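/**
 * Sanitize untrusted HTML with the bundled safehtml library, letting a small
 * allowlist of embed iframes (YouTube / Vimeo over plain http) survive.
 *
 * Behaviour:
 *  - the library is located and loaded once per process; the outcome is cached
 *    in the static $test (1 = parser available, -1 = not available);
 *  - when the parser is unavailable the text is entity-escaped wholesale
 *    (fail-closed: nothing is returned unfiltered);
 *  - allowed iframes are swapped for an opaque placeholder before parsing and
 *    put back afterwards, so safehtml's "iframe" deletion does not hit them.
 *
 * @param string $t Untrusted markup.
 * @return string Filtered markup, or the fully entity-escaped input when the
 *                library could not be loaded.
 */
function inc_safehtml_dist($t) {
	static $process, $test;

	// One-time bootstrap of the safehtml parser, cached in the static $test.
	if (!$test) {
		$process = false;
		if ($f = find_in_path('lib/safehtml/classes')) {
			define('XML_HTMLSAX3', $f.'/');
			require_once XML_HTMLSAX3.'safehtml.php';
			$process = new safehtml();
			$process->deleteTags[] = 'param'; // otherwise Firefox misbehaves
		}
		if ($process)
			$test = 1; # ok
		else
			$test = -1; # fall back to a basic escaping function
	}

	// Allowed iframes, keyed by placeholder token. Initialised unconditionally
	// so the reinsertion loop below never reads an undefined variable when no
	// iframe matched (the original emitted an "undefined variable" notice).
	$ok = array();

	if ($test > 0) {
		# allow a few things
		# e.g. youtube embeds
		if (false !== strpos($t, 'iframe')) {
			foreach (extraire_balises($t, 'iframe') as $iframe) {
				// Only the src scheme/host is checked; the *entire* iframe tag,
				// including every other attribute it carries, is reinserted
				// verbatim after sanitization and thus never sees safehtml.
				// NOTE(review): confirm that extraire_balises()/callers strip
				// event-handler (on*) attributes, otherwise an allowed src is
				// enough to bypass the sanitizer for that tag.
				$src = (string) extraire_attribut($iframe, 'src');
				if (preg_match(',^http://(www\.)?(youtube\.com|(player\.)?vimeo\.com)/.*,', $src)) {
					$re = '___IFRAME___'.md5($iframe);
					$ok[$re] = $iframe;
					$t = str_replace($iframe, $re, $t);
				}
			}
		}

		# reset by hand: $process->clear() only empties _xhtml, the parser's
		# other bookkeeping (stacks, counters) would otherwise leak between
		# calls. Keep this list in sync with the safehtml implementation.
		$process->_counter = array();
		$process->_stack = array();
		$process->_dcCounter = array();
		$process->_dcStack = array();
		$process->_listScope = 0;
		$process->_liStack = array();
		$process->clear();
		$t = $process->parse($t);

		# put the allowed iframes back (no-op when $ok is empty)
		foreach ($ok as $re => $v)
			$t = str_replace($re, $v, $t);
	}
	else
		$t = entites_html($t); // very ugly, used only when the library failed to load

	return $t;
}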
/**
 * Sanitize untrusted HTML with the bundled safehtml library.
 *
 * The library is located and loaded once per process; the result is cached
 * in the static $test (1 = parser available, -1 = unavailable). Without the
 * parser the whole text is entity-escaped instead, so nothing is ever
 * returned unfiltered.
 *
 * @param string $t Untrusted markup.
 * @return string Filtered markup (or the entity-escaped input as fallback).
 */
function inc_safehtml_dist($t)
{
    static $process, $test;

    // One-time bootstrap, cached in $test:
    //   1  -> safehtml loaded, $process holds the parser instance
    //  -1  -> library missing, fall back to plain entity escaping
    if (!$test) {
        $process = false;
        $dir = find_in_path('lib/safehtml/classes');
        if ($dir) {
            define('XML_HTMLSAX3', $dir . '/');
            require_once XML_HTMLSAX3 . 'safehtml.php';
            $process = new safehtml();
            // <param> is dropped as well, otherwise Firefox misbehaves
            $process->deleteTags[] = 'param';
        }
        $test = $process ? 1 : -1;
    }

    if ($test > 0) {
        // $process->clear() only resets _xhtml, so the parser's remaining
        // bookkeeping is cleared by hand before each call. Keep the property
        // list in sync with the safehtml implementation; a cleaner reset API
        // would be welcome.
        foreach (array('_counter', '_stack', '_dcCounter', '_dcStack', '_liStack') as $prop) {
            $process->$prop = array();
        }
        $process->_listScope = 0;
        $process->clear();
        $t = $process->parse($t);
    } else {
        // very ugly, used only when the library is unavailable
        $t = entites_html($t);
    }

    // Drop the empty <li></li> that safehtml emits for a lone opening <li>
    // (cf http://core.spip.org/issues/2201).
    // NOTE(review): this edits the sanitizer's *output*; any post-sanitization
    // string rewrite deserves scrutiny, because removing a substring can join
    // two fragments into a token the parser never evaluated.
    return str_replace("<li></li>", "", $t);
}
 /**
  * Validation helper: reports whether $val is already "safe" HTML, i.e. does
  * not contain anything the safehtml parser would strip as possible XSS.
  *
  * The value is run through safehtml and accepted only when the parser hands
  * it back byte-for-byte unchanged. Because the comparison is a strict string
  * identity, any benign normalisation the parser performs (attribute quoting,
  * whitespace, tag case) also makes the value count as unsafe: the check can
  * fail closed on harmless input, but never fails open.
  *
  * @param mixed $val         The value to test (expected to be a string; a
  *                           non-string can never be === to the parser's
  *                           string output and is therefore rejected).
  * @param array $opts        No options; kept for the validator signature.
  * @param mixed $formelement (not required)
  * @return bool True when safehtml leaves $val untouched.
  */
 function safe($val, $opts = array(), $formelement = null)
 {
     require_once YD_DIR_HOME . '/3rdparty/safehtml/classes/safehtml.php';
     $parser = new safehtml();
     $cleaned = $parser->parse($val);
     return $cleaned === $val;
 }
/**
 * Sanitize the given HTML with the safeHTML library.
 *
 * Preferred over PHP's strip_tags(), which leaves the attributes of every
 * tag you allow untouched (so on* handlers and javascript: URLs survive it).
 *
 * Per the library's documentation, the parser strips all potentially
 * dangerous content from the markup:
 *  - opening tags without a closing tag, and closing tags without an opening one
 *  - the tags "base", "basefont", "head", "html", "body", "applet", "object",
 *    "iframe", "frame", "frameset", "script", "layer", "ilayer", "embed",
 *    "bgsound", "link", "meta", "style", "title", "blink", "xml", etc.
 *  - the attributes on*, data*, dynsrc
 *  - javascript:/vbscript:/about: etc. protocols
 *  - expression/behavior etc. in styles
 *  - any other active content
 *
 * Note: no require here; the safehtml class must already be loaded by the
 * caller or an autoloader.
 *
 * @param string $html Untrusted markup.
 * @return string The filtered markup.
 */
function sanitize($html)
{
    $parser = new safehtml();
    $clean = $parser->parse($html);
    return $clean;
}
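 /**
  * Use the HTML checker to remove any possible XSS attacks (eg, <script> tags)
  * from every scalar in $data, recursing into nested arrays.
  *
  * A fresh safehtml instance is created per value on purpose: the parser keeps
  * internal stacks/counters that its clear() does not fully reset, so reusing
  * one instance across values is not obviously safe.
  *
  * Fail-closed fallback: if the safehtml class could not be loaded, string
  * values are entity-escaped with htmlspecialchars() instead of being handed
  * back unfiltered (the original silently returned them untouched, which is
  * exactly the case a sanitizer must never fail open on).
  *
  * @param array $data Untrusted values, possibly nested.
  * @return array Same shape as $data with every string filtered.
  */
 function purify($data)
 {
     require_once DIR_FS_PRONTO . DS . 'extlib' . DS . 'safehtml' . DS . 'safehtml.php';
     // Decided once rather than per element; the class cannot appear mid-loop.
     $have_safehtml = class_exists('safehtml');
     foreach ($data as $k => $v) {
         if (is_array($v)) {
             // PHP4 doesn't like self::purify()
             // NOTE(review): Model::purify() is a static-style call to a
             // non-static method; fine from an instance context, but PHP 8
             // throws when purify() is invoked without one -- confirm callers.
             $data[$k] = Model::purify($v);
         } elseif ($have_safehtml) {
             $purifier = new safehtml();
             $data[$k] = $purifier->parse($v);
         } elseif (is_string($v)) {
             // Library missing: never hand back raw markup. Escaping loses any
             // allowed HTML but cannot let active content through.
             $data[$k] = htmlspecialchars($v, ENT_QUOTES);
         }
         // non-string scalars (int, bool, null) carry no markup; left as-is
     }
     return $data;
 }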