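/**
 * Tidy up the image source url and map it onto the file system.
 *
 * The scheme and this site's own host name (with or without a leading
 * "www.") are stripped from the front of $src, HTML is removed, the
 * remainder is passed through checkExternal() (defined elsewhere in this
 * file), a leading slash is dropped and every path component made only of
 * dots ("..", "...") is discarded so the result cannot climb above the
 * document root.
 *
 * @param string $src image url or path as supplied by the request
 * @return string path to the image below get_document_root()
 */
function cleanSource($src)
{
    $host = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : '';
    // only a leading "www." is an alias for this host; a plain str_replace
    // would also remove "www." from the middle of the name
    $host = preg_replace('/^www\./i', '', $host);
    if ($host !== '') {
        // HTTP_HOST is taken from the request's Host header, so it has to be
        // quoted before it is spliced into a pattern (a "/" or "(" in it
        // would otherwise make preg_replace fail and return null)
        $regex = '/^((ht|f)tp(s|):\/\/)(www\.|)' . preg_quote($host, '/') . '/i';
        $src = preg_replace($regex, '', $src);
    }
    $src = strip_tags($src);
    $src = checkExternal($src);
    // remove slash from start of string; substr() returns false on PHP 5
    // when nothing is left (src was just "/"), hence the cast
    if (strpos($src, '/') === 0) {
        $src = (string) substr($src, 1);
    }
    // don't allow users the ability to use '../'
    // in order to gain access to files below document root.
    // Work on whole path components (with "\" treated as a separator) so
    // that "..\" and a trailing ".." are caught as well as "../".
    $safe = array();
    foreach (explode('/', str_replace('\\', '/', $src)) as $part) {
        if (preg_match('/^\.\.+$/', $part)) {
            continue;
        }
        $safe[] = $part;
    }
    $src = implode('/', $safe);
    // get path to image on file system
    $src = get_document_root($src) . '/' . $src;
    return $src;
}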
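/**
 * Tidy up the image source url and map it onto the file system.
 *
 * $src is entity-encoded, passed through checkExternal() (defined elsewhere
 * in this file), stripped of a leading scheme and of this site's own host
 * name (with or without "www."), stripped of a leading slash, and every path
 * component made only of dots ("..", "...") is discarded so the result
 * cannot climb above the document root.
 *
 * src should be specified relative to document root like:
 * src=images/img.jpg or src=/images/img.jpg
 * not like:
 * src=../images/img.jpg
 *
 * @param string $src image url or path as supplied by the request
 * @return string path to the image below get_document_root()
 */
function cleanSource($src)
{
    // NOTE(review): htmlentities() rewrites characters such as & and ' before
    // the value is used as a file-system path, so a file whose name contains
    // them cannot be resolved — kept as the original author had it; confirm
    // that this is intended.
    $src = htmlentities($src);
    $src = checkExternal($src);
    // remove http/ https/ ftp
    $src = preg_replace('/^((ht|f)tp(s|):\/\/)/i', '', $src);
    // remove domain name from the start of the source url. The match is
    // anchored and quoted: a bare str_replace of HTTP_HOST would also mangle
    // a path that merely contains the host name (e.g. images/example.com.jpg),
    // and the header value is request-controlled
    $host = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : '';
    // only a leading "www." is an alias for this host
    $host = preg_replace('/^www\./i', '', $host);
    if ($host !== '') {
        $src = preg_replace('/^(www\.)?' . preg_quote($host, '/') . '/i', '', $src);
    }
    // remove slash from start of string; substr() returns false on PHP 5
    // when nothing is left (src was just "/"), hence the cast
    if (strpos($src, '/') === 0) {
        $src = (string) substr($src, 1);
    }
    // don't allow users the ability to use '../'
    // in order to gain access to files below document root.
    // Work on whole path components (with "\" treated as a separator) so
    // that "..\" and a trailing ".." are caught as well as "../".
    $safe = array();
    foreach (explode('/', str_replace('\\', '/', $src)) as $part) {
        if (preg_match('/^\.\.+$/', $part)) {
            continue;
        }
        $safe[] = $part;
    }
    $src = implode('/', $safe);
    // get path to image on file system
    $src = get_document_root($src) . '/' . $src;
    return $src;
}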