/**
 * Prepares the AJAX variant of the response.
 *
 * On POST the "form saved" flag is derived from the collected errors; the
 * response body is then packaged into the JSON payload (as `FALSE` for POST,
 * as a base64 string for every other method) together with messages, errors,
 * redirect target, titles and the assets the client must load.
 *
 * Nothing beyond the form-saved flag is touched unless the negotiated
 * response format is `application/json`; DataTables requests (a `draw`
 * query parameter is present) receive only the raw body.
 *
 * @return void
 *
 * @uses Assets::js
 * @uses Assets::css
 * @uses Message::get
 * @uses Valid::utf8
 * @uses JSON::encode
 */
protected function process_ajax()
{
    $is_post    = ($this->request->method() == HTTP_Request::POST);
    $wants_json = ($this->_response_format === 'application/json');

    if ($is_post)
    {
        // Allow for override. The form counts as saved only when no
        // validation errors were collected for this request
        $this->SetFormSaved(empty($this->_errors));
    }

    if ( ! $wants_json)
    {
        return;
    }

    // A POST carries no body of its own; anything else ships its rendered
    // body base64-encoded so that arbitrary bytes survive JSON transport
    $body = $is_post ? FALSE : base64_encode($this->response->body());
    $this->SetJson('Body', $body);

    // DataTables (server-side processing) only wants the bare body
    if ($this->request->query('draw') !== NULL)
    {
        return;
    }

    $scripts = Assets::js(FALSE, NULL, NULL, FALSE, NULL, Assets::FORMAT_AJAX);
    $styles  = Assets::css(FALSE, NULL, NULL, FALSE, Assets::FORMAT_AJAX);

    $payload = array(
        'FormSaved' => $this->_formsaved,
        'messages'  => Message::get(NULL, NULL, TRUE),
        'errors'    => $this->_errors,
        'redirect'  => Request::$redirect_url,
        'title'     => $this->title,
        'subtitle'  => $this->subtitle,
        'css'       => $styles,
        'js'        => $scripts,
    );

    foreach ($payload as $key => $value)
    {
        $this->SetJson($key, $value);
    }

    // JSON::encode needs valid UTF-8; utf8_encode() treats the input as
    // ISO-8859-1 and re-encodes it (note: utf8_encode() is deprecated as of PHP 8.2)
    if ( ! Valid::utf8($this->_json['Body']))
    {
        $this->_json['Body'] = utf8_encode($this->_json['Body']);
    }

    $this->_json['Data'] = JSON::encode($this->_json);
}
/**
 * Generates a random string of a given type and length
 *
 * Example:
 * ~~~
 * // 8 character random string
 * $str = Text::random();
 * ~~~
 *
 * The following types are supported:
 *
 * alnum:    Upper and lower case a-z, 0-9 (default)
 * alpha:    Upper and lower case a-z
 * hexdec:   Hexadecimal characters a-f, 0-9
 * numeric:  Digits 0-9
 * nozero:   Digits 1-9
 * distinct: Uppercase characters and numbers that cannot be confused
 *
 * Any other value is used verbatim as the "pool" of characters to draw from.
 *
 * NOTE: characters are drawn with mt_rand(), a seeded Mersenne Twister that is
 * not a cryptographically secure generator. Use this for identifiers, filenames
 * and similar, not for session ids, password-reset tokens or other secrets.
 *
 * @param string  $type   A type of pool, or a string of characters to use as the pool [Optional]
 * @param integer $length Length of string to return [Optional]
 *
 * @return string
 *
 * @uses UTF8::str_split
 * @uses Valid::utf8
 */
public static function random($type = NULL, $length = 8)
{
    // Default is to generate an alphanumeric string
    $type = ($type === NULL) ? 'alnum' : $type;

    $named_pools = array(
        'alnum'    => '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ',
        'alpha'    => 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ',
        'hexdec'   => '0123456789abcdef',
        'numeric'  => '0123456789',
        'nozero'   => '123456789',
        'distinct' => '2345679ACDEFHJKLMNPRSTUVWXYZ',
    );

    $is_utf8 = FALSE;

    if (isset($named_pools[$type]))
    {
        $pool = $named_pools[$type];
    }
    else
    {
        // Custom pool: the caller's string is the character set itself.
        // Only a multibyte-aware split is needed when it is not plain ASCII
        $pool    = (string) $type;
        $is_utf8 = Valid::utf8($pool);
    }

    // Split the pool into an array of characters
    $chars = ($is_utf8 === TRUE) ? UTF8::str_split($pool, 1) : str_split($pool, 1);

    // Largest pool key
    $last = count($chars) - 1;

    $str = '';
    for ($remaining = $length; $remaining > 0; $remaining--)
    {
        // Select a random character from the pool and add it to the string
        $str .= $chars[mt_rand(0, $last)];
    }

    // Make sure alnum strings contain at least one letter and one digit
    if ($type === 'alnum' AND $length > 1)
    {
        if (ctype_alpha($str))
        {
            // All letters: overwrite one position with a random digit ('0'..'9')
            $position = mt_rand(0, $length - 1);
            $str[$position] = chr(mt_rand(48, 57));
        }
        elseif (ctype_digit($str))
        {
            // All digits: overwrite one position with a random uppercase letter ('A'..'Z')
            $position = mt_rand(0, $length - 1);
            $str[$position] = chr(mt_rand(65, 90));
        }
    }

    return $str;
}
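/**
 * Filters an HTML string to prevent cross-site-scripting (XSS) vulnerabilities
 *
 * Returns an XSS safe version of $string, or an empty string if $string is not valid UTF-8.
 *
 * This code does four things:
 * - Removes characters and constructs that can trick browsers
 * - Makes sure all HTML entities are well-formed
 * - Makes sure all HTML tags and attributes are well-formed
 * - Makes sure no HTML tags contain URLs with a disallowed protocol (e.g. javascript:)
 *
 * The entity step works by escaping every `&` to `&amp;` and then re-enabling
 * only the well-formed decimal, hexadecimal and named entities; anything else
 * stays escaped as literal text. Tag handling is delegated to xss_split().
 *
 * The filter fails closed: if the input is not valid UTF-8, or a regex step
 * fails (preg_* returns NULL), an empty string is returned rather than
 * partially-filtered markup.
 *
 * Based on [kses](http://sourceforge.net/projects/kses) by Ulf Harnhammar.
 * For examples of various XSS attacks, see: http://ha.ckers.org/xss.html.
 *
 * @param string $string Input string
 *
 * @return string
 *
 * @uses Valid::utf8
 */
public function filter_xss($string)
{
    // Only operate on valid UTF-8 strings. This is necessary to prevent cross
    // site scripting issues on Internet Explorer 6.
    if ( ! Valid::utf8($string))
    {
        return '';
    }

    // Remove NULL characters (ignored by some browsers)
    $string = str_replace(chr(0), '', $string);

    // Remove Netscape 4 JS entities
    $string = preg_replace('%&\\s*\\{[^}]*(\\}\\s*;?|$)%', '', $string);

    // Defuse all HTML entities: once every ampersand is escaped, no entity in
    // the input is live any more
    $string = str_replace('&', '&amp;', $string);

    // Change back only well-formed entities in our whitelist
    // Decimal numeric entities
    $string = preg_replace('/&amp;#([0-9]+;)/', '&#\\1', $string);
    // Hexadecimal numeric entities
    $string = preg_replace('/&amp;#[Xx]0*((?:[0-9A-Fa-f]{2})+;)/', '&#x\\1', $string);
    // Named entities
    $string = preg_replace('/&amp;([A-Za-z][A-Za-z0-9]*;)/', '&\\1', $string);

    // preg_replace() returns NULL on a PCRE error (e.g. backtrack limit);
    // never hand such a result on as if it had been filtered
    if ($string === NULL)
    {
        return '';
    }

    $filtered = preg_replace_callback('%(
        <(?=[^a-zA-Z!/])  # a lone <
        |                 # or
        <!--.*?-->        # a comment
        |                 # or
        <[^>]*(>|$)       # a string that starts with a <, up until the > or the end of the string
        |                 # or
        >                 # just a >
    )%x', array($this, 'xss_split'), $string);

    return ($filtered === NULL) ? '' : $filtered;
}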