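/**
 * Remove any script or dangerous HTML while keeping ExpressionManager
 * expressions ({...}) usable.
 *
 * The whole value is purified once, then both the original and the purified
 * copy are split into STRING / EXPRESSION segments. STRING segments are taken
 * from the purified copy; EXPRESSION segments are re-tokenized from the
 * unpurified input so that characters HTML-Purifier would entity-encode
 * (e.g. "&&", "<") survive. Inside an expression only the quoted-string
 * tokens are purified, every other token is copied verbatim.
 * NOTE(review): this relies on Tokenize never yielding a non-string token
 * that carries markup — confirm against em_core_helper.
 *
 * The two splits are matched by index. That match is only trusted when both
 * splits have the same number of segments AND the segment at that index is a
 * STRING on the purified side as well; otherwise the purifier changed the
 * segment structure and each STRING segment is purified individually (in
 * that fallback the %7B/%7D decoding below is not applied).
 *
 * NOTE(review): the purifier options deliberately widen what survives:
 * HTML.SafeObject/Output.FlashCompat keep <object>/<embed> (Flash) content,
 * CSS.AllowTricky keeps properties such as display/overflow, Attr.EnableID
 * keeps id attributes, and the ftp/nntp/news URI schemes are accepted. Each
 * of these enlarges the attack surface of admin-authored content; review
 * before relaxing further (HTML.Trusted would let script through).
 *
 * @param string $value
 * @return string
 */
public function xssFilter($value)
{
    $filter = new CHtmlPurifier();
    $filter->options = array(
        'AutoFormat.RemoveEmpty' => false,
        'Core.NormalizeNewlines' => false,
        'CSS.AllowTricky' => true,
        'HTML.SafeObject' => true,
        'Output.FlashCompat' => true,
        'Attr.EnableID' => true,
        'Attr.AllowedFrameTargets' => array('_blank', '_self'),
        'URI.AllowedSchemes' => array(
            'http' => true,
            'https' => true,
            'mailto' => true,
            'ftp' => true,
            'nntp' => true,
            'news' => true,
        ),
    );
    // To allow script BUT purify : HTML.Trusted=true (plugin idea for admin or without XSS filtering ?)

    // Purify first, then restore url-encoded {QCODE} placeholders (bug #09300).
    // The decode runs on purified output and only [a-zA-Z0-9.] is accepted
    // between the braces, so the restored text can never contain markup.
    $sFiltered = preg_replace('#%7B([a-zA-Z0-9\\.]*)%7D#', '{$1}', $filter->purify($value));

    Yii::import('application.helpers.expressions.em_core_helper'); // Already imported in em_manager_helper.php ?
    $oExpressionManager = new ExpressionManager();

    // Two parallel splits: unfiltered (source of expressions) and filtered (source of HTML).
    // Each entry: 0 => the string, 1 => string length, 2 => type (STRING or EXPRESSION)
    $aValues = $oExpressionManager->asSplitStringOnExpressions($value);
    $aFilteredValues = $oExpressionManager->asSplitStringOnExpressions($sFiltered);
    $bCountIsOk = count($aValues) === count($aFilteredValues);

    $sNewValue = '';
    foreach ($aValues as $key => $aValue) {
        if ($aValue[2] === 'STRING') {
            // Use the pre-purified segment only when the splits are positionally
            // aligned: same count and a STRING at this index on the filtered side.
            // A count match alone does not prove the index points at the same text.
            if ($bCountIsOk && isset($aFilteredValues[$key]) && $aFilteredValues[$key][2] === 'STRING') {
                $sNewValue .= $aFilteredValues[$key][0];
            } else {
                $sNewValue .= $filter->purify($aValue[0]);
            }
            continue;
        }

        // trim() strips every leading/trailing brace, not just one pair.
        $sExpression = trim($aValue[0], '{}');
        $sNewValue .= '{';
        // Tokens: 0 => the string, 1 => length, 2 => type. Only quoted-string
        // tokens are purified; everything else is emitted as-is.
        $aParsedExpressions = $oExpressionManager->Tokenize($sExpression, true);
        foreach ($aParsedExpressions as $aParsedExpression) {
            switch ($aParsedExpression[2]) {
                case 'DQ_STRING':
                    $sNewValue .= '"' . $filter->purify($aParsedExpression[0]) . '"';
                    break;
                case 'SQ_STRING':
                    $sNewValue .= "'" . $filter->purify($aParsedExpression[0]) . "'";
                    break;
                default:
                    $sNewValue .= $aParsedExpression[0];
            }
        }
        $sNewValue .= '}';
    }
    gc_collect_cycles(); // To counter a high memory usage of HTML-Purifier
    return $sNewValue;
}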
/**
 * Remove any script or dangerous HTML, keeping ExpressionManager expressions
 * ({...}) functional.
 *
 * The value is split into STRING and EXPRESSION segments. STRING segments go
 * through HTML-Purifier. EXPRESSION segments are tokenized and only the
 * double/single-quoted string tokens are purified; every other token is
 * emitted verbatim. NOTE(review): this relies on Tokenize never producing a
 * non-string token that carries markup — confirm against em_core_helper.
 *
 * NOTE(review): the purifier configuration is permissive on purpose:
 * HTML.SafeObject/Output.FlashCompat keep <object>/<embed> (Flash),
 * CSS.AllowTricky keeps properties such as display/overflow, Attr.EnableID
 * keeps id attributes, and the ftp/nntp/news URI schemes are accepted. Each
 * of these widens what survives filtering; HTML.Trusted (see comment below)
 * would additionally let script through and must not be enabled for
 * untrusted input.
 *
 * @param string $value
 * @return string
 */
public function xssFilter($value)
{
    $purifier = new CHtmlPurifier();
    $purifier->options = array(
        'AutoFormat.RemoveEmpty' => false,
        'CSS.AllowTricky' => true,
        'HTML.SafeObject' => true,
        'Output.FlashCompat' => true,
        'Attr.EnableID' => true,
        'Attr.AllowedFrameTargets' => array('_blank', '_self'),
        'URI.AllowedSchemes' => array(
            'http' => true,
            'https' => true,
            'mailto' => true,
            'ftp' => true,
            'nntp' => true,
            'news' => true,
        ),
    );
    // To allow script BUT purify : HTML.Trusted=true (plugin idea for admin or without XSS filtering ?)

    Yii::import('application.helpers.expressions.em_core_helper'); // Already imported in em_manager_helper.php ?
    $em = new ExpressionManager();

    $aParts = array();
    // Each segment: 0 => the string, 1 => string length, 2 => type (STRING or EXPRESSION)
    foreach ($em->asSplitStringOnExpressions($value) as $aSegment) {
        if ($aSegment[2] == 'STRING') {
            $aParts[] = $purifier->purify($aSegment[0]);
            continue;
        }

        // trim() strips every leading/trailing brace, not just one pair.
        $aTokens = array();
        // Each token: 0 => the string, 1 => string length, 2 => type
        foreach ($em->Tokenize(trim($aSegment[0], '{}'), true) as $aToken) {
            switch ($aToken[2]) {
                case 'DQ_STRING':
                    $aTokens[] = '"' . $purifier->purify($aToken[0]) . '"';
                    break;
                case 'SQ_STRING':
                    $aTokens[] = "'" . $purifier->purify($aToken[0]) . "'";
                    break;
                default:
                    $aTokens[] = $aToken[0];
            }
        }
        $aParts[] = '{' . implode('', $aTokens) . '}';
    }

    return implode('', $aParts);
}