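/**
 * Expand the bracket tokens of a template string.
 *
 * Tokens look like "[source.name.type.para]": the first segment selects the
 * value source (sql, var/g, cache, para, post, posttags, get, config/c,
 * cookie, session/s, utils, slot, call), the following segments name the value
 * and an optional display transformation (see the two switch statements
 * below for the exact lists). A "^" inside a parameter stands for ".".
 * Anything that is not a recognised token is copied through unchanged, so a
 * stray "[" in the text is harmless.
 *
 * Conditional blocks: "[if.VALUE.source.name]...[endif]" (or "[fi]") keeps
 * its body only when the resolved value loosely (==) equals VALUE; "[!if...]"
 * and "[nif...]" invert the test. Blocks nest; while a block is skipped only
 * nested if/endif tokens are tracked and everything else is dropped.
 *
 * @param string $text     template text to expand
 * @param mixed  $slotback optional callable invoked for "[slot.a.b.c]" tokens
 *                         as $slotback($value, $type, $para); '' disables it
 * @return string the expanded text
 *
 * SECURITY: the token language is as powerful as PHP. "[var.NAME]" / "[g.NAME]"
 * read any global variable (including whatever credentials live there),
 * "[post.x]" / "[get.x]" pull request parameters, "[spell...]" dereferences a
 * global named by the template, and "[call.FN.a.b]" invokes ANY existing PHP
 * function FN(a, b) — exec/system/passthru included. Templates passed here
 * must therefore come only from trusted sources, never from user input.
 * Values are inserted without HTML escaping unless the chosen display type
 * happens to do so; the caller owns the output context.
 */
function parseAndReplaceAll($text, $slotback = '')
{
    global $directdump;
    // Nothing in this function sets the flag back to true, so the echo
    // branches below only fire if a callee (getvalue, $slotback, ...) does.
    $directdump = false;
    // Token shapes handled below, e.g.:
    //[sql.s1.field1.type]
    //[var.name.type]
    //[para.name]
    $newstring = "";
    $oldpos = 0;
    $pos = strpos($text, "[", $oldpos);
    // $ifs is a stack of "currently skipping" flags; $cif is its top index.
    $ifs = array();
    $cif = 0;
    $ifs[$cif] = false;
    while ($pos !== false) {
        //search for close
        $pos2 = strpos($text, "]", $pos);
        if ($pos2 !== false) {
            if ($ifs[$cif]) {
                // Inside a false conditional: only track nesting, emit nothing.
                $token = substr($text, $pos + 1, $pos2 - $pos - 1);
                $arr = explode(".", $token);
                if ($arr[0] == 'if' || $arr[0] == '!if' || $arr[0] == 'nif') {
                    $cif++;
                    $ifs[$cif] = true;
                }
                if ($arr[0] == "endif" || $arr[0] == "fi") {
                    $ifs[$cif] = false;
                    // Never pop below the base level on an unbalanced [endif].
                    if ($cif > 0) {
                        $cif--;
                    }
                }
                $oldpos = $pos2 + 1;
            } else {
                // Flush the literal text between the previous token and this "[".
                if ($directdump) {
                    echo substr($text, $oldpos, $pos - $oldpos);
                } else {
                    $newstring .= substr($text, $oldpos, $pos - $oldpos);
                }
                // $oldpos stays on the "[" until a recognised case consumes the
                // token; unrecognised tokens are thus re-emitted verbatim later.
                $oldpos = $pos;
                //we have a token.. analyse it
                $token = substr($text, $pos + 1, $pos2 - $pos - 1);
                if (strlen($token)) {
                    $displaytype = "";
                    $displaypara = "";
                    $displayvalue = "";
                    $arr = explode(".", $token);
                    $iftest = false;
                    $ifnegative = false;
                    if (isset($arr[0]) && ($arr[0] == 'if' || $arr[0] == '!if' || $arr[0] == 'nif')) {
                        $iftest = true;
                        if ($arr[0] == '!if' || $arr[0] == 'nif') {
                            $ifnegative = true;
                        }
                        $iftestvalue = "";
                        if (isset($arr[1])) {
                            $iftestvalue = $arr[1];
                        }
                        // Drop the "if" and VALUE segments so the rest is resolved
                        // like an ordinary "[source.name...]" token.
                        for ($i = 2; $i < count($arr); $i++) {
                            $arr[$i - 2] = $arr[$i];
                        }
                        if (count($arr)) {
                            unset($arr[count($arr) - 1]);
                        }
                        if (count($arr)) {
                            unset($arr[count($arr) - 1]);
                        }
                    }
                    if (isset($arr[1]) || $token == "fi" || $token == "endif") {
                        switch ($arr[0]) {
                            case 'endif':
                            case 'fi':
                                $oldpos = $pos2 + 1;
                                $ifs[$cif] = false;
                                // Never pop below the base level on an unbalanced [endif].
                                if ($cif > 0) {
                                    $cif--;
                                }
                                break;
                            case 'sql':
                                // [sql.CONN.field.type.para]: read a field from the global
                                // "<CONN>_sql_conn" object, or from the plain global $conn
                                // when CONN is "conn".
                                $oldpos = $pos2 + 1;
                                if (isset($arr[3])) {
                                    $displaytype = $arr[3];
                                }
                                if (isset($arr[4])) {
                                    $displaypara = $arr[4];
                                }
                                //get value
                                if (isset($arr[1]) && isset($GLOBALS[$arr[1] . '_sql_conn'])) {
                                    if (isset($arr[2])) {
                                        $displayvalue = $GLOBALS[$arr[1] . '_sql_conn']->getvalue($arr[2]);
                                    }
                                    // "fast" uses getvaluefast() and shifts type/para one
                                    // segment to the right: [sql.CONN.field.fast.type.para]
                                    if ($displaytype == "fast" && isset($arr[2])) {
                                        $displayvalue = $GLOBALS[$arr[1] . '_sql_conn']->getvaluefast($arr[2]);
                                        if (isset($arr[4])) {
                                            $displaytype = $arr[4];
                                        }
                                        if (isset($arr[5])) {
                                            $displaypara = $arr[5];
                                        }
                                    }
                                    // "mins": difference between the field and its "_panala"
                                    // companion, in whole minutes (via the project date helpers).
                                    if ($displaytype == "mins") {
                                        $displaypara = $GLOBALS[$arr[1] . '_sql_conn']->getvalue($arr[2] . "_panala");
                                        require_once "config/dateutils.php";
                                        $diff = timediff($displayvalue, $displaypara, getLT("dateformat"));
                                        $secs = intval(timediffsecs($diff) / 60);
                                        $displayvalue = $secs;
                                        $displaypara = isset($arr[5]) ? $arr[5] : '';
                                    }
                                } else {
                                    if ($arr[1] == "conn") {
                                        if (isset($arr[2])) {
                                            $displayvalue = $GLOBALS[$arr[1]]->getvalue($arr[2]);
                                        }
                                        if ($displaytype == "fast" && isset($arr[2])) {
                                            $displayvalue = $GLOBALS[$arr[1]]->getvaluefast($arr[2]);
                                            if (isset($arr[4])) {
                                                $displaytype = $arr[4];
                                            }
                                            if (isset($arr[5])) {
                                                $displaypara = $arr[5];
                                            }
                                        }
                                        if ($displaytype == "mins") {
                                            $displaypara = $GLOBALS[$arr[1]]->getvalue($arr[2] . "_panala");
                                            require_once "config/dateutils.php";
                                            $diff = timediff($displayvalue, $displaypara, getLT("dateformat"));
                                            $secs = intval(timediffsecs($diff) / 60);
                                            $displayvalue = $secs;
                                            $displaypara = isset($arr[5]) ? $arr[5] : '';
                                        }
                                    }
                                }
                                break;
                            case 'var':
                            case 'g':
                                // [var.NAME.type.para] / [g.NAME...]: value of the global
                                // variable NAME. Any global is reachable from the template;
                                // a missing one yields "" instead of a warning.
                                $oldpos = $pos2 + 1;
                                if (isset($arr[1]) && isset($GLOBALS[$arr[1]])) {
                                    $displayvalue = $GLOBALS[$arr[1]];
                                }
                                if (isset($arr[2])) {
                                    $displaytype = $arr[2];
                                }
                                if (isset($arr[3])) {
                                    $displaypara = $arr[3];
                                }
                                break;
                            case 'cache':
                                // [cache.KEY.type.para]: project cache lookup.
                                $oldpos = $pos2 + 1;
                                if (isset($arr[1])) {
                                    $displayvalue = cache_getvalue($arr[1]);
                                }
                                if (isset($arr[2])) {
                                    $displaytype = $arr[2];
                                }
                                if (isset($arr[3])) {
                                    $displaypara = $arr[3];
                                }
                                break;
                            case 'para':
                                // [para.NAME.type.para]: resolved through the global
                                // $_control_replace_sql callable with "@NAME" — presumably
                                // a named SQL parameter; verify against its definition.
                                $oldpos = $pos2 + 1;
                                global $_control_replace_sql;
                                if (isset($arr[1])) {
                                    $displayvalue = $_control_replace_sql('@' . $arr[1]);
                                }
                                if (isset($arr[2])) {
                                    $displaytype = $arr[2];
                                }
                                if (isset($arr[3])) {
                                    $displaypara = $arr[3];
                                }
                                break;
                            case 'post':
                                // [post.NAME.type.para]: request parameter, passed through the
                                // project helper correctPostValue(). Whether that helper
                                // escapes for HTML cannot be seen here — do not assume it does.
                                $oldpos = $pos2 + 1;
                                global $_POST;
                                if (isset($arr[1]) && isset($_POST[$arr[1]]) && $_POST[$arr[1]] != "") {
                                    $displayvalue = '' . correctPostValue($_POST[$arr[1]]);
                                }
                                if (isset($arr[2])) {
                                    $displaytype = $arr[2];
                                }
                                if (isset($arr[3])) {
                                    $displaypara = $arr[3];
                                }
                                break;
                            case 'posttags':
                                // [posttags.NAME...]: comma-joined multi-value POST parameter.
                                // A scalar is wrapped so implode() never receives a string.
                                $oldpos = $pos2 + 1;
                                global $_POST;
                                if (isset($arr[1]) && isset($_POST[$arr[1]]) && $_POST[$arr[1]] != "") {
                                    $displayvalue = '' . correctPostValue(implode(",", (array) $_POST[$arr[1]]));
                                }
                                if (isset($arr[2])) {
                                    $displaytype = $arr[2];
                                }
                                if (isset($arr[3])) {
                                    $displaypara = $arr[3];
                                }
                                break;
                            case 'get':
                                // [get.NAME.type.para]: query-string parameter, same caveat
                                // as "post" regarding escaping.
                                $oldpos = $pos2 + 1;
                                global $_GET;
                                if (isset($arr[1]) && isset($_GET[$arr[1]]) && $_GET[$arr[1]] != "") {
                                    $displayvalue = '' . correctPostValue($_GET[$arr[1]]);
                                }
                                if (isset($arr[2])) {
                                    $displaytype = $arr[2];
                                }
                                if (isset($arr[3])) {
                                    $displaypara = $arr[3];
                                }
                                break;
                            case 'config':
                            case 'c':
                                // [config.KEY.type.para] / [c.KEY...]: per-user configuration.
                                $oldpos = $pos2 + 1;
                                if (isset($arr[1])) {
                                    $displayvalue = getUserConfig($arr[1]);
                                }
                                if (isset($arr[2])) {
                                    $displaytype = $arr[2];
                                }
                                if (isset($arr[3])) {
                                    $displaypara = $arr[3];
                                }
                                break;
                            case 'cookie':
                                // [cookie.A.B.type.para]: cookie_getvalue(A, B); note the
                                // type/para are one segment further right than elsewhere.
                                $oldpos = $pos2 + 1;
                                if (isset($arr[1]) && isset($arr[2])) {
                                    $displayvalue = cookie_getvalue($arr[1], $arr[2]);
                                }
                                if (isset($arr[3])) {
                                    $displaytype = $arr[3];
                                }
                                if (isset($arr[4])) {
                                    $displaypara = $arr[4];
                                }
                                break;
                            case 'session':
                            case 's':
                                // [session.KEY.type.para] / [s.KEY...]: session store lookup.
                                $oldpos = $pos2 + 1;
                                if (isset($arr[1])) {
                                    $displayvalue = session_getvalue($arr[1]);
                                }
                                if (isset($arr[2])) {
                                    $displaytype = $arr[2];
                                }
                                if (isset($arr[3])) {
                                    $displaypara = $arr[3];
                                }
                                break;
                            case 'utils':
                                // [utils.LITERAL.type.para]: the second segment is the value
                                // itself; handy for applying a display type to a constant.
                                $oldpos = $pos2 + 1;
                                if (isset($arr[1])) {
                                    $displayvalue = $arr[1];
                                }
                                if (isset($arr[2])) {
                                    $displaytype = $arr[2];
                                }
                                if (isset($arr[3])) {
                                    $displaypara = $arr[3];
                                }
                                break;
                            case 'slot':
                                // [slot.a.b.c]: hand the three segments to the caller's
                                // $slotback; its return value is emitted as-is (no type applied).
                                $oldpos = $pos2 + 1;
                                if (isset($arr[1])) {
                                    $displayvalue = $arr[1];
                                }
                                if (isset($arr[2])) {
                                    $displaytype = $arr[2];
                                }
                                if (isset($arr[3])) {
                                    $displaypara = $arr[3];
                                }
                                if ($slotback != '') {
                                    $displayvalue = $slotback($displayvalue, $displaytype, $displaypara);
                                    $displaytype = '';
                                    $displaypara = '';
                                }
                                break;
                            case 'call':
                                // [call.FN.a.b]: invoke the global function FN(a, b).
                                // NOTE(review): FN is taken verbatim from the template and only
                                // checked with function_exists(), so any PHP function — exec,
                                // system, passthru, ... — can be called with template-controlled
                                // arguments. Restrict this to an allow-list of known template
                                // helpers if templates can ever be edited by non-developers.
                                $oldpos = $pos2 + 1;
                                if (isset($arr[1])) {
                                    $displayvalue = $arr[1];
                                }
                                if (isset($arr[2])) {
                                    $displaytype = $arr[2];
                                }
                                if (isset($arr[3])) {
                                    $displaypara = $arr[3];
                                }
                                $fn = $displayvalue;
                                if (function_exists($fn)) {
                                    $displayvalue = $fn($displaytype, $displaypara);
                                } else {
                                    $displayvalue = '';
                                }
                                break;
                        }
                    }
                    // "^" is the escape for "." inside parameters (the token separator).
                    $displaypara = str_replace('^', '.', $displaypara);
                    if ($iftest) {
                        // Push the conditional: false = keep the body, true = skip it.
                        $cif++;
                        $iftestvalue = str_replace('^', '.', $iftestvalue);
                        if ($ifnegative) {
                            if ($displayvalue != $iftestvalue) {
                                $ifs[$cif] = false;
                            } else {
                                $ifs[$cif] = true;
                            }
                        } else {
                            if ($displayvalue == $iftestvalue) {
                                $ifs[$cif] = false;
                            } else {
                                $ifs[$cif] = true;
                            }
                        }
                    } else {
                        // Apply the display type. In direct-dump mode the formatted
                        // piece is echoed immediately instead of being appended.
                        $oldnewstring = $newstring;
                        if ($directdump) {
                            $newstring = '';
                        }
                        switch ($displaytype) {
                            case 'lb':
                                // Literal brackets, since "[" / "]" cannot appear in a token.
                                $newstring .= '[';
                                break;
                            case 'rb':
                                $newstring .= ']';
                                break;
                            case 'now':
                                // Current date, formatted with date() when a format is given.
                                require_once "config/dateutils.php";
                                if ($displayvalue != "") {
                                    $newstring .= date($displayvalue);
                                } else {
                                    $newstring .= showDate(date("Y-m-d"), getLT("dateformat"));
                                }
                                break;
                            case 'date':
                                // "~" in the format parameter stands for "." (already a
                                // separator, and "^" was consumed above).
                                require_once "config/dateutils.php";
                                if ($displaypara != "") {
                                    if ($displayvalue != "0000-00-00") {
                                        $newstring .= date(str_replace("~", ".", $displaypara), showDate($displayvalue, "time"));
                                    }
                                } else {
                                    $newstring .= showDate($displayvalue, getLT("dateformat"));
                                }
                                break;
                            case 'sqldate':
                                require_once "config/dateutils.php";
                                $newstring .= getDateForMysql($displayvalue, getLT("dateformat"));
                                break;
                            case 'time':
                                require_once "config/dateutils.php";
                                $newstring .= showTime($displayvalue);
                                break;
                            case 'intval':
                                // With any parameter, arbitrary-precision (bcmath) normalisation
                                // instead of a native int cast.
                                if ($displaypara != "") {
                                    $newstring .= bcadd($displayvalue, '0');
                                } else {
                                    $newstring .= intval($displayvalue);
                                }
                                break;
                            case 'number':
                                $newstring .= showNumber($displayvalue, $displaypara);
                                break;
                            case 'exnumber':
                                $newstring .= number_format(floatval($displayvalue), $displaypara, '.', '');
                                break;
                            case 'zeronumber':
                                // Values within 0.01 of an integer are shown rounded.
                                if (abs(round($displayvalue) - $displayvalue) <= 0.01) {
                                    $newstring .= showNumber(round($displayvalue), $displaypara);
                                } else {
                                    $newstring .= showNumber($displayvalue, $displaypara);
                                }
                                break;
                            case 'zeros':
                                $newstring .= str_pad($displayvalue, $displaypara, "0", STR_PAD_LEFT);
                                break;
                            case 'spell':
                                // Language is taken from the global named by the parameter
                                // if such a global exists, else the current language.
                                require_once "extern/numberspell.php";
                                if (isset($GLOBALS[$displaypara])) {
                                    $newstring .= spellNumber($displayvalue, $GLOBALS[$displaypara]);
                                } else {
                                    $newstring .= spellNumber($displayvalue, getCurrentLang());
                                }
                                break;
                            case 'sqlescape':
                                // Escapes via the connection (optionally truncated first). This
                                // still feeds string-built SQL; prefer bound parameters where
                                // the consuming query allows it.
                                global $conn;
                                if ($displaypara != "") {
                                    $newstring .= $conn->escape(substr($displayvalue, 0, intval($displaypara)));
                                } else {
                                    $newstring .= $conn->escape($displayvalue);
                                }
                                break;
                            case 'sqlvalues':
                                // "a,b,c" -> 'a','b','c' (each escaped) for an IN (...) list;
                                // an empty value yields '' so the SQL stays well-formed.
                                global $conn;
                                $myvalues = '';
                                $myarr = explode(",", $displayvalue);
                                foreach ($myarr as $kkmk => $kkmv) {
                                    if ($myvalues != "") {
                                        $myvalues .= ",";
                                    }
                                    $myvalues .= "'" . $conn->escape($kkmv) . "'";
                                }
                                if ($myvalues == "") {
                                    $myvalues = "''";
                                }
                                $newstring .= $myvalues;
                                break;
                            case 'split':
                                // N-th "."-separated part of the value.
                                $sparr = explode(".", trim($displayvalue));
                                $newstring .= $sparr[intval($displaypara)];
                                break;
                            case 'explode':
                                // N-th space-separated part of the value.
                                $sparr = explode(" ", trim($displayvalue));
                                $newstring .= $sparr[intval($displaypara)];
                                break;
                            case 'substr':
                                // Positive N: first N bytes; negative N: last |N| bytes.
                                if (intval($displaypara) < 0) {
                                    $newstring .= substr($displayvalue, intval($displaypara));
                                } else {
                                    $newstring .= substr($displayvalue, 0, intval($displaypara));
                                }
                                break;
                            case 'trim':
                                // Strips spaces, dots, dashes and "=" entirely, not just the ends.
                                $displayvalue = str_replace(" ", "", trim($displayvalue));
                                $displayvalue = str_replace(".", "", $displayvalue);
                                $displayvalue = str_replace("-", "", $displayvalue);
                                $displayvalue = str_replace("=", "", $displayvalue);
                                $newstring .= $displayvalue;
                                break;
                            case 'html':
                                // Only converts newlines to <br>; it does NOT escape markup.
                                $newstring .= str_replace("\n", "<br>", $displayvalue);
                                break;
                            case 'nohtml':
                                // Decode entities (project helper), then drop all tags.
                                $newstring .= strip_tags(html_entity_decode2($displayvalue));
                                break;
                            case 'pin':
                                // Tail of md5(value) from offset N. Deterministic and reproducible
                                // by anyone who knows the value — not a secret or an auth token.
                                $newstring .= substr(md5($displayvalue), intval($displaypara));
                                break;
                            case 'lang':
                                $newstring .= getLT($displayvalue);
                                break;
                            case 'upper':
                                $newstring .= strtoupper($displayvalue);
                                break;
                            case 'caps':
                                // Translated text with only its first character upper-cased.
                                $newstring .= strtoupper(substr(getLT($displayvalue), 0, 1)) . strtolower(substr(getLT($displayvalue), 1));
                                break;
                            case 'lower':
                                $newstring .= strtolower($displayvalue);
                                break;
                            case 'adresa':
                                $newstring .= strtoupper(str_ireplace("zip", "cod postal", $displayvalue));
                                break;
                            case 'full':
                                // The value is itself a template: expand it recursively.
                                $newstring .= parseAndReplaceAll($displayvalue, $slotback);
                                break;
                            case 'easyread':
                                // Group digits in threes from the right ("1234567" -> "1.234.567").
                                // implode() takes the separator first; the legacy (array, glue)
                                // argument order was removed in PHP 8.
                                $newstring .= strrev(implode(".", str_split(strrev($displayvalue), 3)));
                                break;
                            case 'phone':
                                // Drop common separators and keep the first 10 digits.
                                $displayvalue = str_replace("-", "", $displayvalue);
                                $displayvalue = str_replace("/", "", $displayvalue);
                                $displayvalue = str_replace(" ", "", $displayvalue);
                                $displayvalue = str_replace(".", "", $displayvalue);
                                $displayvalue = str_replace(",", "", $displayvalue);
                                $displayvalue = substr($displayvalue, 0, 10);
                                $newstring .= $displayvalue;
                                break;
                            case 'seo':
                                $newstring .= buildSeoLink($displayvalue);
                                break;
                            default:
                                // Unknown or empty type: the raw value, with no escaping at all.
                                $newstring .= $displayvalue;
                                break;
                        }
                        if ($directdump) {
                            echo $newstring;
                            $newstring = $oldnewstring;
                        }
                    }
                }
            }
        }
        // Continue scanning right after this "[" (not after "]"), so a token
        // that was not consumed is found again as literal text via $oldpos.
        $pos = strpos($text, "[", $pos + 1);
    }
    // Trailing literal text (or the whole text when it held no token).
    $newstring .= substr($text, $oldpos);
    return $newstring;
}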
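/**
 * Blacklist-based XSS filter (in the style of the CodeIgniter 1.x xss_clean()).
 *
 * First normalises common obfuscations — null bytes, entities without a
 * trailing ";", URL-encoded bytes, "j a v a s c r i p t"-style exploded words,
 * tabs — then neutralises known-dangerous constructs: script URLs, script/xss
 * tags, inline event handlers, a list of "naughty" elements, and PHP/JS call
 * expressions (by entity-encoding their parentheses so they cannot execute).
 *
 * @param string $str     untrusted input
 * @param string $charset charset handed to html_entity_decode2() when the
 *                        content of tags is decoded
 * @return string the filtered string
 *
 * SECURITY: this is a pattern blacklist, not an HTML sanitiser. It only knows
 * the constructs spelled out below (the event-handler and element lists are a
 * subset of what browsers honour), so it cannot be complete. Treat the output
 * as still untrusted and escape it for the actual output context at the point
 * of output (htmlspecialchars() for HTML); use this only as defence-in-depth.
 *
 * NOTE(review): the entity-repair patterns use the /u modifier, so
 * preg_replace() returns null for input that is not valid UTF-8 and the
 * function then yields an empty result for such strings, despite the
 * ISO-8859-1 default charset — confirm that is intended for Latin-1 callers.
 */
function xss_clean($str, $charset = 'ISO-8859-1')
{
    // Constructs never allowed through. The keys are regex fragments (an
    // unescaped "." matches any character). Applied once up front and once
    // more at the very end, because the de-obfuscation passes in between
    // (entity decoding, word compaction) can re-assemble them.
    $bad = array(
        'document.cookie' => '[removed]',
        'document.write' => '[removed]',
        'window.location' => '[removed]',
        "javascript\\s*:" => '[removed]',
        "Redirect\\s+302" => '[removed]',
        '<!--' => '&lt;!--',
        '-->' => '--&gt;',
    );
    /*
     * Remove Null Characters
     *
     * This prevents sandwiching null characters
     * between ascii characters, like Java\0script.
     * Both real NUL bytes and the literal "\0" escape are stripped.
     */
    $str = preg_replace('/\\0+/', '', $str);
    $str = preg_replace('/(\\\\0)+/', '', $str);
    /*
     * Validate standard character entities
     *
     * Add a semicolon if missing.  We do this to enable
     * the conversion of entities to ASCII later.
     */
    $str = preg_replace('#(&\\#*\\w+)[\\x00-\\x20]+;#u', "\\1;", $str);
    /*
     * Validate UTF16 two byte encoding (x00)
     *
     * Just as above, adds a semicolon if missing.
     */
    $str = preg_replace('#(&\\#x*)([0-9A-F]+);*#iu', "\\1\\2;", $str);
    /*
     * URL Decode
     *
     * Just in case stuff like this is submitted:
     *
     * <a href="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">Google</a>
     *
     * Note: Normally urldecode() would be easier but it removes plus signs.
     * Encoded bytes are turned into numeric entities, not raw characters.
     */
    $str = preg_replace("/%u0([a-z0-9]{3})/i", "&#x\\1;", $str);
    $str = preg_replace("/%([a-z0-9]{2})/i", "&#x\\1;", $str);
    /*
     * Convert character entities to ASCII
     *
     * This permits our tests below to work reliably.
     * We only convert entities that are within tags since
     * these are the ones that will pose security problems.
     */
    if (preg_match_all("/<(.+?)>/si", $str, $matches)) {
        foreach ($matches[1] as $inner) {
            $str = str_replace($inner, html_entity_decode2($inner, $charset), $str);
        }
    }
    /*
     * Not Allowed Under Any Conditions (first pass)
     */
    foreach ($bad as $key => $val) {
        $str = preg_replace("#" . $key . "#i", $val, $str);
    }
    /*
     * Convert all tabs to spaces
     *
     * This prevents strings like this: ja	vascript
     * Note: we deal with spaces between characters later.
     */
    $str = preg_replace("#\t+#", " ", $str);
    /*
     * Makes PHP tags safe
     *
     *  Note: XML tags are inadvertently replaced too:
     *
     *	<?xml
     *
     * But it doesn't seem to pose a problem.
     */
    $str = str_replace(array('<?php', '<?PHP', '<?', '?>'), array('&lt;?php', '&lt;?PHP', '&lt;?', '?&gt;'), $str);
    /*
     * Compact any exploded words
     *
     * This corrects words like:  j a v a s c r i p t
     * These words are compacted back to their correct state
     * (lower-case form and the capitalised form separately,
     * since the match is case-sensitive).
     */
    $words = array('javascript', 'vbscript', 'script', 'applet', 'alert', 'document', 'write', 'cookie', 'window');
    foreach ($words as $word) {
        // Build "j\s*a\s*v..." — each letter may be followed by whitespace.
        $temp = '';
        for ($i = 0; $i < strlen($word); $i++) {
            $temp .= substr($word, $i, 1) . "\\s*";
        }
        $temp = substr($temp, 0, -3);
        $str = preg_replace('#' . $temp . '#s', $word, $str);
        $str = preg_replace('#' . ucfirst($temp) . '#s', ucfirst($word), $str);
    }
    /*
     * Remove disallowed Javascript in links or img tags
     */
    $str = preg_replace("#<a.+?href=.*?(alert\\(|alert&\\#40;|javascript\\:|window\\.|document\\.|\\.cookie|<script|<xss).*?\\>.*?</a>#si", "", $str);
    $str = preg_replace("#<img.+?src=.*?(alert\\(|alert&\\#40;|javascript\\:|window\\.|document\\.|\\.cookie|<script|<xss).*?\\>#si", "", $str);
    $str = preg_replace("#<(script|xss).*?\\>#si", "", $str);
    /*
     * Remove JavaScript Event Handlers
     *
     * Note: This code is a little blunt.  It removes
     * the event handler and anything up to the closing >,
     * but it's unlikely to be a problem.
     *
     * The list is explicit and therefore incomplete; onerror (the usual
     * <img src=x onerror=...> vector), ondblclick, onmousemove and onmouseout
     * are included here, but anything not listed passes through.
     */
    $str = preg_replace('#(<[^>]+.*?)(onblur|onchange|onclick|ondblclick|onerror|onfocus|onload|onmouseover|onmouseup|onmousedown|onmousemove|onmouseout|onselect|onsubmit|onunload|onkeypress|onkeydown|onkeyup|onresize)[^>]*>#iU', "\\1>", $str);
    /*
     * Sanitize naughty HTML elements
     *
     * If a tag containing any of the words in the list
     * below is found, the tag gets converted to entities.
     *
     * So this: <blink>
     * Becomes: &lt;blink&gt;
     */
    $str = preg_replace('#<(/*\\s*)(alert|applet|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|layer|link|meta|object|plaintext|style|script|textarea|title|xml|xss)([^>]*)>#is', "&lt;\\1\\2\\3&gt;", $str);
    /*
     * Sanitize naughty scripting elements
     *
     * Similar to above, only instead of looking for
     * tags it looks for PHP and JavaScript commands
     * that are disallowed.  Rather than removing the
     * code, it simply converts the parenthesis to entities
     * rendering the code un-executable.
     *
     * For example:	eval('some code')
     * Becomes:		eval&#40;'some code'&#41;
     */
    $str = preg_replace('#(alert|cmd|passthru|eval|exec|system|fopen|fsockopen|file|file_get_contents|readfile|unlink)(\\s*)\\((.*?)\\)#si', "\\1\\2&#40;\\3&#41;", $str);
    /*
     * Final clean up (second pass of the same table)
     *
     * This adds a bit of extra precaution in case
     * something got through the above filters.
     */
    foreach ($bad as $key => $val) {
        $str = preg_replace("#" . $key . "#i", $val, $str);
    }
    return $str;
}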