/**
* Filters public properties
* @access protected
* @param array List of fields to ignore
*/
function filter($ignoreList = null)
{
$ignore = is_array($ignoreList);
$iFilter = new InputFilter();
foreach ($this->getPublicProperties() as $k) {
if ($ignore && in_array($k, $ignoreList)) {
continue;
}
$this->{$k} = $iFilter->process($this->{$k});
}
}
/**
* @package Mambo
* @author Mambo Foundation Inc see README.php
* @copyright Mambo Foundation Inc.
* See COPYRIGHT.php for copyright notices and details.
* @license GNU/GPL Version 2, see LICENSE.php
* Mambo is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; version 2 of the License.
*/
function externalCallCheck($path, $secret)
{
if (isset($_COOKIE['mostlyce']['startup_key']) && isset($_COOKIE['mostlyce']['usertype'])) {
require_once $path . '/includes/phpInputFilter/class.inputfilter.php';
$iFilter = new InputFilter(null, null, 1, 1);
$startupKey = trim($iFilter->process($_COOKIE['mostlyce']['startup_key']));
//The MOStlyCE rebuild key should match this
$usertype = strtolower(str_replace(' ', '', trim($iFilter->process($_COOKIE['mostlyce']['usertype']))));
} else {
return false;
}
$env = md5($_SERVER['HTTP_USER_AGENT']);
$rebuildKey = md5($secret . $env . $_SERVER['REMOTE_ADDR']);
if ($rebuildKey !== $startupKey) {
return false;
}
//Valid user types
$vUsers = array('author', 'editor', 'publisher', 'manager', 'administrator', 'superadministrator');
if (!in_array($usertype, $vUsers)) {
return false;
}
return true;
}
function process()
{
$input_filter = new InputFilter();
$input_filter->process($this);
if (!is_null($this->request->get("method"))) {
$basic = array('reqip' => $this->request->userip . ':' . $this->request->clientip, 'uri' => $this->request->url, 'method' => $this->request->get("method"), 'logid' => $this->requestId);
} else {
$basic = array('reqip' => $this->request->userip . ':' . $this->request->clientip, 'uri' => $this->request->url, 'logid' => $this->requestId);
}
kc_log_addbasic($basic);
$dispatch = new Dispatch($this);
App::getTimer()->set('framework prepare');
$dispatch->dispatch_url($this->request->url);
$this->response->send();
KC_LOG_TRACE('[TIME COST STATISTIC] [ ' . App::getTimer()->getString() . ' ].');
}
/**
* Updates a particular model.
* @param integer $_GET['id'] the ID of the model to be updated
* @return updated comment text
*/
public function actionUpdate()
{
Yii::app()->end();
//disalow updates
// get Comments object from $id parameter
$model = $this->loadModel($_GET['id']);
// if Comments form exist and was called via ajax
if (isset($_POST['Comments']) && isset($_POST['ajax'])) {
// set form elements to Users model attributes
$model->attributes = $_POST['Comments'];
// clear tag from text
Yii::import('application.extensions.InputFilter.InputFilter');
$filter = new InputFilter(array('br', 'pre'));
$model->comment_text = $filter->process($model->comment_text);
// update comment
$model->save(false);
echo $model->comment_text;
}
Yii::app()->end();
}
function shRedirect($url, $msg = '', $redirKind = '301', $msgType = 'message')
{
global $mainframe;
$sefConfig =& shRouter::shGetConfig();
// specific filters
if (class_exists('InputFilter')) {
$iFilter = new InputFilter();
$url = $iFilter->process($url);
if (!empty($msg)) {
$msg = $iFilter->process($msg);
}
if ($iFilter->badAttributeValue(array('href', $url))) {
$url = $GLOBALS['shConfigLiveSite'];
}
}
// If the message exists, enqueue it
if (JString::trim($msg)) {
$mainframe->enqueueMessage($msg, $msgType);
}
// Persist messages if they exist
if (count($mainframe->_messageQueue)) {
$session =& JFactory::getSession();
$session->set('application.queue', $mainframe->_messageQueue);
}
if (headers_sent()) {
echo "<script>document.location.href='{$url}';</script>\n";
} else {
@ob_end_clean();
// clear output buffer
switch ($redirKind) {
case '302':
$redirHeader = 'HTTP/1.1 302 Moved Temporarily';
break;
case '303':
$redirHeader = 'HTTP/1.1 303 See Other';
break;
default:
$redirHeader = 'HTTP/1.1 301 Moved Permanently';
break;
}
header($redirHeader);
header("Location: " . $url);
}
$mainframe->close();
}
$surveyid = sRandomChars(5, '123456789');
$isquery = "SELECT sid FROM " . db_table_name('surveys') . " WHERE sid={$surveyid}";
$isresult = db_execute_assoc($isquery);
// Checked
} while ($isresult->RecordCount() > 0);
if (!isset($_POST['template'])) {
$_POST['template'] = 'default';
}
if ($_SESSION['USER_RIGHT_SUPERADMIN'] != 1 && $_SESSION['USER_RIGHT_MANAGE_TEMPLATE'] != 1 && !hasTemplateManageRights($_SESSION['loginID'], $_POST['template'])) {
$_POST['template'] = "default";
}
// insert base language into surveys_language_settings
if ($filterxsshtml) {
require_once "../classes/inputfilter/class.inputfilter_clean.php";
$myFilter = new InputFilter('', '', 1, 1, 1);
$_POST['surveyls_title'] = $myFilter->process($_POST['surveyls_title']);
$_POST['description'] = $myFilter->process($_POST['description']);
$_POST['welcome'] = $myFilter->process($_POST['welcome']);
$_POST['urldescrip'] = $myFilter->process($_POST['urldescrip']);
} else {
$_POST['surveyls_title'] = html_entity_decode($_POST['surveyls_title'], ENT_QUOTES, "UTF-8");
$_POST['description'] = html_entity_decode($_POST['description'], ENT_QUOTES, "UTF-8");
$_POST['welcome'] = html_entity_decode($_POST['welcome'], ENT_QUOTES, "UTF-8");
$_POST['urldescrip'] = html_entity_decode($_POST['urldescrip'], ENT_QUOTES, "UTF-8");
}
//make sure only numbers are passed within the $_POST variable
$_POST['dateformat'] = (int) $_POST['dateformat'];
$_POST['tokenlength'] = (int) $_POST['tokenlength'];
if (trim($_POST['expires']) == '') {
$_POST['expires'] = null;
} else {
//Preprocessing
if ($error == false) {
$the_text = isset($_REQUEST['thetext']) ? $_REQUEST['thetext'] : '';
$the_html = isset($_REQUEST['thehtml']) ? $_REQUEST['thehtml'] : '';
if (isset($_REQUEST['toStep2'])) {
$tplname = 'htmlprev_step2';
$the_html = htmlspecialchars(mb_ereg_replace("\n", "<br />\n", stripslashes(htmlspecialchars($the_text, ENT_COMPAT, 'UTF-8'))), ENT_COMPAT, 'UTF-8');
} else {
if (isset($_REQUEST['toStep3'])) {
global $rootpath, $stylepath;
//check the html ...
require_once $rootpath . 'lib/class.inputfilter.php';
require_once $stylepath . '/htmlprev.inc.php';
$myFilter = new InputFilter($allowedtags, $allowedattr, 0, 0, 1);
$orghtml = $the_html;
$the_html = $myFilter->process($the_html);
$tplname = 'htmlprev_step3';
tpl_set_var('orghtml', htmlspecialchars($orghtml, ENT_COMPAT, 'UTF-8'));
tpl_set_var('thecode', $the_html);
tpl_set_var('thehtmlcode', nl2br(stripslashes(htmlspecialchars($the_html, ENT_COMPAT, 'UTF-8'))));
} else {
if (isset($_REQUEST['backStep2'])) {
$tplname = 'htmlprev_step2';
$the_html = stripslashes(htmlspecialchars($the_html, ENT_COMPAT, 'UTF-8'));
} else {
//start
$tplname = 'htmlprev';
}
}
}
tpl_set_var('thetext', stripslashes(htmlspecialchars($the_text, ENT_COMPAT, 'UTF-8')));
<?
include("../ressources/.mysql_common.php");
require_once("class.inputfilter_clean.php");
?>
<?php
$tags = '';
$attr = '';
$tag_method = 0;
$attr_method = 0;
$xss_auto = 1;
$myFilter = new InputFilter($tags, $attr, $tag_method, $attr_method, $xss_auto);
// submitbutton=Udlever1
$divisionday = $myFilter->process($_GET["divisionday"]);
$uid = $myFilter->process($_GET["submitbutton"]);
$orderline_uid = str_replace('Udlever', '', $uid);
$query = 'SELECT
ff_orderlines.item as article, ff_pickupdates.pickupdate as pickupdate, ff_divisions.name as name, ff_items.units, ff_items.measure, ff_producttypes.explained as txt, ff_orderlines.quant,
ff_persons.firstname, ff_persons.middlename, ff_persons.lastname, ff_persons.tel, ff_persons.email, ff_persons.uid as medlem, ff_orderlines.status2, ff_orderlines.uid
FROM ff_orderlines, ff_orderhead, ff_items, ff_producttypes, ff_pickupdates, ff_divisions, ff_persons
WHERE ff_orderlines.orderno = ff_orderhead.orderno
AND ((ff_orderhead.status1 = "kontant") or (ff_orderhead.status1 = "nets"))
AND ff_orderlines.item = ff_items.id
AND ff_items.producttype_id = ff_producttypes.id
AND ff_orderlines.iteminfo = ff_pickupdates.uid
AND ff_divisions.uid = ff_pickupdates.division
AND ff_pickupdates.division = ff_items.division
AND ff_orderlines.puid = ff_persons.uid
AND ff_pickupdates.uid = ' . (int) $divisionday . '
AND ff_orderlines.uid = ' . (int) $orderline_uid . '
ORDER BY ff_pickupdates.pickupdate, ff_producttypes.explained ';
$result = doquery($query);
tpl_set_var('GeoKretyApiConfigured', 'none');
tpl_set_var('GeoKretApiSelector', '');
}
// descMode is depreciated. this was description type. Now all description are in html, then always use 3 for back compatibility
$descMode = 3;
// fuer alte Versionen von OCProp
if (isset($_POST['submit']) && !isset($_POST['version2'])) {
$descMode = 1;
$_POST['submitform'] = $_POST['submit'];
$log_text = iconv("ISO-8859-1", "UTF-8", $log_text);
}
if ($descMode != 1) {
// check input
require_once $rootpath . 'lib/class.inputfilter.php';
$myFilter = new InputFilter($allowedtags, $allowedattr, 0, 0, 1);
$log_text = $myFilter->process($log_text);
} else {
// escape text
//if( $all_ok )
$log_text = nl2br(htmlspecialchars($log_text, ENT_COMPAT, 'UTF-8'));
//else
//$log_text = strip_tags(htmlspecialchars($log_text, ENT_COMPAT, 'UTF-8'));
}
//setting tpl messages if they should be not visible.
tpl_set_var('lat_message', '');
tpl_set_var('lon_message', '');
//validate data
if (is_numeric($log_date_month) && is_numeric($log_date_day) && is_numeric($log_date_year) && is_numeric($log_date_hour) && is_numeric($log_date_min)) {
$date_not_ok = checkdate($log_date_month, $log_date_day, $log_date_year) == false || $log_date_hour < 0 || $log_date_hour > 23 || $log_date_min < 0 || $log_date_min > 60;
if ($date_not_ok == false) {
if (isset($_POST['submitform'])) {
/**
* Utility function redirect the browser location to another url
*
* Can optionally provide a message.
* @param string The file system path
* @param string A filter for the names
*/
function extRedirect($url, $msg = '')
{
global $mainframe;
// specific filters
$iFilter = new InputFilter();
$url = $iFilter->process($url);
if (!empty($msg)) {
$msg = $iFilter->process($msg);
}
if ($iFilter->badAttributeValue(array('href', $url))) {
$url = $GLOBALS['home_dir'];
}
if (trim($msg)) {
if (strpos($url, '?')) {
$url .= '&extmsg=' . urlencode($msg);
} else {
$url .= '?extmsg=' . urlencode($msg);
}
}
if (headers_sent()) {
echo "<script>document.location.href='{$url}';</script>\n";
} else {
@ob_end_clean();
// clear output buffer
header('HTTP/1.1 301 Moved Permanently');
header("Location: " . $url);
}
exit;
}
function cleanHTML($text, $allowable_tags = null, $forbidden_attr = null)
{
// INCLUDE FILTER CLASS
if (!class_exists("InputFilter")) {
require SE_ROOT . "/include/class_inputfilter.php";
}
// New method
if (!method_exists('InputFilter', 'safeSQL')) {
return InputFilter::process($text, array('allowedTags' => $allowable_tags, 'forbiddenAttributes' => $forbidden_attr));
} else {
// INSTANTIATE INPUT FILTER CLASS WITH APPROPRIATE TAGS
$xssFilter = new InputFilter(explode(",", str_replace(" ", "", $allowable_tags)), "", 0, 1, 1);
// ADD NECESSARY BLACKLIST ITEMS
for ($i = 0; $i < count($forbidden_attr); $i++) {
$xssFilter->attrBlacklist[] = $forbidden_attr[$i];
}
// RETURN PROCESSED TEXT
return $xssFilter->process($text);
}
}
if ($first == true) {
$first = false;
$aid = $connect->Insert_ID(db_table_name_nq('assessments'), "id");
}
}
} elseif ($action == "assessmentupdate") {
if ($filterxsshtml) {
require_once "../classes/inputfilter/class.inputfilter_clean.php";
$myFilter = new InputFilter('', '', 1, 1, 1);
}
foreach ($assessmentlangs as $assessmentlang) {
if (!isset($_POST['gid'])) {
$_POST['gid'] = 0;
}
if ($filterxsshtml) {
$_POST['name_' . $assessmentlang] = $myFilter->process($_POST['name_' . $assessmentlang]);
$_POST['assessmentmessage_' . $assessmentlang] = $myFilter->process($_POST['assessmentmessage_' . $assessmentlang]);
}
$query = "UPDATE {$dbprefix}assessments\n\t\t\t SET scope='" . db_quote($_POST['scope'], true) . "',\n\t\t\t gid=" . sanitize_int($_POST['gid']) . ",\n\t\t\t minimum='" . sanitize_signedint($_POST['minimum']) . "',\n\t\t\t maximum='" . sanitize_signedint($_POST['maximum']) . "',\n\t\t\t name='" . db_quote($_POST['name_' . $assessmentlang], true) . "',\n\t\t\t message='" . db_quote($_POST['assessmentmessage_' . $assessmentlang], true) . "'\n\t\t\t WHERE language='{$assessmentlang}' and id=" . sanitize_int($_POST['id']);
$result = $connect->Execute($query) or safe_die("Error updating<br />{$query}<br />" . $connect->ErrorMsg());
}
} elseif ($action == "assessmentdelete") {
$query = "DELETE FROM {$dbprefix}assessments\n\t\t\t\t WHERE id=" . sanitize_int($_POST['id']);
$result = $connect->Execute($query);
}
$assessmentsoutput = PrepareEditorScript();
$assessmentsoutput .= "<script type=\"text/javascript\">\n <!-- \n var strnogroup='" . $clang->gT("There are no groups available.", "js") . "';\n --></script>\n";
$assessmentsoutput .= "<div class='menubar'>\n" . "\t<div class='menubar-title'>\n" . "<strong>" . $clang->gT("Assessments") . "</strong>\n";
$assessmentsoutput .= "\t</div>\n" . "\t<div class='menubar-main'>\n" . "<div class='menubar-left'>\n" . "\t<a href=\"#\" onclick=\"window.open('{$scriptname}?sid={$surveyid}', '_top')\" title='" . $clang->gTview("Return to survey administration") . "'>" . "<img name='Administration' src='{$imagefiles}/home.png' alt='" . $clang->gT("Return to survey administration") . "' /></a>\n" . "\t<img src='{$imagefiles}/blank.gif' alt='' width='11' />\n" . "\t<img src='{$imagefiles}/seperator.gif' alt='' />\n";
if ($surveyinfo['assessments'] != 'Y') {
$assessmentsoutput .= '<span style="font-size:11px;">' . sprintf($clang->gT("Notice: Assessment mode for this survey is not activated. You can activate it in the %s survey settings %s (tab 'Notification & data management')."), '<a href="admin.php?action=editsurvey&sid=' . $surveyid . '">', '</a>') . '</span>';
if ($usr == false) {
$target = urlencode(tpl_get_current_page());
tpl_redirect('login.php?target=' . $target);
} else {
$tplname = 'myroutes';
$user_id = $usr['userid'];
$route_rs = XDb::xSql("SELECT `route_id` ,`description` `desc`, `name`,`radius`,`length`\n FROM `routes` WHERE `user_id`= ?\n ORDER BY `route_id` DESC", $user_id);
if ($routes_record = XDb::xFetchArray($route_rs)) {
$routes .= '<div class="headitems">';
$routes .= '<div style="width:80px;" class="myr">' . tr('route_name') . '</div><div class="ver"> </div><div style="width:295px;" class="myr"> ' . tr('route_desc') . '</div><div class="ver"> </div><div style="width:60px;" class="myr"> ' . tr('radius') . '</div><div class="ver"> </div><div style="width:60px;" class="myr"> ' . tr('length') . '</div><div class="ver"> </div><div style="width:70px;" class="myr"> ' . tr('caches') . '</div><div class="ver"> </div><div style="width:50px;" class="myr">' . tr('edit') . '</div><div class="ver"> </div><div style="width:20px;" class="myr"> ' . tr('delete') . '</div></div>';
do {
$desc = $routes_record['desc'];
if ($desc != '') {
require_once $rootpath . 'lib/class.inputfilter.php';
$myFilter = new InputFilter($allowedtags, $allowedattr, 0, 0, 1);
$desc = $myFilter->process($desc);
}
$routes .= '<div class="listitems">';
// $routes .= '<div style="margin-left:5px;width:75px;" class="myr">'.$routes_record['name']. '</div><div class="ver35"> </div><div style="width:295px;" class="myr">'.nl2br($desc).'</div><div class="ver35"> </div><div style="width:60px;text-align:center;" class="myr">'.$routes_record['radius']. ' km</div><div class="ver35"> </div><div style="width:60px;text-align:center;" class="myr">'.round($routes_record['length'],0). ' km</div><div class="ver35"> </div><div style="width:70px;float:left;text-align:center;"><a class="links" href="myroutes_search.php?routeid='.$routes_record['route_id'].'"><img src="tpl/stdstyle/images/action/16x16-search.png" alt="" title="Search caches along route" /></a></div><div class="ver35"> </div><div style="width:50px;float:left;text-align:center;"><a class="links" href="myroutes_edit.php?routeid='.$routes_record['route_id'].'"><img src="images/actions/edit-16.png" alt="" title="Edit route" /></a></div><div class="ver35"> </div><div style="width:20px;float:left;text-align:center;"><a class="links" href="myroutes_edit.php?routeid='.$routes_record['route_id'].'&delete" onclick="return confirm(\'Czy chcesz usunąć tę trase?\');"><img src="tpl/stdstyle/images/log/16x16-trash.png" alt="" title="Usuń" /></a></div></div>';
$routes .= '<table border="0" class="myr"><tr><td style="margin-left:3px;width:75px;" class="myr">' . $routes_record['name'] . '</td><td width="2" style="border-right:solid thin #7fa2ca"></td>
<td style="width:297px;" class="myr">' . nl2br($desc) . '</td><td width="2" style="border-right:solid thin #7fa2ca"></td>
<td style="width:65px;" class="myr">' . $routes_record['radius'] . ' km</td><td width="2" style="border-right:solid thin #7fa2ca"></td>
<td style="width:62px;" class="myr">' . $routes_record['length'] . ' km</td><td width="2" style="border-right:solid thin #7fa2ca"></td>
<td style="width:73px;" class="myr"><a class="links" href="myroutes_search.php?routeid=' . $routes_record['route_id'] . '"><img src="tpl/stdstyle/images/action/16x16-search.png" alt="" title=' . tr("search_caches_along_route") . ' /></a></td><td width="2" style="border-right:solid thin #7fa2ca"></td>
<td style="width:53px;" class="myr"><a class="links" href="myroutes_edit.php?routeid=' . $routes_record['route_id'] . '"><img src="images/actions/edit-16.png" alt="" title=' . tr('edit_route') . ' /></a></td><td width="2" style="border-right:solid thin #7fa2ca"></td>
<td style="width:23px;" class="myr"><a class="links" href="myroutes_edit.php?routeid=' . $routes_record['route_id'] . '&delete" onclick="return confirm(\'' . tr("confirm_remove_route") . '\');"><img style="vertical-align: middle;" src="tpl/stdstyle/images/log/16x16-trash.png" alt="" title=' . tr('delete') . ' /></a></td></tr></table></div>';
} while ($routes_record = XDb::xFetchArray($route_rs));
$routes .= '';
tpl_set_var('content', $routes);
} else {
tpl_set_var('content', "<div class=\"listitems\"><br/><center><span style=\"font-size:140%;font-weight:bold \"> " . tr('no_routes') . "</span><br/><br/></center></div>");
$importsurvey .= "<div class='errorheader'>" . $clang->gT("Error") . "</div>\n";
$importsurvey .= $clang->gT("Import failed. You specified an invalid file type.") . "\n";
$importerror = true;
}
} elseif ($action == 'copysurvey') {
$surveyid = sanitize_int($_POST['copysurveylist']);
$exclude = array();
if (get_magic_quotes_gpc()) {
$sNewSurveyName = stripslashes($_POST['copysurveyname']);
} else {
$sNewSurveyName = $_POST['copysurveyname'];
}
require_once "../classes/inputfilter/class.inputfilter_clean.php";
$myFilter = new InputFilter('', '', 1, 1, 1);
if ($filterxsshtml) {
$sNewSurveyName = $myFilter->process($sNewSurveyName);
} else {
$sNewSurveyName = html_entity_decode($sNewSurveyName, ENT_QUOTES, "UTF-8");
}
if (isset($_POST['copysurveyexcludequotas']) && $_POST['copysurveyexcludequotas'] == "on") {
$exclude['quotas'] = true;
}
if (isset($_POST['copysurveyexcludeanswers']) && $_POST['copysurveyexcludeanswers'] == "on") {
$exclude['answers'] = true;
}
if (isset($_POST['copysurveyresetconditions']) && $_POST['copysurveyresetconditions'] == "on") {
$exclude['conditions'] = true;
}
include "export_structure_xml.php";
$copysurveydata = getXMLData($exclude);
}
/**
* Removes illegal tags and attributes from html input
*/
function inputFilter($html)
{
// Replaced code to fix issue with img tags
jimport('phpinputfilter.inputfilter');
$filter = new InputFilter(array(), array(), 1, 1);
return $filter->process($html);
}
$_SESSION['adminlang'] = $browlang;
} else {
$_SESSION['adminlang'] = $fields['lang'];
}
$clang = new limesurvey_lang($_SESSION['adminlang']);
}
$login = true;
$loginsummary .= "<div class='messagebox ui-corner-all'>\n";
$loginsummary .= "<div class='header ui-widget-header'>" . $clang->gT("Logged in") . "</div>";
$loginsummary .= "<br />" . sprintf($clang->gT("Welcome %s!"), $_SESSION['full_name']) . "<br /> ";
$loginsummary .= "</div>\n";
if (isset($_POST['refererargs']) && $_POST['refererargs'] && strpos($_POST['refererargs'], "action=logout") === FALSE) {
require_once "../classes/inputfilter/class.inputfilter_clean.php";
$myFilter = new InputFilter('', '', 1, 1, 1);
// Prevent XSS attacks
$sRefererArg = $myFilter->process($_POST['refererargs']);
$_SESSION['metaHeader'] = "<meta http-equiv=\"refresh\"" . " content=\"1;URL={$scriptname}?" . $sRefererArg . "\" />";
$loginsummary .= "<p><font size='1'><i>" . $clang->gT("Reloading screen. Please wait.") . "</i></font>\n";
}
$loginsummary .= "<br /><br />\n";
GetSessionUserRights($_SESSION['loginID']);
} else {
$query = fGetLoginAttemptUpdateQry($bLoginAttempted, $sIp);
$result = $connect->Execute($query) or safe_die($query . "<br />" . $connect->ErrorMsg());
if ($result) {
// wrong or unknown username
$loginsummary .= "<p>" . $clang->gT("Incorrect username and/or password!") . "<br />";
if ($intNthAttempt + 1 >= $maxLoginAttempt) {
$loginsummary .= sprintf($clang->gT("You have exceeded you maximum login attempts. Please wait %d minutes before trying again"), $timeOutTime / 60) . "<br />";
}
$loginsummary .= "<br /><a href='{$scriptname}'>" . $clang->gT("Continue") . "</a><br /> \n";
function modlabelsetanswers($lid)
{
global $dbprefix, $connect, $clang, $labelsoutput, $databasetype, $filterxsshtml, $postsortorder;
$ajax = false;
if (isset($_POST['ajax']) && $_POST['ajax'] == "1") {
$ajax = true;
}
if (!isset($_POST['method'])) {
$_POST['method'] = $clang->gT("Save");
}
$data = json_decode(html_entity_decode($_POST['dataToSend'], ENT_QUOTES, "UTF-8"));
if ($ajax) {
$lid = insertlabelset();
}
if (count(array_unique($data->{'codelist'})) == count($data->{'codelist'})) {
if ($filterxsshtml) {
require_once "../classes/inputfilter/class.inputfilter_clean.php";
$myFilter = new InputFilter('', '', 1, 1, 1);
}
$query = "DELETE FROM " . db_table_name('labels') . " WHERE lid = {$lid}";
$result = db_execute_assoc($query) or safe_die($connect->ErrorMsg());
foreach ($data->{'codelist'} as $index => $codeid) {
$codeObj = $data->{$codeid};
$actualcode = db_quoteall($codeObj->{'code'}, true);
$codeid = db_quoteall($codeid, true);
$assessmentvalue = (int) $codeObj->{'assessmentvalue'};
foreach ($data->{'langs'} as $lang) {
$strTemp = 'text_' . $lang;
$title = $codeObj->{$strTemp};
if ($filterxsshtml) {
$title = $myFilter->process($title);
} else {
$title = html_entity_decode($title, ENT_QUOTES, "UTF-8");
}
// Fix bug with FCKEditor saving strange BR types
$title = fix_FCKeditor_text($title);
$title = db_quoteall($title, true);
$sort_order = db_quoteall($index);
$lang = db_quoteall($lang);
$query = "INSERT INTO " . db_table_name('labels') . " (lid,code,title,sortorder, assessment_value, language)\n VALUES({$lid},{$actualcode},{$title},{$sort_order},{$assessmentvalue},{$lang})";
$result = db_execute_assoc($query) or safe_die($connect->ErrorMsg());
}
}
$_SESSION['flashmessage'] = $clang->gT("Labels sucessfully updated");
} else {
$labelsoutput .= "<script type=\"text/javascript\">\n<!--\n alert(\"" . $clang->gT("Can't update labels because you are using duplicated codes", "js") . "\")\n //-->\n</script>\n";
}
if ($ajax) {
die;
}
}
</div>
<hr />
<tr><td align="center"><br /><span style="color:red;"><strong>
</strong></span><br />
</table>
<form onsubmit="self.close()">
<input type="submit" value="' . $clang->gT("Close Editor") . '" />
<input type="hidden" name="checksessionbypost" value="' . $_SESSION['checksessionpost'] . '" />
</form>
</body>
</html>';
} else {
require_once "../classes/inputfilter/class.inputfilter_clean.php";
$oFilter = new InputFilter('', '', 1, 1, 1);
$fieldname = $oFilter->process($_GET['fieldname']);
$fieldtext = $oFilter->process($_GET['fieldtext']);
if (get_magic_quotes_gpc()) {
$fieldtext = stripslashes($fieldtext);
}
$controlidena = $_GET['fieldname'] . '_popupctrlena';
$controliddis = $_GET['fieldname'] . '_popupctrldis';
$sid = sanitize_int($_GET['sid']);
$gid = sanitize_int($_GET['gid']);
$qid = sanitize_int($_GET['qid']);
$fieldtype = preg_replace("/[^_.a-zA-Z0-9-]/", "", $_GET['fieldtype']);
$action = preg_replace("/[^_.a-zA-Z0-9-]/", "", $_GET['action']);
$toolbarname = 'popup';
$htmlformatoption = '';
if ($fieldtype == 'email-inv' || $fieldtype == 'email-reg' || $fieldtype == 'email-conf' || $fieldtype == 'email-rem') {
$htmlformatoption = ",fullPage:true";
function modlabelsetanswers($lid)
{
global $dbprefix, $connect, $clang, $labelsoutput, $databasetype, $filterxsshtml,$postsortorder;
$qulabelset = "SELECT * FROM ".db_table_name('labelsets')." WHERE lid='$lid'";
$rslabelset = db_execute_assoc($qulabelset) or safe_die($connect->ErrorMsg());
$rwlabelset=$rslabelset->FetchRow();
$lslanguages=explode(" ", trim($rwlabelset['languages']));
if (!isset($_POST['method'])) {
$_POST['method'] = $clang->gT("Save");
}
switch($_POST['method'])
{
case $clang->gT("Add new label", "unescaped"):
if (isset($_POST['insertcode']) && $_POST['insertcode']!='')
{
$_SESSION['nextlabelcode']=getNextCode($_POST['insertcode']);
$_POST['insertcode'] = db_quoteall($_POST['insertcode'],true);
// check that the code doesn't exist yet
$query = "SELECT code FROM ".db_table_name('labels')." WHERE lid='$lid' AND code=".$_POST['insertcode'];
$result = $connect->Execute($query);
$codeoccurences=$result->RecordCount();
if ($codeoccurences == 0)
{
$query = "select max(sortorder) as maxorder from ".db_table_name('labels')." where lid='$lid'";
$result = $connect->Execute($query);
$newsortorder=sprintf("%05d", $result->fields['maxorder']+1);
if ($filterxsshtml)
{
require_once("../classes/inputfilter/class.inputfilter_clean.php");
$myFilter = new InputFilter('','',1,1,1);
$_POST['inserttitle']=$myFilter->process($_POST['inserttitle']);
}
else
{
$_POST['inserttitle'] = html_entity_decode($_POST['inserttitle'], ENT_QUOTES, "UTF-8");
}
// Fix bug with FCKEditor saving strange BR types
$_POST['inserttitle']=fix_FCKeditor_text($_POST['inserttitle']);
$_POST['inserttitle'] = db_quoteall($_POST['inserttitle'],true);
$_POST['insertassessmentvalue']=(int)$_POST['insertassessmentvalue'];
foreach ($lslanguages as $lslanguage)
{
db_switchIDInsert('labels',true);
$query = "INSERT INTO ".db_table_name('labels')." (lid, code, title, sortorder,language, assessment_value) VALUES ($lid, {$_POST['insertcode']}, {$_POST['inserttitle']}, '$newsortorder','$lslanguage',{$_POST['insertassessmentvalue']})";
if (!$result = $connect->Execute($query))
{
$labelsoutput.= "<script type=\"text/javascript\">\n<!--\n alert(\"".$clang->gT("Failed to insert label", "js")." - ".$query." - ".$connect->ErrorMsg()."\")\n //-->\n</script>\n";
}
db_switchIDInsert('labels',false);
}
}
else
{
$labelsoutput.= "<script type=\"text/javascript\">\n<!--\n alert(\"".$clang->gT("This label code is already used in this labelset. Please choose another code or rename the existing one.", "js")."\")\n //-->\n</script>\n";
}
}
break;
// Save all labels with one button
case $clang->gT("Save Changes", "unescaped"):
//Determine autoids by evaluating the hidden field
$sortorderids=explode(' ', trim($_POST['sortorderids']));
$codeids=explode(' ', trim($_POST['codeids']));
$count=0;
// Quote each code_codeid first
foreach ($codeids as $codeid)
{
$_POST['code_'.$codeid] = db_quoteall($_POST['code_'.$codeid],true);
if (isset($_POST['oldcode_'.$codeid])) $_POST['oldcode_'.$codeid] = db_quoteall($_POST['oldcode_'.$codeid],true);
// Get the code values to check for duplicates
$codevalues[] = $_POST['code_'.$codeid];
}
// Check that there is no code duplicate
if (count(array_unique($codevalues)) == count($codevalues))
{
if ($filterxsshtml)
{
require_once("../classes/inputfilter/class.inputfilter_clean.php");
$myFilter = new InputFilter('','',1,1,1);
}
foreach ($sortorderids as $sortorderid)
{
$orderid=substr($sortorderid,strrpos($sortorderid,'_')+1,20);
foreach ($lslanguages as $langid)
{
$sortorderid = $langid . '_' . $orderid;
if ($filterxsshtml)
{
$_POST['title_'.$sortorderid]=$myFilter->process($_POST['title_'.$sortorderid]);
}
else
{
$_POST['title_'.$sortorderid] = html_entity_decode($_POST['title_'.$sortorderid], ENT_QUOTES, "UTF-8");
}
// Fix bug with FCKEditor saving strange BR types
$_POST['title_'.$sortorderid]=fix_FCKeditor_text($_POST['title_'.$sortorderid]);
$_POST['title_'.$sortorderid] = db_quoteall($_POST['title_'.$sortorderid],true);
$query = "UPDATE ".db_table_name('labels')." SET code=".$_POST['code_'.$codeids[$count]].", title={$_POST['title_'.$sortorderid]}, assessment_value={$_POST['assessmentvalue_'.$codeids[$count]]} WHERE lid=$lid AND sortorder=$orderid AND language='$langid'";
if (!$result = $connect->Execute($query))
// if update didn't work we assume the label does not exist and insert it
{
$query = "insert into ".db_table_name('labels')." (code,title,lid,sortorder,language) VALUES (".$_POST['code_'.$codeids[$count]].", {$_POST['title_'.$sortorderid]}, $lid , $orderid , '$langid')";
if (!$result = $connect->Execute($query))
{
$labelsoutput.= "<script type=\"text/javascript\">\n<!--\n alert(\"".$clang->gT("Failed to update label","js")." - ".$query." - ".$connect->ErrorMsg()."\")\n //-->\n</script>\n";
}
}
}
$count++;
if ($count>count($codeids)-1) {$count=0;}
}
fixorder($lid);
}
else
{
$labelsoutput.= "<script type=\"text/javascript\">\n<!--\n alert(\"".$clang->gT("Can't update labels because you are using duplicated codes","js")."\")\n //-->\n</script>\n";
}
break;
// Pressing the Up button
case $clang->gT("Up", "unescaped"):
$newsortorder=$postsortorder-1;
$oldsortorder=$postsortorder;
$cdquery = "UPDATE ".db_table_name('labels')." SET sortorder=-1 WHERE lid=$lid AND sortorder=$newsortorder";
$cdresult=$connect->Execute($cdquery) or safe_die($connect->ErrorMsg());
$cdquery = "UPDATE ".db_table_name('labels')." SET sortorder=$newsortorder WHERE lid=$lid AND sortorder=$oldsortorder";
$cdresult=$connect->Execute($cdquery) or safe_die($connect->ErrorMsg());
$cdquery = "UPDATE ".db_table_name('labels')." SET sortorder='$oldsortorder' WHERE lid=$lid AND sortorder=-1";
$cdresult=$connect->Execute($cdquery) or safe_die($connect->ErrorMsg());
break;
// Pressing the Down button
case $clang->gT("Dn", "unescaped"):
$newsortorder=$postsortorder+1;
$oldsortorder=$postsortorder;
$cdquery = "UPDATE ".db_table_name('labels')." SET sortorder=-1 WHERE lid=$lid AND sortorder='$newsortorder'";
$cdresult=$connect->Execute($cdquery) or safe_die($connect->ErrorMsg());
$cdquery = "UPDATE ".db_table_name('labels')." SET sortorder='$newsortorder' WHERE lid=$lid AND sortorder=$oldsortorder";
$cdresult=$connect->Execute($cdquery) or safe_die($connect->ErrorMsg());
$cdquery = "UPDATE ".db_table_name('labels')." SET sortorder=$oldsortorder WHERE lid=$lid AND sortorder=-1";
$cdresult=$connect->Execute($cdquery) or safe_die($connect->ErrorMsg());
break;
// Delete Button
case $clang->gT("Del", "unescaped"):
$query = "DELETE FROM ".db_table_name('labels')." WHERE lid=$lid AND sortorder='{$postsortorder}'";
if (!$result = $connect->Execute($query))
{
$labelsoutput.= "<script type=\"text/javascript\">\n<!--\n alert(\"".$clang->gT("Failed to delete label","js")." - ".$query." - ".$connect->ErrorMsg()."\")\n //-->\n</script>\n";
}
fixorder($lid);
break;
}
}
/**
* Constructor for inputFilter class. Only first parameter is required.
* @access constructor
* @data Mixed - input string/array-of-string to be 'cleaned'
* @param Array $tagsArray - list of user-defined tags
* @param Array $attrArray - list of user-defined attributes
* @param int $tagsMethod - 0= allow just user-defined, 1= allow all but user-defined
* @param int $attrMethod - 0= allow just user-defined, 1= allow all but user-defined
* @param int $xssAuto - 0= only auto clean essentials, 1= allow clean blacklisted tags/attr
*/
public function sanitizeInput($data, $tagsArray = array(), $attrArray = array(), $tagsMethod = 0, $attrMethod = 0, $xssAuto = 1)
{
G::LoadSystem('inputfilter');
$filtro = new InputFilter($tagsArray, $attrArray, $tagsMethod, $attrMethod, $xssAuto);
return $filtro->process($data);
}
function saveMessage($option)
{
global $database, $mainframe, $my, $mosConfig_absolute_path;
global $mosConfig_mailfrom, $mosConfig_fromname;
require_once $mosConfig_absolute_path . "/includes/mambofunc.php";
$row = new mosMessage($database);
if (!$row->bind($_POST)) {
echo "<script> alert('" . $row->getError() . "'); window.history.go(-1); </script>\n";
exit;
}
require_once mamboCore::get('mosConfig_absolute_path') . '/includes/phpInputFilter/class.inputfilter.php';
$iFilter = new InputFilter(null, null, 1, 1);
$row->subject = trim($iFilter->process($row->subject));
$row->message = trim($iFilter->process($row->message));
if (!$row->send()) {
mosRedirect("index2.php?option=com_messages&mosmsg=" . $row->getError());
}
$msg = $row->subject . ' - ' . $row->message;
$sql = "SELECT a.id, a.name, a.email" . "\nFROM #__users AS a" . "\nWHERE a.sendEmail = '1'" . "\nAND a.id = '" . $row->user_id_to . "'";
$database->setQuery($sql);
$rows = $database->loadObjectList();
if ($rows) {
foreach ($rows as $row) {
$recipient = $row->email;
$subject = "New private message from " . $row->name;
mosMail($mosConfig_mailfrom, $mosConfig_fromname, $recipient, $subject, $msg);
}
}
mosRedirect("index2.php?option=com_messages");
}
<?php
$mongo = new MongoClient('mongodb://*****:*****@ds052827.mongolab.com:52827/miblog');
$db = $mongo->selectDB("miblog");
$c_favoritos = $mongo->selectCollection($db, "favorito");
/////////////////////////////////
require_once 'seguridad/class.inputfilter.php';
$filtro = new InputFilter();
$_POST = $filtro->process($_POST);
////////////////////////////////////////
$id = htmlspecialchars(addslashes(stripslashes(strip_tags(trim($_POST['id'])))));
$titulo = htmlspecialchars(addslashes(stripslashes(strip_tags(trim($_POST['titulo'])))));
$categoria = htmlspecialchars(addslashes(stripslashes(strip_tags(trim($_POST["categoria"])))));
$id = htmlspecialchars(addslashes(stripslashes(strip_tags(trim($_POST["id"])))));
$descripcion = htmlspecialchars(addslashes(stripslashes(strip_tags(trim($_POST['descripcion'])))));
$url = htmlspecialchars(addslashes(stripslashes(strip_tags(trim($_POST['url'])))));
////////////////////////////////////
$condicion = array("_id" => new MongoId($id));
$modFavorito = array("titulo" => $titulo, "categoria" => $categoria, "descripcion" => $descripcion, "url" => $url);
$c_favoritos->update($condicion, $modFavorito);
header("Refresh: 0;url=principal.php?mensaje=3");
//anti Cache pour HTTP/1.0
header("Pragma: no-cache");
if (isset($_POST['blabla']) && isset($_POST['cibl'])) {
if (get_magic_quotes_gpc()) {
require_once "/usr/share/lcs/Plugins/Cdt/Includes/class.inputfilter_clean.php";
} else {
require_once '../Includes/htmlpur/library/HTMLPurifier.auto.php';
}
// Connexion a la base de donnees
require_once '../Includes/config.inc.php';
//Creer la requete pour la mise a jour des donnees
if (get_magic_quotes_gpc()) {
$Contenu = htmlentities($_POST['blabla']);
$Cib = htmlentities($_POST['cibl']);
$oMyFilter = new InputFilter($aAllowedTags, $aAllowedAttr, 0, 0, 1);
$cont = $oMyFilter->process($Contenu);
$cible = $oMyFilter->process($Cib);
} else {
// htlmpurifier
$Contenu = $_POST['blabla'];
$Cib = addSlashes($_POST['cibl']);
$config = HTMLPurifier_Config::createDefault();
//$config->set('Core.Encoding', 'ISO-8859-15');
$config->set('HTML.Doctype', 'XHTML 1.0 Strict');
$purifier = new HTMLPurifier($config);
$cont = $purifier->purify($Contenu);
$cible = $purifier->purify($Cib);
$cont = mysqli_real_escape_string($dbc, $cont);
}
$cible = $_POST['cibl'];
$rq = "UPDATE onglets SET postit='{$cont}' WHERE id_prof='{$cible}'";
function shRedirect( $url, $msg='', $redirKind = '301', $msgType='message' ) {
$mainframe = JFactory::getApplication();
$sefConfig = & Sh404sefFactory::getConfig();
// specific filters
if (class_exists('InputFilter')) {
$iFilter = new InputFilter();
$url = $iFilter->process( $url );
if (!empty($msg)) {
$msg = $iFilter->process( $msg );
}
if ($iFilter->badAttributeValue( array( 'href', $url ))) {
$url = Sh404sefFactory::getPageInfo()->getDefaultLiveSite();
}
}
// If the message exists, enqueue it
if (JString::trim( $msg )) {
$mainframe->enqueueMessage($msg, $msgType);
}
// Persist messages if they exist
$queue = $mainframe->getMessageQueue();
if (count($queue)) {
$session = JFactory::getSession();
$session->set('application.queue', $queue);
}
$document = JFactory::getDocument();
@ob_end_clean(); // clear output buffer
if (headers_sent()) {
echo '<html><head><meta http-equiv="content-type" content="text/html; charset='.$document->getCharset().'" /><script>document.location.href=\''.$url.'\';</script></head><body></body></html>';
} else {
switch ($redirKind) {
case '302':
$redirHeader ='HTTP/1.1 302 Moved Temporarily';
break;
case '303':
$redirHeader ='HTTP/1.1 303 See Other';
break;
default:
$redirHeader = 'HTTP/1.1 301 Moved Permanently';
break;
}
header( 'Cache-Control: no-cache'); // prevent Firefox5+ and IE9+ to consider this a cacheable redirect
header( $redirHeader );
header( 'Location: ' . $url );
header( 'Content-Type: text/html; charset='.$document->getCharset());
}
$mainframe->close();
}
//Iterate through each language, and make sure there is a quota message for it
$errorstring = '';
foreach ($langs as $lang) {
if (!$_POST['quotals_message_' . $lang]) {
$errorstring .= GetLanguageNameFromCode($lang, false) . "\\n";
}
}
if ($errorstring != '') {
$quotasoutput .= "<script type=\"text/javascript\">\n<!--\n alert(\"" . $clang->gT("Quota could not be added.\\n\\nIt is missing a quota message for the following languages", "js") . ":\\n" . $errorstring . "\")\n //-->\n</script>\n";
} else {
require_once "../classes/inputfilter/class.inputfilter_clean.php";
$myFilter = new InputFilter('', '', 1, 1, 1);
foreach ($langs as $lang) {
//Clean XSS
if ($filterxsshtml) {
$_POST['quotals_message_' . $lang] = $myFilter->process($_POST['quotals_message_' . $lang]);
} else {
$_POST['quotals_message_' . $lang] = html_entity_decode($_POST['quotals_message_' . $lang], ENT_QUOTES, "UTF-8");
}
// Fix bug with FCKEditor saving strange BR types
$_POST['quotals_message_' . $lang] = fix_FCKeditor_text($_POST['quotals_message_' . $lang]);
//Check to see if a matching language exists, and if not, INSERT one (no update possible)
$query = "SELECT * FROM " . db_table_name('quota_languagesettings') . "\n WHERE quotals_quota_id = " . db_quote($_POST['quota_id'], true) . "\n AND quotals_language = '{$lang}'";
$result = db_execute_assoc($query) or safe_die($connect->ErrorMsg());
if ($result->RecordCount() > 0) {
//Now save the language to the database:
$query = "UPDATE " . db_table_name('quota_languagesettings') . "\n SET quotals_name='" . db_quote($_POST['quota_name'], true) . "',\n quotals_message='" . db_quote($_POST['quotals_message_' . $lang], true) . "'\n WHERE quotals_quota_id =" . db_quote($_POST['quota_id'], true) . "\n AND quotals_language = '{$lang}'";
$connect->Execute($query) or safe_die($connect->ErrorMsg());
} else {
/* If there is no matching record for this language, create one */
$query = "INSERT INTO " . db_table_name('quota_languagesettings') . "\n (quotals_quota_id,quotals_language,quotals_name,quotals_message,quotals_url,quotals_urldescrip)\n VALUES ('" . db_quote($_POST['quota_id']) . "', '{$lang}', '" . db_quote($_POST['quota_name'], true) . "',\n '" . db_quote($_POST['quotals_message_' . $lang], true) . "', '" . QUEXS_URL . "rs_quota_end.php" . "',\n '" . QUEXS_URL . "rs_quota_end.php" . "')";
/**
* Sanitize $var for XSS, JS, and HTML.
*
* @param Mixed $var - variable to sanitize
* @return a sanitized variable filtered for XSS and any blacklisted javascript/html tags
*/
public static function Filter($var)
{
$filter = new InputFilter();
return $filter->process(self::cleaned($var));
}
/**
* Gets the value of a user state variable
* @param string The name of the user state variable
* @param string The name of the variable passed in a request
* @param string The default value for the variable if not found
*/
function getUserStateFromRequest($var_name, $req_name, $var_default = null)
{
if (is_array($this->_userstate)) {
if (isset($_REQUEST[$req_name])) {
$this->setUserState($var_name, $_REQUEST[$req_name]);
} else {
if (!isset($this->_userstate[$var_name])) {
$this->setUserState($var_name, $var_default);
}
}
// filter input
$iFilter = new InputFilter();
$this->_userstate[$var_name] = $iFilter->process($this->_userstate[$var_name]);
return $this->_userstate[$var_name];
} else {
return null;
}
}
//anti Cache pour HTTP/1.0
header("Pragma: no-cache");
if (isset($_POST['coursmod']) && isset($_POST['afmod']) && isset($_POST['cibl'])) {
if (get_magic_quotes_gpc()) {
require_once "/usr/share/lcs/Plugins/Cdt/Includes/class.inputfilter_clean.php";
} else {
require_once '../Includes/htmlpur/library/HTMLPurifier.auto.php';
}
// Connexion a la base de donnees
require_once '../Includes/config.inc.php';
if (get_magic_quotes_gpc()) {
$Contenucours = htmlentities($_POST['coursmod']);
$Contenuaf = htmlentities($_POST['afmod']);
$Cib = htmlentities($_POST['cibl']);
$oMyFilter = new InputFilter($aAllowedTags, $aAllowedAttr, 0, 0, 1);
$cont1 = $oMyFilter->process($Contenucours);
$cont2 = $oMyFilter->process($Contenuaf);
$cible = $oMyFilter->process($Cib);
} else {
// htlmpurifier
$Contenucours = $_POST['coursmod'];
$Contenuaf = $_POST['afmod'];
$Cib = addSlashes($_POST['cibl']);
$config = HTMLPurifier_Config::createDefault();
//$config->set('Core.Encoding', 'ISO-8859-15');
$config->set('HTML.Doctype', 'XHTML 1.0 Strict');
$purifier = new HTMLPurifier($config);
//$Cours = addSlashes($Cours);
$cont1 = $purifier->purify($Contenucours);
$cont1 = utf8_decode(mysqli_real_escape_string($dbc, $cont1));
$cont2 = $purifier->purify($Contenuaf);
/**
* Test the process() method
*/
public function testProcess()
{
// Trivial case, nothing to clean
@new InputFilter();
$this->assertEquals(InputFilter::process('foo'), 'foo');
$this->assertEquals(InputFilter::process(array('foo', 'bar')), array('foo', 'bar'));
// Default constructor removes all tags
$this->assertEquals(InputFilter::process('<ok>foobar</ok>'), 'foobar');
// Allow all but blacklisted tags and attributes
@new InputFilter(array(), array(), 1, 1, 1);
// Irregular tag names are always filtered out
$this->assertEquals(InputFilter::process('foo<#$>bar</#$>mumble'), 'foobarmumble');
// $xssAuto=1 filters blacklisted tags and attributes
$this->assertEquals(InputFilter::process('<body>foobar</body>'), 'foobar');
$this->assertEquals(InputFilter::process('<ok action="yes">foobar</ok>'), '<ok>foobar</ok>');
// With $xssAuto off, blacklisted tags and attributes are allowed
@new InputFilter(array(), array(), 1, 1, 0);
$this->assertEquals(InputFilter::process('<body>foobar</body>'), '<body>foobar</body>');
$this->assertEquals(InputFilter::process('<ok action="yes">foobar</ok>'), '<ok action="yes">foobar</ok>');
// tagMethod=1 permits all but listed tags
@new InputFilter(array('foo'), array(), 1, 1, 0);
$this->assertEquals(InputFilter::process('<foo>mumble</foo><bar>grumble</bar>'), 'mumble<bar>grumble</bar>');
// tagMethod=0 permits only listed tags
@new InputFilter(array('foo'), array(), 0, 1, 0);
$this->assertEquals(InputFilter::process('<foo>mumble</foo><bar>grumble</bar>'), '<foo>mumble</foo>grumble');
// attrMethod=1 permits all but listed attributes
@new InputFilter(array(), array('dangerous'), 1, 1, 0);
$this->assertEquals(InputFilter::process('<foo safe="1" dangerous="1">mumble</foo>'), '<foo safe="1">mumble</foo>');
// attrMethod=0 permits only listed tags
@new InputFilter(array(), array('dangerous'), 1, 0, 0);
$this->assertEquals(InputFilter::process('<foo safe="1" dangerous="1">mumble</foo>'), '<foo dangerous="1">mumble</foo>');
// accept only know safe tags
@new InputFilter(array('div', 'span', 'strong', 'em'), array('id', 'class'), 0, 0, 0);
$this->assertEquals(InputFilter::process('<body class="full">mumble<span class="error" color="red">' . 'grumble</span>burfl</body>'), 'mumble<span class="error">grumble</span>burfl');
}
/**
* Removes illegal tags and attributes from html input
*/
function inputFilter($html)
{
$filter = new InputFilter(array(), array(), 1, 1);
return $filter->process($html);
}
