function inc_safehtml_dist($t) {
static $process, $test;
if (!$test) {
$process = false;
if ($f = find_in_path('lib/safehtml/classes')) {
define('XML_HTMLSAX3', $f.'/');
require_once XML_HTMLSAX3.'safehtml.php';
$process = new safehtml();
$process->deleteTags[] = 'param'; // sinon bug Firefox
}
if ($process)
$test = 1; # ok
else
$test = -1; # se rabattre sur une fonction de securite basique
}
if ($test > 0) {
# autoriser des trucs
# ex: l'embed de youtube
if (
false !== strpos($t, 'iframe')) {
foreach (extraire_balises($t, 'iframe') as $iframe) {
if (preg_match(',^http://(www\.)?(youtube\.com|(player\.)?vimeo\.com)/.*,', extraire_attribut($iframe, 'src'))) {
$re = '___IFRAME___'.md5($iframe);
$ok[$re] = $iframe;
$t = str_replace($iframe, $re, $t);
}
}
}
# reset ($process->clear() ne vide que _xhtml...),
# on doit pouvoir programmer ca plus propremement
$process->_counter = array();
$process->_stack = array();
$process->_dcCounter = array();
$process->_dcStack = array();
$process->_listScope = 0;
$process->_liStack = array();
# $process->parse(''); # cas particulier ?
$process->clear();
$t = $process->parse($t);
# reinserer les trucs autorises
if ($ok)
foreach ($ok as $re => $v)
$t = str_replace($re, $v, $t);
}
else
$t = entites_html($t); // tres laid, en cas d'erreur
return $t;
}
function inc_safehtml_dist($t)
{
static $process, $test;
if (!$test) {
$process = false;
if ($f = find_in_path('lib/safehtml/classes')) {
define('XML_HTMLSAX3', $f . '/');
require_once XML_HTMLSAX3 . 'safehtml.php';
$process = new safehtml();
$process->deleteTags[] = 'param';
// sinon bug Firefox
}
if ($process) {
$test = 1;
} else {
$test = -1;
}
# se rabattre sur une fonction de securite basique
}
if ($test > 0) {
# reset ($process->clear() ne vide que _xhtml...),
# on doit pouvoir programmer ca plus propremement
$process->_counter = array();
$process->_stack = array();
$process->_dcCounter = array();
$process->_dcStack = array();
$process->_listScope = 0;
$process->_liStack = array();
# $process->parse(''); # cas particulier ?
$process->clear();
$t = $process->parse($t);
} else {
$t = entites_html($t);
}
// tres laid, en cas d'erreur
// supprimer un <li></li> provenant d'un <li> ouvrant seul+safehtml
// cf http://core.spip.org/issues/2201
$t = str_replace("<li></li>", "", $t);
return $t;
}
/**
* This function returns true if the variable value is a safe html (do not contain possible XSS html code).
*
* @param $val The value to test.
* @param $opts No options.
* @param $formelement (not required)
*/
function safe($val, $opts = array(), $formelement = null)
{
require_once YD_DIR_HOME . '/3rdparty/safehtml/classes/safehtml.php';
$_safehtml = new safehtml();
return $_safehtml->parse($val) === $val;
}
/**
* Sanitize the given HTML using safeHTML library. It is better than PHP function
* strip_tags(), who does not modify any attributes on the tags that you allow.
*
* The parser strips down all potentially dangerous content within HTML:
*
* * opening tag without its closing tag
* * closing tag without its opening tag
* * any of these tags: “base”, “basefont”, “head”, “html”, “body”, “applet”, “object”,
* “iframe”, “frame”, “frameset”, “script”, “layer”, “ilayer”, “embed”, “bgsound”,
* “link”, “meta”, “style”, “title”, “blink”, “xml” etc.
* * any of these attributes: on*, data*, dynsrc
* * javascript:/vbscript:/about: etc. protocols
* * expression/behavior etc. in styles
* * any other active content
*/
function sanitize($html)
{
$safehtml = new safehtml();
return $safehtml->parse($html);
}
/**
* Use the HTML checker to remove any possible XSS attacks (eg, <script> tags)
*
* @param array $data
* @return array
*/
function purify($data)
{
require_once DIR_FS_PRONTO . DS . 'extlib' . DS . 'safehtml' . DS . 'safehtml.php';
foreach ($data as $k => $v) {
if (is_array($v)) {
// PHP4 doesn't like self::purify()
$data[$k] = Model::purify($v);
} else {
if (class_exists('safehtml')) {
$purifier = new safehtml();
$data[$k] = $purifier->parse($v);
}
}
}
return $data;
}
