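/**
  * Remove any script or dangerous HTML from a string that may contain
  * Expression Manager (EM) expressions.
  *
  * Text outside EM expressions is run through HTML Purifier. Inside an
  * expression only the quoted string literals are purified; variable names,
  * operators and function calls are kept verbatim so EM can still parse them.
  *
  * @param string $value the raw (untrusted) string
  * @return string the string with purified HTML and untouched EM expressions
  */
 public function xssFilter($value)
 {
     $filter = new CHtmlPurifier();
     // Purifier settings. Several of these deliberately widen HTML Purifier's
     // defaults: HTML.SafeObject/Output.FlashCompat permit <object> embeds
     // (HTML Purifier restricts them to Flash with script access disabled),
     // CSS.AllowTricky permits display/visibility/overflow CSS and
     // Attr.EnableID permits id attributes (off by default because a
     // user-chosen id can collide with the surrounding page). Any change
     // here changes what an author can inject into rendered pages.
     $filter->options = [
         'AutoFormat.RemoveEmpty' => false,
         'Core.NormalizeNewlines' => false,
         'CSS.AllowTricky' => true,
         'HTML.SafeObject' => true,
         'Output.FlashCompat' => true,
         'Attr.EnableID' => true,
         'Attr.AllowedFrameTargets' => ['_blank', '_self'],
         'URI.AllowedSchemes' => [
             'http' => true,
             'https' => true,
             'mailto' => true,
             'ftp' => true,
             'nntp' => true,
             'news' => true,
         ],
     ];
     // To allow script BUT purify : HTML.Trusted=true (plugin idea for admin or without XSS filtering ?)

     // Purify the whole string first, then restore the {QCODE} placeholders
     // that the purifier percent-encoded inside URLs (bug #09300). Only
     // [a-zA-Z0-9.] is accepted between the braces, so nothing that could
     // break out of an attribute is reintroduced.
     $sPurified = $filter->purify($value);
     $sFiltered = preg_replace('#%7B([a-zA-Z0-9\\.]*)%7D#', '{$1}', $sPurified);
     if ($sFiltered === null) {
         // preg_replace() returns null on a PCRE error: keep the purified
         // string instead of propagating null into the splitter below.
         $sFiltered = $sPurified;
     }

     Yii::import('application.helpers.expressions.em_core_helper');
     // Already imported in em_manager_helper.php ?
     $oExpressionManager = new ExpressionManager();
     // Split both the raw and the purified string on EM expressions. Each
     // piece is [0 => the text, 1 => its length, 2 => its type (STRING or
     // EXPRESSION)].
     $aValues = $oExpressionManager->asSplitStringOnExpressions($value);
     $aFilteredValues = $oExpressionManager->asSplitStringOnExpressions($sFiltered);
     // Purified pieces can only be matched to raw pieces by index when both
     // splits produced the same number of pieces; otherwise every STRING
     // piece is purified on its own.
     $bCountIsOk = count($aValues) === count($aFilteredValues);

     // Rebuild the string: purified HTML outside expressions, raw
     // expressions with only their string literals purified.
     $sNewValue = "";
     foreach ($aValues as $key => $aValue) {
         if ($aValue[2] === "STRING") {
             $sNewValue .= $bCountIsOk ? $aFilteredValues[$key][0] : $filter->purify($aValue[0]);
             continue;
         }
         $sExpression = trim($aValue[0], '{}');
         $sNewValue .= "{";
         // Tokens are [0 => text, 1 => length, 2 => type]. Quotes are
         // re-added around purified DQ_STRING/SQ_STRING literals; all other
         // tokens are passed through unchanged.
         $aParsedExpressions = $oExpressionManager->Tokenize($sExpression, true);
         foreach ($aParsedExpressions as $aParsedExpression) {
             if ($aParsedExpression[2] === 'DQ_STRING') {
                 $sNewValue .= "\"" . $filter->purify($aParsedExpression[0]) . "\"";
             } elseif ($aParsedExpression[2] === 'SQ_STRING') {
                 $sNewValue .= "'" . $filter->purify($aParsedExpression[0]) . "'";
             } else {
                 $sNewValue .= $aParsedExpression[0];
             }
         }
         $sNewValue .= "}";
     }
     // To counter a high memory usage of HTML-Purifier
     gc_collect_cycles();
     return $sNewValue;
 }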
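 /**
  * Remove any script or dangerous HTML from a string that may contain
  * Expression Manager (EM) expressions.
  *
  * Text outside EM expressions is run through HTML Purifier. Inside an
  * expression only the quoted string literals are purified; variable names,
  * operators and function calls are kept verbatim so EM can still parse them.
  *
  * @param string $value the raw (untrusted) string
  * @return string the string with purified HTML and untouched EM expressions
  */
 public function xssFilter($value)
 {
     $filter = new CHtmlPurifier();
     // Purifier settings. Several of these deliberately widen HTML Purifier's
     // defaults: HTML.SafeObject/Output.FlashCompat permit <object> embeds
     // (HTML Purifier restricts them to Flash with script access disabled),
     // CSS.AllowTricky permits display/visibility/overflow CSS and
     // Attr.EnableID permits id attributes (off by default because a
     // user-chosen id can collide with the surrounding page). Any change
     // here changes what an author can inject into rendered pages.
     $filter->options = [
         'AutoFormat.RemoveEmpty' => false,
         'CSS.AllowTricky' => true,
         'HTML.SafeObject' => true,
         'Output.FlashCompat' => true,
         'Attr.EnableID' => true,
         'Attr.AllowedFrameTargets' => ['_blank', '_self'],
         'URI.AllowedSchemes' => [
             'http' => true,
             'https' => true,
             'mailto' => true,
             'ftp' => true,
             'nntp' => true,
             'news' => true,
         ],
     ];
     // To allow script BUT purify : HTML.Trusted=true (plugin idea for admin or without XSS filtering ?)

     Yii::import('application.helpers.expressions.em_core_helper');
     // Already imported in em_manager_helper.php ?
     $oExpressionManager = new ExpressionManager();
     // Split the string on EM expressions. Each piece is [0 => the text,
     // 1 => its length, 2 => its type (STRING or EXPRESSION)].
     $aValues = $oExpressionManager->asSplitStringOnExpressions($value);

     // Rebuild the string: purified HTML outside expressions, raw
     // expressions with only their string literals purified.
     $sNewValue = "";
     foreach ($aValues as $aValue) {
         if ($aValue[2] === "STRING") {
             $sNewValue .= $filter->purify($aValue[0]);
             continue;
         }
         $sExpression = trim($aValue[0], '{}');
         $sNewValue .= "{";
         // Tokens are [0 => text, 1 => length, 2 => type]. Quotes are
         // re-added around purified DQ_STRING/SQ_STRING literals; all other
         // tokens are passed through unchanged.
         $aParsedExpressions = $oExpressionManager->Tokenize($sExpression, true);
         foreach ($aParsedExpressions as $aParsedExpression) {
             if ($aParsedExpression[2] === 'DQ_STRING') {
                 $sNewValue .= "\"" . $filter->purify($aParsedExpression[0]) . "\"";
             } elseif ($aParsedExpression[2] === 'SQ_STRING') {
                 $sNewValue .= "'" . $filter->purify($aParsedExpression[0]) . "'";
             } else {
                 $sNewValue .= $aParsedExpression[0];
             }
         }
         $sNewValue .= "}";
     }
     return $sNewValue;
 }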