/**
* Set the URI String
*
* @access private
* @param string
* @return string
*/
private function _set_uri_string($str)
{
// Filter out control characters
$str = remove_invisible_characters($str, FALSE);
// If the URI contains only a slash we'll kill it
$this->uri_string = $str == '/' ? '' : $str;
}
/**
* Filename Security
*
* @param string
* @return string
*/
public function sanitize_filename($str, $relative_path = FALSE)
{
$bad = array("../", "<!--", "-->", "<", ">", "'", '"', '&', '$', '#', '{', '}', '[', ']', '=', ';', '?', "%20", "%22", "%3c", "%253c", "%3e", "%0e", "%28", "%29", "%2528", "%26", "%24", "%3f", "%3b", "%3d");
if (!$relative_path) {
$bad[] = './';
$bad[] = '/';
}
$str = remove_invisible_characters($str, FALSE);
return stripslashes(str_replace($bad, '', $str));
}
public function common_functions()
{
echo is_php('5.3');
echo is_really_writable('file.php');
echo config_item('key');
echo set_status_header('200', 'text');
echo remove_invisible_characters('Java\\0script');
echo html_escape(array());
echo get_mimes();
echo is_https();
echo is_cli();
echo function_usable('eval');
}
/**
* Escape String
*
* @access public
* @param string
* @param bool whether or not the string will be used in a LIKE condition
* @return string
*/
function escape_str($str, $like = FALSE)
{
if (is_array($str)) {
foreach ($str as $key => $val) {
$str[$key] = $this->escape_str($val, $like);
}
return $str;
}
// Escape single quotes
$str = str_replace("'", "''", remove_invisible_characters($str));
// escape LIKE condition wildcards
if ($like === TRUE) {
$str = str_replace(array($this->_like_escape_chr, '%', '_'), array($this->_like_escape_chr . $this->_like_escape_chr, $this->_like_escape_chr . '%', $this->_like_escape_chr . '_'), $str);
}
return $str;
}
/**
* Clean Input Data
*
* Internal method that aids in escaping data and
* standardizing newline characters to PHP_EOL.
*
* @param string|string[] $str Input string(s)
* @return string
*/
protected function _clean_input_data($str)
{
if (is_array($str)) {
$new_array = array();
foreach (array_keys($str) as $key) {
$new_array[$this->_clean_input_keys($key)] = $this->_clean_input_data($str[$key]);
}
return $new_array;
}
/* We strip slashes if magic quotes is on to keep things consistent
NOTE: In PHP 5.4 get_magic_quotes_gpc() will always return 0 and
it will probably not exist in future versions at all.
*/
if (!is_php('5.4') && get_magic_quotes_gpc()) {
$str = stripslashes($str);
}
// Clean UTF-8 if supported
if (UTF8_ENABLED === TRUE) {
$str = $this->uni->clean_string($str);
}
// Remove control characters
$str = remove_invisible_characters($str, FALSE);
// Standardize newlines if needed
if ($this->_standardize_newlines === TRUE) {
return preg_replace('/(?:\\r\\n|[\\r\\n])/', PHP_EOL, $str);
}
return $str;
}
/**
* Set URI String
*
* @param string $str
* @return void
*/
protected function _set_uri_string($str)
{
// Filter out control characters and trim slashes
$this->uri_string = trim(remove_invisible_characters($str, FALSE), '/');
if ($this->uri_string !== '') {
// Remove the URL suffix, if present
if (($suffix = (string) $this->config->item('url_suffix')) !== '') {
$slen = strlen($suffix);
if (substr($this->uri_string, -$slen) === $suffix) {
$this->uri_string = substr($this->uri_string, 0, -$slen);
}
}
$this->segments[0] = NULL;
// Populate the segments array
foreach (explode('/', trim($this->uri_string, '/')) as $val) {
$val = trim($val);
// Filter segments for security
$this->filter_uri($val);
if ($val !== '') {
$this->segments[] = $val;
}
}
unset($this->segments[0]);
}
}
/**
* Sanitize Filename
*
* @param string $str Input file name
* @param bool $relative_path Whether to preserve paths
* @return string
*/
public function sanitize_filename($str, $relative_path = FALSE)
{
$bad = $this->filename_bad_chars;
if (!$relative_path) {
$bad[] = './';
$bad[] = '/';
}
$str = remove_invisible_characters($str, FALSE);
do {
$old = $str;
$str = str_replace($bad, '', $str);
} while ($old !== $str);
return stripslashes($str);
}
/**
* Remove ASCII control characters
*
* Removes all ASCII control characters except horizontal tabs,
* line feeds, and carriage returns, as all others can cause
* problems in XML
*
* @access public
* @param string
* @return string
*/
function safe_ascii_for_xml($str)
{
return remove_invisible_characters($str, FALSE);
}
/**
* 处理输入的值
* sanitizeGlobals() 方法调用
* @access private
* @param string
* @return string
*/
private function cleanInputData($str)
{
if (is_array($str)) {
$new_array = array();
foreach ($str as $key => $val) {
$new_array[$this->cleanInputKeys($key)] = $this->cleanInputData($val);
}
return $new_array;
}
if (!is_php_version('5.4') && get_magic_quotes_gpc()) {
$str = stripslashes($str);
}
// 移除不可见字符
$str = remove_invisible_characters($str);
// 移除xss字符
if ($this->enableXss === TRUE) {
$str = Secure::xssClean($str);
}
// 替换换行符为当前系统换行符
if ($this->standardizeNewlines == TRUE) {
if (strpos($str, "\r") !== FALSE) {
$str = str_replace(array("\r\n", "\r", "\r\n\n"), PHP_EOL, $str);
}
}
return $str;
}
public function xss_clean($str, $is_image = FALSE)
{
/*
* Is the string an array?
*
*/
if (is_array($str)) {
while (list($key) = each($str)) {
$str[$key] = $this->xss_clean($str[$key]);
}
return $str;
}
/*
* Remove Invisible Characters
*/
$str = remove_invisible_characters($str);
// Validate Entities in URLs
$str = $this->_validate_entities($str);
/*
* URL Decode
*
* Just in case stuff like this is submitted:
*
* <a href="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">Google</a>
*
* Note: Use rawurldecode() so it does not remove plus signs
*
*/
$str = rawurldecode($str);
/*
* Convert character entities to ASCII
*
* This permits our tests below to work reliably.
* We only convert entities that are within tags since
* these are the ones that will pose security problems.
*
*/
$str = preg_replace_callback("/[a-z]+=([\\'\"]).*?\\1/si", array($this, '_convert_attribute'), $str);
$str = preg_replace_callback("/<\\w+.*?(?=>|<|\$)/si", array($this, '_decode_entity'), $str);
/*
* Remove Invisible Characters Again!
*/
$str = remove_invisible_characters($str);
/*
* Convert all tabs to spaces
*
* This prevents strings like this: ja vascript
* NOTE: we deal with spaces between characters later.
* NOTE: preg_replace was found to be amazingly slow here on
* large blocks of data, so we use str_replace.
*/
if (strpos($str, "\t") !== FALSE) {
$str = str_replace("\t", ' ', $str);
}
/*
* Capture converted string for later comparison
*/
$converted_string = $str;
// Remove Strings that are never allowed
$str = $this->_do_never_allowed($str);
/*
* Makes PHP tags safe
*
* Note: XML tags are inadvertently replaced too:
*
* <?xml
*
* But it doesn't seem to pose a problem.
*/
if ($is_image === TRUE) {
// Images have a tendency to have the PHP short opening and
// closing tags every so often so we skip those and only
// do the long opening tags.
$str = preg_replace('/<\\?(php)/i', "<?\\1", $str);
} else {
$str = str_replace(array('<?', '?' . '>'), array('<?', '?>'), $str);
}
/*
* Compact any exploded words
*
* This corrects words like: j a v a s c r i p t
* These words are compacted back to their correct state.
*/
$words = array('javascript', 'expression', 'vbscript', 'script', 'base64', 'applet', 'alert', 'document', 'write', 'cookie', 'window');
foreach ($words as $word) {
$temp = '';
for ($i = 0, $wordlen = strlen($word); $i < $wordlen; $i++) {
$temp .= substr($word, $i, 1) . "\\s*";
}
// We only want to do this when it is followed by a non-word character
// That way valid stuff like "dealer to" does not become "dealerto"
$str = preg_replace_callback('#(' . substr($temp, 0, -3) . ')(\\W)#is', array($this, '_compact_exploded_words'), $str);
}
/*
* Remove disallowed Javascript in links or img tags
* We used to do some version comparisons and use of stripos for PHP5,
* but it is dog slow compared to these simplified non-capturing
* preg_match(), especially if the pattern exists in the string
*/
// EDIT: 设定是否存在 img标签
$have_img = FALSE;
do {
$original = $str;
if (preg_match("/<a/i", $str)) {
$str = preg_replace_callback("#<a\\s+([^>]*?)(>|\$)#si", array($this, '_js_link_removal'), $str);
}
if (preg_match("/<img/i", $str)) {
$str = preg_replace_callback("#<img\\s+([^>\t]*?)(\\s?/?>|\$)#si", array($this, '_js_img_removal'), $str);
$have_img = TRUE;
}
if (preg_match("/script/i", $str) or preg_match("/xss/i", $str)) {
$str = preg_replace("#<(/*)(script|xss)(.*?)\\>#si", '[removed]', $str);
}
} while ($original != $str);
unset($original);
// Remove evil attributes such as style, onclick and xmlns
$str = $this->_remove_evil_attributes($str, $is_image, $have_img);
/*
* Sanitize naughty HTML elements
*
* If a tag containing any of the words in the list
* below is found, the tag gets converted to entities.
*
* So this: <blink>
* Becomes: <blink>
*/
// 过滤规则
// $naughty = 'alert|applet|audio|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|isindex|layer|link|meta|object|plaintext|script|textarea|title|video|xml|xss';
$naughty = 'alert|applet|audio|basefont|base|behavior|bgsound|blink|body|expression|form|frameset|frame|head|html|ilayer|iframe|input|isindex|layer|link|meta|object|plaintext|script|textarea|title|video|xml|xss';
$str = preg_replace_callback('#<(/*\\s*)(' . $naughty . ')([^><]*)([><]*)#is', array($this, '_sanitize_naughty_html'), $str);
/*
* Sanitize naughty scripting elements
*
* Similar to above, only instead of looking for
* tags it looks for PHP and JavaScript commands
* that are disallowed. Rather than removing the
* code, it simply converts the parenthesis to entities
* rendering the code un-executable.
*
* For example: eval('some code')
* Becomes: eval('some code')
*/
$str = preg_replace('#(alert|cmd|passthru|eval|exec|expression|system|fopen|fsockopen|file|file_get_contents|readfile|unlink)(\\s*)\\((.*?)\\)#si', "\\1\\2(\\3)", $str);
// Final clean up
// This adds a bit of extra precaution in case
// something got through the above filters
$str = $this->_do_never_allowed($str);
/*
* Images are Handled in a Special Way
* - Essentially, we want to know that after all of the character
* conversion is done whether any unwanted, likely XSS, code was found.
* If not, we return TRUE, as the image is clean.
* However, if the string post-conversion does not matched the
* string post-removal of XSS, then it fails, as there was unwanted XSS
* code found and removed/changed during processing.
*/
if ($is_image === TRUE) {
return $str == $converted_string ? TRUE : FALSE;
}
log_message('debug', "XSS Filtering completed");
return $str;
}
/**
* Remove ASCII control characters.
*
* Removes all ASCII control characters except horizontal tabs,
* line feeds, and carriage returns, as all others can cause
* problems in XML
*
* @param string
*
* @return string
*/
public function safe_ascii_for_xml($str)
{
return remove_invisible_characters($str, false);
}
/**
* Set URI String
*
* @param string $str
* @return void
*/
protected function _set_uri_string($str)
{
// Filter out control characters and trim slashes
$this->uri_string = trim(remove_invisible_characters($str, FALSE), '/');
}
/**
* Platform-dependant string escape
*
* @param string
* @return string
*/
protected function _escape_str($str)
{
return $this->conn_id->escapeString(remove_invisible_characters($str));
}
/**
* Prep data
*
* Prep all data we need to create an entry
*
* @access private
* @param mixed
* @param mixed
* @return void
*/
function _prepare_data(&$data, &$mod_data, $autosave = FALSE)
{
$this->instantiate('channel_categories');
ee()->api_channel_categories->initialize(array('categories' => array(), 'cat_parents' => array(), 'cat_array' => array()));
// Category parents - we toss the rest
if (isset($data['category']) and is_array($data['category'])) {
foreach ($data['category'] as $cat_id) {
ee()->api_channel_categories->cat_parents[] = $cat_id;
}
if (ee()->api_channel_categories->assign_cat_parent == TRUE) {
ee()->api_channel_categories->fetch_category_parents($data['category']);
}
}
// Remove invisible characters from entry title
if (isset($data['title'])) {
$data['title'] = remove_invisible_characters($data['title']);
}
unset($data['category']);
// Prep y / n values
$data['allow_comments'] = isset($data['allow_comments']) && $data['allow_comments'] == 'y' ? 'y' : 'n';
if (isset($data['cp_call']) && $data['cp_call'] == TRUE) {
$data['allow_comments'] = ($data['allow_comments'] !== 'y' or $this->c_prefs['comment_system_enabled'] == 'n') ? 'n' : 'y';
}
if ($this->c_prefs['enable_versioning'] == 'n') {
$data['versioning_enabled'] = 'y';
} else {
if (isset($data['versioning_enabled'])) {
$data['versioning_enabled'] = 'y';
} else {
$data['versioning_enabled'] = 'n';
// In 1.6, this happened right before inserting new revisions,
// but it makes more sense here.
$this->c_prefs['enable_versioning'] = 'n';
}
}
$this->instantiate('channel_fields');
$result_array = $this->_get_custom_fields();
foreach ($result_array as $row) {
$field_name = 'field_id_' . $row['field_id'];
// @todo remove in 2.1.2
// backwards compatible for some incorrect code noticed in a few third party modules.
// Will be removed in 2.1.2, and a note to that effect is in the 2.1.1 update notes
// $this->field_id should be used instead as documented
// http://ellislab.com/expressionengine/user-guide/development/fieldtypes.html#class-variables
ee()->api_channel_fields->settings[$row['field_id']]['field_id'] = $row['field_id'];
if (isset($data[$field_name]) or isset($mod_data[$field_name])) {
ee()->api_channel_fields->setup_handler($row['field_id']);
ee()->api_channel_fields->apply('_init', array(array('content_id' => $this->entry_id)));
// Break out module fields here
if (isset($data[$field_name])) {
if (!$autosave) {
$data[$field_name] = ee()->api_channel_fields->apply('save', array($data[$field_name]));
}
} elseif (isset($mod_data[$field_name])) {
if (!$autosave) {
$mod_data[$field_name] = ee()->api_channel_fields->apply('save', array($mod_data[$field_name]));
}
}
}
}
}
/**
* Escape String
*
* @access public
* @param string
* @param bool whether or not the string will be used in a LIKE condition
* @return string
*/
public function escape_str($str, $like = FALSE)
{
if (is_array($str)) {
foreach ($str as $key => $val) {
$str[$key] = $this->escape_str($val, $like);
}
return $str;
}
$str = remove_invisible_characters($str);
if ($like === TRUE) {
$str = str_replace(array('%', '_', $this->_like_escape_chr), array($this->_like_escape_chr . '%', $this->_like_escape_chr . '_', $this->_like_escape_chr . $this->_like_escape_chr), $str);
}
return $str;
}
function _clean_input_data($str)
{
if (is_array($str)) {
$new_array = array();
foreach ($str as $key => $val) {
$new_array[$this->_clean_input_keys($key)] = $this->_clean_input_data($val);
}
return $new_array;
}
if (!is_php('5.4') && get_magic_quotes_gpc()) {
$str = stripslashes($str);
}
if (UTF8_ENABLED === TRUE) {
$str = $this->uni->clean_string($str);
}
$str = remove_invisible_characters($str);
if ($this->_enable_xss === TRUE) {
$str = $this->security->xss_clean($str);
}
if ($this->_standardize_newlines == TRUE) {
if (strpos($str, "\r") !== FALSE) {
$str = str_replace(array("\r\n", "\r", "\r\n\n"), PHP_EOL, $str);
}
}
return $str;
}
/**
* Escape String.
*
* @param string
* @param bool whether or not the string will be used in a LIKE condition
*
* @return string
*/
public function escape_str($str, $like = false)
{
if (is_array($str)) {
foreach ($str as $key => $val) {
$str[$key] = $this->escape_str($val, $like);
}
return $str;
}
// ODBC doesn't require escaping
$str = remove_invisible_characters($str);
// escape LIKE condition wildcards
if ($like === true) {
$str = str_replace(['%', '_', $this->_like_escape_chr], [$this->_like_escape_chr . '%', $this->_like_escape_chr . '_', $this->_like_escape_chr . $this->_like_escape_chr], $str);
}
return $str;
}
/**
* XSS Clean
*
* Sanitizes data so that Cross Site Scripting Hacks can be
* prevented. This function does a fair amount of work but
* it is extremely thorough, designed to prevent even the
* most obscure XSS attempts. Nothing is ever 100% foolproof,
* of course, but I haven't been able to get anything passed
* the filter.
*
* Note: This function should only be used to deal with data
* upon submission. It's not something that should
* be used for general runtime processing.
*
* This function was based in part on some code and ideas I
* got from Bitflux: http://channel.bitflux.ch/wiki/XSS_Prevention
*
* To help develop this script I used this great list of
* vulnerabilities along with a few other hacks I've
* harvested from examining vulnerabilities in other programs:
* http://ha.ckers.org/xss.html
*
* @access public
* @param mixed string or array
* @return string
*/
public function xss_clean($str, $is_image = FALSE)
{
/*
* Is the string an array?
*
*/
if (is_array($str)) {
while (list($key) = each($str)) {
$str[$key] = $this->xss_clean($str[$key]);
}
return $str;
}
/*
* Remove Invisible Characters
*/
$str = remove_invisible_characters($str);
/*
* Protect GET variables in URLs
*/
// 901119URL5918AMP18930PROTECT8198
$str = preg_replace('|\\&([a-z\\_0-9\\-]+)\\=([a-z\\_0-9\\-]+)|i', $this->xss_hash() . "\\1=\\2", $str);
/*
* Validate standard character entities
*
* Add a semicolon if missing. We do this to enable
* the conversion of entities to ASCII later.
*
*/
$str = preg_replace('#(&\\#?[0-9a-z]{2,})([\\x00-\\x20])*;?#i', "\\1;\\2", $str);
/*
* Validate UTF16 two byte encoding (x00)
*
* Just as above, adds a semicolon if missing.
*
*/
$str = preg_replace('#(&\\#x?)([0-9A-F]+);?#i', "\\1\\2;", $str);
/*
* Un-Protect GET variables in URLs
*/
$str = str_replace($this->xss_hash(), '&', $str);
/*
* URL Decode
*
* Just in case stuff like this is submitted:
*
* <a href="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">Google</a>
*
* Note: Use rawurldecode() so it does not remove plus signs
*
*/
$str = rawurldecode($str);
/*
* Convert character entities to ASCII
*
* This permits our tests below to work reliably.
* We only convert entities that are within tags since
* these are the ones that will pose security problems.
*
*/
$str = preg_replace_callback("/[a-z]+=([\\'\"]).*?\\1/si", array($this, '_convert_attribute'), $str);
$str = preg_replace_callback("/<\\w+.*?(?=>|<|\$)/si", array($this, '_decode_entity'), $str);
/*
* Remove Invisible Characters Again!
*/
$str = remove_invisible_characters($str);
/*
* Convert all tabs to spaces
*
* This prevents strings like this: ja vascript
* NOTE: we deal with spaces between characters later.
* NOTE: preg_replace was found to be amazingly slow here on large blocks of data,
* so we use str_replace.
*
*/
if (strpos($str, "\t") !== FALSE) {
$str = str_replace("\t", ' ', $str);
}
/*
* Capture converted string for later comparison
*/
$converted_string = $str;
/*
* Not Allowed Under Any Conditions
*/
foreach ($this->never_allowed_str as $key => $val) {
$str = str_replace($key, $val, $str);
}
foreach ($this->never_allowed_regex as $key => $val) {
$str = preg_replace("#" . $key . "#i", $val, $str);
}
/*
* Makes PHP tags safe
*
* Note: XML tags are inadvertently replaced too:
*
* <?xml
*
* But it doesn't seem to pose a problem.
*
*/
if ($is_image === TRUE) {
// Images have a tendency to have the PHP short opening and closing tags every so often
// so we skip those and only do the long opening tags.
$str = preg_replace('/<\\?(php)/i', "<?\\1", $str);
} else {
$str = str_replace(array('<?', '?' . '>'), array('<?', '?>'), $str);
}
/*
* Compact any exploded words
*
* This corrects words like: j a v a s c r i p t
* These words are compacted back to their correct state.
*
*/
$words = array('javascript', 'expression', 'vbscript', 'script', 'applet', 'alert', 'document', 'write', 'cookie', 'window');
foreach ($words as $word) {
$temp = '';
for ($i = 0, $wordlen = strlen($word); $i < $wordlen; $i++) {
$temp .= substr($word, $i, 1) . "\\s*";
}
// We only want to do this when it is followed by a non-word character
// That way valid stuff like "dealer to" does not become "dealerto"
$str = preg_replace_callback('#(' . substr($temp, 0, -3) . ')(\\W)#is', array($this, '_compact_exploded_words'), $str);
}
/*
* Remove disallowed Javascript in links or img tags
* We used to do some version comparisons and use of stripos for PHP5, but it is dog slow compared
* to these simplified non-capturing preg_match(), especially if the pattern exists in the string
*/
do {
$original = $str;
if (preg_match("/<a/i", $str)) {
$str = preg_replace_callback("#<a\\s+([^>]*?)(>|\$)#si", array($this, '_js_link_removal'), $str);
}
if (preg_match("/<img/i", $str)) {
$str = preg_replace_callback("#<img\\s+([^>]*?)(\\s?/?>|\$)#si", array($this, '_js_img_removal'), $str);
}
if (preg_match("/script/i", $str) or preg_match("/xss/i", $str)) {
$str = preg_replace("#<(/*)(script|xss)(.*?)\\>#si", '[removed]', $str);
}
} while ($original != $str);
unset($original);
/*
* Remove JavaScript Event Handlers
*
* Note: This code is a little blunt. It removes
* the event handler and anything up to the closing >,
* but it's unlikely to be a problem.
*
*/
$event_handlers = array('[^a-z_\\-]on\\w*', 'xmlns');
if ($is_image === TRUE) {
/*
* Adobe Photoshop puts XML metadata into JFIF images, including namespacing,
* so we have to allow this for images. -Paul
*/
unset($event_handlers[array_search('xmlns', $event_handlers)]);
}
$str = preg_replace("#<([^><]+?)(" . implode('|', $event_handlers) . ")(\\s*=\\s*[^><]*)([><]*)#i", "<\\1\\4", $str);
/*
* Sanitize naughty HTML elements
*
* If a tag containing any of the words in the list
* below is found, the tag gets converted to entities.
*
* So this: <blink>
* Becomes: <blink>
*
*/
$naughty = 'alert|applet|audio|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|isindex|layer|link|meta|object|plaintext|style|script|textarea|title|video|xml|xss';
$str = preg_replace_callback('#<(/*\\s*)(' . $naughty . ')([^><]*)([><]*)#is', array($this, '_sanitize_naughty_html'), $str);
/*
* Sanitize naughty scripting elements
*
* Similar to above, only instead of looking for
* tags it looks for PHP and JavaScript commands
* that are disallowed. Rather than removing the
* code, it simply converts the parenthesis to entities
* rendering the code un-executable.
*
* For example: eval('some code')
* Becomes: eval('some code')
*
*/
$str = preg_replace('#(alert|cmd|passthru|eval|exec|expression|system|fopen|fsockopen|file|file_get_contents|readfile|unlink)(\\s*)\\((.*?)\\)#si', "\\1\\2(\\3)", $str);
/*
* Final clean up
*
* This adds a bit of extra precaution in case
* something got through the above filters
*
*/
foreach ($this->never_allowed_str as $key => $val) {
$str = str_replace($key, $val, $str);
}
foreach ($this->never_allowed_regex as $key => $val) {
$str = preg_replace("#" . $key . "#i", $val, $str);
}
/*
* Images are Handled in a Special Way
* - Essentially, we want to know that after all of the character conversion is done whether
* any unwanted, likely XSS, code was found. If not, we return TRUE, as the image is clean.
* However, if the string post-conversion does not matched the string post-removal of XSS,
* then it fails, as there was unwanted XSS code found and removed/changed during processing.
*/
if ($is_image === TRUE) {
if ($str == $converted_string) {
return TRUE;
} else {
return FALSE;
}
}
log_message('debug', "XSS Filtering completed");
return $str;
}
/**
* Set the URI String
*
* @access public
* @param string
* @return string
*/
function _set_uri_string($str)
{
// Filter out control characters
$str = remove_invisible_characters($str, FALSE);
// var_dump($GLOBALS['REQUEST']->server['path_info'],$str);
// If the URI contains only a slash we'll kill it
$this->uri_string = $str == '/' ? '' : $str;
}
/**
* Clean Input Data
*
* This is a helper function. It escapes data and
* standardizes newline characters to \n
*
* @access private
* @param string
* @return string
*/
function _clean_input_data($str)
{
if (is_array($str)) {
$new_array = array();
foreach ($str as $key => $val) {
$new_array[$this->_clean_input_keys($key)] = $this->_clean_input_data($val);
}
return $new_array;
}
// We strip slashes if magic quotes is on to keep things consistent
if (get_magic_quotes_gpc()) {
$str = stripslashes($str);
}
// Clean UTF-8 if supported
if (UTF8_ENABLED === TRUE) {
$str = $this->uni->clean_string($str);
}
// Remove control characters
$str = remove_invisible_characters($str);
// Should we filter the input data?
if ($this->_enable_xss === TRUE) {
$str = $this->security->xss_clean($str);
}
// Standardize newlines if needed
if ($this->_standardize_newlines == TRUE) {
if (strpos($str, "\r") !== FALSE) {
$str = str_replace(array("\r\n", "\r"), "\n", $str);
}
}
return $str;
}
public function _set_uri_string($str)
{
// Filter out control characters and trim slashes
$this->uri_string = trim(remove_invisible_characters($str, FALSE), '/');
// Removed by Ivan Tcholakov, 19-JAN-2014.
// TODO: This is for supporting HMVC library, resolve at first chance.
//if ($this->uri_string !== '')
//{
// // Remove the URL suffix, if present
// if (($suffix = (string) $this->config->item('url_suffix')) !== '')
// {
// $slen = strlen($suffix);
//
// if (substr($this->uri_string, -$slen) === $suffix)
// {
// $this->uri_string = substr($this->uri_string, 0, -$slen);
// }
// }
//
// $this->segments[0] = NULL;
// // Populate the segments array
// foreach (explode('/', trim($this->uri_string, '/')) as $val)
// {
// $val = trim($val);
// // Filter segments for security
// $this->filter_uri($val);
//
// if ($val !== '')
// {
// $this->segments[] = $val;
// }
// }
//
// unset($this->segments[0]);
//}
//
}
/**
* Filename Security.
*
* @param string
* @param bool
*
* @return string
*/
public function sanitize_filename($str, $relative_path = false)
{
$bad = ['../', '<!--', '-->', '<', '>', "'", '"', '&', '$', '#', '{', '}', '[', ']', '=', ';', '?', '%20', '%22', '%3c', '%253c', '%3e', '%0e', '%28', '%29', '%2528', '%26', '%24', '%3f', '%3b', '%3d'];
if (!$relative_path) {
$bad[] = './';
$bad[] = '/';
}
$str = remove_invisible_characters($str, false);
return stripslashes(str_replace($bad, '', $str));
}
/**
* Platform-dependant string escape
*
* @param string
* @return string
*/
protected function _escape_str($str)
{
return remove_invisible_characters($str);
}
/**
* Clean Input Data
*
* This is a helper function. It escapes data and
* standardizes newline characters to \n
*
* @access private
* @param string
* @return string
*/
function _clean_input_data($str)
{
if (is_array($str)) {
$new_array = array();
foreach ($str as $key => $val) {
$new_array[$this->{$key}] = $this->_clean_input_data($val);
}
return $new_array;
}
// Clean UTF-8 if supported
if (UTF8_ENABLED === TRUE) {
$str = $this->uni->clean_string($str);
}
// Remove control characters
$str = remove_invisible_characters($str);
// Should we filter the input data?
if ($this->_enable_xss === TRUE) {
$str = $this->security->xss_clean($str);
}
// Standardize newlines if needed
if ($this->_standardize_newlines == TRUE) {
if (strpos($str, "\r") !== FALSE) {
$str = str_replace(array("\r\n", "\r", "\r\n\n"), PHP_EOL, $str);
}
}
return $str;
}
/**
* Platform-dependant string escape
*
* @param string
* @return string
*/
protected function _escape_str($str)
{
return str_replace("'", "''", remove_invisible_characters($str));
}
/**
* Extend _sanitize_globals to allow css
*
* For action requests we need to fully allow GET variables, so we set
* an exception in EE_Config. For css, we only need that one and it's a
* path, so we'll do some stricter cleaning.
*
* @param string
* @return string
*/
function _sanitize_globals()
{
$_css = $this->get('css');
parent::_sanitize_globals();
if ($_css) {
$_GET['css'] = remove_invisible_characters($_css);
}
}
/**
* Clean Input Data
*
* This is a helper function. It escapes data and
* standardizes newline characters to \n
*
* @access private
* @param string
* @return string
*/
function _clean_input_data($str)
{
if (is_array($str)) {
$new_array = array();
foreach ($str as $key => $val) {
$new_array[$this->_clean_input_keys($key)] = $this->_clean_input_data($val);
}
return $new_array;
}
/* We strip slashes if magic quotes is on to keep things consistent
NOTE: In PHP 5.4 get_magic_quotes_gpc() will always return 0 and
it will probably not exist in future versions at all.
*/
if (!is_php('5.4') && get_magic_quotes_gpc()) {
$str = stripslashes($str);
}
// Clean UTF-8 if supported
if (UTF8_ENABLED === TRUE) {
$str = $this->uni->clean_string($str);
}
// Remove control characters
$str = remove_invisible_characters($str);
// Should we filter the input data?
if ($this->_enable_xss === TRUE) {
$str = $this->security->xss_clean($str);
}
// Standardize newlines if needed
if ($this->_standardize_newlines == TRUE) {
if (strpos($str, "\r") !== FALSE) {
$str = str_replace(array("\r\n", "\r", "\r\n\n"), PHP_EOL, $str);
}
}
return $str;
}
function _set_uri_string($str)
{
$str = remove_invisible_characters($str, FALSE);
$this->uri_string = $str == '/' ? '' : $str;
}
/**
* Sanitize Filename
*
* @param string $str Input file name
* @param bool $relative_path Whether to preserve paths
* @return string
*/
public function sanitize_filename($str, $relative_path = FALSE)
{
$bad = array('../', '<!--', '-->', '<', '>', "'", '"', '&', '$', '#', '{', '}', '[', ']', '=', ';', '?', '%20', '%22', '%3c', '%253c', '%3e', '%0e', '%28', '%29', '%2528', '%26', '%24', '%3f', '%3b', '%3d');
if (!$relative_path) {
$bad[] = './';
$bad[] = '/';
}
$str = remove_invisible_characters($str, FALSE);
do {
$old = $str;
$str = str_replace($bad, '', $str);
} while ($old !== $str);
return stripslashes($str);
}
private function direction_check($str)
{
$r = remove_invisible_characters($str);
$r = html_escape($r);
return strip_tags($r);
}
