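/**
 * Expands "[source.name.type.para]" tokens in a template string.
 *
 * Sources (first segment): sql, var/g (a global), cache, para, post, posttags,
 * get, config/c, cookie, session/s, utils (the literal name), slot (the
 * $slotback callback) and call (a function named by the template).
 * "[if.VALUE.source.name...]" (or "[nif...]" / "[!if...]" for the negation)
 * opens a block that is emitted only when the resolved value loosely (==)
 * equals VALUE; "[fi]" / "[endif]" closes it; blocks nest.
 * The trailing segments are the display type and its parameter (see
 * parseAndReplaceFormat); a "^" in the parameter or in VALUE stands for ".".
 * Tokens with an unknown source, or without a second segment, are left in
 * the output verbatim.
 *
 * SECURITY (review): template text is effectively code here. "[var.NAME]"
 * exposes any global, "[call.FN.a.b]" calls a function by name, and the
 * "full" display type re-parses a value (e.g. "[post.x.full]" re-parses user
 * input as a template). Never pass attacker-controlled text as $text. The
 * call source is restricted to user-defined functions below; it used to
 * accept any PHP built-in (system, exec, file_put_contents, ...).
 *
 * Changes vs. the previous version: 'easyread' used the join(array, glue)
 * argument order removed in PHP 8; post/get/posttags and the sql "mins"
 * branch read array slots without isset(); posttags called implode() on a
 * scalar; an unbalanced "[fi]" pushed the nesting counter negative.
 *
 * @param string          $text     template text
 * @param callable|string $slotback called as $slotback($name, $type, $para)
 *                                  for "[slot.name.type.para]"; '' disables
 * @return string the expanded text (also echoed instead when the global
 *                $directdump flag is set by a callback during the parse)
 */
function parseAndReplaceAll($text, $slotback = '') {
    global $directdump, $_control_replace_sql;
    // Reset on every call (including the recursive one made by the 'full'
    // display type), so the echo path is only taken if a callback flips it.
    $directdump = false;

    $text = (string) $text;
    $newstring = "";
    $oldpos = 0;                  // start of the text not yet copied to the output
    $ifs = array(0 => false);     // $ifs[$cif] === true: inside a false [if] block, suppress output
    $cif = 0;                     // current nesting depth
    $pos = strpos($text, "[", $oldpos);

    while ($pos !== false) {
        $pos2 = strpos($text, "]", $pos);
        if ($pos2 !== false) {
            $token = substr($text, $pos + 1, $pos2 - $pos - 1);

            if ($ifs[$cif]) {
                // Suppressed region: only track nesting, emit nothing.
                $arr = explode(".", $token);
                if ($arr[0] == 'if' || $arr[0] == '!if' || $arr[0] == 'nif') {
                    $cif++;
                    $ifs[$cif] = true;
                }
                if ($arr[0] == "endif" || $arr[0] == "fi") {
                    $ifs[$cif] = false;
                    if ($cif > 0) {
                        $cif--;
                    }
                }
                $oldpos = $pos2 + 1;
            } else {
                // Copy the literal text that precedes the token.
                if ($directdump) {
                    echo substr($text, $oldpos, $pos - $oldpos);
                } else {
                    $newstring .= substr($text, $oldpos, $pos - $oldpos);
                }
                // A recognised source moves $oldpos past the token; an
                // unrecognised one leaves it here so the token is kept verbatim.
                $oldpos = $pos;

                if (strlen($token)) {
                    $displaytype = "";
                    $displaypara = "";
                    $displayvalue = "";
                    $iftest = false;
                    $ifnegative = false;
                    $iftestvalue = "";
                    $arr = explode(".", $token);

                    if ($arr[0] == 'if' || $arr[0] == '!if' || $arr[0] == 'nif') {
                        // "[if.VALUE.source.name...]": drop the first two segments so
                        // the remainder resolves like an ordinary token.
                        $iftest = true;
                        $ifnegative = ($arr[0] == '!if' || $arr[0] == 'nif');
                        if (isset($arr[1])) {
                            $iftestvalue = $arr[1];
                        }
                        $arr = array_slice($arr, 2);
                    }

                    if (isset($arr[1]) || $token == "fi" || $token == "endif") {
                        switch ($arr[0]) {
                            case 'endif':
                            case 'fi':
                                $oldpos = $pos2 + 1;
                                $ifs[$cif] = false;
                                if ($cif > 0) {
                                    $cif--;
                                }
                                break;

                            case 'sql':
                                $oldpos = $pos2 + 1;
                                if (isset($arr[3])) { $displaytype = $arr[3]; }
                                if (isset($arr[4])) { $displaypara = $arr[4]; }
                                // "[sql.NAME.field]" reads $GLOBALS['NAME_sql_conn'];
                                // "[sql.conn.field]" falls back to $GLOBALS['conn'].
                                $db = null;
                                if (isset($GLOBALS[$arr[1] . '_sql_conn'])) {
                                    $db = $GLOBALS[$arr[1] . '_sql_conn'];
                                } elseif ($arr[1] == "conn" && isset($GLOBALS['conn'])) {
                                    $db = $GLOBALS['conn'];
                                }
                                if ($db !== null && isset($arr[2])) {
                                    if ($displaytype == "fast") {
                                        // "[sql.NAME.field.fast.type.para]": type/para shift one segment right.
                                        $displayvalue = $db->getvaluefast($arr[2]);
                                        if (isset($arr[4])) { $displaytype = $arr[4]; }
                                        if (isset($arr[5])) { $displaypara = $arr[5]; }
                                    } else {
                                        $displayvalue = $db->getvalue($arr[2]);
                                    }
                                    if ($displaytype == "mins") {
                                        // Minutes between the field and its "<field>_panala" counterpart
                                        // (presumably the "until" timestamp); emitted as a plain number.
                                        $until = $db->getvalue($arr[2] . "_panala");
                                        require_once "config/dateutils.php";
                                        $diff = timediff($displayvalue, $until, getLT("dateformat"));
                                        $displayvalue = intval(timediffsecs($diff) / 60);
                                        $displaypara = isset($arr[5]) ? $arr[5] : '';
                                    }
                                }
                                break;

                            case 'var':
                            case 'g':
                                // SECURITY: any global is readable by name from the template.
                                $oldpos = $pos2 + 1;
                                if (isset($GLOBALS[$arr[1]])) { $displayvalue = $GLOBALS[$arr[1]]; }
                                if (isset($arr[2])) { $displaytype = $arr[2]; }
                                if (isset($arr[3])) { $displaypara = $arr[3]; }
                                break;

                            case 'cache':
                                $oldpos = $pos2 + 1;
                                $displayvalue = cache_getvalue($arr[1]);
                                if (isset($arr[2])) { $displaytype = $arr[2]; }
                                if (isset($arr[3])) { $displaypara = $arr[3]; }
                                break;

                            case 'para':
                                // Resolved through the global $_control_replace_sql callable as "@NAME".
                                $oldpos = $pos2 + 1;
                                if (is_callable($_control_replace_sql)) {
                                    $displayvalue = $_control_replace_sql('@' . $arr[1]);
                                }
                                if (isset($arr[2])) { $displaytype = $arr[2]; }
                                if (isset($arr[3])) { $displaypara = $arr[3]; }
                                break;

                            case 'post':
                                // Untrusted input; correctPostValue() is the only filtering applied,
                                // the default display type emits it unescaped.
                                $oldpos = $pos2 + 1;
                                if (isset($_POST[$arr[1]]) && $_POST[$arr[1]] != "") {
                                    $displayvalue = '' . correctPostValue($_POST[$arr[1]]);
                                }
                                if (isset($arr[2])) { $displaytype = $arr[2]; }
                                if (isset($arr[3])) { $displaypara = $arr[3]; }
                                break;

                            case 'posttags':
                                // Same as post, for a multi-valued field joined with ",".
                                $oldpos = $pos2 + 1;
                                if (isset($_POST[$arr[1]]) && $_POST[$arr[1]] != "") {
                                    $tags = $_POST[$arr[1]];
                                    if (!is_array($tags)) {
                                        $tags = array($tags);
                                    }
                                    $displayvalue = '' . correctPostValue(implode(",", $tags));
                                }
                                if (isset($arr[2])) { $displaytype = $arr[2]; }
                                if (isset($arr[3])) { $displaypara = $arr[3]; }
                                break;

                            case 'get':
                                // Untrusted input, see 'post'.
                                $oldpos = $pos2 + 1;
                                if (isset($_GET[$arr[1]]) && $_GET[$arr[1]] != "") {
                                    $displayvalue = '' . correctPostValue($_GET[$arr[1]]);
                                }
                                if (isset($arr[2])) { $displaytype = $arr[2]; }
                                if (isset($arr[3])) { $displaypara = $arr[3]; }
                                break;

                            case 'config':
                            case 'c':
                                $oldpos = $pos2 + 1;
                                $displayvalue = getUserConfig($arr[1]);
                                if (isset($arr[2])) { $displaytype = $arr[2]; }
                                if (isset($arr[3])) { $displaypara = $arr[3]; }
                                break;

                            case 'cookie':
                                // "[cookie.jar.name.type.para]": two segments identify the value.
                                $oldpos = $pos2 + 1;
                                if (isset($arr[2])) { $displayvalue = cookie_getvalue($arr[1], $arr[2]); }
                                if (isset($arr[3])) { $displaytype = $arr[3]; }
                                if (isset($arr[4])) { $displaypara = $arr[4]; }
                                break;

                            case 'session':
                            case 's':
                                $oldpos = $pos2 + 1;
                                $displayvalue = session_getvalue($arr[1]);
                                if (isset($arr[2])) { $displaytype = $arr[2]; }
                                if (isset($arr[3])) { $displaypara = $arr[3]; }
                                break;

                            case 'utils':
                                // The literal second segment, e.g. "[utils.x.lb]" to emit "[".
                                $oldpos = $pos2 + 1;
                                $displayvalue = $arr[1];
                                if (isset($arr[2])) { $displaytype = $arr[2]; }
                                if (isset($arr[3])) { $displaypara = $arr[3]; }
                                break;

                            case 'slot':
                                // Delegates to $slotback; the callback's result is emitted as is.
                                $oldpos = $pos2 + 1;
                                $displayvalue = $arr[1];
                                if (isset($arr[2])) { $displaytype = $arr[2]; }
                                if (isset($arr[3])) { $displaypara = $arr[3]; }
                                if (is_callable($slotback)) {
                                    $displayvalue = $slotback($displayvalue, $displaytype, $displaypara);
                                    $displaytype = '';
                                    $displaypara = '';
                                }
                                break;

                            case 'call':
                                // "[call.FN.a.b]" calls FN(a, b); note that "a" is then also used as
                                // the display type of the result. SECURITY: the template names the
                                // function, so only user-defined functions are allowed; PHP built-ins
                                // (system, exec, file_put_contents, ...) would otherwise be reachable,
                                // also from any value re-parsed via the 'full' display type.
                                $oldpos = $pos2 + 1;
                                $fn = $arr[1];
                                if (isset($arr[2])) { $displaytype = $arr[2]; }
                                if (isset($arr[3])) { $displaypara = $arr[3]; }
                                if (function_exists($fn) && (new \ReflectionFunction($fn))->isUserDefined()) {
                                    $displayvalue = $fn($displaytype, $displaypara);
                                } else {
                                    $displayvalue = '';
                                }
                                break;
                        }
                    }

                    $displaypara = str_replace('^', '.', $displaypara);
                    if ($iftest) {
                        // Open a conditional block; true in $ifs means "suppress".
                        // Loose comparison is intentional (values may be ints from sql).
                        $cif++;
                        $iftestvalue = str_replace('^', '.', $iftestvalue);
                        $matches = ($displayvalue == $iftestvalue);
                        $ifs[$cif] = $ifnegative ? $matches : !$matches;
                    } else {
                        $rendered = parseAndReplaceFormat($displayvalue, $displaytype, $displaypara, $slotback);
                        if ($directdump) {
                            echo $rendered;
                        } else {
                            $newstring .= $rendered;
                        }
                    }
                }
            }
        }
        // Continue after the current "[" (not after "]"), as before.
        $pos = strpos($text, "[", $pos + 1);
    }

    $newstring .= substr($text, $oldpos);
    return $newstring;
}

/**
 * Applies a display type to a resolved token value and returns the text to emit.
 *
 * Helper of parseAndReplaceAll(); an unknown type emits the value unchanged.
 *
 * @param mixed  $displayvalue value resolved from the token's source
 * @param string $displaytype  display type segment ('' = emit as is)
 * @param string $displaypara  display parameter segment ('^' already turned into '.')
 * @param mixed  $slotback     slot callback, forwarded to the recursive 'full' parse
 * @return string
 */
function parseAndReplaceFormat($displayvalue, $displaytype, $displaypara, $slotback = '') {
    switch ($displaytype) {
        case 'lb':
            return '[';
        case 'rb':
            return ']';
        case 'now':
            // Value is a date() format; empty means today in the configured format.
            require_once "config/dateutils.php";
            if ($displayvalue != "") {
                return date($displayvalue);
            }
            return showDate(date("Y-m-d"), getLT("dateformat"));
        case 'date':
            // Parameter is a date() format with "~" standing for "."; "0000-00-00" prints nothing.
            require_once "config/dateutils.php";
            if ($displaypara == "") {
                return showDate($displayvalue, getLT("dateformat"));
            }
            if ($displayvalue == "0000-00-00") {
                return '';
            }
            return date(str_replace("~", ".", $displaypara), showDate($displayvalue, "time"));
        case 'sqldate':
            require_once "config/dateutils.php";
            return getDateForMysql($displayvalue, getLT("dateformat"));
        case 'time':
            require_once "config/dateutils.php";
            return showTime($displayvalue);
        case 'intval':
            // Any parameter selects arbitrary-precision (bcmath) normalisation.
            if ($displaypara != "") {
                return bcadd($displayvalue, '0');
            }
            return (string) intval($displayvalue);
        case 'number':
            return showNumber($displayvalue, $displaypara);
        case 'exnumber':
            return number_format(floatval($displayvalue), intval($displaypara), '.', '');
        case 'zeronumber':
            // Drop the fraction when it is within 0.01 of an integer.
            if (abs(round($displayvalue) - $displayvalue) <= 0.01) {
                return showNumber(round($displayvalue), $displaypara);
            }
            return showNumber($displayvalue, $displaypara);
        case 'zeros':
            return str_pad($displayvalue, intval($displaypara), "0", STR_PAD_LEFT);
        case 'spell':
            // Parameter names a global holding the language; falls back to the current one.
            require_once "extern/numberspell.php";
            $lang = isset($GLOBALS[$displaypara]) ? $GLOBALS[$displaypara] : getCurrentLang();
            return spellNumber($displayvalue, $lang);
        case 'sqlescape':
            // Parameter, when given, truncates the value before escaping.
            global $conn;
            if ($displaypara != "") {
                return $conn->escape(substr($displayvalue, 0, intval($displaypara)));
            }
            return $conn->escape($displayvalue);
        case 'sqlvalues':
            // "a,b" -> 'a','b' (quoted and escaped); an empty value yields ''.
            global $conn;
            $quoted = array();
            foreach (explode(",", $displayvalue) as $item) {
                $quoted[] = "'" . $conn->escape($item) . "'";
            }
            return implode(",", $quoted);
        case 'split':
            $parts = explode(".", trim($displayvalue));
            $index = intval($displaypara);
            return isset($parts[$index]) ? $parts[$index] : '';
        case 'explode':
            $parts = explode(" ", trim($displayvalue));
            $index = intval($displaypara);
            return isset($parts[$index]) ? $parts[$index] : '';
        case 'substr':
            // Negative parameter keeps the tail, positive the head.
            $len = intval($displaypara);
            if ($len < 0) {
                return substr($displayvalue, $len);
            }
            return substr($displayvalue, 0, $len);
        case 'trim':
            return str_replace(array(" ", ".", "-", "="), "", trim($displayvalue));
        case 'html':
            return str_replace("\n", "<br>", $displayvalue);
        case 'nohtml':
            return strip_tags(html_entity_decode2($displayvalue));
        case 'pin':
            // SECURITY: a truncated MD5 of the value is derivable by anyone who knows the
            // value; if this feeds an authentication check, use a randomly generated PIN.
            return substr(md5($displayvalue), intval($displaypara));
        case 'lang':
            return getLT($displayvalue);
        case 'upper':
            return strtoupper($displayvalue);
        case 'caps':
            // Translated label with only the first letter upper-cased.
            $label = getLT($displayvalue);
            return strtoupper(substr($label, 0, 1)) . strtolower(substr($label, 1));
        case 'lower':
            return strtolower($displayvalue);
        case 'adresa':
            // Address formatting (Romanian: "cod postal" = postal code).
            return strtoupper(str_ireplace("zip", "cod postal", $displayvalue));
        case 'full':
            // SECURITY: re-parses the value as a template; never use on user input.
            return parseAndReplaceAll($displayvalue, $slotback);
        case 'easyread':
            // Thousands separators from the right: 12345 -> 12.345
            return strrev(implode(".", str_split(strrev($displayvalue), 3)));
        case 'phone':
            // Strip separators and keep the first 10 digits.
            $digits = str_replace(array("-", "/", " ", ".", ","), "", $displayvalue);
            return substr($digits, 0, 10);
        case 'seo':
            return buildSeoLink($displayvalue);
        default:
            return $displayvalue;
    }
}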
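/**
 * Legacy denylist-based XSS filter (CodeIgniter 1.x lineage).
 *
 * Strips or neutralises a fixed list of dangerous constructs: null bytes,
 * "javascript:" and a few DOM expressions, exploded keywords ("j a v a s c r i p t"),
 * script/xss tags, a fixed list of on* event handlers, a fixed list of HTML
 * elements (entity-encoded rather than removed) and the parentheses of a few
 * PHP/JS function names.
 *
 * SECURITY (review): this is a denylist, not an encoder, and is only as good
 * as its lists (e.g. "onerror" is not in the handler list below). It must not
 * be the only defence: escape values on output for their context, e.g.
 * htmlspecialchars($v, ENT_QUOTES, $charset) for HTML. The entity-encoded
 * replacements ("&lt;", "&#40;") had been decoded to their literal characters
 * in this copy, which made the PHP-tag, naughty-element and function-call
 * steps no-ops; they are restored here. The "u" regex modifier is now only
 * used on valid UTF-8 input: on other input preg_replace() returned null and
 * the whole string was lost, which breaks every non-ASCII ISO-8859-1 value.
 *
 * @param string $str     untrusted text
 * @param string $charset charset passed to html_entity_decode2() for entities inside tags
 * @return string the filtered text
 */
function xss_clean($str, $charset = 'ISO-8859-1') {
    $str = (string) $str;

    // Remove null characters, so a keyword cannot be split like "Java\0script".
    $str = preg_replace('/\\0+/', '', $str);
    $str = preg_replace('/(\\\\0)+/', '', $str);

    // Validate standard character entities and the &#x.. (UTF-16 two byte) form:
    // add a missing semicolon so the entity can be decoded below. The "u"
    // modifier is applied only when the input is valid UTF-8 (see header).
    $u = (preg_match('//u', $str) === 1) ? 'u' : '';
    $str = preg_replace('#(&\\#*\\w+)[\\x00-\\x20]+;#' . $u, "\\1;", $str);
    $str = preg_replace('#(&\\#x*)([0-9A-F]+);*#i' . $u, "\\1\\2;", $str);

    // URL-decode %uXXXX and %XX into numeric entities, e.g. an obfuscated href
    // like "http://%77%77%77...". urldecode() is not used because it eats "+".
    $str = preg_replace("/%u0([a-z0-9]{3})/i", "&#x\\1;", $str);
    $str = preg_replace("/%([a-z0-9]{2})/i", "&#x\\1;", $str);

    // Decode entities inside tags only, so the tests below see plain text.
    if (preg_match_all("/<(.+?)>/si", $str, $matches)) {
        foreach ($matches[1] as $inner) {
            $str = str_replace($inner, html_entity_decode2($inner, $charset), $str);
        }
    }

    // Never allowed; applied now and again as a final pass.
    $never = array(
        'document.cookie' => '[removed]',
        'document.write' => '[removed]',
        'window.location' => '[removed]',
        "javascript\\s*:" => '[removed]',
        "Redirect\\s+302" => '[removed]',
        '<!--' => '&lt;!--',
        '-->' => '--&gt;',
    );
    foreach ($never as $pattern => $replacement) {
        $str = preg_replace("#" . $pattern . "#i", $replacement, $str);
    }

    // Tabs to spaces, so "ja<tab>vascript" is handled by the compaction below.
    $str = preg_replace("#\t+#", " ", $str);

    // Neutralise PHP tags ("<?xml" is affected too, which has not been a problem).
    $str = str_replace(
        array('<?php', '<?PHP', '<?', '?>'),
        array('&lt;?php', '&lt;?PHP', '&lt;?', '?&gt;'),
        $str
    );

    // Compact exploded keywords ("j a v a s c r i p t" -> "javascript"),
    // lower-case and capitalised variants.
    $words = array('javascript', 'vbscript', 'script', 'applet', 'alert', 'document', 'write', 'cookie', 'window');
    foreach ($words as $word) {
        $spaced = implode('\\s*', str_split($word));
        $str = preg_replace('#' . $spaced . '#s', $word, $str);
        $str = preg_replace('#' . ucfirst($spaced) . '#s', ucfirst($word), $str);
    }

    // Remove links and images whose href/src carries script, and script/xss tags.
    $str = preg_replace("#<a.+?href=.*?(alert\\(|alert&\\#40;|javascript\\:|window\\.|document\\.|\\.cookie|<script|<xss).*?\\>.*?</a>#si", "", $str);
    $str = preg_replace("#<img.+?src=.*?(alert\\(|alert&\\#40;|javascript\\:|window\\.|document\\.|\\.cookie|<script|<xss).*?\\>#si", "", $str);
    $str = preg_replace("#<(script|xss).*?\\>#si", "", $str);

    // Remove the listed event handlers together with everything up to the closing ">".
    // NOTE(review): the list is not exhaustive (onerror, onmouseenter, ... are missing).
    $str = preg_replace('#(<[^>]+.*?)(onblur|onchange|onclick|onfocus|onload|onmouseover|onmouseup|onmousedown|onselect|onsubmit|onunload|onkeypress|onkeydown|onkeyup|onresize)[^>]*>#iU', "\\1>", $str);

    // Entity-encode the angle brackets of disallowed elements: <blink> -> &lt;blink&gt;
    $str = preg_replace('#<(/*\\s*)(alert|applet|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|layer|link|meta|object|plaintext|style|script|textarea|title|xml|xss)([^>]*)>#is', "&lt;\\1\\2\\3&gt;", $str);

    // Entity-encode the parentheses of disallowed calls: eval('x') -> eval&#40;'x'&#41;
    $str = preg_replace('#(alert|cmd|passthru|eval|exec|system|fopen|fsockopen|file|file_get_contents|readfile|unlink)(\\s*)\\((.*?)\\)#si', "\\1\\2&#40;\\3&#41;", $str);

    // Final pass in case an earlier rewrite re-created one of the patterns.
    foreach ($never as $pattern => $replacement) {
        $str = preg_replace("#" . $pattern . "#i", $replacement, $str);
    }

    return $str;
}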