/**
  * Filters public properties
  * @access protected
  * @param array List of fields to ignore
  */
 function filter($ignoreList = null)
 {
     $ignore = is_array($ignoreList);
     $iFilter = new InputFilter();
     foreach ($this->getPublicProperties() as $k) {
         if ($ignore && in_array($k, $ignoreList)) {
             continue;
         }
         $this->{$k} = $iFilter->process($this->{$k});
     }
 }
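/**
* @package Mambo
* @author Mambo Foundation Inc see README.php
* @copyright Mambo Foundation Inc.
* See COPYRIGHT.php for copyright notices and details.
* @license GNU/GPL Version 2, see LICENSE.php
* Mambo is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; version 2 of the License.
*/
/**
 * Checks whether the request carries a valid MOStlyCE startup key.
 *
 * The key is rebuilt from $secret, the user agent and the remote address
 * exactly as the issuer builds it, and compared in constant time with the
 * value in $_COOKIE['mostlyce']['startup_key']. The cookie's usertype must
 * additionally be one of the known editor roles.
 *
 * @param string $path   Installation root; used to locate the InputFilter class
 * @param string $secret Site secret that seeds the rebuild key
 * @return bool true when both the key and the user type check out, false otherwise
 */
function externalCallCheck($path, $secret)
{
    // Both cookie halves must be present; anything else is an anonymous request.
    if (!isset($_COOKIE['mostlyce']['startup_key']) || !isset($_COOKIE['mostlyce']['usertype'])) {
        return false;
    }
    require_once $path . '/includes/phpInputFilter/class.inputfilter.php';
    $iFilter = new InputFilter(null, null, 1, 1);
    $startupKey = trim($iFilter->process($_COOKIE['mostlyce']['startup_key']));
    //The MOStlyCE rebuild key should match this
    $usertype = strtolower(str_replace(' ', '', trim($iFilter->process($_COOKIE['mostlyce']['usertype']))));

    // Missing server values degrade to '' instead of raising a notice.
    $userAgent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    $remoteAddr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    $env = md5($userAgent);
    $rebuildKey = md5($secret . $env . $remoteAddr);
    // hash_equals(): constant-time comparison so response timing does not reveal
    // how many leading characters of a guessed key were correct.
    if (!hash_equals($rebuildKey, (string) $startupKey)) {
        return false;
    }
    //Valid user types
    $vUsers = array('author', 'editor', 'publisher', 'manager', 'administrator', 'superadministrator');
    return in_array($usertype, $vUsers, true);
}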
 /**
  * Runs one request through the framework: filters the request object,
  * records the basic log entry, dispatches the URL, sends the response
  * and traces the accumulated timer values.
  *
  * @return void
  */
 function process()
 {
     $inputFilter = new InputFilter();
     $inputFilter->process($this);

     $requestMethod = $this->request->get("method");
     $logEntry = array(
         'reqip' => $this->request->userip . ':' . $this->request->clientip,
         'uri'   => $this->request->url,
     );
     // 'method' sits between 'uri' and 'logid', and only when the request has one
     if (!is_null($requestMethod)) {
         $logEntry['method'] = $requestMethod;
     }
     $logEntry['logid'] = $this->requestId;
     kc_log_addbasic($logEntry);

     $dispatcher = new Dispatch($this);
     App::getTimer()->set('framework prepare');
     $dispatcher->dispatch_url($this->request->url);
     $this->response->send();
     KC_LOG_TRACE('[TIME COST STATISTIC] [ ' . App::getTimer()->getString() . ' ].');
 }
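 /**
  * Update action for a comment; currently disabled.
  *
  * The request is ended immediately, so no model is loaded and nothing is
  * written. The former implementation (load the model by $_GET['id'],
  * mass-assign $_POST['Comments'], filter comment_text through InputFilter,
  * save without validation and echo the text) sat behind the early end() call
  * and was unreachable; it has been removed. Reintroduce it only together
  * with input validation if updates are enabled again.
  *
  * @return void
  */
 public function actionUpdate()
 {
     // disallow updates: end the request before any input is touched
     Yii::app()->end();
 }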
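/**
 * Redirects the browser to $url, optionally enqueueing a message first.
 *
 * $url and $msg are passed through InputFilter when that class is loaded; a
 * URL that InputFilter rejects as an href value is replaced by the configured
 * live site. When headers were already sent the redirect falls back to an
 * inline script, otherwise an HTTP redirect with the requested status is
 * issued. The application is closed at the end, so this does not return.
 *
 * @param string $url       Target URL
 * @param string $msg       Message to enqueue on $mainframe before redirecting
 * @param string $redirKind HTTP status to use: '302', '303' or (default) '301'
 * @param string $msgType   Message type handed to enqueueMessage()
 * @return void
 */
function shRedirect($url, $msg = '', $redirKind = '301', $msgType = 'message')
{
    global $mainframe;
    // result unused here; the call is kept in case loading the config is a needed side effect — TODO confirm
    $sefConfig =& shRouter::shGetConfig();
    // specific filters
    if (class_exists('InputFilter')) {
        $iFilter = new InputFilter();
        $url = $iFilter->process($url);
        if (!empty($msg)) {
            $msg = $iFilter->process($msg);
        }
        if ($iFilter->badAttributeValue(array('href', $url))) {
            $url = $GLOBALS['shConfigLiveSite'];
        }
    }
    // If the message exists, enqueue it
    if (JString::trim($msg)) {
        $mainframe->enqueueMessage($msg, $msgType);
    }
    // Persist messages if they exist
    if (count($mainframe->_messageQueue)) {
        $session =& JFactory::getSession();
        $session->set('application.queue', $mainframe->_messageQueue);
    }
    if (headers_sent()) {
        // Emit the URL as a JSON string literal: quotes, backslashes, '<' and '&'
        // are hex-escaped, so the value cannot break out of the JS string or the
        // <script> element. json_encode() returns false for invalid UTF-8; in that
        // case no script is emitted at all rather than a broken one.
        $jsUrl = json_encode((string) $url, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP);
        if ($jsUrl !== false) {
            echo "<script>document.location.href=" . $jsUrl . ";</script>\n";
        }
    } else {
        // clear output buffer (only when one is active, instead of suppressing the notice)
        if (ob_get_level() > 0) {
            ob_end_clean();
        }
        switch ($redirKind) {
            case '302':
                $redirHeader = 'HTTP/1.1 302 Moved Temporarily';
                break;
            case '303':
                $redirHeader = 'HTTP/1.1 303 See Other';
                break;
            default:
                $redirHeader = 'HTTP/1.1 301 Moved Permanently';
                break;
        }
        header($redirHeader);
        header("Location: " . $url);
    }
    $mainframe->close();
}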
     $surveyid = sRandomChars(5, '123456789');
     $isquery = "SELECT sid FROM " . db_table_name('surveys') . " WHERE sid={$surveyid}";
     $isresult = db_execute_assoc($isquery);
     // Checked
 } while ($isresult->RecordCount() > 0);
 if (!isset($_POST['template'])) {
     $_POST['template'] = 'default';
 }
 // Fall back to the default template unless the user is a superadmin, may manage
 // templates globally, or has rights on the specific template that was posted.
 if ($_SESSION['USER_RIGHT_SUPERADMIN'] != 1 && $_SESSION['USER_RIGHT_MANAGE_TEMPLATE'] != 1 && !hasTemplateManageRights($_SESSION['loginID'], $_POST['template'])) {
     $_POST['template'] = "default";
 }
 // insert base language into surveys_language_settings
 // The four HTML-bearing fields are rewritten in place. With $filterxsshtml they go
 // through InputFilter('', '', 1, 1, 1) (empty tag and attribute lists; the three
 // flags appear to be tag method, attribute method and xss auto-clean, going by the
 // parameter names used for this constructor elsewhere — confirm). Without it they
 // are only entity-decoded and keep whatever markup was submitted.
 if ($filterxsshtml) {
     require_once "../classes/inputfilter/class.inputfilter_clean.php";
     $myFilter = new InputFilter('', '', 1, 1, 1);
     $_POST['surveyls_title'] = $myFilter->process($_POST['surveyls_title']);
     $_POST['description'] = $myFilter->process($_POST['description']);
     $_POST['welcome'] = $myFilter->process($_POST['welcome']);
     $_POST['urldescrip'] = $myFilter->process($_POST['urldescrip']);
 } else {
     $_POST['surveyls_title'] = html_entity_decode($_POST['surveyls_title'], ENT_QUOTES, "UTF-8");
     $_POST['description'] = html_entity_decode($_POST['description'], ENT_QUOTES, "UTF-8");
     $_POST['welcome'] = html_entity_decode($_POST['welcome'], ENT_QUOTES, "UTF-8");
     $_POST['urldescrip'] = html_entity_decode($_POST['urldescrip'], ENT_QUOTES, "UTF-8");
 }
 //make sure only numbers are passed within the $_POST variable
 $_POST['dateformat'] = (int) $_POST['dateformat'];
 $_POST['tokenlength'] = (int) $_POST['tokenlength'];
 if (trim($_POST['expires']) == '') {
     $_POST['expires'] = null;
 } else {
//Preprocessing
if ($error == false) {
    // Raw user text/html from the request ($_REQUEST: GET, POST or cookie); '' when absent.
    $the_text = isset($_REQUEST['thetext']) ? $_REQUEST['thetext'] : '';
    $the_html = isset($_REQUEST['thehtml']) ? $_REQUEST['thehtml'] : '';
    if (isset($_REQUEST['toStep2'])) {
        // Step 2: plain text -> HTML. The text is entity-escaped, newlines become <br />,
        // and the result is escaped a second time so the generated markup is shown literally.
        $tplname = 'htmlprev_step2';
        $the_html = htmlspecialchars(mb_ereg_replace("\n", "<br />\n", stripslashes(htmlspecialchars($the_text, ENT_COMPAT, 'UTF-8'))), ENT_COMPAT, 'UTF-8');
    } else {
        if (isset($_REQUEST['toStep3'])) {
            global $rootpath, $stylepath;
            //check the html ...
            require_once $rootpath . 'lib/class.inputfilter.php';
            require_once $stylepath . '/htmlprev.inc.php';
            // $allowedtags / $allowedattr are presumably defined by htmlprev.inc.php. This
            // InputFilter pass is the only step between the submitted HTML and the 'thecode'
            // template variable, which is set below without further escaping.
            $myFilter = new InputFilter($allowedtags, $allowedattr, 0, 0, 1);
            $orghtml = $the_html;
            $the_html = $myFilter->process($the_html);
            $tplname = 'htmlprev_step3';
            // original input shown escaped, filtered result shown both raw and escaped
            tpl_set_var('orghtml', htmlspecialchars($orghtml, ENT_COMPAT, 'UTF-8'));
            tpl_set_var('thecode', $the_html);
            tpl_set_var('thehtmlcode', nl2br(stripslashes(htmlspecialchars($the_html, ENT_COMPAT, 'UTF-8'))));
        } else {
            if (isset($_REQUEST['backStep2'])) {
                $tplname = 'htmlprev_step2';
                $the_html = stripslashes(htmlspecialchars($the_html, ENT_COMPAT, 'UTF-8'));
            } else {
                //start
                $tplname = 'htmlprev';
            }
        }
    }
    // the plain text is always echoed back escaped, whichever step was taken
    tpl_set_var('thetext', stripslashes(htmlspecialchars($the_text, ENT_COMPAT, 'UTF-8')));
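<?php
// Single full '<?php' block: the previous '<?' short tag depends on short_open_tag
// and would otherwise be sent to the client as literal text, including these paths.
include("../ressources/.mysql_common.php");
require_once("class.inputfilter_clean.php");

// InputFilter with no allowed tags or attributes and automatic XSS cleaning.
$tags = '';
$attr = '';
$tag_method = 0;
$attr_method = 0;
$xss_auto = 1;
$myFilter = new InputFilter($tags, $attr, $tag_method, $attr_method, $xss_auto);
// submitbutton=Udlever1
// Missing query parameters default to '' instead of raising an undefined-index notice.
$divisionday = $myFilter->process(isset($_GET["divisionday"]) ? $_GET["divisionday"] : '');
$uid = $myFilter->process(isset($_GET["submitbutton"]) ? $_GET["submitbutton"] : '');
$orderline_uid = str_replace('Udlever', '', $uid);
// Both request values enter the SQL only through the (int) casts below; the
// InputFilter pass above is not what keeps the query safe.
$query = 'SELECT 
		ff_orderlines.item as article, ff_pickupdates.pickupdate as pickupdate, ff_divisions.name as name, ff_items.units, ff_items.measure, ff_producttypes.explained as txt, ff_orderlines.quant,
		ff_persons.firstname, ff_persons.middlename, ff_persons.lastname, ff_persons.tel, ff_persons.email, ff_persons.uid as medlem, ff_orderlines.status2, ff_orderlines.uid
		FROM ff_orderlines, ff_orderhead, ff_items, ff_producttypes, ff_pickupdates, ff_divisions, ff_persons
		WHERE ff_orderlines.orderno = ff_orderhead.orderno 
		AND ((ff_orderhead.status1 = "kontant") or (ff_orderhead.status1 = "nets"))
		AND ff_orderlines.item = ff_items.id
		AND ff_items.producttype_id = ff_producttypes.id 	
		AND ff_orderlines.iteminfo = ff_pickupdates.uid
		AND ff_divisions.uid = ff_pickupdates.division
		AND ff_pickupdates.division = ff_items.division
		AND ff_orderlines.puid = ff_persons.uid
		AND ff_pickupdates.uid = ' . (int) $divisionday . '
		AND ff_orderlines.uid = ' . (int) $orderline_uid . '
		ORDER BY ff_pickupdates.pickupdate, ff_producttypes.explained ';
$result = doquery($query);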
     tpl_set_var('GeoKretyApiConfigured', 'none');
     tpl_set_var('GeoKretApiSelector', '');
 }
 // descMode is depreciated. this was description type. Now all description are in html, then always use 3 for back compatibility
 $descMode = 3;
 // for old versions of OCProp: a form posted with 'submit' but without the
 // 'version2' marker is treated as the legacy plain-text client
 if (isset($_POST['submit']) && !isset($_POST['version2'])) {
     $descMode = 1;
     $_POST['submitform'] = $_POST['submit'];
     // legacy clients send ISO-8859-1; convert before any escaping happens
     $log_text = iconv("ISO-8859-1", "UTF-8", $log_text);
 }
 if ($descMode != 1) {
     // check input
     // HTML mode: only $allowedtags / $allowedattr survive InputFilter, the rest is stripped
     require_once $rootpath . 'lib/class.inputfilter.php';
     $myFilter = new InputFilter($allowedtags, $allowedattr, 0, 0, 1);
     $log_text = $myFilter->process($log_text);
 } else {
     // escape text
     // plain-text mode: no markup survives, line breaks become <br />
     //if( $all_ok )
     $log_text = nl2br(htmlspecialchars($log_text, ENT_COMPAT, 'UTF-8'));
     //else
     //$log_text = strip_tags(htmlspecialchars($log_text, ENT_COMPAT, 'UTF-8'));
 }
 //setting tpl messages if they should be not visible.
 tpl_set_var('lat_message', '');
 tpl_set_var('lon_message', '');
 //validate data
 if (is_numeric($log_date_month) && is_numeric($log_date_day) && is_numeric($log_date_year) && is_numeric($log_date_hour) && is_numeric($log_date_min)) {
     $date_not_ok = checkdate($log_date_month, $log_date_day, $log_date_year) == false || $log_date_hour < 0 || $log_date_hour > 23 || $log_date_min < 0 || $log_date_min > 60;
     if ($date_not_ok == false) {
         if (isset($_POST['submitform'])) {
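/**
 * Utility function redirect the browser location to another url
 *
 * Can optionally provide a message, which is appended to $url as the
 * urlencoded 'extmsg' query parameter. Both values pass through InputFilter;
 * a $url that fails the href attribute check is replaced by
 * $GLOBALS['home_dir']. When headers were already sent the redirect falls
 * back to an inline script. Never returns: the script exits afterwards.
 *
 * @param string $url The destination URL
 * @param string $msg Optional message to pass along as 'extmsg'
 * @return void
 */
function extRedirect($url, $msg = '')
{
    // specific filters
    $iFilter = new InputFilter();
    $url = $iFilter->process($url);
    if (!empty($msg)) {
        $msg = $iFilter->process($msg);
    }
    if ($iFilter->badAttributeValue(array('href', $url))) {
        $url = $GLOBALS['home_dir'];
    }
    if (trim($msg)) {
        // strict check: a '?' at offset 0 makes strpos() return 0, which is falsy
        $separator = (strpos($url, '?') !== false) ? '&' : '?';
        $url .= $separator . 'extmsg=' . urlencode($msg);
    }
    if (headers_sent()) {
        // Emit the URL as a JSON string literal: quotes, backslashes, '<' and '&'
        // are hex-escaped, so the value cannot break out of the JS string or the
        // <script> element. json_encode() returns false for invalid UTF-8; then no
        // script is emitted at all rather than a broken one.
        $jsUrl = json_encode((string) $url, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP);
        if ($jsUrl !== false) {
            echo "<script>document.location.href=" . $jsUrl . ";</script>\n";
        }
    } else {
        // clear output buffer (only when one is active, instead of suppressing the notice)
        if (ob_get_level() > 0) {
            ob_end_clean();
        }
        header('HTTP/1.1 301 Moved Permanently');
        header("Location: " . $url);
    }
    exit;
}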
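/**
 * Strips disallowed HTML from $text using the bundled InputFilter.
 *
 * Two InputFilter generations are supported: a newer one exposing a static
 * process($text, $options), and an older one (detected by the presence of a
 * safeSQL method) that is instantiated with the allowed-tag list and whose
 * attribute blacklist is extended with $forbidden_attr.
 *
 * @param string      $text           HTML to clean
 * @param string|null $allowable_tags Comma-separated tag names to keep (spaces ignored)
 * @param array|null  $forbidden_attr Attribute names to add to the blacklist
 * @return string Filtered text
 */
function cleanHTML($text, $allowable_tags = null, $forbidden_attr = null)
{
    // INCLUDE FILTER CLASS
    if (!class_exists("InputFilter")) {
        require SE_ROOT . "/include/class_inputfilter.php";
    }
    // New method
    if (!method_exists('InputFilter', 'safeSQL')) {
        return InputFilter::process($text, array('allowedTags' => $allowable_tags, 'forbiddenAttributes' => $forbidden_attr));
    }
    // INSTANTIATE INPUT FILTER CLASS WITH APPROPRIATE TAGS
    $allowedTagList = explode(",", str_replace(" ", "", (string) $allowable_tags));
    $xssFilter = new InputFilter($allowedTagList, "", 0, 1, 1);
    // ADD NECESSARY BLACKLIST ITEMS
    // guarded explicitly: count() on null (the default) is a TypeError on PHP 8
    if (is_array($forbidden_attr)) {
        foreach ($forbidden_attr as $attrName) {
            $xssFilter->attrBlacklist[] = $attrName;
        }
    }
    // RETURN PROCESSED TEXT
    return $xssFilter->process($text);
}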
         if ($first == true) {
             $first = false;
             $aid = $connect->Insert_ID(db_table_name_nq('assessments'), "id");
         }
     }
 } elseif ($action == "assessmentupdate") {
     // InputFilter is only loaded when XSS filtering is enabled; the process()
     // calls inside the loop are guarded by the same flag.
     if ($filterxsshtml) {
         require_once "../classes/inputfilter/class.inputfilter_clean.php";
         $myFilter = new InputFilter('', '', 1, 1, 1);
     }
     foreach ($assessmentlangs as $assessmentlang) {
         if (!isset($_POST['gid'])) {
             $_POST['gid'] = 0;
         }
         if ($filterxsshtml) {
             $_POST['name_' . $assessmentlang] = $myFilter->process($_POST['name_' . $assessmentlang]);
             $_POST['assessmentmessage_' . $assessmentlang] = $myFilter->process($_POST['assessmentmessage_' . $assessmentlang]);
         }
         // Every posted value enters the statement through db_quote() / sanitize_int() /
         // sanitize_signedint(). $assessmentlang is interpolated directly; it comes from
         // $assessmentlangs, presumably not request-controlled — confirm.
         $query = "UPDATE {$dbprefix}assessments\n\t\t\t          SET scope='" . db_quote($_POST['scope'], true) . "',\n\t\t\t          gid=" . sanitize_int($_POST['gid']) . ",\n\t\t\t          minimum='" . sanitize_signedint($_POST['minimum']) . "',\n\t\t\t          maximum='" . sanitize_signedint($_POST['maximum']) . "',\n\t\t\t          name='" . db_quote($_POST['name_' . $assessmentlang], true) . "',\n\t\t\t          message='" . db_quote($_POST['assessmentmessage_' . $assessmentlang], true) . "'\n\t\t\t          WHERE language='{$assessmentlang}' and id=" . sanitize_int($_POST['id']);
         // NOTE(review): on failure the whole query, user-supplied values included, is
         // echoed back through safe_die().
         $result = $connect->Execute($query) or safe_die("Error updating<br />{$query}<br />" . $connect->ErrorMsg());
     }
 } elseif ($action == "assessmentdelete") {
     // only the integer id reaches the statement
     $query = "DELETE FROM {$dbprefix}assessments\n\t\t\t\t  WHERE id=" . sanitize_int($_POST['id']);
     $result = $connect->Execute($query);
 }
 $assessmentsoutput = PrepareEditorScript();
 $assessmentsoutput .= "<script type=\"text/javascript\">\n                        <!-- \n                            var strnogroup='" . $clang->gT("There are no groups available.", "js") . "';\n                        --></script>\n";
 $assessmentsoutput .= "<div class='menubar'>\n" . "\t<div class='menubar-title'>\n" . "<strong>" . $clang->gT("Assessments") . "</strong>\n";
 $assessmentsoutput .= "\t</div>\n" . "\t<div class='menubar-main'>\n" . "<div class='menubar-left'>\n" . "\t<a href=\"#\" onclick=\"window.open('{$scriptname}?sid={$surveyid}', '_top')\" title='" . $clang->gTview("Return to survey administration") . "'>" . "<img name='Administration' src='{$imagefiles}/home.png' alt='" . $clang->gT("Return to survey administration") . "' /></a>\n" . "\t<img src='{$imagefiles}/blank.gif' alt='' width='11'  />\n" . "\t<img src='{$imagefiles}/seperator.gif' alt='' />\n";
 if ($surveyinfo['assessments'] != 'Y') {
     $assessmentsoutput .= '<span style="font-size:11px;">' . sprintf($clang->gT("Notice: Assessment mode for this survey is not activated. You can activate it in the %s survey settings %s (tab 'Notification & data management')."), '<a href="admin.php?action=editsurvey&amp;sid=' . $surveyid . '">', '</a>') . '</span>';
 if ($usr == false) {
     // not logged in: send to the login page with the current page as return target
     $target = urlencode(tpl_get_current_page());
     tpl_redirect('login.php?target=' . $target);
 } else {
     $tplname = 'myroutes';
     $user_id = $usr['userid'];
     // parameterised query: user_id is bound, not interpolated
     $route_rs = XDb::xSql("SELECT `route_id` ,`description` `desc`, `name`,`radius`,`length`\n            FROM `routes`  WHERE `user_id`= ?\n            ORDER BY `route_id` DESC", $user_id);
     if ($routes_record = XDb::xFetchArray($route_rs)) {
         $routes .= '<div class="headitems">';
         $routes .= '<div style="width:80px;" class="myr">' . tr('route_name') . '</div><div class="ver">&nbsp;</div><div style="width:295px;" class="myr">&nbsp;' . tr('route_desc') . '</div><div class="ver">&nbsp;</div><div style="width:60px;" class="myr">&nbsp;' . tr('radius') . '</div><div class="ver">&nbsp;</div><div style="width:60px;" class="myr">&nbsp;' . tr('length') . '</div><div class="ver">&nbsp;</div><div style="width:70px;" class="myr">&nbsp;' . tr('caches') . '</div><div class="ver">&nbsp;</div><div style="width:50px;" class="myr">' . tr('edit') . '</div><div class="ver">&nbsp;</div><div style="width:20px;" class="myr">&nbsp;' . tr('delete') . '</div></div>';
         do {
             $desc = $routes_record['desc'];
             if ($desc != '') {
                 // NOTE(review): require_once and a fresh InputFilter on every row; both
                 // could be hoisted above the loop with identical results.
                 require_once $rootpath . 'lib/class.inputfilter.php';
                 $myFilter = new InputFilter($allowedtags, $allowedattr, 0, 0, 1);
                 $desc = $myFilter->process($desc);
             }
             $routes .= '<div class="listitems">';
             //                          $routes .= '<div style="margin-left:5px;width:75px;" class="myr">'.$routes_record['name']. '</div><div class="ver35">&nbsp;</div><div style="width:295px;" class="myr">'.nl2br($desc).'</div><div class="ver35">&nbsp;</div><div style="width:60px;text-align:center;" class="myr">'.$routes_record['radius']. ' km</div><div class="ver35">&nbsp;</div><div style="width:60px;text-align:center;" class="myr">'.round($routes_record['length'],0). ' km</div><div class="ver35">&nbsp;</div><div style="width:70px;float:left;text-align:center;"><a class="links" href="myroutes_search.php?routeid='.$routes_record['route_id'].'"><img src="tpl/stdstyle/images/action/16x16-search.png" alt="" title="Search caches along route" /></a></div><div class="ver35">&nbsp;</div><div style="width:50px;float:left;text-align:center;"><a class="links" href="myroutes_edit.php?routeid='.$routes_record['route_id'].'"><img src="images/actions/edit-16.png" alt="" title="Edit route" /></a></div><div class="ver35">&nbsp;</div><div style="width:20px;float:left;text-align:center;"><a class="links" href="myroutes_edit.php?routeid='.$routes_record['route_id'].'&delete" onclick="return confirm(\'Czy chcesz usunąć tę trase?\');"><img src="tpl/stdstyle/images/log/16x16-trash.png" alt="" title="Usuń" /></a></div></div>';
             // NOTE(review): name, radius, length and route_id are interpolated into the
             // markup as-is; only desc went through InputFilter. If route names can carry
             // markup this is unescaped output — confirm where names are validated.
             $routes .= '<table border="0" class="myr"><tr><td style="margin-left:3px;width:75px;" class="myr">' . $routes_record['name'] . '</td><td width="2" style="border-right:solid thin #7fa2ca"></td>
                         <td style="width:297px;" class="myr">' . nl2br($desc) . '</td><td width="2" style="border-right:solid thin #7fa2ca"></td>
                         <td style="width:65px;" class="myr">' . $routes_record['radius'] . ' km</td><td width="2" style="border-right:solid thin #7fa2ca"></td>
                         <td style="width:62px;" class="myr">' . $routes_record['length'] . ' km</td><td width="2" style="border-right:solid thin #7fa2ca"></td>
                         <td style="width:73px;" class="myr"><a class="links" href="myroutes_search.php?routeid=' . $routes_record['route_id'] . '"><img src="tpl/stdstyle/images/action/16x16-search.png" alt="" title=' . tr("search_caches_along_route") . ' /></a></td><td width="2" style="border-right:solid thin #7fa2ca"></td>
                         <td style="width:53px;" class="myr"><a class="links" href="myroutes_edit.php?routeid=' . $routes_record['route_id'] . '"><img src="images/actions/edit-16.png" alt="" title=' . tr('edit_route') . ' /></a></td><td width="2" style="border-right:solid thin #7fa2ca"></td>
                         <td style="width:23px;" class="myr"><a class="links" href="myroutes_edit.php?routeid=' . $routes_record['route_id'] . '&delete" onclick="return confirm(\'' . tr("confirm_remove_route") . '\');"><img style="vertical-align: middle;" src="tpl/stdstyle/images/log/16x16-trash.png" alt="" title=' . tr('delete') . ' /></a></td></tr></table></div>';
         } while ($routes_record = XDb::xFetchArray($route_rs));
         $routes .= '';
         tpl_set_var('content', $routes);
     } else {
         tpl_set_var('content', "<div class=\"listitems\"><br/><center><span style=\"font-size:140%;font-weight:bold \">&nbsp;&nbsp;" . tr('no_routes') . "</span><br/><br/></center></div>");
        $importsurvey .= "<div class='errorheader'>" . $clang->gT("Error") . "</div>\n";
        $importsurvey .= $clang->gT("Import failed. You specified an invalid file type.") . "\n";
        $importerror = true;
    }
} elseif ($action == 'copysurvey') {
    $surveyid = sanitize_int($_POST['copysurveylist']);
    $exclude = array();
    // undo magic_quotes escaping so the name is filtered / decoded in its raw form
    if (get_magic_quotes_gpc()) {
        $sNewSurveyName = stripslashes($_POST['copysurveyname']);
    } else {
        $sNewSurveyName = $_POST['copysurveyname'];
    }
    // Unlike the other admin branches the filter class is loaded unconditionally;
    // only the process() call depends on $filterxsshtml. $sNewSurveyName is not
    // used again within this branch.
    require_once "../classes/inputfilter/class.inputfilter_clean.php";
    $myFilter = new InputFilter('', '', 1, 1, 1);
    if ($filterxsshtml) {
        $sNewSurveyName = $myFilter->process($sNewSurveyName);
    } else {
        $sNewSurveyName = html_entity_decode($sNewSurveyName, ENT_QUOTES, "UTF-8");
    }
    // each checked box adds an exclusion key that getXMLData() receives
    if (isset($_POST['copysurveyexcludequotas']) && $_POST['copysurveyexcludequotas'] == "on") {
        $exclude['quotas'] = true;
    }
    if (isset($_POST['copysurveyexcludeanswers']) && $_POST['copysurveyexcludeanswers'] == "on") {
        $exclude['answers'] = true;
    }
    if (isset($_POST['copysurveyresetconditions']) && $_POST['copysurveyresetconditions'] == "on") {
        $exclude['conditions'] = true;
    }
    include "export_structure_xml.php";
    $copysurveydata = getXMLData($exclude);
}
 /**
  * Removes illegal tags and attributes from html input
  *
  * Loads the phpinputfilter library on each call and runs $html through an
  * InputFilter built with empty tag and attribute lists and both methods
  * set to 1.
  *
  * @param string $html Markup to clean
  * @return string The filtered markup
  */
 function inputFilter($html)
 {
     // Replaced code to fix issue with img tags
     jimport('phpinputfilter.inputfilter');
     $noTags = array();
     $noAttributes = array();
     $sanitizer = new InputFilter($noTags, $noAttributes, 1, 1);
     $cleaned = $sanitizer->process($html);
     return $cleaned;
 }
             $_SESSION['adminlang'] = $browlang;
         } else {
             $_SESSION['adminlang'] = $fields['lang'];
         }
         $clang = new limesurvey_lang($_SESSION['adminlang']);
     }
     $login = true;
     $loginsummary .= "<div class='messagebox ui-corner-all'>\n";
     $loginsummary .= "<div class='header ui-widget-header'>" . $clang->gT("Logged in") . "</div>";
     $loginsummary .= "<br />" . sprintf($clang->gT("Welcome %s!"), $_SESSION['full_name']) . "<br />&nbsp;";
     $loginsummary .= "</div>\n";
     // Send the user back to the page they came from, unless that would be the logout action.
     if (isset($_POST['refererargs']) && $_POST['refererargs'] && strpos($_POST['refererargs'], "action=logout") === FALSE) {
         require_once "../classes/inputfilter/class.inputfilter_clean.php";
         $myFilter = new InputFilter('', '', 1, 1, 1);
         // Prevent XSS attacks
         $sRefererArg = $myFilter->process($_POST['refererargs']);
         // NOTE(review): $sRefererArg lands inside a double-quoted attribute without
         // htmlspecialchars(); the InputFilter pass is all that keeps a '"' out of the
         // meta tag — confirm that it strips quotes.
         $_SESSION['metaHeader'] = "<meta http-equiv=\"refresh\"" . " content=\"1;URL={$scriptname}?" . $sRefererArg . "\" />";
         $loginsummary .= "<p><font size='1'><i>" . $clang->gT("Reloading screen. Please wait.") . "</i></font>\n";
     }
     $loginsummary .= "<br /><br />\n";
     GetSessionUserRights($_SESSION['loginID']);
 } else {
     $query = fGetLoginAttemptUpdateQry($bLoginAttempted, $sIp);
     $result = $connect->Execute($query) or safe_die($query . "<br />" . $connect->ErrorMsg());
     if ($result) {
         // wrong or unknown username
         $loginsummary .= "<p>" . $clang->gT("Incorrect username and/or password!") . "<br />";
         if ($intNthAttempt + 1 >= $maxLoginAttempt) {
             $loginsummary .= sprintf($clang->gT("You have exceeded you maximum login attempts. Please wait %d minutes before trying again"), $timeOutTime / 60) . "<br />";
         }
         $loginsummary .= "<br /><a href='{$scriptname}'>" . $clang->gT("Continue") . "</a><br />&nbsp;\n";
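/**
 * Replaces every label of label set $lid with the labels posted in
 * $_POST['dataToSend'].
 *
 * The payload is an entity-encoded JSON object with a 'codelist' array, a
 * 'langs' array and one property per code holding 'code', 'assessmentvalue'
 * and one 'text_<lang>' per language. Existing labels of the set are deleted
 * and re-inserted in codelist order. Duplicate codes abort the update with a
 * JS alert appended to $labelsoutput; a payload that does not decode to the
 * expected shape is ignored without touching the database. Titles pass
 * through InputFilter when $filterxsshtml is on, otherwise they are only
 * entity-decoded and stored with whatever markup they carry. In ajax mode
 * ($_POST['ajax'] == "1") the label set is created first via
 * insertlabelset() and the request is terminated at the end.
 *
 * @param int|string $lid Label set id; coerced to int before it reaches SQL
 * @return void
 */
function modlabelsetanswers($lid)
{
    global $dbprefix, $connect, $clang, $labelsoutput, $databasetype, $filterxsshtml, $postsortorder;
    $ajax = isset($_POST['ajax']) && $_POST['ajax'] == "1";
    if (!isset($_POST['method'])) {
        $_POST['method'] = $clang->gT("Save");
    }
    $rawPayload = isset($_POST['dataToSend']) ? $_POST['dataToSend'] : '';
    $data = json_decode(html_entity_decode($rawPayload, ENT_QUOTES, "UTF-8"));
    if ($ajax) {
        $lid = insertlabelset();
    }
    // $lid is interpolated into the statements below, so it must be a plain integer.
    $lid = (int) $lid;

    // Anything but an object with a codelist array is rejected up front: previously a
    // malformed payload passed the duplicate check as 0 == 0 and deleted the set's labels.
    $codelist = null;
    if (is_object($data) && isset($data->{'codelist'}) && is_array($data->{'codelist'})) {
        $codelist = $data->{'codelist'};
    }
    $languages = (is_object($data) && isset($data->{'langs'}) && is_array($data->{'langs'})) ? $data->{'langs'} : array();

    if ($codelist === null) {
        // malformed payload: leave the label set untouched
    } elseif (count(array_unique($codelist)) == count($codelist)) {
        if ($filterxsshtml) {
            require_once "../classes/inputfilter/class.inputfilter_clean.php";
            $myFilter = new InputFilter('', '', 1, 1, 1);
        }
        $query = "DELETE FROM " . db_table_name('labels') . "  WHERE lid = {$lid}";
        $result = db_execute_assoc($query) or safe_die($connect->ErrorMsg());
        foreach ($codelist as $index => $codeid) {
            // each code has its own property on the payload object; skip codes without one
            if (!isset($data->{$codeid}) || !is_object($data->{$codeid})) {
                continue;
            }
            $codeObj = $data->{$codeid};
            $actualcode = db_quoteall($codeObj->{'code'}, true);
            $assessmentvalue = (int) $codeObj->{'assessmentvalue'};
            foreach ($languages as $lang) {
                $title = $codeObj->{'text_' . $lang};
                if ($filterxsshtml) {
                    $title = $myFilter->process($title);
                } else {
                    $title = html_entity_decode($title, ENT_QUOTES, "UTF-8");
                }
                // Fix bug with FCKEditor saving strange BR types
                $title = fix_FCKeditor_text($title);
                $title = db_quoteall($title, true);
                $sort_order = db_quoteall($index);
                $langQuoted = db_quoteall($lang);
                $query = "INSERT INTO " . db_table_name('labels') . " (lid,code,title,sortorder, assessment_value, language)\n                    VALUES({$lid},{$actualcode},{$title},{$sort_order},{$assessmentvalue},{$langQuoted})";
                $result = db_execute_assoc($query) or safe_die($connect->ErrorMsg());
            }
        }
        $_SESSION['flashmessage'] = $clang->gT("Labels sucessfully updated");
    } else {
        $labelsoutput .= "<script type=\"text/javascript\">\n<!--\n alert(\"" . $clang->gT("Can't update labels because you are using duplicated codes", "js") . "\")\n //-->\n</script>\n";
    }
    if ($ajax) {
        die;
    }
}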
		</div>
		<hr />

		<tr><td align="center"><br /><span style="color:red;"><strong>
		</strong></span><br />
		</table>
		<form  onsubmit="self.close()">
			<input type="submit" value="' . $clang->gT("Close Editor") . '" />
			<input type="hidden" name="checksessionbypost" value="' . $_SESSION['checksessionpost'] . '" />
		</form>
	</body>
	</html>';
} else {
    require_once "../classes/inputfilter/class.inputfilter_clean.php";
    $oFilter = new InputFilter('', '', 1, 1, 1);
    $fieldname = $oFilter->process($_GET['fieldname']);
    $fieldtext = $oFilter->process($_GET['fieldtext']);
    if (get_magic_quotes_gpc()) {
        $fieldtext = stripslashes($fieldtext);
    }
    // NOTE(review): the control ids are built from the raw $_GET['fieldname'], not from
    // the filtered $fieldname computed above — confirm whether that is intended.
    $controlidena = $_GET['fieldname'] . '_popupctrlena';
    $controliddis = $_GET['fieldname'] . '_popupctrldis';
    // numeric ids are coerced; fieldtype and action are reduced to [_.a-zA-Z0-9-]
    $sid = sanitize_int($_GET['sid']);
    $gid = sanitize_int($_GET['gid']);
    $qid = sanitize_int($_GET['qid']);
    $fieldtype = preg_replace("/[^_.a-zA-Z0-9-]/", "", $_GET['fieldtype']);
    $action = preg_replace("/[^_.a-zA-Z0-9-]/", "", $_GET['action']);
    $toolbarname = 'popup';
    $htmlformatoption = '';
    if ($fieldtype == 'email-inv' || $fieldtype == 'email-reg' || $fieldtype == 'email-conf' || $fieldtype == 'email-rem') {
        $htmlformatoption = ",fullPage:true";
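/**
 * Applies the label-editor form action to labelset $lid.
 *
 * Dispatches on the translated button label in $_POST['method']:
 *  - "Add new label": inserts $_POST['insertcode'] / 'inserttitle' /
 *                     'insertassessmentvalue' once per language of the set,
 *                     unless the code is already used in this set;
 *  - "Save Changes":  re-saves code, title and assessment value for every
 *                     entry listed in $_POST['sortorderids'] / 'codeids',
 *                     inserting a row when the UPDATE fails, then fixorder();
 *  - "Up" / "Dn":     swaps the sortorder of $postsortorder with its neighbour;
 *  - "Del":           deletes the label at $postsortorder, then fixorder().
 * Without a 'method' the "Save" label is assumed, which none of the cases
 * below handle (there is no default branch).
 *
 * Titles are cleaned by InputFilter when $filterxsshtml is set, otherwise
 * entity-decoded; fix_FCKeditor_text() runs before db_quoteall().
 * Failures append a JavaScript alert to the global $labelsoutput.
 *
 * @param int|string $lid Labelset id; coerced to int before it reaches SQL
 */
function modlabelsetanswers($lid)
{
    global $dbprefix, $connect, $clang, $labelsoutput, $databasetype, $filterxsshtml,$postsortorder;

    // Every identifier that is interpolated into SQL below is forced to an
    // integer here, so request data can only reach the queries through
    // db_quoteall()-quoted values.
    $lid = (int) $lid;
    $sortpos = (int) $postsortorder;

    $qulabelset = "SELECT * FROM ".db_table_name('labelsets')." WHERE lid='$lid'";
    $rslabelset = db_execute_assoc($qulabelset) or safe_die($connect->ErrorMsg());
    $rwlabelset=$rslabelset->FetchRow();
    $lslanguages=explode(" ", trim($rwlabelset['languages']));

    if (!isset($_POST['method'])) {
        $_POST['method'] = $clang->gT("Save");
    }
    switch($_POST['method'])
    {
        case $clang->gT("Add new label", "unescaped"):
            if (isset($_POST['insertcode']) && $_POST['insertcode']!='')
            {
                $_SESSION['nextlabelcode']=getNextCode($_POST['insertcode']);
                $_POST['insertcode'] = db_quoteall($_POST['insertcode'],true);
                // check that the code doesn't exist yet
                $query = "SELECT code FROM ".db_table_name('labels')." WHERE lid='$lid' AND code=".$_POST['insertcode'];
                $result = $connect->Execute($query);
                $codeoccurences=$result->RecordCount();
                if ($codeoccurences == 0)
                {
                    $query = "select max(sortorder) as maxorder from ".db_table_name('labels')." where lid='$lid'";
                    $result = $connect->Execute($query);
                    $newsortorder=sprintf("%05d", $result->fields['maxorder']+1);
                    if ($filterxsshtml)
                    {
                        require_once("../classes/inputfilter/class.inputfilter_clean.php");
                        $myFilter = new InputFilter('','',1,1,1);
                        $_POST['inserttitle']=$myFilter->process($_POST['inserttitle']);
                    }
                    else
                    {
                        $_POST['inserttitle'] = html_entity_decode($_POST['inserttitle'], ENT_QUOTES, "UTF-8");
                    }

                    // Fix bug with FCKEditor saving strange BR types
                    $_POST['inserttitle']=fix_FCKeditor_text($_POST['inserttitle']);

                    $_POST['inserttitle'] = db_quoteall($_POST['inserttitle'],true);
                    $_POST['insertassessmentvalue']=(int)$_POST['insertassessmentvalue'];
                    foreach ($lslanguages as $lslanguage)
                    {
                        db_switchIDInsert('labels',true);
                        $query = "INSERT INTO ".db_table_name('labels')." (lid, code, title, sortorder,language, assessment_value) VALUES ($lid, {$_POST['insertcode']}, {$_POST['inserttitle']}, '$newsortorder','$lslanguage',{$_POST['insertassessmentvalue']})";
                        if (!$result = $connect->Execute($query))
                        {
                            // NOTE(review): this alert exposes the full query and driver error to the browser; kept for parity with the other branches, logging would be the safer channel.
                            $labelsoutput.= "<script type=\"text/javascript\">\n<!--\n alert(\"".$clang->gT("Failed to insert label", "js")." - ".$query." - ".$connect->ErrorMsg()."\")\n //-->\n</script>\n";
                        }
                        db_switchIDInsert('labels',false);
                    }
                }
                else
                {
                    $labelsoutput.= "<script type=\"text/javascript\">\n<!--\n alert(\"".$clang->gT("This label code is already used in this labelset. Please choose another code or rename the existing one.", "js")."\")\n //-->\n</script>\n";
                }
            }
            break;

            // Save all labels with one button
        case $clang->gT("Save Changes", "unescaped"):
            //Determine autoids by evaluating the hidden field
            $sortorderids=explode(' ', trim(isset($_POST['sortorderids']) ? $_POST['sortorderids'] : ''));
            $codeids=explode(' ', trim(isset($_POST['codeids']) ? $_POST['codeids'] : ''));
            $count=0;
            $codevalues = array();

            // Quote each code_codeid first
            foreach ($codeids as $codeid)
            {
                $_POST['code_'.$codeid] = db_quoteall($_POST['code_'.$codeid],true);
                if (isset($_POST['oldcode_'.$codeid])) $_POST['oldcode_'.$codeid] = db_quoteall($_POST['oldcode_'.$codeid],true);
                // Get the code values to check for duplicates
                $codevalues[] = $_POST['code_'.$codeid];
            }

            // Check that there is no code duplicate
            if (count(array_unique($codevalues)) == count($codevalues))
            {
                if ($filterxsshtml)
                {
                    require_once("../classes/inputfilter/class.inputfilter_clean.php");
                    $myFilter = new InputFilter('','',1,1,1);
                }

                foreach ($sortorderids as $sortorderid)
                {
                    // The part after the last '_' is the sortorder; it is used bare in SQL, so it must be an int.
                    $orderid=(int)substr($sortorderid,strrpos($sortorderid,'_')+1,20);
                    // The assessment value is interpolated unquoted as well; a missing field counts as 0.
                    $assessmentvalue = isset($_POST['assessmentvalue_'.$codeids[$count]]) ? (int)$_POST['assessmentvalue_'.$codeids[$count]] : 0;
                    foreach ($lslanguages as $langid)
                    {
                        $titlekey = $langid . '_' . $orderid;
                        if ($filterxsshtml)
                        {
                            $_POST['title_'.$titlekey]=$myFilter->process($_POST['title_'.$titlekey]);
                        }
                        else
                        {
                            $_POST['title_'.$titlekey] = html_entity_decode($_POST['title_'.$titlekey], ENT_QUOTES, "UTF-8");
                        }

                        // Fix bug with FCKEditor saving strange BR types
                        $_POST['title_'.$titlekey]=fix_FCKeditor_text($_POST['title_'.$titlekey]);
                        $_POST['title_'.$titlekey] = db_quoteall($_POST['title_'.$titlekey],true);

                        $query = "UPDATE ".db_table_name('labels')." SET code=".$_POST['code_'.$codeids[$count]].", title={$_POST['title_'.$titlekey]}, assessment_value={$assessmentvalue} WHERE lid=$lid AND sortorder=$orderid AND language='$langid'";

                        if (!$result = $connect->Execute($query))
                        // if update didn't work we assume the label does not exist and insert it
                        // NOTE(review): an UPDATE matching zero rows may still return a truthy result, in which case this insert never runs — confirm against the driver.
                        {

                            $query = "insert into ".db_table_name('labels')." (code,title,lid,sortorder,language) VALUES (".$_POST['code_'.$codeids[$count]].", {$_POST['title_'.$titlekey]}, $lid , $orderid , '$langid')";
                            if (!$result = $connect->Execute($query))
                            {
                                $labelsoutput.= "<script type=\"text/javascript\">\n<!--\n alert(\"".$clang->gT("Failed to update label","js")." - ".$query." - ".$connect->ErrorMsg()."\")\n //-->\n</script>\n";
                            }
                        }
                    }
                    $count++;
                    if ($count>count($codeids)-1) {$count=0;}
                }
                fixorder($lid);
            }
            else
            {
                $labelsoutput.= "<script type=\"text/javascript\">\n<!--\n alert(\"".$clang->gT("Can't update labels because you are using duplicated codes","js")."\")\n //-->\n</script>\n";
            }

            break;

            // Pressing the Up button: park the neighbour at -1, move this row up, then drop the neighbour into the freed slot
        case $clang->gT("Up", "unescaped"):
            $newsortorder=$sortpos-1;
            $oldsortorder=$sortpos;
            $cdquery = "UPDATE ".db_table_name('labels')." SET sortorder=-1 WHERE lid=$lid AND sortorder=$newsortorder";
            $cdresult=$connect->Execute($cdquery) or safe_die($connect->ErrorMsg());
            $cdquery = "UPDATE ".db_table_name('labels')." SET sortorder=$newsortorder WHERE lid=$lid AND sortorder=$oldsortorder";
            $cdresult=$connect->Execute($cdquery) or safe_die($connect->ErrorMsg());
            $cdquery = "UPDATE ".db_table_name('labels')." SET sortorder='$oldsortorder' WHERE lid=$lid AND sortorder=-1";
            $cdresult=$connect->Execute($cdquery) or safe_die($connect->ErrorMsg());
            break;

            // Pressing the Down button: same three-step swap in the other direction
        case $clang->gT("Dn", "unescaped"):
            $newsortorder=$sortpos+1;
            $oldsortorder=$sortpos;
            $cdquery = "UPDATE ".db_table_name('labels')." SET sortorder=-1 WHERE lid=$lid AND sortorder='$newsortorder'";
            $cdresult=$connect->Execute($cdquery) or safe_die($connect->ErrorMsg());
            $cdquery = "UPDATE ".db_table_name('labels')." SET sortorder='$newsortorder' WHERE lid=$lid AND sortorder=$oldsortorder";
            $cdresult=$connect->Execute($cdquery) or safe_die($connect->ErrorMsg());
            $cdquery = "UPDATE ".db_table_name('labels')." SET sortorder=$oldsortorder WHERE lid=$lid AND sortorder=-1";
            $cdresult=$connect->Execute($cdquery) or safe_die($connect->ErrorMsg());
            break;

            // Delete Button
        case $clang->gT("Del", "unescaped"):
            $query = "DELETE FROM ".db_table_name('labels')." WHERE lid=$lid AND sortorder='{$sortpos}'";
            if (!$result = $connect->Execute($query))
            {
                $labelsoutput.= "<script type=\"text/javascript\">\n<!--\n alert(\"".$clang->gT("Failed to delete label","js")." - ".$query." - ".$connect->ErrorMsg()."\")\n //-->\n</script>\n";
            }
            fixorder($lid);
            break;
    }
}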
 /**
  * Runs $data through InputFilter configured with the given tag/attribute policy.
  * Only $data is required; the remaining parameters mirror InputFilter's constructor.
  *
  * @param mixed $data       string or array of strings to be 'cleaned'
  * @param array $tagsArray  user-defined tag list
  * @param array $attrArray  user-defined attribute list
  * @param int   $tagsMethod 0 = allow only user-defined tags, 1 = allow all but user-defined
  * @param int   $attrMethod 0 = allow only user-defined attributes, 1 = allow all but user-defined
  * @param int   $xssAuto    0 = only auto-clean essentials, 1 = also clean blacklisted tags/attributes
  * @return mixed the filtered value, in the same shape as $data
  */
 public function sanitizeInput($data, $tagsArray = array(), $attrArray = array(), $tagsMethod = 0, $attrMethod = 0, $xssAuto = 1)
 {
     G::LoadSystem('inputfilter');
     $inputFilter = new InputFilter($tagsArray, $attrArray, $tagsMethod, $attrMethod, $xssAuto);
     $cleaned = $inputFilter->process($data);
     return $cleaned;
 }
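/**
 * Stores a private message built from $_POST and e-mails the recipient.
 *
 * Binds the request onto a mosMessage, runs subject and body through
 * InputFilter, sends the message, then mails every user row whose id equals
 * the recipient id and whose sendEmail flag is '1'. Ends with a redirect to
 * the messages component; a bind failure echoes a JavaScript alert and exits.
 *
 * @param string $option component option name; not used inside the body
 */
function saveMessage($option)
{
    global $database, $mainframe, $my, $mosConfig_absolute_path;
    global $mosConfig_mailfrom, $mosConfig_fromname;
    require_once $mosConfig_absolute_path . "/includes/mambofunc.php";
    $row = new mosMessage($database);
    if (!$row->bind($_POST)) {
        echo "<script> alert('" . $row->getError() . "'); window.history.go(-1); </script>\n";
        exit;
    }
    require_once mamboCore::get('mosConfig_absolute_path') . '/includes/phpInputFilter/class.inputfilter.php';
    $iFilter = new InputFilter(null, null, 1, 1);
    $row->subject = trim($iFilter->process($row->subject));
    $row->message = trim($iFilter->process($row->message));
    if (!$row->send()) {
        mosRedirect("index2.php?option=com_messages&mosmsg=" . $row->getError());
        // mosRedirect is expected to end the request; the return guarantees that
        // a message which was not stored is never mailed even if it does not.
        return;
    }
    $msg = $row->subject . ' - ' . $row->message;
    // The recipient id was bound from the request; only an integer may reach the query.
    $recipientId = (int) $row->user_id_to;
    $sql = "SELECT a.id, a.name, a.email" . "\nFROM #__users AS a" . "\nWHERE a.sendEmail = '1'" . "\nAND a.id = '" . $recipientId . "'";
    $database->setQuery($sql);
    $recipients = $database->loadObjectList();
    if ($recipients) {
        // A distinct loop variable keeps the mosMessage in $row intact.
        foreach ($recipients as $recipient) {
            // NOTE(review): as in the original, the name in the subject is taken from the
            // recipient's own user row, not from the sender — confirm that is intended.
            $subject = "New private message from " . $recipient->name;
            mosMail($mosConfig_mailfrom, $mosConfig_fromname, $recipient->email, $subject, $msg);
        }
    }
    mosRedirect("index2.php?option=com_messages");
}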
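<?php

// The credentials in this URI are redacted on the page; in a deployment they
// belong in configuration outside the web root, never in source.
$mongo = new MongoClient('mongodb://*****:*****@ds052827.mongolab.com:52827/miblog');
$db = $mongo->selectDB("miblog");
$c_favoritos = $mongo->selectCollection($db, "favorito");
/////////////////////////////////
require_once 'seguridad/class.inputfilter.php';
$filtro = new InputFilter();
$_POST = $filtro->process($_POST);
////////////////////////////////////////
// One normalisation chain for every field, identical to what was stored before
// so existing documents keep the same encoding. Note that addslashes() and
// htmlspecialchars() are applied at storage time; output code must not encode again.
$limpiar = function ($valor) {
    return htmlspecialchars(addslashes(stripslashes(strip_tags(trim($valor)))));
};
// Reads a POST field through the chain; a missing field becomes ''.
$campo = function ($nombre) use ($limpiar) {
    return $limpiar(isset($_POST[$nombre]) ? $_POST[$nombre] : '');
};
$id = $campo('id');
$titulo = $campo('titulo');
$categoria = $campo('categoria');
$descripcion = $campo('descripcion');
$url = $campo('url');
////////////////////////////////////
// MongoId throws on anything that is not a 24-hex-char id; reject such input
// with a plain 400 instead of an uncaught exception.
if (!MongoId::isValid($id)) {
    header('HTTP/1.0 400 Bad Request');
    exit;
}
$condicion = array("_id" => new MongoId($id));
$modFavorito = array("titulo" => $titulo, "categoria" => $categoria, "descripcion" => $descripcion, "url" => $url);
// NOTE(review): update() without an operator such as '$set' replaces the whole
// document with $modFavorito — confirm no other fields are expected to survive.
$c_favoritos->update($condicion, $modFavorito);
header("Refresh: 0;url=principal.php?mensaje=3");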
//anti Cache pour HTTP/1.0
header("Pragma: no-cache");
if (isset($_POST['blabla']) && isset($_POST['cibl'])) {
    if (get_magic_quotes_gpc()) {
        require_once "/usr/share/lcs/Plugins/Cdt/Includes/class.inputfilter_clean.php";
    } else {
        require_once '../Includes/htmlpur/library/HTMLPurifier.auto.php';
    }
    // Connexion a la base de donnees
    require_once '../Includes/config.inc.php';
    //Creer la requete pour la mise a jour des donnees
    if (get_magic_quotes_gpc()) {
        $Contenu = htmlentities($_POST['blabla']);
        $Cib = htmlentities($_POST['cibl']);
        $oMyFilter = new InputFilter($aAllowedTags, $aAllowedAttr, 0, 0, 1);
        $cont = $oMyFilter->process($Contenu);
        $cible = $oMyFilter->process($Cib);
    } else {
        // htlmpurifier
        $Contenu = $_POST['blabla'];
        $Cib = addSlashes($_POST['cibl']);
        $config = HTMLPurifier_Config::createDefault();
        //$config->set('Core.Encoding', 'ISO-8859-15');
        $config->set('HTML.Doctype', 'XHTML 1.0 Strict');
        $purifier = new HTMLPurifier($config);
        $cont = $purifier->purify($Contenu);
        $cible = $purifier->purify($Cib);
        $cont = mysqli_real_escape_string($dbc, $cont);
    }
    $cible = $_POST['cibl'];
    $rq = "UPDATE  onglets SET postit='{$cont}' WHERE id_prof='{$cible}'";
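/**
 * Redirects the browser to $url, optionally enqueueing a message first.
 *
 * When InputFilter is loaded, $url and $msg are run through it and a URL that
 * badAttributeValue() rejects as an href is replaced by the site's default live
 * URL. Pending application messages are stored in the session so they survive
 * the redirect. If headers were already sent, an inline-script fallback is
 * echoed instead of a Location header.
 *
 * @param string $url       destination URL
 * @param string $msg       message to enqueue before redirecting; '' for none
 * @param string $redirKind status to send: '302', '303', or anything else for 301
 * @param string $msgType   message type handed to enqueueMessage()
 * @return void $mainframe->close() is expected to end the request
 */
function shRedirect( $url, $msg='', $redirKind = '301', $msgType='message' ) {

  $mainframe = JFactory::getApplication();
  // Kept although unused here: getConfig() may initialise the extension configuration as a side effect.
  $sefConfig = & Sh404sefFactory::getConfig();

  // specific filters
  if (class_exists('InputFilter')) {
    $iFilter = new InputFilter();
    $url = $iFilter->process( $url );
    if (!empty($msg)) {
      $msg = $iFilter->process( $msg );
    }

    if ($iFilter->badAttributeValue( array( 'href', $url ))) {
      $url = Sh404sefFactory::getPageInfo()->getDefaultLiveSite();
    }
  }

  // If the message exists, enqueue it
  if (JString::trim( $msg )) {
    $mainframe->enqueueMessage($msg, $msgType);
  }

  // Persist messages if they exist
  $queue = $mainframe->getMessageQueue();
  if (count($queue)) {
    $session = JFactory::getSession();
    $session->set('application.queue', $queue);
  }

  $document = JFactory::getDocument();
  @ob_end_clean(); // clear output buffer
  if (headers_sent()) {
    // The URL is emitted inside an inline script, so it must be a proper JS string
    // literal: json_encode quotes it and the HEX flags keep '<', '>', '&' and quotes
    // out of the markup so the value cannot terminate the string or the <script> element.
    $jsUrl = json_encode((string) $url, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP);
    // json_encode() returns false for invalid UTF-8; emit no redirect rather than broken script.
    $script = ($jsUrl === false) ? '' : '<script>document.location.href='.$jsUrl.';</script>';
    echo '<html><head><meta http-equiv="content-type" content="text/html; charset='.$document->getCharset().'" />'.$script.'</head><body></body></html>';
  } else {
    switch ($redirKind) {
      case '302':
        $redirHeader ='HTTP/1.1 302 Moved Temporarily';
        break;
      case '303':
        $redirHeader ='HTTP/1.1 303 See Other';
        break;
      default:
        $redirHeader = 'HTTP/1.1 301 Moved Permanently';
      break;
    }
    header( 'Cache-Control: no-cache');  // prevent Firefox5+ and IE9+ to consider this a cacheable redirect
    header( $redirHeader );
    header( 'Location: ' . $url );
    header( 'Content-Type: text/html; charset='.$document->getCharset());
  }
  $mainframe->close();
}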
 //Iterate through each language, and make sure there is a quota message for it
 $errorstring = '';
 foreach ($langs as $lang) {
     if (!$_POST['quotals_message_' . $lang]) {
         $errorstring .= GetLanguageNameFromCode($lang, false) . "\\n";
     }
 }
 if ($errorstring != '') {
     $quotasoutput .= "<script type=\"text/javascript\">\n<!--\n alert(\"" . $clang->gT("Quota could not be added.\\n\\nIt is missing a quota message for the following languages", "js") . ":\\n" . $errorstring . "\")\n //-->\n</script>\n";
 } else {
     require_once "../classes/inputfilter/class.inputfilter_clean.php";
     $myFilter = new InputFilter('', '', 1, 1, 1);
     foreach ($langs as $lang) {
         //Clean XSS
         if ($filterxsshtml) {
             $_POST['quotals_message_' . $lang] = $myFilter->process($_POST['quotals_message_' . $lang]);
         } else {
             $_POST['quotals_message_' . $lang] = html_entity_decode($_POST['quotals_message_' . $lang], ENT_QUOTES, "UTF-8");
         }
         // Fix bug with FCKEditor saving strange BR types
         $_POST['quotals_message_' . $lang] = fix_FCKeditor_text($_POST['quotals_message_' . $lang]);
         //Check to see if a matching language exists, and if not, INSERT one (no update possible)
         $query = "SELECT * FROM " . db_table_name('quota_languagesettings') . "\n                    WHERE quotals_quota_id = " . db_quote($_POST['quota_id'], true) . "\n                    AND quotals_language = '{$lang}'";
         $result = db_execute_assoc($query) or safe_die($connect->ErrorMsg());
         if ($result->RecordCount() > 0) {
             //Now save the language to the database:
             $query = "UPDATE " . db_table_name('quota_languagesettings') . "\n                        SET quotals_name='" . db_quote($_POST['quota_name'], true) . "',\n                        quotals_message='" . db_quote($_POST['quotals_message_' . $lang], true) . "'\n                        WHERE quotals_quota_id =" . db_quote($_POST['quota_id'], true) . "\n                        AND quotals_language = '{$lang}'";
             $connect->Execute($query) or safe_die($connect->ErrorMsg());
         } else {
             /* If there is no matching record for this language, create one */
             $query = "INSERT INTO " . db_table_name('quota_languagesettings') . "\n                        (quotals_quota_id,quotals_language,quotals_name,quotals_message,quotals_url,quotals_urldescrip)\n                        VALUES ('" . db_quote($_POST['quota_id']) . "', '{$lang}', '" . db_quote($_POST['quota_name'], true) . "',\n                        '" . db_quote($_POST['quotals_message_' . $lang], true) . "', '" . QUEXS_URL . "rs_quota_end.php" . "',\n                        '" . QUEXS_URL . "rs_quota_end.php" . "')";
 /**
  * Runs $var through self::cleaned() and then through InputFilter.
  *
  * @param mixed $var value to sanitize
  * @return mixed the value after cleaned() and InputFilter::process()
  */
 public static function Filter($var)
 {
     $inputFilter = new InputFilter();
     $precleaned = self::cleaned($var);
     return $inputFilter->process($precleaned);
 }
 /**
  * Returns a user state variable, refreshing it from the request when present.
  *
  * If $_REQUEST[$req_name] is set it overwrites the state; otherwise a missing
  * state entry is initialised with $var_default. The stored value is then
  * passed through InputFilter before being returned.
  *
  * @param string $var_name    name of the user state variable
  * @param string $req_name    name of the request variable that may override it
  * @param mixed  $var_default value used when neither request nor state has one
  * @return mixed the filtered state value, or null when no state array exists
  */
 function getUserStateFromRequest($var_name, $req_name, $var_default = null)
 {
     if (!is_array($this->_userstate)) {
         return null;
     }
     if (isset($_REQUEST[$req_name])) {
         $this->setUserState($var_name, $_REQUEST[$req_name]);
     } elseif (!isset($this->_userstate[$var_name])) {
         $this->setUserState($var_name, $var_default);
     }
     // filter input before handing it back and before it is kept in state
     $filter = new InputFilter();
     $filtered = $filter->process($this->_userstate[$var_name]);
     $this->_userstate[$var_name] = $filtered;
     return $filtered;
 }
//anti Cache pour HTTP/1.0
header("Pragma: no-cache");
if (isset($_POST['coursmod']) && isset($_POST['afmod']) && isset($_POST['cibl'])) {
    if (get_magic_quotes_gpc()) {
        require_once "/usr/share/lcs/Plugins/Cdt/Includes/class.inputfilter_clean.php";
    } else {
        require_once '../Includes/htmlpur/library/HTMLPurifier.auto.php';
    }
    // Connexion a la base de donnees
    require_once '../Includes/config.inc.php';
    if (get_magic_quotes_gpc()) {
        $Contenucours = htmlentities($_POST['coursmod']);
        $Contenuaf = htmlentities($_POST['afmod']);
        $Cib = htmlentities($_POST['cibl']);
        $oMyFilter = new InputFilter($aAllowedTags, $aAllowedAttr, 0, 0, 1);
        $cont1 = $oMyFilter->process($Contenucours);
        $cont2 = $oMyFilter->process($Contenuaf);
        $cible = $oMyFilter->process($Cib);
    } else {
        // htlmpurifier
        $Contenucours = $_POST['coursmod'];
        $Contenuaf = $_POST['afmod'];
        $Cib = addSlashes($_POST['cibl']);
        $config = HTMLPurifier_Config::createDefault();
        //$config->set('Core.Encoding', 'ISO-8859-15');
        $config->set('HTML.Doctype', 'XHTML 1.0 Strict');
        $purifier = new HTMLPurifier($config);
        //$Cours = addSlashes($Cours);
        $cont1 = $purifier->purify($Contenucours);
        $cont1 = utf8_decode(mysqli_real_escape_string($dbc, $cont1));
        $cont2 = $purifier->purify($Contenuaf);
 /**
  * Exercises InputFilter::process() under a range of constructor settings.
  *
  * Each `@new InputFilter(...)` call reconfigures the filter that the static
  * process() call uses afterwards, so the order of the assertions matters.
  */
 public function testProcess()
 {
     //  Default construction: plain strings and arrays pass through untouched ...
     @new InputFilter();
     $this->assertEquals('foo', InputFilter::process('foo'));
     $this->assertEquals(array('foo', 'bar'), InputFilter::process(array('foo', 'bar')));
     //  ... and every tag is stripped
     $this->assertEquals('foobar', InputFilter::process('<ok>foobar</ok>'));

     //  tagsMethod=1, attrMethod=1, xssAuto=1: allow everything except the blacklist
     @new InputFilter(array(), array(), 1, 1, 1);
     //  malformed tag names never survive
     $this->assertEquals('foobarmumble', InputFilter::process('foo<#$>bar</#$>mumble'));
     //  blacklisted tag and blacklisted attribute are removed
     $this->assertEquals('foobar', InputFilter::process('<body>foobar</body>'));
     $this->assertEquals('<ok>foobar</ok>', InputFilter::process('<ok action="yes">foobar</ok>'));

     //  xssAuto=0: the blacklist is not applied
     @new InputFilter(array(), array(), 1, 1, 0);
     $this->assertEquals('<body>foobar</body>', InputFilter::process('<body>foobar</body>'));
     $this->assertEquals('<ok action="yes">foobar</ok>', InputFilter::process('<ok action="yes">foobar</ok>'));

     //  tagsMethod=1: listed tags are the ones removed
     @new InputFilter(array('foo'), array(), 1, 1, 0);
     $this->assertEquals('mumble<bar>grumble</bar>', InputFilter::process('<foo>mumble</foo><bar>grumble</bar>'));
     //  tagsMethod=0: listed tags are the only ones kept
     @new InputFilter(array('foo'), array(), 0, 1, 0);
     $this->assertEquals('<foo>mumble</foo>grumble', InputFilter::process('<foo>mumble</foo><bar>grumble</bar>'));

     //  attrMethod=1: listed attributes are the ones removed
     @new InputFilter(array(), array('dangerous'), 1, 1, 0);
     $this->assertEquals('<foo safe="1">mumble</foo>', InputFilter::process('<foo safe="1" dangerous="1">mumble</foo>'));
     //  attrMethod=0: listed attributes are the only ones kept
     @new InputFilter(array(), array('dangerous'), 1, 0, 0);
     $this->assertEquals('<foo dangerous="1">mumble</foo>', InputFilter::process('<foo safe="1" dangerous="1">mumble</foo>'));

     //  whitelist of known-safe tags and attributes only
     @new InputFilter(array('div', 'span', 'strong', 'em'), array('id', 'class'), 0, 0, 0);
     $input = '<body class="full">mumble<span class="error" color="red">grumble</span>burfl</body>';
     $this->assertEquals('mumble<span class="error">grumble</span>burfl', InputFilter::process($input));
 }
 /**
  * Strips illegal tags and attributes from an HTML fragment.
  *
  * Uses an InputFilter that allows all tags and attributes except the
  * filter's own blacklist (tagsMethod=1, attrMethod=1).
  *
  * @param mixed $html HTML string (or array of strings) to clean
  * @return mixed the cleaned input
  */
 function inputFilter($html)
 {
     $cleaner = new InputFilter(array(), array(), 1, 1);
     $cleaned = $cleaner->process($html);
     return $cleaned;
 }