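/**
 * Sanitize an untrusted HTML fragment (htmLawed variant).
 *
 * The markup is filtered by htmLawed in "safe" mode, images are removed
 * when the owner's STRIP_IMAGES preference is set, bare URLs are linkified
 * when the fragment contains no anchors, and the result is re-parsed with
 * DOMDocument so relative href/src can be resolved against $site_url,
 * links get target="_blank" and a <br> is inserted after the first image.
 *
 * @param mixed  $link             database link handed to get_pref()
 * @param string $str              raw HTML fragment (untrusted)
 * @param bool   $force_strip_tags kept for signature compatibility; not consulted here
 * @param mixed  $owner            owner uid; falls back to $_SESSION["uid"] when falsy
 * @param mixed  $site_url         base URL for relative href/src; resolution skipped when falsy
 * @return string serialized <body> element of the sanitized document, or '' for empty input
 */
function sanitize($link, $str, $force_strip_tags = false, $owner = false, $site_url = false) {
    if (!$owner) {
        $owner = $_SESSION["uid"];
    }

    $res = trim($str);
    if (!$res) {
        return '';
    }

    // htmLawed performs the tag/attribute filtering; presentation attributes
    // are denied so feed markup cannot restyle or re-identify page elements.
    $config = array(
        'safe' => 1,
        'deny_attribute' => 'style, width, height, class, id',
        'comment' => 1,
        'cdata' => 1,
        'balance' => 0,
    );
    $res = htmLawed($res, $config);

    if (get_pref($link, "STRIP_IMAGES", $owner)) {
        $res = preg_replace('/<img[^>]+>/is', '', $res);
    }

    // Only auto-link bare URLs when the content brought no anchors of its own.
    if (strpos($res, "href=") === false) {
        $res = rewrite_urls($res);
    }

    $charset_hack = '<head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/> </head>';

    $res = trim($res);
    if (!$res) {
        return '';
    }

    libxml_use_internal_errors(true);

    $doc = new DOMDocument();
    $doc->loadHTML($charset_hack . $res);
    $xpath = new DOMXPath($doc);

    $entries = $xpath->query('(//a[@href]|//img[@src])');
    $br_inserted = false;

    foreach ($entries as $entry) {
        if ($site_url) {
            if ($entry->hasAttribute('href')) {
                $entry->setAttribute('href', rewrite_relative_url($site_url, $entry->getAttribute('href')));
            }

            // Locally served images (image.php?i=<id>) are left alone; the '.'
            // is escaped so only the literal script name matches.
            if ($entry->hasAttribute('src')
                && preg_match('/^image\.php\?i=[a-z0-9]+$/', $entry->getAttribute('src')) !== 1) {
                $entry->setAttribute('src', rewrite_relative_url($site_url, $entry->getAttribute('src')));
            }
        }

        $tag = strtolower($entry->nodeName);

        if ($tag === "a") {
            $entry->setAttribute("target", "_blank");
        }

        if ($tag === "img" && !$br_inserted) {
            $br = $doc->createElement("br");
            // NOTE(review): the guard inspects parentNode->nextSibling while the
            // insertion point is entry->nextSibling; kept as-is, confirm intent.
            if ($entry->parentNode->nextSibling) {
                $entry->parentNode->insertBefore($br, $entry->nextSibling);
                $br_inserted = true;
            }
        }
    }

    $node = $doc->getElementsByTagName('body')->item(0);

    // http://tt-rss.org/redmine/issues/357
    return $doc->saveXML($node, LIBXML_NOEMPTYTAG);
}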
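/**
 * Sanitize an untrusted HTML fragment (DOM allow-list variant).
 *
 * Steps, in order: linkify bare URLs when the fragment has no anchors; parse
 * with DOMDocument; when $site_url is given, absolutize href/src, point src at
 * the local image cache when a cached copy exists and replace <img> by a plain
 * link when images are stripped (owner pref, $force_remove_images or the
 * session's bandwidth limit); force links to a new window; sandbox iframes;
 * let HOOK_SANITIZE plugins adjust the document and allow lists; finally drop
 * everything outside the allow lists via strip_harmful_tags().
 *
 * @param string $str                 raw HTML fragment (untrusted)
 * @param bool   $force_remove_images replace every <img> by a link to its src
 * @param mixed  $owner               owner uid; falls back to $_SESSION["uid"] when falsy
 * @param mixed  $site_url            base URL for relative href/src; the whole
 *                                    URL/image pass is skipped when falsy
 * @return string sanitized HTML, or '' for empty input
 */
function sanitize($str, $force_remove_images = false, $owner = false, $site_url = false) {
    if (!$owner) {
        $owner = $_SESSION["uid"];
    }

    $res = trim($str);
    if (!$res) {
        return '';
    }

    // Only auto-link bare URLs when the content brought no anchors of its own.
    if (strpos($res, "href=") === false) {
        $res = rewrite_urls($res);
    }

    $charset_hack = '<head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/> </head>';

    $res = trim($res);
    if (!$res) {
        return '';
    }

    libxml_use_internal_errors(true);

    $doc = new DOMDocument();
    $doc->loadHTML($charset_hack . $res);
    $xpath = new DOMXPath($doc);

    $entries = $xpath->query('(//a[@href]|//img[@src])');

    foreach ($entries as $entry) {
        // NOTE(review): image stripping below only runs when $site_url is
        // truthy (it sits inside this branch in the original); confirm that
        // is intended before relying on STRIP_IMAGES for site-less callers.
        if ($site_url) {
            if ($entry->hasAttribute('href')) {
                $entry->setAttribute('href', rewrite_relative_url($site_url, $entry->getAttribute('href')));
            }

            if ($entry->hasAttribute('src')) {
                $src = rewrite_relative_url($site_url, $entry->getAttribute('src'));

                // Serve from the local cache when this URL was fetched earlier;
                // the cache key is the sha1 of the absolute URL.
                $cached_filename = CACHE_DIR . '/images/' . sha1($src) . '.png';
                if (file_exists($cached_filename)) {
                    $src = SELF_URL_PATH . '/image.php?hash=' . sha1($src);
                }

                $entry->setAttribute('src', $src);
            }

            if ($entry->nodeName == 'img') {
                // Parenthesized to make the precedence explicit; !empty() avoids an
                // undefined-index notice when bw_limit was never set on the session.
                $strip_image = ($owner && get_pref("STRIP_IMAGES", $owner))
                    || $force_remove_images
                    || !empty($_SESSION["bw_limit"]);

                if ($strip_image) {
                    // Replace the image by a paragraph holding a link to its URL.
                    $p = $doc->createElement('p');
                    $a = $doc->createElement('a');
                    $a->setAttribute('href', $entry->getAttribute('src'));
                    $a->appendChild(new DOMText($entry->getAttribute('src')));
                    $a->setAttribute('target', '_blank');
                    $p->appendChild($a);
                    $entry->parentNode->replaceChild($p, $entry);
                }
            }
        }

        if (strtolower($entry->nodeName) == "a") {
            $entry->setAttribute("target", "_blank");
        }
    }

    // Iframes keep scripting only: without allow-same-origin (and the other
    // allow-* tokens) the frame cannot reach this origin's DOM, cookies or forms.
    $entries = $xpath->query('//iframe');
    foreach ($entries as $entry) {
        $entry->setAttribute('sandbox', 'allow-scripts');
    }

    $allowed_elements = array('a', 'address', 'audio', 'article', 'aside',
        'b', 'bdi', 'bdo', 'big', 'blockquote', 'body', 'br',
        'caption', 'cite', 'center', 'code', 'col', 'colgroup',
        'data', 'dd', 'del', 'details', 'div', 'dl', 'font',
        'dt', 'em', 'footer', 'figure', 'figcaption',
        'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'header', 'html', 'i',
        'img', 'ins', 'kbd', 'li', 'main', 'mark', 'nav', 'noscript',
        'ol', 'p', 'pre', 'q', 'ruby', 'rp', 'rt', 's', 'samp', 'section',
        'small', 'source', 'span', 'strike', 'strong', 'sub', 'summary',
        'sup', 'table', 'tbody', 'td', 'tfoot', 'th', 'thead', 'time', 'tr',
        'track', 'tt', 'u', 'ul', 'var', 'wbr', 'video');

    // iframes survive strip_harmful_tags() only when the client reported
    // sandbox support; !empty() tolerates a session without the flag.
    if (!empty($_SESSION['hasSandbox'])) {
        $allowed_elements[] = 'iframe';
    }

    $disallowed_attributes = array('id', 'style', 'class');

    // A plugin returns either a replacement document or
    // array($doc, $allowed_elements, $disallowed_attributes).
    foreach (PluginHost::getInstance()->get_hooks(PluginHost::HOOK_SANITIZE) as $plugin) {
        $retval = $plugin->hook_sanitize($doc, $site_url, $allowed_elements, $disallowed_attributes);

        if (is_array($retval)) {
            list($doc, $allowed_elements, $disallowed_attributes) = $retval;
        } else {
            $doc = $retval;
        }
    }

    // loadHTML() prepends a DOCTYPE node; remove it by type rather than by
    // position so a plugin-returned document without one keeps its root.
    if ($doc->doctype) {
        $doc->removeChild($doc->doctype);
    }

    $doc = strip_harmful_tags($doc, $allowed_elements, $disallowed_attributes);

    return $doc->saveHTML();
}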
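/**
 * Sanitize an untrusted HTML fragment with the shared HTMLPurifier instance.
 *
 * Purification is unconditional (the former STRIP_UNSAFE_TAGS gate was
 * removed). Afterwards images are dropped when the owner's STRIP_IMAGES
 * preference is set, bare URLs are linkified when no anchors exist, and the
 * DOM pass resolves relative href/src against $site_url, adds
 * target="_blank" to links and a <br> after the first image.
 *
 * @param mixed  $link             database link handed to get_pref()
 * @param string $str              raw HTML fragment (untrusted)
 * @param bool   $force_strip_tags kept for signature compatibility; not consulted here
 * @param mixed  $owner            owner uid; falls back to $_SESSION["uid"] when falsy
 * @param mixed  $site_url         base URL for relative href/src; resolution skipped when falsy
 * @return string serialized <body> element of the sanitized document, or '' for empty input
 */
function sanitize_rss($link, $str, $force_strip_tags = false, $owner = false, $site_url = false) {
    // NOTE(review): assumes the caller has already initialised $purifier;
    // a null instance fails on purify() below.
    global $purifier;

    if (!$owner) {
        $owner = $_SESSION["uid"];
    }

    $res = trim($str);
    if (!$res) {
        return '';
    }

    $res = $purifier->purify($res);

    if (get_pref($link, "STRIP_IMAGES", $owner)) {
        $res = preg_replace('/<img[^>]+>/is', '', $res);
    }

    // Only auto-link bare URLs when the content brought no anchors of its own.
    if (strpos($res, "href=") === false) {
        $res = rewrite_urls($res);
    }

    $charset_hack = '<head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/> </head>';

    $res = trim($res);
    if (!$res) {
        return '';
    }

    libxml_use_internal_errors(true);

    $doc = new DOMDocument();
    $doc->loadHTML($charset_hack . $res);
    $xpath = new DOMXPath($doc);

    $entries = $xpath->query('(//a[@href]|//img[@src])');
    $br_inserted = false;

    foreach ($entries as $entry) {
        if ($site_url) {
            if ($entry->hasAttribute('href')) {
                $entry->setAttribute('href', rewrite_relative_url($site_url, $entry->getAttribute('href')));
            }

            // Locally served images (image.php?i=<id>) are left alone; the '.'
            // is escaped so only the literal script name matches.
            if ($entry->hasAttribute('src')
                && preg_match('/^image\.php\?i=[a-z0-9]+$/', $entry->getAttribute('src')) !== 1) {
                $entry->setAttribute('src', rewrite_relative_url($site_url, $entry->getAttribute('src')));
            }
        }

        $tag = strtolower($entry->nodeName);

        if ($tag === "a") {
            $entry->setAttribute("target", "_blank");
        }

        if ($tag === "img" && !$br_inserted) {
            $br = $doc->createElement("br");
            // NOTE(review): the guard inspects parentNode->nextSibling while the
            // insertion point is entry->nextSibling; kept as-is, confirm intent.
            if ($entry->parentNode->nextSibling) {
                $entry->parentNode->insertBefore($br, $entry->nextSibling);
                $br_inserted = true;
            }
        }
    }

    $node = $doc->getElementsByTagName('body')->item(0);

    return $doc->saveXML($node);
}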
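/**
 * Sanitize an untrusted HTML fragment (HTMLPurifier variant).
 *
 * A single HTMLPurifier instance is built lazily into the global $purifier
 * with a fixed element/attribute allow list. After purification images are
 * dropped when the owner's STRIP_IMAGES preference is set, bare URLs are
 * linkified when no anchors exist, and the DOM pass resolves relative
 * href/src against $site_url, adds target="_blank" to links and a <br>
 * after the first image.
 *
 * @param mixed  $link             database link handed to get_pref()
 * @param string $str              raw HTML fragment (untrusted)
 * @param bool   $force_strip_tags kept for signature compatibility; not consulted here
 * @param mixed  $owner            owner uid; falls back to $_SESSION["uid"] when falsy
 * @param mixed  $site_url         base URL for relative href/src; resolution skipped when falsy
 * @return string serialized <body> element of the sanitized document, or '' for empty input
 */
function sanitize($link, $str, $force_strip_tags = false, $owner = false, $site_url = false) {
    global $purifier;

    if (!$owner) {
        $owner = $_SESSION["uid"];
    }

    $res = trim($str);
    if (!$res) {
        return '';
    }

    // Create the global Purifier object on first use.
    if (!$purifier) {
        require_once 'lib/htmlpurifier/library/HTMLPurifier.auto.php';

        $config = HTMLPurifier_Config::createDefault();

        // NOTE(review): the allow list admits object/param (constrained by
        // HTML.SafeObject) and Attr.EnableID lets content carry id attributes;
        // both widen what feed markup can place in the page — confirm they are
        // still needed.
        $allowed = "p,a[href],i,em,b,strong,code,pre,blockquote,br,img[src|alt|title|align|hspace],ul,ol,li,h1,h2,h3,h4,s,object[classid|type|id|name|width|height|codebase],param[name|value],table,tr,td,span[class]";

        $config->set('HTML.SafeObject', true);
        // Dotted directive names replace the deprecated (namespace, key) form
        // whose notice previously had to be silenced with '@'.
        $config->set('HTML.Allowed', $allowed);
        $config->set('Output.FlashCompat', true);
        $config->set('Attr.EnableID', true);

        if (!defined('MOBILE_VERSION')) {
            $config->set('Cache.SerializerPath', CACHE_DIR . "/htmlpurifier");
        } else {
            $config->set('Cache.SerializerPath', "../" . CACHE_DIR . "/htmlpurifier");
        }

        $config->set('Filter.YouTube', true);

        $purifier = new HTMLPurifier($config);
    }

    $res = $purifier->purify($res);

    if (get_pref($link, "STRIP_IMAGES", $owner)) {
        $res = preg_replace('/<img[^>]+>/is', '', $res);
    }

    // Only auto-link bare URLs when the content brought no anchors of its own.
    if (strpos($res, "href=") === false) {
        $res = rewrite_urls($res);
    }

    $charset_hack = '<head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/> </head>';

    $res = trim($res);
    if (!$res) {
        return '';
    }

    libxml_use_internal_errors(true);

    $doc = new DOMDocument();
    $doc->loadHTML($charset_hack . $res);
    $xpath = new DOMXPath($doc);

    $entries = $xpath->query('(//a[@href]|//img[@src])');
    $br_inserted = false;

    foreach ($entries as $entry) {
        if ($site_url) {
            if ($entry->hasAttribute('href')) {
                $entry->setAttribute('href', rewrite_relative_url($site_url, $entry->getAttribute('href')));
            }

            // Locally served images (image.php?i=<id>) are left alone; the '.'
            // is escaped so only the literal script name matches.
            if ($entry->hasAttribute('src')
                && preg_match('/^image\.php\?i=[a-z0-9]+$/', $entry->getAttribute('src')) !== 1) {
                $entry->setAttribute('src', rewrite_relative_url($site_url, $entry->getAttribute('src')));
            }
        }

        $tag = strtolower($entry->nodeName);

        if ($tag === "a") {
            $entry->setAttribute("target", "_blank");
        }

        if ($tag === "img" && !$br_inserted) {
            $br = $doc->createElement("br");
            // NOTE(review): the guard inspects parentNode->nextSibling while the
            // insertion point is entry->nextSibling; kept as-is, confirm intent.
            if ($entry->parentNode->nextSibling) {
                $entry->parentNode->insertBefore($br, $entry->nextSibling);
                $br_inserted = true;
            }
        }
    }

    $node = $doc->getElementsByTagName('body')->item(0);

    return $doc->saveXML($node, LIBXML_NOEMPTYTAG);
}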
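/**
 * Fetch up to 50 IRC lines newer than $last_id for the session user.
 *
 * Non-private messages from the last 15 minutes and private messages from
 * the last 5 hours are returned, oldest first; MSGT_COMMAND rows are excluded.
 *
 * @param mixed      $link    database link handed to db_query()
 * @param int|string $last_id only rows with a larger ttirc_messages.id are returned
 * @return array list of row arrays; "message" is HTML-escaped and linkified,
 *               "sender_color" is added and "incoming" converted to bool
 */
function get_new_lines($link, $last_id) {
    // Both values are interpolated into the SQL text below; casting to int
    // guarantees a non-numeric $last_id (presumably client-supplied) or uid
    // cannot change the query's structure.
    $last_id = (int) $last_id;
    $owner_uid = (int) $_SESSION["uid"];

    $result = db_query($link, "SELECT ttirc_messages.id,\n\t\t\tmessage_type, sender, channel, connection_id, incoming,\n\t\t\tmessage, " . SUBSTRING_FOR_DATE . "(ts,12,8) AS ts\n\t\t\tFROM ttirc_messages, ttirc_connections WHERE\n\t\t\tconnection_id = ttirc_connections.id AND\n\t\t\tmessage_type != " . MSGT_COMMAND . " AND\n\t\t\t((ts > NOW() - INTERVAL '15 minutes' AND \n\t\t\t\tmessage_type != " . MSGT_PRIVATE_PRIVMSG . ") OR\n\t\t\t(ts > NOW() - INTERVAL '5 hours' AND \n\t\t\t\tmessage_type = " . MSGT_PRIVATE_PRIVMSG . ")) AND\n\t\t\tttirc_messages.id > '{$last_id}' AND \n\t\t\towner_uid = " . $owner_uid . " ORDER BY ttirc_messages.id LIMIT 50");

    $lines = array();

    while ($line = db_fetch_assoc($result)) {
        // Escape before linkifying so only the anchors rewrite_urls() builds
        // survive as markup.
        $line["message"] = rewrite_urls(htmlspecialchars($line["message"]));
        $line["sender_color"] = color_of($line["sender"]);
        $line["incoming"] = sql_bool_to_bool($line["incoming"]);

        $lines[] = $line;
    }

    return $lines;
}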
/**
 * Handler for exit calls in phpBB.
 *
 * Gives the hook system a chance to take over, otherwise optionally passes the
 * buffered output through rewrite_urls(), re-buffers it (gzip-compressed when
 * zlib is loaded and enabled), flushes and terminates the script.
 *
 * Note: This function is called after the template has been outputted.
 */
function exit_handler()
{
    global $phpbb_hook, $config;

    if (!empty($phpbb_hook) && $phpbb_hook->call_hook(__FUNCTION__)) {
        if ($phpbb_hook->hook_return(__FUNCTION__)) {
            return $phpbb_hook->hook_return_result(__FUNCTION__);
        }
    }

    // URL Rewrite - BEGIN
    // Compress buffered output if required and send to browser
    if (!empty($config['url_rw_runtime'])) {
        $contents = rewrite_urls(ob_get_contents());
        ob_end_clean();

        $compress = @extension_loaded('zlib') && !empty($config['gzip_compress_runtime']);
        if ($compress) {
            ob_start('ob_gzhandler');
        } else {
            ob_start();
        }

        echo $contents;
    }
    // URL Rewrite - END

    // As a pre-caution... some setups display a blank page if the flush() is not there.
    $plain_output = empty($config['gzip_compress_runtime']) && empty($config['url_rw_runtime']);
    if ($plain_output) {
        @flush();
    } else {
        @ob_flush();
    }

    exit;
}