser ($this->safe) over the text, then deletes every
  * fragment clean_xss() (defined elsewhere) reports for the parsed result.
  * Note this is a blacklist pass, not output encoding.
  *
  * @param string str String to clean
  * @return string
  */
 function cleanContent($str)
 {
     // Safe_HTML
     $this->safe->clear();
     $cleaned = $this->safe->parse($str);
     // Julian's XSS cleaner
     $hits = clean_xss($cleaned, false);
     if (!is_array($hits) || empty($hits)) {
         return $cleaned;
     }
     foreach ($hits as $hit) {
         $cleaned = str_replace($hit, "", $cleaned);
     }
     return $cleaned;
 }
}
$seedFeed = new Feed();
require_once 'modules/MySettings/StoreQuery.php';
$storeQuery = new StoreQuery();
// Without an explicit query, restore the last stored one; populateRequest()
// presumably writes it back into $_REQUEST, so the checks below see it —
// confirm, since that is why $_REQUEST is read only after this point.
if (!isset($_REQUEST['query'])) {
    $storeQuery->loadQuery($currentModule);
    $storeQuery->populateRequest();
} else {
    $storeQuery->saveFromGet($currentModule);
}
if (isset($_REQUEST['current_user_only']) && $_REQUEST['current_user_only'] != "") {
    $seedFeed->my_favorites = true;
}
// we have a query
// XSS screen for the title: clean_xss() (defined elsewhere) is assumed to
// return the offending fragments, so any non-empty result aborts the request
// instead of cleaning. $title keeps the raw request value.
if (isset($_REQUEST['title'])) {
    $test = clean_xss($_REQUEST['title']);
    if (!empty($test)) {
        die("XSS attack detected in title.");
    } else {
        $title = $_REQUEST['title'];
    }
}
$where_clauses = array();
// quote() escapes the value for the driver but not the LIKE wildcards
// (% and _), so a title of "%" still matches every feed.
if (isset($_REQUEST['title']) && $_REQUEST['title'] != "") {
    $where_clauses[] = "feeds.title like '%" . $GLOBALS['db']->quote($_REQUEST['title']) . "%'";
}
// $current_user->id comes from the session, not the request.
if (isset($_REQUEST['current_user_only']) && $_REQUEST['current_user_only'] != "") {
    $where_clauses[] = " users_feeds.user_id='{$current_user->id}' ";
}
$where = "";
foreach ($where_clauses as $clause) {
 /**
  * Gets the text at the specified index
  *
  * Simple elements and collections return their own text; a DOMit element is
  * flattened by concatenating its child nodes (CDATA content verbatim, other
  * nodes serialised). Array entries (channels, items, categories) are
  * deliberately skipped and yield ''. Whatever clean_xss() (defined elsewhere)
  * flags in the text is deleted before it is returned (bug 12273).
  *
  * @param mixed The index or name of the requested element
  * @param array The indexing array from which to extract data
  * @return string The element text, or an empty string
  */
 function _getElementText($index, &$myArray)
 {
     if (!isset($myArray[$index])) {
         return '';
     }
     $element = $myArray[$index];
     $text = '';
     // Arrays hold domit_rss_channels / domit_rss_items / domit_rss_categories;
     // those are extracted with their own methods, so nothing is done here.
     if (!is_array($element)) {
         $class = strtolower(get_class($element));
         if ($class === 'xml_domit_rss_simpleelement' || $class === 'xml_domit_rss_collection') {
             $text = $element->getElementText();
         } elseif ($class === 'domit_element') {
             $count = $element->childCount;
             for ($i = 0; $i < $count; $i++) {
                 $node = $element->childNodes[$i];
                 $text .= ($node->nodeType == DOMIT_CDATA_SECTION_NODE) ? $node->nodeValue : $node->toString();
             }
         }
     }
     // cn: bug 12273 - kill XSS before it can be rendered
     $flagged = clean_xss($text, false);
     if (!empty($flagged)) {
         $text = str_replace($flagged, "", $text);
     }
     return $text;
 }
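 /**
  * @see SugarBean::cleanBean
  *
  * Same walk over $this->field_defs as the base implementation (char/text/enum
  * fields with a non-empty value are decoded, scanned with clean_xss() and
  * re-encoded only when something was flagged), except that the "content"
  * field is handled raw: it holds the report's JSON, which from_html()/to_html()
  * would break as a whole (Bug51621).
  *
  * Fix: $type is reset at the top of each iteration. Previously a definition
  * without a 'type' key kept the preceding field's type (and $type was
  * undefined on the first field), so fields could be cleaned or skipped by
  * accident. from_html()/to_html()/clean_xss() are defined elsewhere;
  * clean_xss() is assumed to return the matched substrings — confirm.
  */
 function cleanBean()
 {
     foreach ($this->field_defs as $key => $def) {
         // Start from a clean slate so one field's type never leaks into the next.
         $type = '';
         if (isset($def['type'])) {
             $type = $def['type'];
         }
         if (isset($def['dbType'])) {
             $type .= $def['dbType'];
         }
         $textual = strpos($type, 'char') !== false || strpos($type, 'text') !== false || $type == 'enum';
         if (!$textual || empty($this->{$key})) {
             continue;
         }
         // Bug51621: the report contents JSON string getting converted to html as a whole
         //    breaks reports that get cleaned
         $isContent = ($key === "content");
         $str = $isContent ? $this->{$key} : from_html($this->{$key});
         // Julian's XSS cleaner
         $potentials = clean_xss($str, false);
         if (is_array($potentials) && !empty($potentials)) {
             foreach ($potentials as $bad) {
                 $str = str_replace($bad, "", $str);
             }
             // Write back only when something was removed; re-encode everything
             // except the raw JSON content field.
             $this->{$key} = $isContent ? $str : to_html($str);
         }
     }
 }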