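/**
 * Recursively strip common XSS vectors from a string, or from every string inside a (nested) array.
 *
 * Blacklist filter derived from https://gist.github.com/mbijon/1098477: normalises entity
 * obfuscation, decodes entities, drops on*/xmlns attributes, javascript:/vbscript:/-moz-binding
 * URLs, CSS expression()/behaviour()/script: and namespaced or embedding tags.
 *
 * NOTE(review): because html_entity_decode() runs on every string, the result is *decoded*
 * markup. With $eschtml === false it is therefore NOT safe to echo into an HTML context as-is;
 * escape per output context (htmlspecialchars for HTML, etc.) at the point of use. A blacklist
 * is a defence-in-depth layer, not a substitute for context-aware output escaping.
 *
 * @param mixed $data    string, array (processed element-wise, shape preserved) or any other
 *                       value (returned untouched)
 * @param bool  $eschtml true: trim, drop <script>/<style> blocks and all other tags, then
 *                       HTML-escape (ENT_QUOTES) before the entity normalisation below
 * @return mixed cleaned copy of $data; '' when a PCRE error left nothing usable
 */
function paw_xss_cleaner($data, $eschtml = false)
 {
     if (is_array($data)) {
         foreach ($data as $key => $value) {
             $data[$key] = paw_xss_cleaner($value, $eschtml);
         }
         return $data;
     }
     if (!is_string($data)) {
         return $data;
     }
     // THE WOLF XSS CLEANER
     //$data = remove_xss($data);
     // ESCAPE HTML STUFF
     if ($eschtml === true) {
         // strip <script>/<style> blocks and remaining tags on the RAW string first; running
         // htmlspecialchars() before them turned "<" into "&lt;" and made both steps no-ops,
         // while the second htmlspecialchars() double-encoded every "&"
         $data = preg_replace("#<(script|style)[^>]*?>.*?</\\1>#si", "", trim($data));
         $data = htmlspecialchars(trim(strip_tags((string) $data)), ENT_QUOTES, "UTF-8");
     }
     // @source	https://gist.github.com/mbijon/1098477
     // keep already-escaped &amp;/&lt;/&gt; escaped across the html_entity_decode() below
     $data = str_replace(array('&amp;', '&lt;', '&gt;'), array('&amp;amp;', '&amp;lt;', '&amp;gt;'), $data);
     // normalise whitespace-padded and un-terminated numeric entities so they decode uniformly
     $data = preg_replace('/(&#*\\w+)[\\x00-\\x20]+;/u', '$1;', $data);
     $data = preg_replace('/(&#x*[0-9A-F]+);*/iu', '$1;', $data);
     $data = html_entity_decode($data, ENT_COMPAT, 'UTF-8');
     // event handler / xmlns attributes
     $data = preg_replace('#(<[^>]+?[\\x00-\\x20"\'])(?:on|xmlns)[^>]*+>#iu', '$1>', $data);
     // javascript: / vbscript: / -moz-binding: URLs, tolerant of interleaved control chars
     $data = preg_replace('#([a-z]*)[\\x00-\\x20]*=[\\x00-\\x20]*([`\'"]*)[\\x00-\\x20]*j[\\x00-\\x20]*a[\\x00-\\x20]*v[\\x00-\\x20]*a[\\x00-\\x20]*s[\\x00-\\x20]*c[\\x00-\\x20]*r[\\x00-\\x20]*i[\\x00-\\x20]*p[\\x00-\\x20]*t[\\x00-\\x20]*:#iu', '$1=$2nojavascript...', $data);
     $data = preg_replace('#([a-z]*)[\\x00-\\x20]*=([\'"]*)[\\x00-\\x20]*v[\\x00-\\x20]*b[\\x00-\\x20]*s[\\x00-\\x20]*c[\\x00-\\x20]*r[\\x00-\\x20]*i[\\x00-\\x20]*p[\\x00-\\x20]*t[\\x00-\\x20]*:#iu', '$1=$2novbscript...', $data);
     $data = preg_replace('#([a-z]*)[\\x00-\\x20]*=([\'"]*)[\\x00-\\x20]*-moz-binding[\\x00-\\x20]*:#u', '$1=$2nomozbinding...', $data);
     // CSS expression() / behaviour() / script: inside style attributes
     $data = preg_replace('#(<[^>]+?)style[\\x00-\\x20]*=[\\x00-\\x20]*[`\'"]*.*?expression[\\x00-\\x20]*\\([^>]*+>#i', '$1>', $data);
     $data = preg_replace('#(<[^>]+?)style[\\x00-\\x20]*=[\\x00-\\x20]*[`\'"]*.*?behaviour[\\x00-\\x20]*\\([^>]*+>#i', '$1>', $data);
     $data = preg_replace('#(<[^>]+?)style[\\x00-\\x20]*=[\\x00-\\x20]*[`\'"]*.*?s[\\x00-\\x20]*c[\\x00-\\x20]*r[\\x00-\\x20]*i[\\x00-\\x20]*p[\\x00-\\x20]*t[\\x00-\\x20]*:*[^>]*+>#iu', '$1>', $data);
     // namespaced elements (e.g. <xml:namespace>)
     $data = preg_replace('#</*\\w+:\\w[^>]*+>#i', '', $data);
     // embedding / scripting tags, repeated until stable so that nested forms like
     // "<scr<script>ipt>" cannot reassemble after one pass. The original "while" compared
     // $old_data with itself before the first iteration and therefore never ran.
     do {
         $old_data = $data;
         $data = preg_replace('#</*(?:applet|b(?:ase|gsound|link)|embed|frame(?:set)?|i(?:frame|layer)|l(?:ayer|ink)|meta|object|s(?:cript|tyle)|title|xml)[^>]*+>#i', '', $data);
     } while ($data !== null && $old_data !== $data);
     // preg_replace() returns NULL on a PCRE error (backtrack limit, invalid UTF-8 under /u);
     // fail closed rather than hand back partially filtered markup
     if ($data === null) {
         return '';
     }
     return $data;
 }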
 /**
  * Collect the values of every declared profile field for one user.
  *
  * @param mixed $data user reference accepted by $pawUsers->getUser() (run through
  *                    paw_xss_cleaner() first)
  * @return array|false field name => stored meta value, falling back to the field's
  *                     "value", "checked" or "selected" attribute (in that order) when no meta
  *                     is stored; false when the user cannot be resolved
  */
 public function getUserFields($data)
 {
     global $pawUsers;
     // VALIDATE
     $data = paw_xss_cleaner($data);
     $user = $pawUsers->getUser($data);
     if ($user === false) {
         return false;
     }
     $values = array();
     foreach ($this->getFields() as $field) {
         $name = $field["name"];
         $values[$name] = $this->getMeta($user->id, $name, true, NULL);
         if ($values[$name] !== NULL) {
             continue;
         }
         // nothing stored: use the first default attribute the field declares
         foreach (array("value", "checked", "selected") as $attr) {
             if (isset($field["attributes"][$attr])) {
                 $values[$name] = $field["attributes"][$attr];
                 break;
             }
         }
     }
     return $values;
 }
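 /**
  * Render the user list: request filter/search, a whitelisted sort order and integer paging.
  *
  * @param string $action unused by this action (router signature)
  * @param string $param  unused by this action (router signature)
  * @return void output is produced by $this->_display()
  */
 public function index($action = "", $param = "")
 {
     global $pawUsers;
     $request = $this->_check("user_view");
     // GET FILTER AND SEARCH
     $filter = $this->_filter("users", $_GET);
     if ($request === "POST" && isset($_POST["user-filter"])) {
         $filter = $this->_filter("users", $_POST);
     }
     unset($filter["filter"]);
     if ($request === "POST" && isset($_POST["search"])) {
         // escaped (second argument true): $filter is handed straight to the view below
         $filter["users"] = array(paw_xss_cleaner($_POST["search"], true));
     }
     // GET SUCCESS
     if (isset($_GET["success"])) {
         $this->success = $this->_success($_GET["success"], __("User"));
     }
     // GET ORDER: both values are interpolated into ORDER BY (see implode() below), so they
     // must stay a closed whitelist mapped from the request, never the raw request value
     $order = array();
     switch (isset($_GET["orderby"]) ? $_GET["orderby"] : "") {
         case "email":
             $order["orderby"] = "user.email";
             break;
         default:
             $order["orderby"] = "user.username";
             break;
     }
     switch (isset($_GET["order"]) ? $_GET["order"] : "") {
         case "DESC":
             $order["order"] = "DESC";
             break;
         default:
             $order["order"] = "ASC";
             break;
     }
     // GET LIMIT AND OFFSET
     $limit = $pawUsers->config["show_users_num"];
     $offset = 0;
     if (isset($_GET["page"]) && is_numeric($_GET["page"])) {
         // is_numeric() also accepts "2.5" and "1e3"; cast so the offset is always a whole number
         $page = (int) $_GET["page"];
         if ($page > 1) {
             $offset = ($page - 1) * $limit;
         }
     }
     // DISPLAY PAGE
     $items = $pawUsers->findUsers($filter, implode(" ", $order), $limit, $offset);
     $this->_display("users", "", array_merge($filter, $order), $items);
 }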
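 /**
  * Fetch blacklist entries, optionally narrowed by type and/or status.
  *
  * @param string|null $type   entry type; bound as a parameter. Anything that is not a string
  *                            after paw_xss_cleaner() disables the type filter
  * @param bool|int|string|null $status cast to int and compared to the status column; any
  *                            other value disables the status filter
  * @return array list of rows as arrays; "author" is replaced by the author's display name
  *               (NULL when the user no longer resolves) and "settings" is unserialised
  */
 public function getBlacklist($type = NULL, $status = NULL)
 {
     global $pawUsers;
     // VALIDATE
     $type = paw_xss_cleaner($type);
     // build the clause list as an array: the original initialised $where to "" and then used
     // "$where[] = ...", which is a fatal "[] operator not supported for strings" on PHP >= 7.1
     $conditions = array();
     $params = array();
     if ($type !== NULL && is_string($type)) {
         $conditions[] = "type=:type";
         $params[":type"] = $type;
     }
     if (is_bool($status) || is_numeric($status)) {
         // the cast keeps the interpolated value an integer literal
         $conditions[] = "status=" . (int) $status;
     }
     $where = "";
     if (!empty($conditions)) {
         $where = "WHERE " . implode(" AND ", $conditions);
     }
     // SELECT AND RETURN
     // only bind :type when the placeholder is present; PDO rejects parameters that are not in
     // the statement (NOTE(review): assumes Record::query() is a PDO wrapper - confirm)
     $query = "SELECT * FROM " . TABLE_PREFIX . "blacklist " . $where . " ORDER BY type";
     $query = Record::query($query, $params);
     if (empty($query)) {
         return array();
     }
     $return = array();
     foreach ($query as $q) {
         $user = $pawUsers->getUser($q->author, "id");
         // getUser() returns false for an unknown id; avoid reading ->name on a bool
         $q->author = is_object($user) ? $user->name : NULL;
         $q->settings = paw_unserializer($q->settings);
         $return[] = (array) $q;
     }
     return (array) $return;
 }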
 /**
  * Check whether a permission exists and, unless $data === false, whether a user holds it
  * through one of their roles.
  *
  * @param string $permission permission name (non-string or empty => false)
  * @param mixed  $data       NULL: the current user; false: only test that the permission
  *                           exists; otherwise a user reference for $pawUsers->getUser()
  * @return bool
  */
 public function hasPermission($permission, $data = NULL)
 {
     global $pawUsers;
     // CHECK IF PERMISSION EXIST
     if (!is_string($permission) || empty($permission)) {
         return false;
     }
     $permission = paw_xss_cleaner($permission);
     $rows = Record::query("SELECT * FROM " . TABLE_PREFIX . "permission WHERE name=:name", array(":name" => $permission));
     if (empty($rows)) {
         return false;
     }
     // false is the "does this permission exist at all" shortcut - do not pass a falsy user
     // reference here expecting a deny
     if ($data === false) {
         return true;
     }
     $permissionId = $rows[0]->id;
     // GET USER
     $userRef = ($data === NULL) ? $pawUsers->getCurrentUserID() : $data;
     $user = $pawUsers->getUser($userRef);
     if ($user === false) {
         return false;
     }
     // CHECK IF THE USER HAS THE PERMISSION (the WHERE on rp.* makes the LEFT JOIN an inner join)
     $sql = "SELECT ur.user_id AS id FROM " . TABLE_PREFIX . "user_role AS ur\n\t\t\t\tLEFT JOIN " . TABLE_PREFIX . "role_permission AS rp ON (ur.role_id = rp.role_id) \n\t\t\t\tWHERE ur.user_id=:user AND rp.permission_id=:perm;";
     $rows = Record::query($sql, array(":user" => $user->id, ":perm" => $permissionId));
     return !empty($rows) && isset($rows[0]);
 }
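 /**
  * Account deletion page: shows the confirmation form and, on a POSTed "delete" action,
  * runs $this->_action("delete", ...) and redirects to the configured target.
  *
  * The optional first call argument is the user to delete (numeric id or username); a
  * POSTed account[user] overrides it.
  *
  * @return void redirects, or renders the account view
  */
 public function delete()
 {
     global $pawUsers;
     // CHECK IF USER IS LOGGED IN
     if (!$pawUsers->isLoggedIn()) {
         $this->_redirect(get_url("login"));
         // NOTE(review): _redirect(false) below returns a value, so _redirect() may not end the
         // request; return explicitly so an anonymous request never reaches the form or _action()
         return;
     }
     // GET PARAMETER
     $input = func_get_args();
     $input = array_slice(array_pad($input, 1, NULL), 0, 1);
     $input = array_combine(array("user"), $input);
     // GET USER
     // parentheses matter: "!==" binds tighter than "=", so without them $user became a bool
     // and $user->username was always NULL
     if (is_numeric($input["user"]) && (($user = $pawUsers->getUser($input["user"], "id")) !== false)) {
         $input["user"] = $user->username;
     }
     // GET POST
     $delete = false;
     if (get_request_method() === "POST" && isset($_POST["account"])) {
         $post = $_POST["account"];
         if (isset($post["action"]) && $post["action"] == "delete") {
             // NOTE(review): account[user] may name any account; the check that the caller is
             // allowed to delete that account must live in _action("delete"), not visible here
             $delete = $this->_action("delete", $post);
             $input["user"] = isset($post["user"]) ? $post["user"] : $input["user"];
         }
     }
     // DISPLAY PAGE
     if ($delete === true) {
         // target comes from plugin config, not from the request
         $redirect = $pawUsers->config["redirect_pages"]["delete"];
         if (defined("CMS_BACKEND") && CMS_BACKEND == true && startsWith($redirect, ADMIN_DIR . "/")) {
             $redirect = str_replace(ADMIN_DIR . "/", "", $redirect);
         }
         if (!startsWith($redirect, "http") && !startsWith($redirect, "www")) {
             $redirect = get_url($redirect);
         }
         $this->_redirect($redirect . "?success=delete");
     } else {
         $this->display("../../plugins/paw_users/admin/account", array("action" => "delete", "input" => paw_xss_cleaner($input), "redirect" => $this->_redirect(false), "errors" => $this->errors, "success" => $this->success));
     }
 }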
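 /**
  * Look up a single user row by id, email or username.
  *
  * @param mixed       $data lookup value (run through paw_xss_cleaner()); non-scalars cannot
  *                          be bound and yield false
  * @param string|null $type "id", "email" or "username"; anything else is auto-detected from
  *                          $data (numeric => id, valid email => email, otherwise username)
  * @return object|false the first matching row, or false
  */
 private function _getUser($data, $type = NULL)
 {
     $data = paw_xss_cleaner($data);
     if (!is_scalar($data)) {
         return false;
     }
     // $type is interpolated into the SQL below, so it must be exactly one of these column
     // names. Strict comparison closes the loose-equality hole (e.g. in_array(true, ...) is
     // true without the third argument, which would put "1" into the WHERE clause).
     if (!in_array($type, array("id", "email", "username"), true)) {
         if (is_numeric($data)) {
             $type = "id";
         } elseif (filter_var($data, FILTER_VALIDATE_EMAIL)) {
             $type = "email";
         } else {
             $type = "username";
         }
     }
     $user = false;
     $query = "SELECT * FROM " . TABLE_PREFIX . "user WHERE " . $type . "=:data LIMIT 1";
     $temp = Record::query($query, array(":data" => $data));
     if ($temp !== false && isset($temp[0])) {
         $user = $temp[0];
     }
     return $user;
 }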