/**
* Used by {@link optional_param()} and {@link required_param()} to
* clean the variables and/or cast to specific types, based on
* an options field.
* <code>
* $course->format = clean_param($course->format, PARAM_ALPHA);
* $selectedgrade_item = clean_param($selectedgrade_item, PARAM_CLEAN);
* </code>
*
* @uses $CFG
* @uses PARAM_RAW
* @uses PARAM_CLEAN
* @uses PARAM_CLEANHTML
* @uses PARAM_INT
* @uses PARAM_NUMBER
* @uses PARAM_ALPHA
* @uses PARAM_ALPHANUM
* @uses PARAM_ALPHAEXT
* @uses PARAM_SEQUENCE
* @uses PARAM_BOOL
* @uses PARAM_NOTAGS
* @uses PARAM_TEXT
* @uses PARAM_SAFEDIR
* @uses PARAM_CLEANFILE
* @uses PARAM_FILE
* @uses PARAM_PATH
* @uses PARAM_HOST
* @uses PARAM_URL
* @uses PARAM_LOCALURL
* @uses PARAM_PEM
* @uses PARAM_BASE64
* @uses PARAM_TAG
* @uses PARAM_SEQUENCE
* @param mixed $param the variable we are cleaning
* @param int $type expected format of param after cleaning.
* @return mixed
*/
function clean_param($param, $type)
{
global $CFG;
if (is_array($param)) {
// Let's loop
$newparam = array();
foreach ($param as $key => $value) {
$newparam[$key] = clean_param($value, $type);
}
return $newparam;
}
switch ($type) {
case PARAM_RAW:
// no cleaning at all
return $param;
case PARAM_CLEAN:
// General HTML cleaning, try to use more specific type if possible
if (is_numeric($param)) {
return $param;
}
$param = stripslashes($param);
// Needed for kses to work fine
$param = clean_text($param);
// Sweep for scripts, etc
return addslashes($param);
// Restore original request parameter slashes
// Restore original request parameter slashes
case PARAM_CLEANHTML:
// prepare html fragment for display, do not store it into db!!
$param = stripslashes($param);
// Remove any slashes
$param = clean_text($param);
// Sweep for scripts, etc
return trim($param);
case PARAM_INT:
return (int) $param;
// Convert to integer
// Convert to integer
case PARAM_NUMBER:
return (double) $param;
// Convert to integer
// Convert to integer
case PARAM_ALPHA:
// Remove everything not a-z
return eregi_replace('[^a-zA-Z]', '', $param);
case PARAM_ALPHANUM:
// Remove everything not a-zA-Z0-9
return eregi_replace('[^A-Za-z0-9]', '', $param);
case PARAM_ALPHAEXT:
// Remove everything not a-zA-Z/_-
return eregi_replace('[^a-zA-Z/_-]', '', $param);
case PARAM_SEQUENCE:
// Remove everything not 0-9,
return eregi_replace('[^0-9,]', '', $param);
case PARAM_BOOL:
// Convert to 1 or 0
$tempstr = strtolower($param);
if ($tempstr == 'on' or $tempstr == 'yes') {
$param = 1;
} else {
if ($tempstr == 'off' or $tempstr == 'no') {
$param = 0;
} else {
$param = empty($param) ? 0 : 1;
}
}
return $param;
case PARAM_NOTAGS:
// Strip all tags
return strip_tags($param);
case PARAM_TEXT:
// leave only tags needed for multilang
return clean_param(strip_tags($param, '<lang><span>'), PARAM_CLEAN);
case PARAM_SAFEDIR:
// Remove everything not a-zA-Z0-9_-
return eregi_replace('[^a-zA-Z0-9_-]', '', $param);
case PARAM_CLEANFILE:
// allow only safe characters
return clean_filename($param);
case PARAM_FILE:
// Strip all suspicious characters from filename
$param = ereg_replace('[[:cntrl:]]|[<>"`\\|\':\\/]', '', $param);
$param = ereg_replace('\\.\\.+', '', $param);
if ($param == '.') {
$param = '';
}
return $param;
case PARAM_PATH:
// Strip all suspicious characters from file path
$param = str_replace('\\\'', '\'', $param);
$param = str_replace('\\"', '"', $param);
$param = str_replace('\\', '/', $param);
$param = ereg_replace('[[:cntrl:]]|[<>"`\\|\':]', '', $param);
$param = ereg_replace('\\.\\.+', '', $param);
$param = ereg_replace('//+', '/', $param);
return ereg_replace('/(\\./)+', '/', $param);
case PARAM_HOST:
// allow FQDN or IPv4 dotted quad
$param = preg_replace('/[^\\.\\d\\w-]/', '', $param);
// only allowed chars
// match ipv4 dotted quad
if (preg_match('/(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/', $param, $match)) {
// confirm values are ok
if ($match[0] > 255 || $match[1] > 255 || $match[3] > 255 || $match[4] > 255) {
// hmmm, what kind of dotted quad is this?
$param = '';
}
} elseif (preg_match('/^[\\w\\d\\.-]+$/', $param) && !preg_match('/^[\\.-]/', $param) && !preg_match('/[\\.-]$/', $param)) {
// all is ok - $param is respected
} else {
// all is not ok...
$param = '';
}
return $param;
case PARAM_URL:
// allow safe ftp, http, mailto urls
include_once $CFG->dirroot . '/lib/validateurlsyntax.php';
if (!empty($param) && validateUrlSyntax($param, 's?H?S?F?E?u-P-a?I?p?f?q?r?')) {
// all is ok, param is respected
} else {
$param = '';
// not really ok
}
return $param;
case PARAM_LOCALURL:
// allow http absolute, root relative and relative URLs within wwwroot
$param = clean_param($param, PARAM_URL);
if (!empty($param)) {
if (preg_match(':^/:', $param)) {
// root-relative, ok!
} elseif (preg_match('/^' . preg_quote($CFG->wwwroot, '/') . '/i', $param)) {
// absolute, and matches our wwwroot
} else {
// relative - let's make sure there are no tricks
if (validateUrlSyntax($param, 's-u-P-a-p-f+q?r?')) {
// looks ok.
} else {
$param = '';
}
}
}
return $param;
case PARAM_PEM:
$param = trim($param);
// PEM formatted strings may contain letters/numbers and the symbols
// forward slash: /
// plus sign: +
// equal sign: =
// , surrounded by BEGIN and END CERTIFICATE prefix and suffixes
if (preg_match('/^-----BEGIN CERTIFICATE-----([\\s\\w\\/\\+=]+)-----END CERTIFICATE-----$/', trim($param), $matches)) {
list($wholething, $body) = $matches;
unset($wholething, $matches);
$b64 = clean_param($body, PARAM_BASE64);
if (!empty($b64)) {
return "-----BEGIN CERTIFICATE-----\n{$b64}\n-----END CERTIFICATE-----\n";
} else {
return '';
}
}
return '';
case PARAM_BASE64:
if (!empty($param)) {
// PEM formatted strings may contain letters/numbers and the symbols
// forward slash: /
// plus sign: +
// equal sign: =
if (0 >= preg_match('/^([\\s\\w\\/\\+=]+)$/', trim($param))) {
return '';
}
$lines = preg_split('/[\\s]+/', $param, -1, PREG_SPLIT_NO_EMPTY);
// Each line of base64 encoded data must be 64 characters in
// length, except for the last line which may be less than (or
// equal to) 64 characters long.
for ($i = 0, $j = count($lines); $i < $j; $i++) {
if ($i + 1 == $j) {
if (64 < strlen($lines[$i])) {
return '';
}
continue;
}
if (64 != strlen($lines[$i])) {
return '';
}
}
return implode("\n", $lines);
} else {
return '';
}
case PARAM_TAG:
//as long as magic_quotes_gpc is used, a backslash will be a
//problem, so remove *all* backslash.
$param = str_replace('\\', '', $param);
//convert many whitespace chars into one
$param = preg_replace('/\\s+/', ' ', $param);
$textlib = textlib_get_instance();
$param = $textlib->substr(trim($param), 0, TAG_MAX_LENGTH);
return $param;
case PARAM_TAGLIST:
$tags = explode(',', $param);
$result = array();
foreach ($tags as $tag) {
$res = clean_param($tag, PARAM_TAG);
if ($res != '') {
$result[] = $res;
}
}
if ($result) {
return implode(',', $result);
} else {
return '';
}
default:
// throw error, switched parameters in optional_param or another serious problem
error("Unknown parameter type: {$type}");
}
}
/**
* Used by {@link optional_param()} and {@link required_param()} to
* clean the variables and/or cast to specific types, based on
* an options field.
* <code>
* $course->format = clean_param($course->format, PARAM_ALPHA);
* $selectedgradeitem = clean_param($selectedgradeitem, PARAM_INT);
* </code>
*
* @param mixed $param the variable we are cleaning
* @param string $type expected format of param after cleaning.
* @return mixed
* @throws coding_exception
*/
function clean_param($param, $type)
{
global $CFG;
if (is_array($param)) {
throw new coding_exception('clean_param() can not process arrays, please use clean_param_array() instead.');
} else {
if (is_object($param)) {
if (method_exists($param, '__toString')) {
$param = $param->__toString();
} else {
throw new coding_exception('clean_param() can not process objects, please use clean_param_array() instead.');
}
}
}
switch ($type) {
case PARAM_RAW:
// No cleaning at all.
$param = fix_utf8($param);
return $param;
case PARAM_RAW_TRIMMED:
// No cleaning, but strip leading and trailing whitespace.
$param = fix_utf8($param);
return trim($param);
case PARAM_CLEAN:
// General HTML cleaning, try to use more specific type if possible this is deprecated!
// Please use more specific type instead.
if (is_numeric($param)) {
return $param;
}
$param = fix_utf8($param);
// Sweep for scripts, etc.
return clean_text($param);
case PARAM_CLEANHTML:
// Clean html fragment.
$param = fix_utf8($param);
// Sweep for scripts, etc.
$param = clean_text($param, FORMAT_HTML);
return trim($param);
case PARAM_INT:
// Convert to integer.
return (int) $param;
case PARAM_FLOAT:
// Convert to float.
return (double) $param;
case PARAM_ALPHA:
// Remove everything not `a-z`.
return preg_replace('/[^a-zA-Z]/i', '', $param);
case PARAM_ALPHAEXT:
// Remove everything not `a-zA-Z_-` (originally allowed "/" too).
return preg_replace('/[^a-zA-Z_-]/i', '', $param);
case PARAM_ALPHANUM:
// Remove everything not `a-zA-Z0-9`.
return preg_replace('/[^A-Za-z0-9]/i', '', $param);
case PARAM_ALPHANUMEXT:
// Remove everything not `a-zA-Z0-9_-`.
return preg_replace('/[^A-Za-z0-9_-]/i', '', $param);
case PARAM_SEQUENCE:
// Remove everything not `0-9,`.
return preg_replace('/[^0-9,]/i', '', $param);
case PARAM_BOOL:
// Convert to 1 or 0.
$tempstr = strtolower($param);
if ($tempstr === 'on' or $tempstr === 'yes' or $tempstr === 'true') {
$param = 1;
} else {
if ($tempstr === 'off' or $tempstr === 'no' or $tempstr === 'false') {
$param = 0;
} else {
$param = empty($param) ? 0 : 1;
}
}
return $param;
case PARAM_NOTAGS:
// Strip all tags.
$param = fix_utf8($param);
return strip_tags($param);
case PARAM_TEXT:
// Leave only tags needed for multilang.
$param = fix_utf8($param);
// If the multilang syntax is not correct we strip all tags because it would break xhtml strict which is required
// for accessibility standards please note this cleaning does not strip unbalanced '>' for BC compatibility reasons.
do {
if (strpos($param, '</lang>') !== false) {
// Old and future mutilang syntax.
$param = strip_tags($param, '<lang>');
if (!preg_match_all('/<.*>/suU', $param, $matches)) {
break;
}
$open = false;
foreach ($matches[0] as $match) {
if ($match === '</lang>') {
if ($open) {
$open = false;
continue;
} else {
break 2;
}
}
if (!preg_match('/^<lang lang="[a-zA-Z0-9_-]+"\\s*>$/u', $match)) {
break 2;
} else {
$open = true;
}
}
if ($open) {
break;
}
return $param;
} else {
if (strpos($param, '</span>') !== false) {
// Current problematic multilang syntax.
$param = strip_tags($param, '<span>');
if (!preg_match_all('/<.*>/suU', $param, $matches)) {
break;
}
$open = false;
foreach ($matches[0] as $match) {
if ($match === '</span>') {
if ($open) {
$open = false;
continue;
} else {
break 2;
}
}
if (!preg_match('/^<span(\\s+lang="[a-zA-Z0-9_-]+"|\\s+class="multilang"){2}\\s*>$/u', $match)) {
break 2;
} else {
$open = true;
}
}
if ($open) {
break;
}
return $param;
}
}
} while (false);
// Easy, just strip all tags, if we ever want to fix orphaned '&' we have to do that in format_string().
return strip_tags($param);
case PARAM_COMPONENT:
// We do not want any guessing here, either the name is correct or not
// please note only normalised component names are accepted.
if (!preg_match('/^[a-z]+(_[a-z][a-z0-9_]*)?[a-z0-9]+$/', $param)) {
return '';
}
if (strpos($param, '__') !== false) {
return '';
}
if (strpos($param, 'mod_') === 0) {
// Module names must not contain underscores because we need to differentiate them from invalid plugin types.
if (substr_count($param, '_') != 1) {
return '';
}
}
return $param;
case PARAM_PLUGIN:
case PARAM_AREA:
// We do not want any guessing here, either the name is correct or not.
if (!is_valid_plugin_name($param)) {
return '';
}
return $param;
case PARAM_SAFEDIR:
// Remove everything not a-zA-Z0-9_- .
return preg_replace('/[^a-zA-Z0-9_-]/i', '', $param);
case PARAM_SAFEPATH:
// Remove everything not a-zA-Z0-9/_- .
return preg_replace('/[^a-zA-Z0-9\\/_-]/i', '', $param);
case PARAM_FILE:
// Strip all suspicious characters from filename.
$param = fix_utf8($param);
$param = preg_replace('~[[:cntrl:]]|[&<>"`\\|\':\\\\/]~u', '', $param);
if ($param === '.' || $param === '..') {
$param = '';
}
return $param;
case PARAM_PATH:
// Strip all suspicious characters from file path.
$param = fix_utf8($param);
$param = str_replace('\\', '/', $param);
// Explode the path and clean each element using the PARAM_FILE rules.
$breadcrumb = explode('/', $param);
foreach ($breadcrumb as $key => $crumb) {
if ($crumb === '.' && $key === 0) {
// Special condition to allow for relative current path such as ./currentdirfile.txt.
} else {
$crumb = clean_param($crumb, PARAM_FILE);
}
$breadcrumb[$key] = $crumb;
}
$param = implode('/', $breadcrumb);
// Remove multiple current path (./././) and multiple slashes (///).
$param = preg_replace('~//+~', '/', $param);
$param = preg_replace('~/(\\./)+~', '/', $param);
return $param;
case PARAM_HOST:
// Allow FQDN or IPv4 dotted quad.
$param = preg_replace('/[^\\.\\d\\w-]/', '', $param);
// Match ipv4 dotted quad.
if (preg_match('/(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/', $param, $match)) {
// Confirm values are ok.
if ($match[0] > 255 || $match[1] > 255 || $match[3] > 255 || $match[4] > 255) {
// Hmmm, what kind of dotted quad is this?
$param = '';
}
} else {
if (preg_match('/^[\\w\\d\\.-]+$/', $param) && !preg_match('/^[\\.-]/', $param) && !preg_match('/[\\.-]$/', $param)) {
// All is ok - $param is respected.
} else {
// All is not ok...
$param = '';
}
}
return $param;
case PARAM_URL:
// Allow safe ftp, http, mailto urls.
$param = fix_utf8($param);
include_once $CFG->dirroot . '/lib/validateurlsyntax.php';
if (!empty($param) && validateUrlSyntax($param, 's?H?S?F?E?u-P-a?I?p?f?q?r?')) {
// All is ok, param is respected.
} else {
// Not really ok.
$param = '';
}
return $param;
case PARAM_LOCALURL:
// Allow http absolute, root relative and relative URLs within wwwroot.
$param = clean_param($param, PARAM_URL);
if (!empty($param)) {
// Simulate the HTTPS version of the site.
$httpswwwroot = str_replace('http://', 'https://', $CFG->wwwroot);
if ($param === $CFG->wwwroot) {
// Exact match;
} else {
if (!empty($CFG->loginhttps) && $param === $httpswwwroot) {
// Exact match;
} else {
if (preg_match(':^/:', $param)) {
// Root-relative, ok!
} else {
if (preg_match('/^' . preg_quote($CFG->wwwroot . '/', '/') . '/i', $param)) {
// Absolute, and matches our wwwroot.
} else {
if (!empty($CFG->loginhttps) && preg_match('/^' . preg_quote($httpswwwroot . '/', '/') . '/i', $param)) {
// Absolute, and matches our httpswwwroot.
} else {
// Relative - let's make sure there are no tricks.
if (validateUrlSyntax('/' . $param, 's-u-P-a-p-f+q?r?')) {
// Looks ok.
} else {
$param = '';
}
}
}
}
}
}
}
return $param;
case PARAM_PEM:
$param = trim($param);
// PEM formatted strings may contain letters/numbers and the symbols:
// forward slash: /
// plus sign: +
// equal sign: =
// , surrounded by BEGIN and END CERTIFICATE prefix and suffixes.
if (preg_match('/^-----BEGIN CERTIFICATE-----([\\s\\w\\/\\+=]+)-----END CERTIFICATE-----$/', trim($param), $matches)) {
list($wholething, $body) = $matches;
unset($wholething, $matches);
$b64 = clean_param($body, PARAM_BASE64);
if (!empty($b64)) {
return "-----BEGIN CERTIFICATE-----\n{$b64}\n-----END CERTIFICATE-----\n";
} else {
return '';
}
}
return '';
case PARAM_BASE64:
if (!empty($param)) {
// PEM formatted strings may contain letters/numbers and the symbols
// forward slash: /
// plus sign: +
// equal sign: =.
if (0 >= preg_match('/^([\\s\\w\\/\\+=]+)$/', trim($param))) {
return '';
}
$lines = preg_split('/[\\s]+/', $param, -1, PREG_SPLIT_NO_EMPTY);
// Each line of base64 encoded data must be 64 characters in length, except for the last line which may be less
// than (or equal to) 64 characters long.
for ($i = 0, $j = count($lines); $i < $j; $i++) {
if ($i + 1 == $j) {
if (64 < strlen($lines[$i])) {
return '';
}
continue;
}
if (64 != strlen($lines[$i])) {
return '';
}
}
return implode("\n", $lines);
} else {
return '';
}
case PARAM_TAG:
$param = fix_utf8($param);
// Please note it is not safe to use the tag name directly anywhere,
// it must be processed with s(), urlencode() before embedding anywhere.
// Remove some nasties.
$param = preg_replace('~[[:cntrl:]]|[<>`]~u', '', $param);
// Convert many whitespace chars into one.
$param = preg_replace('/\\s+/u', ' ', $param);
$param = core_text::substr(trim($param), 0, TAG_MAX_LENGTH);
return $param;
case PARAM_TAGLIST:
$param = fix_utf8($param);
$tags = explode(',', $param);
$result = array();
foreach ($tags as $tag) {
$res = clean_param($tag, PARAM_TAG);
if ($res !== '') {
$result[] = $res;
}
}
if ($result) {
return implode(',', $result);
} else {
return '';
}
case PARAM_CAPABILITY:
if (get_capability_info($param)) {
return $param;
} else {
return '';
}
case PARAM_PERMISSION:
$param = (int) $param;
if (in_array($param, array(CAP_INHERIT, CAP_ALLOW, CAP_PREVENT, CAP_PROHIBIT))) {
return $param;
} else {
return CAP_INHERIT;
}
case PARAM_AUTH:
$param = clean_param($param, PARAM_PLUGIN);
if (empty($param)) {
return '';
} else {
if (exists_auth_plugin($param)) {
return $param;
} else {
return '';
}
}
case PARAM_LANG:
$param = clean_param($param, PARAM_SAFEDIR);
if (get_string_manager()->translation_exists($param)) {
return $param;
} else {
// Specified language is not installed or param malformed.
return '';
}
case PARAM_THEME:
$param = clean_param($param, PARAM_PLUGIN);
if (empty($param)) {
return '';
} else {
if (file_exists("{$CFG->dirroot}/theme/{$param}/config.php")) {
return $param;
} else {
if (!empty($CFG->themedir) and file_exists("{$CFG->themedir}/{$param}/config.php")) {
return $param;
} else {
// Specified theme is not installed.
return '';
}
}
}
case PARAM_USERNAME:
$param = fix_utf8($param);
$param = trim($param);
// Convert uppercase to lowercase MDL-16919.
$param = core_text::strtolower($param);
if (empty($CFG->extendedusernamechars)) {
$param = str_replace(" ", "", $param);
// Regular expression, eliminate all chars EXCEPT:
// alphanum, dash (-), underscore (_), at sign (@) and period (.) characters.
$param = preg_replace('/[^-\\.@_a-z0-9]/', '', $param);
}
return $param;
case PARAM_EMAIL:
$param = fix_utf8($param);
if (validate_email($param)) {
return $param;
} else {
return '';
}
case PARAM_STRINGID:
if (preg_match('|^[a-zA-Z][a-zA-Z0-9\\.:/_-]*$|', $param)) {
return $param;
} else {
return '';
}
case PARAM_TIMEZONE:
// Can be int, float(with .5 or .0) or string seperated by '/' and can have '-_'.
$param = fix_utf8($param);
$timezonepattern = '/^(([+-]?(0?[0-9](\\.[5|0])?|1[0-3](\\.0)?|1[0-2]\\.5))|(99)|[[:alnum:]]+(\\/?[[:alpha:]_-])+)$/';
if (preg_match($timezonepattern, $param)) {
return $param;
} else {
return '';
}
default:
// Doh! throw error, switched parameters in optional_param or another serious problem.
print_error("unknownparamtype", '', '', $type);
}
}
public function validation($data, $files)
{
global $CFG;
$errors = array();
// Submit is redirected if error occurs, so we store errordata in session.
$sessionerrordata = array();
$cache = cache::make('format_socialwall', 'postformerrors');
$cache->delete($data['id']);
// ... do validation of externalurl.
if (!empty($data['externalurl'])) {
include_once $CFG->libdir . '/validateurlsyntax.php';
if (!validateUrlSyntax($data['externalurl'])) {
$errors['externalurl'] = get_string('invalidurl', 'url');
$sessionerrordata['externalurl'] = array('message' => $errors['externalurl'], 'value' => $data['externalurl']);
}
}
// ... check if post is all empty.
if (isset($data['submitbutton'])) {
$empty = empty($data['posttext']) && empty($data['cmsequence']) && empty($data['externalurl']) && empty($files);
if ($empty) {
$errors['posttext'] = get_string('attachmentorpostrequired', 'format_socialwall');
$sessionerrordata['posttext'] = array('message' => $errors['posttext'], 'value' => $data['posttext']);
}
}
// ... store or clean.
if (!empty($sessionerrordata)) {
$cache->set($data['id'], $sessionerrordata);
}
return $errors;
}
/**
* Used by {@link optional_param()} and {@link required_param()} to
* clean the variables and/or cast to specific types, based on
* an options field.
* <code>
* $course->format = clean_param($course->format, PARAM_ALPHA);
* $selectedgrade_item = clean_param($selectedgrade_item, PARAM_INT);
* </code>
*
* @param mixed $param the variable we are cleaning
* @param int $type expected format of param after cleaning.
* @return mixed
*/
function clean_param($param, $type)
{
global $CFG;
if (is_array($param)) {
// Let's loop
$newparam = array();
foreach ($param as $key => $value) {
$newparam[$key] = clean_param($value, $type);
}
return $newparam;
}
switch ($type) {
case PARAM_RAW:
// no cleaning at all
return $param;
case PARAM_RAW_TRIMMED:
// no cleaning, but strip leading and trailing whitespace.
return trim($param);
case PARAM_CLEAN:
// General HTML cleaning, try to use more specific type if possible
// this is deprecated!, please use more specific type instead
if (is_numeric($param)) {
return $param;
}
return clean_text($param);
// Sweep for scripts, etc
// Sweep for scripts, etc
case PARAM_CLEANHTML:
// clean html fragment
$param = clean_text($param, FORMAT_HTML);
// Sweep for scripts, etc
return trim($param);
case PARAM_INT:
return (int) $param;
// Convert to integer
// Convert to integer
case PARAM_FLOAT:
case PARAM_NUMBER:
return (double) $param;
// Convert to float
// Convert to float
case PARAM_ALPHA:
// Remove everything not a-z
return preg_replace('/[^a-zA-Z]/i', '', $param);
case PARAM_ALPHAEXT:
// Remove everything not a-zA-Z_- (originally allowed "/" too)
return preg_replace('/[^a-zA-Z_-]/i', '', $param);
case PARAM_ALPHANUM:
// Remove everything not a-zA-Z0-9
return preg_replace('/[^A-Za-z0-9]/i', '', $param);
case PARAM_ALPHANUMEXT:
// Remove everything not a-zA-Z0-9_-
return preg_replace('/[^A-Za-z0-9_-]/i', '', $param);
case PARAM_SEQUENCE:
// Remove everything not 0-9,
return preg_replace('/[^0-9,]/i', '', $param);
case PARAM_BOOL:
// Convert to 1 or 0
$tempstr = strtolower($param);
if ($tempstr === 'on' or $tempstr === 'yes' or $tempstr === 'true') {
$param = 1;
} else {
if ($tempstr === 'off' or $tempstr === 'no' or $tempstr === 'false') {
$param = 0;
} else {
$param = empty($param) ? 0 : 1;
}
}
return $param;
case PARAM_NOTAGS:
// Strip all tags
return strip_tags($param);
case PARAM_TEXT:
// leave only tags needed for multilang
// if the multilang syntax is not correct we strip all tags
// because it would break xhtml strict which is required for accessibility standards
// please note this cleaning does not strip unbalanced '>' for BC compatibility reasons
do {
if (strpos($param, '</lang>') !== false) {
// old and future mutilang syntax
$param = strip_tags($param, '<lang>');
if (!preg_match_all('/<.*>/suU', $param, $matches)) {
break;
}
$open = false;
foreach ($matches[0] as $match) {
if ($match === '</lang>') {
if ($open) {
$open = false;
continue;
} else {
break 2;
}
}
if (!preg_match('/^<lang lang="[a-zA-Z0-9_-]+"\\s*>$/u', $match)) {
break 2;
} else {
$open = true;
}
}
if ($open) {
break;
}
return $param;
} else {
if (strpos($param, '</span>') !== false) {
// current problematic multilang syntax
$param = strip_tags($param, '<span>');
if (!preg_match_all('/<.*>/suU', $param, $matches)) {
break;
}
$open = false;
foreach ($matches[0] as $match) {
if ($match === '</span>') {
if ($open) {
$open = false;
continue;
} else {
break 2;
}
}
if (!preg_match('/^<span(\\s+lang="[a-zA-Z0-9_-]+"|\\s+class="multilang"){2}\\s*>$/u', $match)) {
break 2;
} else {
$open = true;
}
}
if ($open) {
break;
}
return $param;
}
}
} while (false);
// easy, just strip all tags, if we ever want to fix orphaned '&' we have to do that in format_string()
return strip_tags($param);
case PARAM_SAFEDIR:
// Remove everything not a-zA-Z0-9_-
return preg_replace('/[^a-zA-Z0-9_-]/i', '', $param);
case PARAM_SAFEPATH:
// Remove everything not a-zA-Z0-9/_-
return preg_replace('/[^a-zA-Z0-9\\/_-]/i', '', $param);
case PARAM_FILE:
// Strip all suspicious characters from filename
$param = preg_replace('~[[:cntrl:]]|[&<>"`\\|\':\\\\/]~u', '', $param);
$param = preg_replace('~\\.\\.+~', '', $param);
if ($param === '.') {
$param = '';
}
return $param;
case PARAM_PATH:
// Strip all suspicious characters from file path
$param = str_replace('\\', '/', $param);
$param = preg_replace('~[[:cntrl:]]|[&<>"`\\|\':]~u', '', $param);
$param = preg_replace('~\\.\\.+~', '', $param);
$param = preg_replace('~//+~', '/', $param);
return preg_replace('~/(\\./)+~', '/', $param);
case PARAM_HOST:
// allow FQDN or IPv4 dotted quad
$param = preg_replace('/[^\\.\\d\\w-]/', '', $param);
// only allowed chars
// match ipv4 dotted quad
if (preg_match('/(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/', $param, $match)) {
// confirm values are ok
if ($match[0] > 255 || $match[1] > 255 || $match[3] > 255 || $match[4] > 255) {
// hmmm, what kind of dotted quad is this?
$param = '';
}
} elseif (preg_match('/^[\\w\\d\\.-]+$/', $param) && !preg_match('/^[\\.-]/', $param) && !preg_match('/[\\.-]$/', $param)) {
// all is ok - $param is respected
} else {
// all is not ok...
$param = '';
}
return $param;
case PARAM_URL:
// allow safe ftp, http, mailto urls
include_once $CFG->dirroot . '/lib/validateurlsyntax.php';
if (!empty($param) && validateUrlSyntax($param, 's?H?S?F?E?u-P-a?I?p?f?q?r?')) {
// all is ok, param is respected
} else {
$param = '';
// not really ok
}
return $param;
case PARAM_LOCALURL:
// allow http absolute, root relative and relative URLs within wwwroot
$param = clean_param($param, PARAM_URL);
if (!empty($param)) {
if (preg_match(':^/:', $param)) {
// root-relative, ok!
} elseif (preg_match('/^' . preg_quote($CFG->wwwroot, '/') . '/i', $param)) {
// absolute, and matches our wwwroot
} else {
// relative - let's make sure there are no tricks
if (validateUrlSyntax('/' . $param, 's-u-P-a-p-f+q?r?')) {
// looks ok.
} else {
$param = '';
}
}
}
return $param;
case PARAM_PEM:
$param = trim($param);
// PEM formatted strings may contain letters/numbers and the symbols
// forward slash: /
// plus sign: +
// equal sign: =
// , surrounded by BEGIN and END CERTIFICATE prefix and suffixes
if (preg_match('/^-----BEGIN CERTIFICATE-----([\\s\\w\\/\\+=]+)-----END CERTIFICATE-----$/', trim($param), $matches)) {
list($wholething, $body) = $matches;
unset($wholething, $matches);
$b64 = clean_param($body, PARAM_BASE64);
if (!empty($b64)) {
return "-----BEGIN CERTIFICATE-----\n{$b64}\n-----END CERTIFICATE-----\n";
} else {
return '';
}
}
return '';
case PARAM_BASE64:
if (!empty($param)) {
// PEM formatted strings may contain letters/numbers and the symbols
// forward slash: /
// plus sign: +
// equal sign: =
if (0 >= preg_match('/^([\\s\\w\\/\\+=]+)$/', trim($param))) {
return '';
}
$lines = preg_split('/[\\s]+/', $param, -1, PREG_SPLIT_NO_EMPTY);
// Each line of base64 encoded data must be 64 characters in
// length, except for the last line which may be less than (or
// equal to) 64 characters long.
for ($i = 0, $j = count($lines); $i < $j; $i++) {
if ($i + 1 == $j) {
if (64 < strlen($lines[$i])) {
return '';
}
continue;
}
if (64 != strlen($lines[$i])) {
return '';
}
}
return implode("\n", $lines);
} else {
return '';
}
case PARAM_TAG:
// Please note it is not safe to use the tag name directly anywhere,
// it must be processed with s(), urlencode() before embedding anywhere.
// remove some nasties
$param = preg_replace('~[[:cntrl:]]|[<>`]~u', '', $param);
//convert many whitespace chars into one
$param = preg_replace('/\\s+/', ' ', $param);
$textlib = textlib_get_instance();
$param = $textlib->substr(trim($param), 0, TAG_MAX_LENGTH);
return $param;
case PARAM_TAGLIST:
$tags = explode(',', $param);
$result = array();
foreach ($tags as $tag) {
$res = clean_param($tag, PARAM_TAG);
if ($res !== '') {
$result[] = $res;
}
}
if ($result) {
return implode(',', $result);
} else {
return '';
}
case PARAM_CAPABILITY:
if (get_capability_info($param)) {
return $param;
} else {
return '';
}
case PARAM_PERMISSION:
$param = (int) $param;
if (in_array($param, array(CAP_INHERIT, CAP_ALLOW, CAP_PREVENT, CAP_PROHIBIT))) {
return $param;
} else {
return CAP_INHERIT;
}
case PARAM_AUTH:
$param = clean_param($param, PARAM_SAFEDIR);
if (exists_auth_plugin($param)) {
return $param;
} else {
return '';
}
case PARAM_LANG:
$param = clean_param($param, PARAM_SAFEDIR);
if (get_string_manager()->translation_exists($param)) {
return $param;
} else {
return '';
// Specified language is not installed or param malformed
}
case PARAM_THEME:
$param = clean_param($param, PARAM_SAFEDIR);
if (file_exists("{$CFG->dirroot}/theme/{$param}/config.php")) {
return $param;
} else {
if (!empty($CFG->themedir) and file_exists("{$CFG->themedir}/{$param}/config.php")) {
return $param;
} else {
return '';
// Specified theme is not installed
}
}
case PARAM_USERNAME:
$param = str_replace(" ", "", $param);
$param = moodle_strtolower($param);
// Convert uppercase to lowercase MDL-16919
if (empty($CFG->extendedusernamechars)) {
// regular expression, eliminate all chars EXCEPT:
// alphanum, dash (-), underscore (_), at sign (@) and period (.) characters.
$param = preg_replace('/[^-\\.@_a-z0-9]/', '', $param);
}
return $param;
case PARAM_EMAIL:
if (validate_email($param)) {
return $param;
} else {
return '';
}
case PARAM_STRINGID:
if (preg_match('|^[a-zA-Z][a-zA-Z0-9\\.:/_-]*$|', $param)) {
return $param;
} else {
return '';
}
default:
// throw error, switched parameters in optional_param or another serious problem
print_error("unknownparamtype", '', '', $type);
}
}
function validateFtpSyntax($ftpaddr, $options = "")
{
// Check Options Parameter
if (!ereg('^([sHSEFuPaIpfqr][+?-])*$', $options)) {
trigger_error("Options attribute malformed", E_USER_ERROR);
}
// Set Options Array, set defaults if options are not specified
// Scheme
if (strpos($options, 's') === false) {
$aOptions['s'] = '?';
} else {
$aOptions['s'] = substr($options, strpos($options, 's') + 1, 1);
}
// http://
if (strpos($options, 'H') === false) {
$aOptions['H'] = '-';
} else {
$aOptions['H'] = substr($options, strpos($options, 'H') + 1, 1);
}
// https:// (SSL)
if (strpos($options, 'S') === false) {
$aOptions['S'] = '-';
} else {
$aOptions['S'] = substr($options, strpos($options, 'S') + 1, 1);
}
// mailto: (email)
if (strpos($options, 'E') === false) {
$aOptions['E'] = '-';
} else {
$aOptions['E'] = substr($options, strpos($options, 'E') + 1, 1);
}
// ftp://
if (strpos($options, 'F') === false) {
$aOptions['F'] = '+';
} else {
$aOptions['F'] = substr($options, strpos($options, 'F') + 1, 1);
}
// User section
if (strpos($options, 'u') === false) {
$aOptions['u'] = '?';
} else {
$aOptions['u'] = substr($options, strpos($options, 'u') + 1, 1);
}
// Password in user section
if (strpos($options, 'P') === false) {
$aOptions['P'] = '?';
} else {
$aOptions['P'] = substr($options, strpos($options, 'P') + 1, 1);
}
// Address Section
if (strpos($options, 'a') === false) {
$aOptions['a'] = '+';
} else {
$aOptions['a'] = substr($options, strpos($options, 'a') + 1, 1);
}
// IP Address in address section
if (strpos($options, 'I') === false) {
$aOptions['I'] = '?';
} else {
$aOptions['I'] = substr($options, strpos($options, 'I') + 1, 1);
}
// Port number
if (strpos($options, 'p') === false) {
$aOptions['p'] = '?';
} else {
$aOptions['p'] = substr($options, strpos($options, 'p') + 1, 1);
}
// File Path
if (strpos($options, 'f') === false) {
$aOptions['f'] = '?';
} else {
$aOptions['f'] = substr($options, strpos($options, 'f') + 1, 1);
}
// Query Section
if (strpos($options, 'q') === false) {
$aOptions['q'] = '-';
} else {
$aOptions['q'] = substr($options, strpos($options, 'q') + 1, 1);
}
// Fragment (Anchor)
if (strpos($options, 'r') === false) {
$aOptions['r'] = '-';
} else {
$aOptions['r'] = substr($options, strpos($options, 'r') + 1, 1);
}
// Generate options
$newoptions = '';
foreach ($aOptions as $key => $value) {
$newoptions .= $key . $value;
}
// DEBUGGING - Uncomment line below to display generated options
// echo '<pre>' . $newoptions . '</pre>';
// Send to validateUrlSyntax() and return result
return validateUrlSyntax($ftpaddr, $newoptions);
}
// figure out what the returnto URL should be
$wantsurl = param_variable("wantsurl", false);
if (!$wantsurl) {
if (isset($_SESSION['wantsurl'])) {
$wantsurl = $_SESSION['wantsurl'];
} else {
if (!$saml_session->getIdP()) {
$wantsurl = array_key_exists('HTTP_REFERER', $_SERVER) ? $_SERVER['HTTP_REFERER'] : $CFG->wwwroot;
} else {
$wantsurl = $CFG->wwwroot;
}
}
}
// taken from Moodle clean_param - make sure the wantsurl is correctly formed
include_once 'validateurlsyntax.php';
if (!validateUrlSyntax($wantsurl, 's?H?S?F?E?u-P-a?I?p?f?q?r?')) {
$wantsurl = $CFG->wwwroot;
}
// trim off any reference to login and stash
$_SESSION['wantsurl'] = preg_replace('/\\&login$/', '', $wantsurl);
// now - are we logged in?
$as->requireAuth();
// ensure that $_SESSION is cleared for simplesamlphp
if (isset($_SESSION['wantsurl'])) {
unset($_SESSION['wantsurl']);
}
$saml_attributes = $as->getAttributes();
@session_write_close();
// now - let's continue with the session handling that would normally be done
// by Maharas init.php
// the main thin is that it sets the session cookie name back to what it should be
<link href="popcss.css" rel="stylesheet" type="text/css" />
</head>
<body>
<h3>Feeds importieren</h3>
<?php
include './libs/URL.php';
ob_end_flush();
$_ok = TRUE;
if (isset($_FILES['probe']) || !empty($_POST['url'])) {
require_once 'magpie/rss_fetch.inc';
require_once 'magpie/rss_parse.inc';
#require_once('magpie/rss_utils.inc');
if (!empty($_POST['url'])) {
if (validateUrlSyntax($_POST['url'], 's+a+')) {
if (!($snoopy = _fetch_remote_file($_POST['url']))) {
echo "Ich kann " . $_POST['url'] . " nicht ?en...<br />";
$_ok = FALSE;
}
$simple = $snoopy->results;
unset($snoopy);
} else {
echo "Also, " . $_POST['url'] . " ist aber keine richtige URL...<br />";
$_ok = FALSE;
}
} elseif (isset($_FILES['probe'])) {
$name = "temp/" . time() . ".opml";
$_ok = move_uploaded_file($_FILES['probe']['tmp_name'], $name);
$simple = implode("", file($name));
}
/**
* Used by {@link optional_param()} and {@link required_param()} to
* clean the variables and/or cast to specific types, based on
* an options field.
* <code>
* $course->format = clean_param($course->format, PARAM_ALPHA);
* $selectedgrade_item = clean_param($selectedgrade_item, PARAM_CLEAN);
* </code>
*
* @uses $CFG
* @uses PARAM_CLEAN
* @uses PARAM_INT
* @uses PARAM_INTEGER
* @uses PARAM_ALPHA
* @uses PARAM_ALPHANUM
* @uses PARAM_NOTAGS
* @uses PARAM_ALPHATEXT
* @uses PARAM_BOOL
* @uses PARAM_SAFEDIR
* @uses PARAM_CLEANFILE
* @uses PARAM_FILE
* @uses PARAM_PATH
* @uses PARAM_HOST
* @uses PARAM_URL
* @uses PARAM_LOCALURL
* @uses PARAM_CLEANHTML
* @param mixed $param the variable we are cleaning
* @param int $options a bit field that specifies the cleaning needed. This field is specified by combining PARAM_* definitions together with a logical or.
* @return mixed
*/
function clean_param($param, $options)
{
global $CFG;
if (is_array($param)) {
// Let's loop
$newparam = array();
foreach ($param as $key => $value) {
$newparam[$key] = clean_param($value, $options);
}
return $newparam;
}
if (!$options) {
return $param;
// Return raw value
}
//this corrupts data - Sven
//if ((string)$param == (string)(int)$param) { // It's just an integer
// return (int)$param;
//}
if ($options & PARAM_CLEAN) {
// this breaks backslashes in user input
// $param = stripslashes($param); // Needed by kses to work fine
$param = clean_text($param);
// Sweep for scripts, etc
// and this unnecessarily escapes quotes, etc in user input
// $param = addslashes($param); // Restore original request parameter slashes
}
if ($options & PARAM_INT) {
$param = (int) $param;
// Convert to integer
}
if ($options & PARAM_ALPHA) {
// Remove everything not a-z
$param = eregi_replace('[^a-zA-Z]', '', $param);
}
if ($options & PARAM_ALPHANUM) {
// Remove everything not a-zA-Z0-9
$param = eregi_replace('[^A-Za-z0-9]', '', $param);
}
if ($options & PARAM_ALPHAEXT) {
// Remove everything not a-zA-Z/_-
$param = eregi_replace('[^a-zA-Z/_-]', '', $param);
}
if ($options & PARAM_BOOL) {
// Convert to 1 or 0
$tempstr = strtolower($param);
if ($tempstr == 'on') {
$param = 1;
} else {
if ($tempstr == 'off') {
$param = 0;
} else {
$param = empty($param) ? 0 : 1;
}
}
}
if ($options & PARAM_NOTAGS) {
// Strip all tags completely
$param = strip_tags($param);
}
if ($options & PARAM_SAFEDIR) {
// Remove everything not a-zA-Z0-9_-
$param = eregi_replace('[^a-zA-Z0-9_-]', '', $param);
}
if ($options & PARAM_CLEANFILE) {
// allow only safe characters
$param = clean_filename($param);
}
if ($options & PARAM_FILE) {
// Strip all suspicious characters from filename
$param = ereg_replace('[[:cntrl:]]|[<>"`\\|\':\\/]', '', $param);
$param = ereg_replace('\\.\\.+', '', $param);
if ($param == '.') {
$param = '';
}
}
if ($options & PARAM_PATH) {
// Strip all suspicious characters from file path
$param = str_replace('\\\'', '\'', $param);
$param = str_replace('\\"', '"', $param);
$param = str_replace('\\', '/', $param);
$param = ereg_replace('[[:cntrl:]]|[<>"`\\|\':]', '', $param);
$param = ereg_replace('\\.\\.+', '', $param);
$param = ereg_replace('//+', '/', $param);
$param = ereg_replace('/(\\./)+', '/', $param);
}
if ($options & PARAM_HOST) {
// allow FQDN or IPv4 dotted quad
preg_replace('/[^\\.\\d\\w-]/', '', $param);
// only allowed chars
// match ipv4 dotted quad
if (preg_match('/(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/', $param, $match)) {
// confirm values are ok
if ($match[0] > 255 || $match[1] > 255 || $match[3] > 255 || $match[4] > 255) {
// hmmm, what kind of dotted quad is this?
$param = '';
}
} elseif (preg_match('/^[\\w\\d\\.-]+$/', $param) && !preg_match('/^[\\.-]/', $param) && !preg_match('/[\\.-]$/', $param)) {
// all is ok - $param is respected
} else {
// all is not ok...
$param = '';
}
}
if ($options & PARAM_URL) {
// allow safe ftp, http, mailto urls
include_once $CFG->dirroot . 'lib/validateurlsyntax.php';
//
// Parameters to validateurlsyntax()
//
// s? scheme is optional
// H? http optional
// S? https optional
// F? ftp optional
// E? mailto optional
// u- user section not allowed
// P- password not allowed
// a? address optional
// I? Numeric IP address optional (can use IP or domain)
// p- port not allowed -- restrict to default port
// f? "file" path section optional
// q? query section optional
// r? fragment (anchor) optional
//
if (!empty($param) && validateUrlSyntax($param, 's?H?S?F?E?u-P-a?I?p-f?q?r?')) {
// all is ok, param is respected
} else {
$param = '';
// not really ok
}
$options ^= PARAM_URL;
// Turn off the URL bit so that simple PARAM_URLs don't test true for PARAM_LOCALURL
}
if ($options & PARAM_LOCALURL) {
// assume we passed the PARAM_URL test...
// allow http absolute, root relative and relative URLs within wwwroot
if (!empty($param)) {
if (preg_match(':^/:', $param)) {
// root-relative, ok!
} elseif (preg_match('/^' . preg_quote($CFG->wwwroot, '/') . '/i', $param)) {
// absolute, and matches our wwwroot
} else {
// relative - let's make sure there are no tricks
if (validateUrlSyntax($param, 's-u-P-a-p-f+q?r?')) {
// looks ok.
} else {
$param = '';
}
}
}
}
if ($options & PARAM_CLEANHTML) {
// $param = stripslashes($param); // Remove any slashes
$param = clean_text($param);
// Sweep for scripts, etc
// $param = trim($param); // Sweep for scripts, etc
}
return $param;
}
private function create_node_course_modules_mod_resource($sheet_mod_resource, $instance)
{
global $CFG;
require_once $CFG->libdir . '/validateurlsyntax.php';
$link = '';
$mod_alltext = '';
$mod_summary = '';
$xpath = cc2moodle::newx_path(cc2moodle::$manifest, cc2moodle::$namespaces);
if ($instance['common_cartriedge_type'] == cc2moodle::CC_TYPE_WEBCONTENT || $instance['common_cartriedge_type'] == cc2moodle::CC_TYPE_ASSOCIATED_CONTENT) {
$resource = $xpath->query('/imscc:manifest/imscc:resources/imscc:resource[@identifier="' . $instance['resource_indentifier'] . '"]/@href');
$resource = !empty($resource->item(0)->nodeValue) ? $resource->item(0)->nodeValue : '';
if (empty($resource)) {
unset($resource);
$resource = $xpath->query('/imscc:manifest/imscc:resources/imscc:resource[@identifier="' . $instance['resource_indentifier'] . '"]/imscc:file/@href');
$resource = !empty($resource->item(0)->nodeValue) ? $resource->item(0)->nodeValue : '';
}
if (!empty($resource)) {
$link = $resource;
}
}
if ($instance['common_cartriedge_type'] == cc2moodle::CC_TYPE_WEBLINK) {
$external_resource = $xpath->query('/imscc:manifest/imscc:resources/imscc:resource[@identifier="' . $instance['resource_indentifier'] . '"]/imscc:file/@href')->item(0)->nodeValue;
if ($external_resource) {
$resource = $this->load_xml_resource(cc2moodle::$path_to_manifest_folder . DIRECTORY_SEPARATOR . $external_resource);
if (!empty($resource)) {
$xpath = cc2moodle::newx_path($resource, cc2moodle::getresourcens());
$resource = $xpath->query('//url/@href');
if ($resource->length > 0) {
$rawlink = $resource->item(0)->nodeValue;
if (!validateUrlSyntax($rawlink, 's+')) {
$changed = rawurldecode($rawlink);
if (validateUrlSyntax($changed, 's+')) {
$link = $changed;
} else {
$link = 'http://invalidurldetected/';
}
} else {
$link = $rawlink;
}
}
}
}
}
$find_tags = array('[#mod_instance#]', '[#mod_name#]', '[#mod_type#]', '[#mod_reference#]', '[#mod_summary#]', '[#mod_alltext#]', '[#mod_options#]', '[#date_now#]');
$mod_type = 'file';
$mod_options = 'objectframe';
$mod_reference = $link;
//detected if we are dealing with html file
if (!empty($link) && $instance['common_cartriedge_type'] == cc2moodle::CC_TYPE_WEBCONTENT) {
$ext = strtolower(pathinfo($link, PATHINFO_EXTENSION));
if (in_array($ext, array('html', 'htm', 'xhtml'))) {
$mod_type = 'html';
//extract the content of the file
$rootpath = realpath(cc112moodle::$path_to_manifest_folder);
$htmlpath = realpath($rootpath . DIRECTORY_SEPARATOR . $link);
$dirpath = dirname($htmlpath);
if (file_exists($htmlpath)) {
$fcontent = file_get_contents($htmlpath);
$mod_alltext = clean_param($this->prepare_content($fcontent), PARAM_CLEANHTML);
$mod_reference = '';
$mod_options = '';
//TODO: try to handle embedded resources
/**
* images, linked static resources, applets, videos
*/
$doc = new DOMDocument();
$cdir = getcwd();
chdir($dirpath);
try {
if (!empty($mod_alltext) && $doc->loadHTML($mod_alltext)) {
$xpath = new DOMXPath($doc);
$attributes = array('href', 'src', 'background', 'archive', 'code');
$qtemplate = "//*[@##][not(contains(@##,'://'))]/@##";
$query = '';
foreach ($attributes as $attrname) {
if (!empty($query)) {
$query .= " | ";
}
$query .= str_replace('##', $attrname, $qtemplate);
}
$list = $xpath->query($query);
$searches = array();
$replaces = array();
foreach ($list as $resrc) {
$rpath = $resrc->nodeValue;
$rtp = realpath($rpath);
if ($rtp !== false && is_file($rtp)) {
//file is there - we are in business
$strip = str_replace("\\", "/", str_ireplace($rootpath, '', $rtp));
$encoded_file = '$@FILEPHP@$' . str_replace('/', '$@SLASH@$', $strip);
$searches[] = $resrc->nodeValue;
$replaces[] = $encoded_file;
}
}
$mod_alltext = str_replace($searches, $replaces, $mod_alltext);
}
} catch (Exception $e) {
//silence the complaints
}
chdir($cdir);
$mod_alltext = self::safexml($mod_alltext);
}
}
}
$replace_values = array($instance['instance'], self::safexml($instance['title']), $mod_type, $mod_reference, '', $mod_alltext, $mod_options, time());
return str_replace($find_tags, $replace_values, $sheet_mod_resource);
}
echo '<p>' . get_string('nodatareturned', 'report_customsql') . '</p>';
} else {
list($csvfilename, $cvstimestamp) = report_customsql_csv_filename($report, $cvstimestamp);
if (!is_readable($csvfilename)) {
echo '<p>' . get_string('notrunyet', 'report_customsql') . '</p>';
} else {
$handle = fopen($csvfilename, 'r');
if ($report->runable != 'manual' && !$report->singlerow) {
print_heading(get_string('reportfor', 'report_customsql', userdate($cvstimestamp, get_string('strftimedate'))), '', 3);
}
$table = new stdClass();
$table->head = fgetcsv($handle);
while ($row = fgetcsv($handle)) {
$rowdata = array();
foreach ($row as $value) {
if (validateUrlSyntax($value, 's+H?S?F?E?u-P-a?I?p?f?q?r?')) {
$rowdata[] = '<a href="' . $value . '">' . $value . '</a>';
} else {
$rowdata[] = $value;
}
}
$table->data[] = $rowdata;
$count += 1;
}
fclose($handle);
print_table($table);
echo "<br/>" . get_string('recordcount', 'report_customsql') . " = {$count}<br/>";
if ($count >= REPORT_CUSTOMSQL_MAX_RECORDS) {
echo '<p class="admin_note">' . get_string('recordlimitreached', 'report_customsql', REPORT_CUSTOMSQL_MAX_RECORDS) . '</p>';
}
echo report_customsql_time_note($report, 'p');
function clean_param($param, $type = PARAM_CLEAN)
{
global $CFG;
if (is_array($param)) {
// Let's loop
$newparam = array();
foreach ($param as $key => $value) {
$newparam[$key] = clean_param($value, $type);
}
return $newparam;
}
switch ($type) {
case PARAM_RAW:
// no cleaning at all
return $param;
case PARAM_CLEAN:
// General HTML cleaning, try to use more specific type if possible
if (is_numeric($param)) {
return $param;
}
$param = stripslashes($param);
// Needed for kses to work fine
$param = clean_text($param);
// Sweep for scripts, etc
return addslashes($param);
// Restore original request parameter slashes
// Restore original request parameter slashes
case PARAM_CLEANHTML:
// prepare html fragment for display, do not store it into db!!
$param = stripslashes($param);
// Remove any slashes
$param = clean_text($param);
// Sweep for scripts, etc
return trim($param);
case PARAM_INT:
return (int) $param;
// Convert to integer
// Convert to integer
case PARAM_NUMBER:
return (double) $param;
// Convert to integer
// Convert to integer
case PARAM_BOOL:
// Convert to 1 or 0
$tempstr = strtolower($param);
if ($tempstr == 'on' or $tempstr == 'yes') {
$param = 1;
} else {
if ($tempstr == 'off' or $tempstr == 'no') {
$param = 0;
} else {
$param = empty($param) ? 0 : 1;
}
}
return $param;
case PARAM_NOTAGS:
// Strip all tags
return strip_tags($param);
case PARAM_TEXT:
// leave only tags needed for multilang
return clean_param(strip_tags($param, '<lang><span>'), PARAM_CLEAN);
case PARAM_SAFEDIR:
// Remove everything not a-zA-Z0-9_-
return eregi_replace('[^a-zA-Z0-9_-]', '', $param);
case PARAM_CLEANFILE:
// allow only safe characters
return clean_filename($param);
case PARAM_FILE:
// Strip all suspicious characters from filename
$param = ereg_replace('[[:cntrl:]]|[<>"`\\|\':\\/]', '', $param);
$param = ereg_replace('\\.\\.+', '', $param);
if ($param == '.') {
$param = '';
}
return $param;
case PARAM_PATH:
// Strip all suspicious characters from file path
$param = str_replace('\\\'', '\'', $param);
$param = str_replace('\\"', '"', $param);
$param = str_replace('\\', '/', $param);
$param = ereg_replace('[[:cntrl:]]|[<>"`\\|\':]', '', $param);
$param = ereg_replace('\\.\\.+', '', $param);
$param = ereg_replace('//+', '/', $param);
return ereg_replace('/(\\./)+', '/', $param);
case PARAM_HOST:
// allow FQDN or IPv4 dotted quad
$param = preg_replace('/[^\\.\\d\\w-]/', '', $param);
// only allowed chars
// match ipv4 dotted quad
if (preg_match('/(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/', $param, $match)) {
// confirm values are ok
if ($match[0] > 255 || $match[1] > 255 || $match[3] > 255 || $match[4] > 255) {
// hmmm, what kind of dotted quad is this?
$param = '';
}
} elseif (preg_match('/^[\\w\\d\\.-]+$/', $param) && !preg_match('/^[\\.-]/', $param) && !preg_match('/[\\.-]$/', $param)) {
// all is ok - $param is respected
} else {
// all is not ok...
$param = '';
}
return $param;
case PARAM_URL:
// allow safe ftp, http, mailto urls
include_once $CFG['dirroot'] . '/inc/validateurlsyntax.php';
if (!empty($param) && validateUrlSyntax($param, 's?H?S?F?E?u-P-a?I?p?f?q?r?')) {
// all is ok, param is respected
} else {
$param = '';
// not really ok
}
return $param;
}
}
