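/**
 * Parses the allowed HTML tags text for use by htmLawed.
 *
 * The text is a nested, parenthesised list with no separators between
 * entries, e.g. "(a=>(href=>())b=>())": each tag name maps to the (possibly
 * empty) list of what is permitted inside it, parsed recursively with this
 * same function.
 *
 * @param string &$source by reference; on return it holds whatever followed
 *                        the closing paren of the list just parsed (empty at
 *                        the top level when the text was well formed)
 * @return array|false the allowed_tags array, or false when the text is
 *                     malformed (missing paren, entry without "=>")
 * @since 1.1.3
 **/
function parseAllowedTags(&$source)
{
    $source = trim($source);
    if (substr($source, 0, 1) !== '(') {
        return false;
    }
    // strip off the open paren
    $source = substr($source, 1);
    $parsed = array();
    while (strlen($source) > 1 && substr($source, 0, 1) !== ')') {
        $sep = strpos($source, '=>');
        if ($sep === false) {
            return false;
        }
        $tag = trim(substr($source, 0, $sep));
        $source = trim(substr($source, $sep + 2));
        if (substr($source, 0, 1) !== '(') {
            return false;
        }
        // the value is itself a list; parsing it consumes it from $source
        $inner = parseAllowedTags($source);
        if ($inner === false) {
            return false;
        }
        $parsed[$tag] = $inner;
    }
    if (substr($source, 0, 1) !== ')') {
        return false;
    }
    // strip the close paren, leaving any trailing text for the caller
    $source = trim(substr($source, 1));
    return $parsed;
}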
/* handle posts */
if (isset($_GET['action'])) {
    $action = sanitize($_GET['action']);
    $themeswitch = false;
    if ($action == 'saveoptions') {
        XSRFdefender('saveoptions');
        $table = NULL;
        $notify = '';
        $returntab = '';
        $themealbum = $themename = NULL;
        /*		 * * General options ** */
        if (isset($_POST['savegeneraloptions'])) {
            $returntab = "&tab=general";
            $tags = strtolower(sanitize($_POST['allowed_tags'], 0));
            $test = "(" . $tags . ")";
            $a = parseAllowedTags($test);
            if ($a) {
                setOption('allowed_tags', $tags);
                $notify = '';
            } else {
                $notify = '?tag_parse_error=' . $a;
            }
            $oldloc = SITE_LOCALE;
            // get the option as stored in the database, not what might have been set by a cookie
            $newloc = sanitize($_POST['locale'], 3);
            $languages = generateLanguageList(true);
            $languages[''] = '';
            foreach ($languages as $text => $lang) {
                if ($lang == $newloc || isset($_POST['language_allow_' . $lang])) {
                    setOption('disallow_' . $lang, 0);
                } else {
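/**
 * Returns the array of allowed html tags for the requested option.
 *
 * The option text is parsed once per request and cached in the matching
 * global ($_user_tags, $_style_tags or $_default_tags).
 *
 * @param string $which 'allowed_tags', 'style_tags' or 'allowed_tags_default'
 * @return array the parsed tag array; an empty array for an unknown $which
 *               or when the stored option text does not parse
 */
function getAllowedTags($which)
{
    global $_user_tags, $_style_tags, $_default_tags;
    // Loads and parses one option row. A malformed row (e.g. edited directly
    // in the database) yields an empty array so nothing extra gets allowed.
    $load = function ($option) {
        $text = "(" . getOption($option) . ")";
        $parsed = parseAllowedTags($text);
        return $parsed === false ? array() : $parsed;
    };
    switch ($which) {
        case 'allowed_tags':
            if (is_null($_user_tags)) {
                $_user_tags = $load('allowed_tags');
            }
            return $_user_tags;
        case 'style_tags':
            if (is_null($_style_tags)) {
                $_style_tags = $load('style_tags');
            }
            return $_style_tags;
        case 'allowed_tags_default':
            if (is_null($_default_tags)) {
                $_default_tags = $load('allowed_tags_default');
            }
            return $_default_tags;
    }
    return array();
}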
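/**
 * Applies the requested level of sanitation to a string of untrusted input.
 *
 * Levels (compared strictly, so pass an int): 0 only replaces NUL bytes;
 * 1 keeps the tags listed in the 'allowed_tags' option; 2 strips all tags.
 * Any other level is handled like 2, so an unexpected value never returns
 * the input unfiltered.
 *
 * @param string $input_string the raw text
 * @param int $sanitize_level 0, 1 or 2
 * @return string the sanitized string
 */
function sanitize_string($input_string, $sanitize_level)
{
    // Only pre-PHP 8 runtimes have magic quotes to undo.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $input_string = stripslashes($input_string);
    }
    if ($sanitize_level === 0) {
        // NUL bytes can truncate strings in C-backed functions; neutralize them
        return str_replace(chr(0), " ", $input_string);
    }
    // kses() comes from the htmLawed wrapper; only the tag-filtering levels need it
    require_once dirname(__FILE__) . '/lib-htmlawed.php';
    $allowed = array();
    if ($sanitize_level === 1) {
        $allowed_tags = "(" . getOption('allowed_tags') . ")";
        $allowed = parseAllowedTags($allowed_tags);
        if ($allowed === false) {
            // a malformed option row must not widen the filter: allow nothing
            $allowed = array();
        }
    }
    // level 2 (and anything unrecognized) uses the empty allow list
    return kses($input_string, $allowed);
}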
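/**
 * Returns a sanitized copy of $input_string.
 *
 * Levels (compared strictly, so pass an int): 0 replaces NUL bytes only;
 * 1 keeps the tags listed in the 'allowed_tags' option; 2 and 3 strip every
 * tag. An unrecognized level is handled like 3 rather than returning the
 * input untouched.
 *
 * @param string $input_string the raw text
 * @param int $sanitize_level 0, 1, 2 or 3
 * @return string the sanitized string
 */
function sanitize_string($input_string, $sanitize_level)
{
    // Only pre-PHP 8 runtimes have magic quotes to undo.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $input_string = stripslashes($input_string);
    }
    if ($sanitize_level === 0) {
        // NUL bytes can truncate strings in C-backed functions; neutralize them
        return str_replace(chr(0), " ", $input_string);
    }
    $allowed_tags = array();
    if ($sanitize_level === 1) {
        $user_tags = "(" . getOption('allowed_tags') . ")";
        $allowed_tags = parseAllowedTags($user_tags);
        if ($allowed_tags === false) {
            // a malformed option row must not widen the filter: allow nothing
            $allowed_tags = array();
        }
    }
    // levels 2 and 3 (and anything unrecognized) use the empty allow list
    return kses($input_string, $allowed_tags);
}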
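/** returns a sanitized string for the sanitize function
 *
 * Levels (compared strictly, so pass an int): 0 replaces NUL bytes only;
 * 1 keeps the tags listed in the 'allowed_tags' option; 2 keeps those in
 * the 'style_tags' option; 3 strips every tag. An unrecognized level is
 * handled like 3 rather than returning the input untouched.
 *
 * @param string $input_string the raw text
 * @param int $sanitize_level 0, 1, 2 or 3
 * @return string the sanitized string.
 */
function sanitize_string($input_string, $sanitize_level)
{
    // Strip slashes where a pre-PHP 8 runtime still applies magic quotes.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $input_string = stripslashes($input_string);
    }
    // Basic sanitation: NUL bytes can truncate strings in C-backed functions.
    if ($sanitize_level === 0) {
        return str_replace(chr(0), " ", $input_string);
    }
    // kses() comes from the htmLawed wrapper; only the tag-filtering levels need it.
    require_once dirname(__FILE__) . '/lib-htmlawed.php';
    $option = null;
    if ($sanitize_level === 1) {
        // User specified sanitation.
        $option = 'allowed_tags';
    } elseif ($sanitize_level === 2) {
        // Text formatting sanitation.
        $option = 'style_tags';
    }
    $allowed_tags = array();
    if ($option !== null) {
        $text = "(" . getOption($option) . ")";
        $allowed_tags = parseAllowedTags($text);
        if ($allowed_tags === false) {
            // someone has screwed with the option row in the database; allow nothing
            $allowed_tags = array();
        }
    }
    // Level 3 (and anything unrecognized): full sanitation, strips all code.
    return kses($input_string, $allowed_tags);
}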
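/**
 * Returns the array of allowed html tags for the requested option.
 *
 * The option text is parsed once per request and cached in the matching
 * global ($_user_tags or $_style_tags). Any $which other than
 * 'allowed_tags' is served from the 'style_tags' option, as before.
 *
 * @param string $which either 'allowed_tags' or 'style_tags' depending on which is wanted.
 * @return array the parsed tag array; empty when the stored option text does not parse
 */
function getAllowedTags($which)
{
    global $_user_tags, $_style_tags;
    // Loads and parses one option row. A malformed row (e.g. edited directly
    // in the database) yields an empty array so nothing extra gets allowed.
    $load = function ($option) {
        $text = "(" . getOption($option) . ")";
        $parsed = parseAllowedTags($text);
        return $parsed === false ? array() : $parsed;
    };
    if ($which === 'allowed_tags') {
        if (is_null($_user_tags)) {
            $_user_tags = $load('allowed_tags');
        }
        return $_user_tags;
    }
    if (is_null($_style_tags)) {
        $_style_tags = $load('style_tags');
    }
    return $_style_tags;
}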