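/**
 * CLI entry point: regenerate the MAFE translation labels for the selected workspaces.
 *
 * Both argument arrays are passed through InputFilter::xssFilterHard() before use. This is a
 * CLI path, so the filtering is defensive only; nothing here validates that 'lang' names a
 * real locale. Note that "Create successful" is logged even when one or more workspaces
 * reported an error (errors are echoed per workspace and then swallowed).
 *
 * Change: the unused local $loadConstants was removed; behaviour is otherwise unchanged.
 *
 * @param array $args positional CLI arguments; workspaces are resolved from them via get_workspaces_from_args()
 * @param array $opts CLI options; only 'lang' is read (defaults to 'en')
 * @return void
 */
function run_create_translation($args, $opts)
{
    G::LoadSystem('inputfilter');
    $filter = new InputFilter();
    $opts = $filter->xssFilterHard($opts);
    $args = $filter->xssFilterHard($args);

    $rootDir = realpath(__DIR__ . "/../../../../");
    $app = new Maveriks\WebApplication();
    $app->setRootDir($rootDir);

    $workspaces = get_workspaces_from_args($args);
    $lang = array_key_exists("lang", $opts) ? $opts['lang'] : 'en';
    $translation = new Translation();

    CLI::logging("Updating labels Mafe ...\n");
    foreach ($workspaces as $workspace) {
        try {
            echo "Updating labels for workspace " . pakeColor::colorize($workspace->name, "INFO") . "\n";
            // The generator (method name spelled "Transaltion" upstream) only takes the language;
            // the workspace is not passed to it.
            $translation->generateTransaltionMafe($lang);
        } catch (Exception $e) {
            echo "Errors upgrading labels for workspace " . CLI::info($workspace->name) . ": " . CLI::error($e->getMessage()) . "\n";
        }
    }
    CLI::logging("Create successful\n");
}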
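/**
 * Dump the contents of the file using fpassthru().
 *
 * Two paths: when $this->data is empty the file named by $this->inFile is streamed raw with
 * fpassthru(); otherwise the in-memory $this->data is echoed after passing through
 * InputFilter::xssFilterHard(), with the filter class located two directories above
 * $_SERVER['DOCUMENT_ROOT'].
 *
 * NOTE(review): the two paths are not equivalent — the in-memory branch is XSS-filtered while
 * the on-disk branch is not, and the filter is applied to whatever bytes $this->data holds, so
 * non-HTML payloads may be altered on the way out. Confirm which callers rely on each branch.
 *
 * Change: the unused local $pathhome was removed; the trunk path is computed exactly as before.
 *
 * @return void
 * @throws Exception if no file or contents.
 */
function dump()
{
    if ($this->data) {
        // Locate gulliver/system/class.inputfilter.php two levels above the document root.
        $realdocuroot = str_replace('\\', '/', $_SERVER['DOCUMENT_ROOT']);
        $docuroot = explode('/', $realdocuroot);
        array_pop($docuroot);
        array_pop($docuroot);
        $pathTrunk = implode('/', $docuroot) . '/';
        require_once $pathTrunk . 'gulliver/system/class.inputfilter.php';
        $filter = new InputFilter();
        echo $filter->xssFilterHard($this->data);
        return;
    }

    // hmmm .. must be a file that needs to read in
    if (!$this->inFile) {
        throw new Exception('No data to dump');
    }
    $fp = @fopen($this->inFile, "rb");
    if (!$fp) {
        throw new Exception('Unable to open file: ' . $this->inFile);
    }
    fpassthru($fp);
    @fclose($fp);
}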
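/**
 * Overloaded check function: validates a weblink row before it is stored.
 *
 * Steps: run the generic InputFilter over all public properties except 'params'; reject a URL
 * whose href value the filter flags as malicious; require a non-empty title; default a URL
 * without a supported scheme to http://; and refuse a title that already exists in the same
 * category (other than this row itself).
 *
 * Fix: the scheme test called preg_match() with the bare string 'http://' as the pattern. That
 * is not a delimited regex, so preg_match() warned and returned false for every URL and
 * 'http://' was prepended even to https:// and ftp:// links. The test now uses a real,
 * case-insensitive pattern anchored at the start of the URL.
 *
 * @return bool true when valid; false with $this->_error set otherwise
 */
function check()
{
    // filter malicious code
    $ignoreList = array('params');
    $this->filter($ignoreList);

    // specific filters
    $iFilter = new InputFilter();
    if ($iFilter->badAttributeValue(array('href', $this->url))) {
        $this->_error = 'Please provide a valid URL';
        return false;
    }

    /** check for valid name */
    if (trim($this->title) == '') {
        $this->_error = _WEBLINK_TITLE;
        return false;
    }

    // Default to http:// when the URL does not start with http://, https:// or ftp://.
    if (!preg_match('#^(https?|ftp)://#i', $this->url)) {
        $this->url = 'http://' . $this->url;
    }

    /** check for existing name */
    // The title is quoted by the DB layer and catid is cast to int, so no raw input reaches the SQL.
    $query = "SELECT id"
        . "\n FROM #__weblinks "
        . "\n WHERE title = " . $this->_db->Quote($this->title)
        . "\n AND catid = " . (int) $this->catid;
    $this->_db->setQuery($query);
    $xid = intval($this->_db->loadResult());
    if ($xid && $xid != intval($this->id)) {
        $this->_error = _WEBLINK_EXIST;
        return false;
    }
    return true;
}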
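/**
 * Build (once) and return the Zend\InputFilter for this form's fields: id, jenis, inmission.
 *
 * Fixes: the filter was never stored on $this->inputFilter, so it was rebuilt on every call
 * and, on the path where $this->inputFilter was already set, the local $inputFilter was
 * undefined when returned. 'required' now uses a real boolean (the string 'true' was only
 * truthy by accident).
 *
 * @return InputFilter
 */
public function getInputFilter()
{
    if (!$this->inputFilter) {
        $inputFilter = new InputFilter();
        // id: cast to int; no further validation here.
        $inputFilter->add(array(
            'name' => 'id',
            'required' => true,
            'filters' => array(array('name' => 'Int')),
        ));
        // jenis: free text; strip tags, trim, and bound the length to 1..100 UTF-8 characters.
        $inputFilter->add(array(
            'name' => 'jenis',
            'required' => true,
            'filters' => array(
                array('name' => 'StripTags'),
                array('name' => 'StringTrim'),
            ),
            'validators' => array(
                array('name' => 'StringLength', 'options' => array('encoding' => 'UTF-8', 'min' => 1, 'max' => 100)),
            ),
        ));
        // inmission: required, but neither filtered nor length-checked.
        $inputFilter->add(array('name' => 'inmission', 'required' => true));
        $this->inputFilter = $inputFilter;
    }
    return $this->inputFilter;
}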
/**
 * Lazily construct the Zend\InputFilter used to validate a login form (email + password)
 * and cache it on $this->inputFilter.
 *
 * @return InputFilter
 */
public function getInputFilter()
{
    if ($this->inputFilter) {
        return $this->inputFilter;
    }

    $factory = new InputFactory();
    $filter = new InputFilter();

    // email: strip tags, trim, and require 1..100 UTF-8 characters.
    $emailSpec = array(
        'name' => 'email',
        'required' => true,
        'filters' => array(
            array('name' => 'StripTags'),
            array('name' => 'StringTrim'),
        ),
        'validators' => array(
            array(
                'name' => 'StringLength',
                'options' => array('encoding' => 'UTF-8', 'min' => 1, 'max' => 100),
            ),
        ),
    );
    $filter->add($factory->createInput($emailSpec));

    // password: required; no filters are applied, so the value is passed on as submitted.
    $filter->add($factory->createInput(array('name' => 'password', 'required' => true)));

    $this->inputFilter = $filter;
    return $this->inputFilter;
}
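/**
 * Check whether a record with the submitted full name already exists.
 *
 * Despite its name this does NOT return an InputFilter: the filter it builds is discarded and
 * the boolean result of the NoObjectExists validator is returned. Callers rely on that boolean.
 *
 * Fix: $data['fullName'] is read defensively, so a request without that key no longer raises
 * a notice (the validator still receives null, as before).
 *
 * @param array $data request data; only 'fullName' is consulted
 * @return bool the validator result — true when it passes (by its name, no matching entity), false otherwise
 */
public function getInputFilter($data)
{
    // Built for parity with the sibling forms but not used by the return value below.
    $inputFilter = new InputFilter();
    $factory = new InputFactory();
    $inputFilter->add($factory->createInput(array('name' => 'id', 'required' => false)));

    // Keyed on the 'fullname' entity field; the incoming form field is spelled 'fullName'.
    $validator = new \DoctrineModule\Validator\NoObjectExists(array(
        'object_repository' => $this->objectManager->getRepository($this->entityName),
        'fields' => array('fullname'),
    ));
    $fullName = isset($data['fullName']) ? $data['fullName'] : null;
    //use in check email exist when sign up
    return $validator->isValid(array('fullname' => $fullName));
}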
/**
 * Filters public properties
 *
 * Runs every public property of this object through InputFilter::process(), skipping the
 * names listed in $ignoreList (when one is given).
 *
 * @access protected
 * @param array List of fields to ignore
 */
function filter($ignoreList = null)
{
    $skip = is_array($ignoreList) ? $ignoreList : array();
    $cleaner = new InputFilter();
    foreach ($this->getPublicProperties() as $property) {
        if (in_array($property, $skip)) {
            continue;
        }
        $this->{$property} = $cleaner->process($this->{$property});
    }
}
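/**
 * A validation function that returns an error if the value passed in is not a valid URL.
 *
 * Fix: the $guess branch was dead — both arms of the inner is_error test returned the same
 * "Relative urls are not allowed" warning, so a scheme-less value such as "example.com" was
 * always rejected even with $guess = true, and with $guess = false it fell through to the
 * scheme check instead. Now a successful re-parse of "http://" . $text continues to the scheme
 * check, and a relative value is rejected only when $guess is false or the guessed form still
 * fails to parse.
 *
 * @param string $text A string to test if it is a valid URL
 * @param FormControl $control The control that defines the value
 * @param FormContainer $form The container that holds the control
 * @param string $warning An optional error message
 * @param array $schemes URL schemes that are accepted (default: http and https)
 * @param bool $guess Whether a scheme-less value may be retried with "http://" prepended
 * @return array An empty array if the string is a valid URL, or an array with strings describing the errors
 */
public static function validate_url($text, $control, $form, $warning = null, $schemes = array('http', 'https'), $guess = true)
{
    if (empty($text)) {
        return array();
    }

    $parsed = InputFilter::parse_url($text);
    if ($parsed['is_relative']) {
        // guess if they meant to use an absolute link
        $guessed = $guess ? InputFilter::parse_url('http://' . $text) : null;
        if ($guessed === null || $guessed['is_error']) {
            // disallow relative URLs
            $warning = empty($warning) ? _t('Relative urls are not allowed') : $warning;
            return array($warning);
        }
        $parsed = $guessed;
    }

    if ($parsed['is_pseudo'] || !in_array($parsed['scheme'], $schemes, true)) {
        // allow only the listed schemes; anything parse_url flags as pseudo is never allowed
        $warning = empty($warning) ? _t('Only %s urls are allowed', array(Format::and_list($schemes))) : $warning;
        return array($warning);
    }

    return array();
}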
/**
 * Run the request lifecycle: sanitize the request object, record basic log context,
 * dispatch the URL, send the response and trace the time spent.
 */
function process()
{
    $sanitizer = new InputFilter();
    $sanitizer->process($this);

    // Basic log context: client address pair, requested URL, optional method, request id.
    $context = array(
        'reqip' => $this->request->userip . ':' . $this->request->clientip,
        'uri' => $this->request->url,
    );
    $method = $this->request->get("method");
    if ($method !== null) {
        $context['method'] = $method;
    }
    $context['logid'] = $this->requestId;
    kc_log_addbasic($context);

    $dispatcher = new Dispatch($this);
    App::getTimer()->set('framework prepare');
    $dispatcher->dispatch_url($this->request->url);
    $this->response->send();
    KC_LOG_TRACE('[TIME COST STATISTIC] [ ' . App::getTimer()->getString() . ' ].');
}
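/**
 * Stream a file to the client, honouring a single HTTP Range request.
 *
 * Fixes over the original:
 *  - the requested range is clamped to the file size, and a start beyond the end of the file
 *    (or past the requested end) answers 416 instead of sending a bogus Content-Length;
 *  - a request without a Range header is answered 200, not 206;
 *  - Content-Disposition carries only the quoted base name instead of the full server path
 *    (which leaked the path and broke on names containing ';' or quotes);
 *  - an unreadable file is reported as 500 (505 means "HTTP Version Not Supported");
 *  - the file handle is closed when streaming ends.
 *
 * NOTE(review): $location is run through the "path" XSS filter but is not confined to any
 * directory here; confirm that callers resolve it from a trusted base before calling this.
 *
 * @param string $location filesystem path of the file to send
 * @param string $mimeType value for the Content-Type header
 * @return void
 */
function rangeDownload($location, $mimeType)
{
    G::LoadSystem('inputfilter');
    $filter = new InputFilter();
    $location = $filter->xssFilterHard($location, "path");

    if (!file_exists($location)) {
        header("HTTP/1.0 404 Not Found");
        return;
    }

    $size = filesize($location);
    $time = date('r', filemtime($location));
    $fm = @fopen($location, 'rb');
    if (!$fm) {
        header("HTTP/1.0 500 Internal Server Error");
        return;
    }

    // Work out the byte range to send; the default is the whole file.
    $begin = 0;
    $end = $size - 1;
    $hasRange = isset($_SERVER['HTTP_RANGE']);
    if ($hasRange && preg_match('/bytes=\h*(\d+)-(\d*)[\D.*]?/i', $_SERVER['HTTP_RANGE'], $matches)) {
        $begin = intval($matches[1]);
        if ($matches[2] !== '') {
            $end = min(intval($matches[2]), $size - 1);
        }
    }
    if ($begin > $end || $begin >= $size) {
        // Unsatisfiable range: report the real size and stop.
        header("HTTP/1.0 416 Requested Range Not Satisfiable");
        header("Content-Range: bytes */{$size}");
        fclose($fm);
        return;
    }

    header($hasRange ? 'HTTP/1.0 206 Partial Content' : 'HTTP/1.0 200 OK');
    header("Content-Type: {$mimeType}");
    header('Cache-Control: public, must-revalidate, max-age=0');
    header('Pragma: no-cache');
    header('Accept-Ranges: bytes');
    header('Content-Length:' . ($end - $begin + 1));
    if ($hasRange) {
        header("Content-Range: bytes {$begin}-{$end}/{$size}");
    }
    // Expose only the base name, quoted so names containing spaces stay intact.
    $downloadName = basename($location);
    header("Content-Disposition: inline; filename=\"{$downloadName}\"");
    header("Content-Transfer-Encoding: binary");
    header("Last-Modified: {$time}");

    // Stream in 16 KiB chunks, never reading past $end, and stop if the client disconnects.
    $chunk = 1024 * 16;
    $cur = $begin;
    fseek($fm, $begin, 0);
    while (!feof($fm) && $cur <= $end && connection_status() == 0) {
        set_time_limit(0);
        print fread($fm, min($chunk, $end - $cur + 1));
        $cur += $chunk;
        flush();
    }
    fclose($fm);
}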
/**
 * returns a filter object to use for this
 *
 * The Sonic InputFilter is loaded and constructed on first use and reused on every later call.
 *
 * @param string $name
 * @return InputFilter
 */
public final function filter($name)
{
    if ($this->_input_filter === null) {
        App::getInstance()->includeFile('Sonic/InputFilter.php');
        $this->_input_filter = new InputFilter($this->request());
    }
    return $this->_input_filter->filter($name);
}
/**
 * InputFilter::parse_url() must still report "javascript" as the scheme when the URL is
 * obfuscated with embedded whitespace (tabs and line breaks inside or before the scheme),
 * the classic filter-evasion tricks. Each vector is passed through html_entity_decode()
 * first, so entity-encoded whitespace is covered as well. The literals below intentionally
 * contain raw whitespace characters; do not "clean" them.
 */
public function test_parse_url_sanitization_javascript() { $urls = array('javascript:alert(0);', 'javascript:alert(0);', 'java	script:alert(0);', '	javascript:alert(0);', 'java
script:alert(0);', '
javascript:alert(0);', 'java
script:alert(0);', '
javascript:alert(0);'); foreach ($urls as $url) { $url = html_entity_decode($url, null, 'UTF-8'); $parsed = InputFilter::parse_url($url); $this->assert_equal($parsed['scheme'], 'javascript', $url . ' != ' . $parsed['scheme']); } }
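/**
 * Perform an HTTP request through PHP's stream wrapper (fopen() on the URL) and capture the
 * response headers and body on $this->response_headers / $this->response_body.
 *
 * Fix: verify_peer, cafile, capath, local_cert and passphrase are SSL-context options. They
 * were placed under the 'http' context key, where PHP's https wrapper does not read them, so
 * the configured certificate verification was silently ignored and PHP's default applied. They
 * now live under the 'ssl' key; empty path/passphrase values are left out so that a blank
 * setting does not get passed to OpenSSL as a file name. Be aware this makes
 * $config['ssl']['verify_peer'] effective for the first time.
 *
 * Security notes (reviewer):
 *  - $url goes straight to fopen(); nothing here restricts the scheme, so any registered stream
 *    wrapper is honoured. Callers must validate scheme and host before passing an
 *    attacker-influenced URL.
 *  - $headers values are joined with "\n" without checking for embedded line breaks; a value
 *    containing CR/LF would inject extra header lines.
 *  - Redirects are followed when $this->can_followlocation is set, so a redirect may land on a
 *    host other than the one checked against the proxy exception list.
 *  - Proxy credentials are embedded in the proxy URL in clear text.
 *
 * @param string $method  HTTP method; a body is only sent for 'POST'
 * @param string $url     absolute URL to request
 * @param array  $headers name => value pairs sent as request headers
 * @param string $body    request body (POST only)
 * @param array  $config  timeout, max_redirects, ssl[...] and proxy[...] settings
 * @return bool true on success
 * @throws Exception when the connection cannot be opened
 * @throws RemoteRequest_Timeout when the stream reports a timeout
 */
public function execute($method, $url, $headers, $body, $config)
{
    $merged_headers = array();
    foreach ($headers as $k => $v) {
        $merged_headers[] = $k . ': ' . $v;
    }

    // parse out the URL so we can refer to individual pieces
    $url_pieces = InputFilter::parse_url($url);

    // TLS settings belong to the 'ssl' context, which is where the https wrapper reads them.
    $ssl = array('verify_peer' => $config['ssl']['verify_peer']);
    foreach (array('cafile', 'capath', 'local_cert', 'passphrase') as $key) {
        if (!empty($config['ssl'][$key])) {
            $ssl[$key] = $config['ssl'][$key];
        }
    }

    // set up the options we'll use when creating the request's context
    $options = array(
        'http' => array(
            'method' => $method,
            'header' => implode("\n", $merged_headers),
            'timeout' => $config['timeout'],
            'follow_location' => $this->can_followlocation,
            'max_redirects' => $config['max_redirects'],
        ),
        'ssl' => $ssl,
    );
    if ($method == 'POST') {
        $options['http']['content'] = $body;
    }

    // route through the configured proxy unless the host is on the exception list
    if ($config['proxy']['server'] != '' && !in_array($url_pieces['host'], $config['proxy']['exceptions'])) {
        $proxy = $config['proxy']['server'] . ':' . $config['proxy']['port'];
        if ($config['proxy']['username'] != '') {
            $proxy = $config['proxy']['username'] . ':' . $config['proxy']['password'] . '@' . $proxy;
        }
        $options['http']['proxy'] = 'tcp://' . $proxy;
    }

    // create the context
    $context = stream_context_create($options);

    // perform the actual request - we use fopen so stream_get_meta_data works
    $fh = @fopen($url, 'r', false, $context);
    if ($fh === false) {
        throw new Exception(_t('Unable to connect to %s', array($url_pieces['host'])));
    }

    // read in all the contents -- this is the same as file_get_contents, only for a specific stream handle
    $body = stream_get_contents($fh);
    // get meta data
    $meta = stream_get_meta_data($fh);
    // close the connection before we do anything else
    fclose($fh);

    // did we timeout?
    if ($meta['timed_out'] == true) {
        throw new RemoteRequest_Timeout(_t('Request timed out'));
    }

    // $meta['wrapper_data'] should be a list of the headers, the same as is loaded into $http_response_header
    $headers = array();
    foreach ($meta['wrapper_data'] as $header) {
        // break the header up into field and value
        $pieces = explode(': ', $header, 2);
        if (count($pieces) > 1) {
            // if the header was a key: value format, store it keyed in the array
            $headers[$pieces[0]] = $pieces[1];
        } else {
            // some headers (like the HTTP version in use) aren't keyed, so just store it keyed as itself
            $headers[$pieces[0]] = $pieces[0];
        }
    }

    $this->response_headers = $headers;
    $this->response_body = $body;
    $this->executed = true;
    return true;
}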
/**
 * Updates a particular model.
 *
 * NOTE(review): this action is disabled — the very first statement calls Yii::app()->end(),
 * so nothing below it ever runs. The remaining body is kept for reference only. If it is ever
 * re-enabled, note that it loads the model from $_GET['id'] with no ownership check visible
 * here, mass-assigns $_POST['Comments'] onto the model, and saves with validation switched
 * off (save(false)).
 *
 * @param integer $_GET['id'] the ID of the model to be updated
 * @return updated comment text
 */
public function actionUpdate()
{
    Yii::app()->end(); //disalow updates

    // get Comments object from $id parameter
    $model = $this->loadModel($_GET['id']);
    // if Comments form exist and was called via ajax
    if (isset($_POST['Comments']) && isset($_POST['ajax'])) {
        // set form elements to Users model attributes
        // (mass assignment; which attributes are settable depends on the model's rules, not visible here)
        $model->attributes = $_POST['Comments'];
        // clear tag from text — the filter is constructed with array('br', 'pre'), presumably its allowed-tag list
        Yii::import('application.extensions.InputFilter.InputFilter');
        $filter = new InputFilter(array('br', 'pre'));
        $model->comment_text = $filter->process($model->comment_text);
        // update comment (validation bypassed)
        $model->save(false);
        echo $model->comment_text;
    }
    Yii::app()->end();
}
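/**
 * Send download headers for $filename and stream the file to the client.
 *
 * Fix: the name sanitiser called preg_replace('[^-a-zA-Z0-9\.]', '_', ...). With '[' and ']'
 * taken as the pattern delimiters, that regex is the literal text "^-a-zA-Z0-9." and never
 * matches, so the filename was not sanitised at all (the commented-out ereg_replace() it
 * replaced did not need delimiters). The pattern is now properly delimited and every byte
 * outside [-a-zA-Z0-9.] becomes '_', which also keeps quotes and line breaks out of the
 * Content-Disposition header. As before, the download name is the last '_'-separated segment.
 *
 * Old IE (but not IE6, and not Opera) gets the inline/application-download header variant.
 *
 * NOTE(review): $filename is passed through the "path" XSS filter and then read directly;
 * nothing here confines it to an upload directory — confirm the caller does.
 *
 * Change: the unused "global $root_path" was dropped and a missing User-Agent header no
 * longer raises a notice.
 *
 * @param string $filename path of the file to send; empty/falsy values are ignored
 * @return void
 */
function DumpHeaders($filename)
{
    if (!$filename) {
        return;
    }

    $HTTP_USER_AGENT = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    $notOpera = strstr($HTTP_USER_AGENT, 'Opera') === false;
    $isIE = strstr($HTTP_USER_AGENT, 'compatible; MSIE ') !== false && $notOpera;
    $isIE6 = strstr($HTTP_USER_AGENT, 'compatible; MSIE 6') !== false && $notOpera;

    // Replace anything outside [-a-zA-Z0-9.] with '_' and keep the last segment as the download name.
    $aux = explode('_', preg_replace('/[^-a-zA-Z0-9.]/', '_', $filename));
    $downloadName = $aux[count($aux) - 1];

    if ($isIE && !$isIE6) {
        // http://support.microsoft.com/support/kb/articles/Q182/3/15.asp
        // Do not have quotes around filename, but that applied to
        // "attachment"... does it apply to inline too?
        // This combination seems to work mostly. IE 5.5 SP 1 has
        // known issues (see the Microsoft Knowledge Base)
        header("Content-Disposition: inline; filename={$downloadName}");
        // This works for most types, but doesn't work with Word files
        header("Content-Type: application/download; name=\"{$downloadName}\"");
    } else {
        header("Content-Disposition: attachment; filename=\"{$downloadName}\"");
        header("Content-Type: application/octet-stream; name=\"{$downloadName}\"");
    }

    G::LoadSystem('inputfilter');
    $filter = new InputFilter();
    $filename = $filter->xssFilterHard($filename, 'path');
    readfile($filename);
}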
/**
 * End-to-end check of InputFilter::filter(): script elements, event-handler attributes,
 * unknown elements and tag-splitting tricks must be removed while ordinary markup survives.
 * The expected values spell out exactly what the filter keeps.
 */
function test_complete_filtering_run()
{
    // the self-closing <script> and the CLASS attribute go; <div>, <a> and <span> stay
    $this->assert_equal(InputFilter::filter('<p>I am <div><script src=\\"ohnoes\\" /><a>not a paragraph.</a><p CLASS=old><span> Or am I?</span>'), '<p>I am <div><a>not a paragraph.</a><p><span> Or am I?</span>');
    // inline event handler attribute and a trailing <script> block are both dropped
    $this->assert_equal(InputFilter::filter('<p onClick=\\"window.alert(\'stole yer cookies!\');\\">Do not click here.</p>\\n<script>alert(\\"See this?\\")</script>'), '<p>Do not click here.</p>\\n');
    // http://ha.ckers.org/blog/20070124/stopping-xss-but-allowing-html-is-hard/
    // attribute-smuggling vector: the <IMG> element is removed and the remaining text is inert
    $this->assert_equal(InputFilter::filter('<IMG src=\\"http://ha.ckers.org/\\" style\\"=\\"style=\\"a/onerror=alert(String.fromCharCode(88,83,83))//\\" &gt;`>'), 'onerror=alert(String.fromCharCode(88,83,83))//\\" &`>');
    // unknown <test> element is removed with its content; everything from the doubled <<SCRIPT> onward is dropped
    $this->assert_equal(InputFilter::filter('<b>Hello world</b>\\n\\nThis is a <test>test</test> post.\\n\\nHere\'s a first XSS attack. <<SCRIPT>alert(\'XSS\');//<</SCRIPT>\\n\\nHere\'s a second try at a <a href=\\"#\\">second link</a>.\\n\\nHere\'s a second XSS attack. <IMG SRC=\\"  javascript:alert(\'XSS\');\\">\\n\\nHere\'s a third link hopefully <a href=\\"#\\">it won\'t get removed</a>.\\n\\n<em>Thanks!</em>'), '<b>Hello world</b>\\n\\nThis is a post.\\n\\nHere\'s a first XSS attack. ');
    // tag-splitting tricks: the <test> wrapper must not reassemble into a <script> element
    $this->assert_equal(InputFilter::filter('<<test>script>alert(\'boom\');</test>'), '');
    $this->assert_equal(InputFilter::filter('<<test></test>script>alert(\'boom\');'), '');
    $this->assert_equal(InputFilter::filter('<<test><</test>script>alert(\'boom\');'), '');
    // mixed-case tag names are matched case-insensitively
    $this->assert_equal(InputFilter::filter('<ScRIpT>alert(\'whee\');</SCRiPT>'), '');
}
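/**
 * @package Mambo
 * @author Mambo Foundation Inc see README.php
 * @copyright Mambo Foundation Inc.
 * See COPYRIGHT.php for copyright notices and details.
 * @license GNU/GPL Version 2, see LICENSE.php
 * Mambo is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; version 2 of the License.
 */

/**
 * Validate the cookie-based handshake used for external calls into MOStlyCE.
 *
 * The client presents two cookies: a "startup key" that must equal
 * md5($secret . md5(User-Agent) . REMOTE_ADDR), and a usertype that must be one of the known
 * Mambo user types. Both are passed through InputFilter and trimmed before use.
 *
 * Fix: the key comparison uses hash_equals() where available (constant-time) and a strict
 * string comparison otherwise; the outcome is unchanged.
 *
 * NOTE(review): the usertype is not bound by the key — the key is derived only from $secret,
 * the User-Agent and the remote address, so anyone holding a valid key can present any listed
 * usertype. Callers that read the usertype cookie after this returns true must not treat it as
 * an authorization decision unless that is enforced elsewhere. User-Agent and REMOTE_ADDR are
 * themselves client/proxy-controlled inputs.
 *
 * @param string $path   installation root, used to locate class.inputfilter.php
 * @param string $secret server-side secret mixed into the expected key
 * @return bool true when both cookies are present, the key matches and the usertype is known
 */
function externalCallCheck($path, $secret)
{
    if (!isset($_COOKIE['mostlyce']['startup_key']) || !isset($_COOKIE['mostlyce']['usertype'])) {
        return false;
    }

    require_once $path . '/includes/phpInputFilter/class.inputfilter.php';
    $iFilter = new InputFilter(null, null, 1, 1);
    //The MOStlyCE rebuild key should match this
    $startupKey = trim($iFilter->process($_COOKIE['mostlyce']['startup_key']));
    $usertype = strtolower(str_replace(' ', '', trim($iFilter->process($_COOKIE['mostlyce']['usertype']))));

    $env = md5($_SERVER['HTTP_USER_AGENT']);
    $rebuildKey = md5($secret . $env . $_SERVER['REMOTE_ADDR']);
    $keyMatches = function_exists('hash_equals')
        ? hash_equals($rebuildKey, (string) $startupKey)
        : $rebuildKey === $startupKey;
    if (!$keyMatches) {
        return false;
    }

    //Valid user types
    $vUsers = array('author', 'editor', 'publisher', 'manager', 'administrator', 'superadministrator');
    return in_array($usertype, $vUsers, true);
}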
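/**
 * Fetch comments about $url from the Backtype "connect" API, normalised into comment records,
 * with a per-URL cache.
 *
 * Fixes: $url is now urlencode()d before being placed in the API query string (previously a
 * URL containing '&' or '#' could alter or truncate the request). Entries whose entry_type is
 * neither 'tweet' nor 'comment' are skipped — the original created an empty StdClass before the
 * switch, so its "if (!$comment)" guard could never fire and unknown types were added as blank
 * records.
 *
 * NOTE(review): tweet text, blog title and comment content go through InputFilter::filter(),
 * but the author name, tweet user name and comment URL are stored as received from the API;
 * confirm they are escaped where they are rendered.
 *
 * @param string $url the post URL to look up
 * @return array list of StdClass records (id, url, name, content_out, date, status, type, email)
 */
protected static function fetch_backtype($url)
{
    $backtype = array();
    $cacheName = "backtype-{$url}";
    if (Cache::has($cacheName)) {
        // Re-create the date object for every cached record on the way out.
        foreach (Cache::get($cacheName) as $cachedBacktype) {
            $cachedBacktype->date = HabariDateTime::date_create($cachedBacktype->date);
            $backtype[] = $cachedBacktype;
        }
        return $backtype;
    }

    $apiUrl = "http://api.backtype.com/comments/connect.json?url=" . urlencode($url) . "&key=key&itemsperpage=10000";
    $connectData = json_decode(file_get_contents($apiUrl));
    if (isset($connectData->comments)) {
        foreach ($connectData->comments as $dat) {
            $comment = null;
            switch ($dat->entry_type) {
                case 'tweet':
                    $comment = new StdClass();
                    $comment->id = 'backtype-twitter-' . $dat->tweet_id;
                    $comment->url = 'http://twitter.com/' . $dat->tweet_from_user . '/status/' . $dat->tweet_id;
                    $comment->name = '@' . $dat->tweet_from_user . ' (via Backtype: Twitter)';
                    $comment->content_out = InputFilter::filter($dat->tweet_text);
                    $comment->date = $dat->tweet_created_at;
                    break;
                case 'comment':
                    $comment = new StdClass();
                    $comment->id = 'backtype-comment-' . $dat->comment->id;
                    $comment->url = $dat->comment->url;
                    $comment->name = $dat->author->name . ' (via Backtype: ' . InputFilter::filter($dat->blog->title) . ')';
                    $comment->content_out = InputFilter::filter($dat->comment->content);
                    $comment->date = $dat->comment->date;
                    break;
            }
            if (!$comment) {
                // unknown entry_type
                continue;
            }
            $comment->status = Comment::STATUS_APPROVED;
            $comment->type = Comment::TRACKBACK;
            $comment->email = null;
            $backtype[] = $comment;
        }
    }
    Cache::set($cacheName, $backtype);
    return $backtype;
}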
/**
 * Dispatch a request from Apache
 *
 * Called from file dispatch.php, which is invoked by
 * {@link http://httpd.apache.org/docs/2.0/mod/mod_rewrite.html Apache mod_rewrite}
 * whenever a client makes a request. Actions:
 * <ol>
 * <li>Remove forbidden tags and attributes from
 * {@link http://www.php.net/reserved.variables#reserved.variables.get $_GET},
 * {@link http://www.php.net/reserved.variables#reserved.variables.post $_POST} and
 * {@link http://www.php.net/reserved.variables#reserved.variables.request $_REQUEST}. </li>
 * <li>Start a session to keep track of state between requests from
 * the client.</li>
 * <li>Construct an ActionController to process the action.</li>
 * <li>Process the route</li>
 * </ol>
 * Outside production the rendered path and elapsed time are also written to the Trax log.
 *
 * @uses ActionController::__construct()
 * @uses ActionController::process_route()
 * @uses ActionController::process_with_exception()
 * @uses InputFilter::process_all()
 * @uses Session::start()
 */
function dispatch()
{
    $isProduction = (TRAX_ENV == 'production');
    $startedAt = $isProduction ? null : microtime(true);

    try {
        // Strip forbidden tags/attributes from the request superglobals before anything reads them.
        InputFilter::process_all();
        Session::start();
        $controller = new ActionController();
        $controller->process_route();
    } catch (Exception $e) {
        ActionController::process_with_exception($e);
    }

    if (!$isProduction) {
        $elapsedMs = round((microtime(true) - $startedAt) * 1000, 1);
        $parts = parse_url($_SERVER['REQUEST_URI']);
        Trax::log("[1mRendered {$parts['path']} ({$elapsedMs}ms)[0m");
    }
}
/**
 * Callback function for strip_illegal_entities, do not use.
 *
 * Decides whether a matched entity reference is well-formed and, if so, returns it in a
 * normalised form; anything else is replaced by the empty string.
 *  - numeric references (&#123; / &#x7b;) must decode to 1..65535 and are rewritten in decimal
 *    form (&#0; is dropped, and code points above U+FFFF are not accepted by this check);
 *  - named references must match self::$character_entities (the regex is compiled lazily).
 * The terminating character ($m[2]) is kept unless it is the ';' terminator.
 *
 * NOTE(review): the named-entity regex has no anchors, so a name that merely contains a known
 * entity name (e.g. "xampy") is accepted and rewritten to that name. An empty $m[1] would make
 * "$e[0]" read past the string.
 *
 * @access private
 * @param array $m matches: [1] the entity text without the leading '&', [2] the terminating character
 * @return string normalised entity reference, or '' when invalid
 */
public static function _validate_entity($m)
{
    $is_valid = FALSE;
    // valid entity references have the form
    // /&named([;<\n\r])/
    // for named entities, or
    // /&#(\d{1,5}|[xX][0-9a-fA-F]{1,4})([;<\n\r])/
    // for numeric character references
    $e = trim($m[1]);
    $r = $m[2];
    if ($r == ';') {
        $r = '';
    }
    if ($e[0] == '#') {
        $e = strtolower($e);
        if ($e[1] == 'x') {
            $e = hexdec(substr($e, 2));
        } else {
            $e = substr($e, 1);
        }
        // numeric character references may only have values in the range 0-65535 (16 bit)
        // we strip null, though, just for kicks
        $is_valid = intval($e) > 0 && intval($e) <= 65535;
        if ($is_valid) {
            // normalize to decimal form
            $e = '#' . intval($e) . ';';
        }
    } else {
        if (self::$character_entities_re == '') {
            // ';' doubles as the regex delimiter; the alternation lists the known entity names
            self::$character_entities_re = ';(' . implode('|', self::$character_entities) . ');';
        }
        // named entities must be known
        $is_valid = preg_match(self::$character_entities_re, $e, $matches);
        // XXX should we map named entities to their numeric equivalents?
        if ($is_valid) {
            // normalize to name and nothing but the name... eh.
            $e = $matches[1] . ';';
        }
    }
    return $is_valid ? '&' . $e . $r : '';
}
/**
 * Start a new case from the current request and seed the session for it.
 *
 * Reads processId from $_POST and taskId from $_REQUEST (neither is checked with isset()),
 * clears any case state left in the session, starts the case for the logged-in user via
 * Cases::startCase(), stores the new APPLICATION/INDEX/PROCESS/TASK in the session, resolves
 * the first step and prints a JSON payload ('status' => 'success'), or the exception message
 * ('status' => 'failure').
 *
 * NOTE(review): $_POST, $_REQUEST and $_SESSION are overwritten in place with their XSS-filtered
 * copies — for $_SESSION the filtered values persist for the rest of the session. Nothing in
 * this function checks that USER_LOGGED is allowed to start taskId; if that check lives inside
 * Cases::startCase() it is not visible here. The raw exception message is returned to the
 * client in the failure JSON.
 *
 * @return void (prints JSON)
 */
function startCase()
{
    G::LoadClass('case');
    G::LoadSystem('inputfilter');
    $filter = new InputFilter();
    // The superglobals are replaced by their filtered copies (see the note above).
    $_POST = $filter->xssFilterHard($_POST);
    $_REQUEST = $filter->xssFilterHard($_REQUEST);
    $_SESSION = $filter->xssFilterHard($_SESSION);

    /* GET , POST & $_SESSION Vars */
    /* unset any variable, because we are starting a new case */
    if (isset($_SESSION['APPLICATION'])) {
        unset($_SESSION['APPLICATION']);
    }
    if (isset($_SESSION['PROCESS'])) {
        unset($_SESSION['PROCESS']);
    }
    if (isset($_SESSION['TASK'])) {
        unset($_SESSION['TASK']);
    }
    if (isset($_SESSION['INDEX'])) {
        unset($_SESSION['INDEX']);
    }
    if (isset($_SESSION['STEP_POSITION'])) {
        unset($_SESSION['STEP_POSITION']);
    }

    /* Process */
    try {
        $oCase = new Cases();
        // processId comes straight from $_POST; its presence is not checked here.
        lookinginforContentProcess($_POST['processId']);
        // taskId comes from $_REQUEST (GET or POST); the user is taken from the session.
        $aData = $oCase->startCase($_REQUEST['taskId'], $_SESSION['USER_LOGGED']);
        $aData = $filter->xssFilterHard($aData);
        $_SESSION['APPLICATION'] = $aData['APPLICATION'];
        $_SESSION['INDEX'] = $aData['INDEX'];
        $_SESSION['PROCESS'] = $aData['PROCESS'];
        $_SESSION['TASK'] = $_REQUEST['taskId'];
        $_SESSION['STEP_POSITION'] = 0;
        $_SESSION['CASES_REFRESH'] = true;
        /*----------------------------------********---------------------------------*/
        // Resolve the first step of the new case and remember it as the break step.
        $oCase = new Cases();
        $aNextStep = $oCase->getNextStep($_SESSION['PROCESS'], $_SESSION['APPLICATION'], $_SESSION['INDEX'], $_SESSION['STEP_POSITION']);
        $aNextStep['PAGE'] = 'open?APP_UID=' . $aData['APPLICATION'] . '&DEL_INDEX=' . $aData['INDEX'] . '&action=draft';
        $_SESSION['BREAKSTEP']['NEXT_STEP'] = $aNextStep;
        $aData['openCase'] = $aNextStep;
        $aData['status'] = 'success';
        print G::json_encode($aData);
    } catch (Exception $e) {
        // $aData may not exist yet if startCase() threw; the assignment creates it.
        $aData['status'] = 'failure';
        $aData['message'] = $e->getMessage();
        print_r(G::json_encode($aData));
    }
}
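/**
 * Writes $message to the text browser. Also, passes the message
 * along to any Log_observer instances that are observing this Log.
 *
 * The priority tag is run through InputFilter::xssFilterHard() and the message is
 * HTML-escaped (with newlines turned into <br>) before both are echoed, since the output is
 * written straight into the page. The filter class is located two directories above
 * $_SERVER['DOCUMENT_ROOT'].
 *
 * Change: the unused local $pathhome was removed; the trunk path is computed exactly as before.
 *
 * @param mixed $message String or object containing the message to log.
 * @param string $priority The priority of the message. Valid
 * values are: PEAR_LOG_EMERG, PEAR_LOG_ALERT,
 * PEAR_LOG_CRIT, PEAR_LOG_ERR, PEAR_LOG_WARNING,
 * PEAR_LOG_NOTICE, PEAR_LOG_INFO, and PEAR_LOG_DEBUG.
 * @return boolean True on success or false on failure.
 * @access public
 */
function log($message, $priority = null)
{
    /* If a priority hasn't been specified, use the default value. */
    if ($priority === null) {
        $priority = $this->_priority;
    }

    /* Abort early if the priority is above the maximum logging level. */
    if (!$this->_isMasked($priority)) {
        return false;
    }

    /* Extract the string representation of the message. */
    $message = $this->_extractMessage($message);

    /* Locate gulliver/system/class.inputfilter.php two levels above the document root. */
    $realdocuroot = str_replace('\\', '/', $_SERVER['DOCUMENT_ROOT']);
    $docuroot = explode('/', $realdocuroot);
    array_pop($docuroot);
    array_pop($docuroot);
    $pathTrunk = implode('/', $docuroot) . '/';
    require_once $pathTrunk . 'gulliver/system/class.inputfilter.php';

    /* Build and output the complete log line. */
    $filter = new InputFilter();
    $tag = $filter->xssFilterHard(ucfirst($this->priorityToString($priority)));
    echo $this->_error_prepend . '<b>' . $tag . '</b>: ' . nl2br(htmlspecialchars($message)) . $this->_error_append . $this->_linebreak;

    /* Notify observers about this log message. */
    $this->_announce(array('priority' => $priority, 'message' => $message));

    return true;
}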
/**
 * Test saveSQL()
 *
 * NOTE(review): this test is marked incomplete and always ends by throwing
 * PHPUnit2_Framework_IncompleteTestError. It relies on the legacy mysql_* extension and on
 * get_magic_quotes_gpc(), both removed in PHP 7/8, so it cannot run on a current runtime.
 * Only the trivial cases assert anything; the magic-quotes branch asserts that an already
 * escaped input comes back unchanged (i.e. no double escaping), and the else branch only
 * defines patterns whose assertions are commented out.
 *
 * @todo Figure out problem w/ mysql_real_escape_string()
 * @todo Figure out how to test with magic quotes either on or off
 */
public function testSafeSQL()
{
    $rs = mysql_connect();
    if ($rs == false) {
        PHPUnit2_Framework_Assert::fail("InputFilterTest:" . " unable to open a connction to MySQL");
    }
    // Trivial case, nothing to clean
    $this->assertEquals(InputFilter::safeSQL('foo', $rs), 'foo');
    $this->assertEquals(InputFilter::safeSQL(array('foo', 'bar'), $rs), array('foo', 'bar'));
    if (get_magic_quotes_gpc()) {
        // verify stripping of magic quotes
        // FIXME: figure out how to test this case
        $this->assertEquals(InputFilter::safeSQL('a\\\'b\\"c\\\\d\\\\x00e\\\\nf\\\\rg\\\\x1a', $rs), 'a\\\'b\\"c\\\\d\\\\x00e\\\\nf\\\\rg\\\\x1a');
    } else {
        // verify magic quotes aren't there
        // (expected/quoted patterns are defined, but the assertions that would use them are commented out below)
        $pattern = "a'b\"c\\de\nf\rgh";
        $non_zero_pattern = "a'b\"c\\de\nf\rgh";
        $quoted_pattern = "a\\'b\\\"c\\\\de\\\nf\\\rg\\h";
        $quoted_non_zero_pattern = "a\\'b\\\"c\\\\de\\\nf\\\rg\\h";
        // echo "\nIf this fails it means mysql_real_escape_string() is broken: ";
        // $this->assertEquals(mysql_real_escape_string($non_zero_pattern),
        //     $quoted_non_zero_pattern);
        // echo "\nIf this fails it means mysql_real_escape_string() is broken: ";
        // $this->assertEquals(mysql_real_escape_string($pattern),
        //     $quoted_pattern);
        // $this->assertEquals(
        //     InputFilter::safeSQL($pattern,$rs),$quoted_pattern);
    }
    // Remove the following line when you complete this test.
    throw new PHPUnit2_Framework_IncompleteTestError();
}
<?php
// Update one "favorito" document in MongoDB from a POSTed form, then bounce back to principal.php.
//
// NOTE(review) — points to confirm before this ships:
//  - No session or authorization check is visible in this file: any client that can POST an
//    'id' can rewrite that favourite. Confirm access control is enforced before this script runs.
//  - update() is called without a '$set' operator, so the stored document is replaced by the
//    four fields below; any other fields the document had are lost.
//  - new MongoId($id) throws on a malformed id, which surfaces as an uncaught exception.
//  - Values are stored already HTML-escaped and backslash-escaped (htmlspecialchars + addslashes
//    on top of InputFilter::process); the reading side must not escape them again.
//  - The connection-string credentials appear redacted ('*****') in this copy.
//  - The Refresh header is not followed by exit; nothing else is output afterwards, so this is harmless here.
$mongo = new MongoClient('mongodb://*****:*****@ds052827.mongolab.com:52827/miblog');
$db = $mongo->selectDB("miblog");
$c_favoritos = $mongo->selectCollection($db, "favorito");

/////////////////////////////////
// First pass: run the whole POST array through the bundled InputFilter.
require_once 'seguridad/class.inputfilter.php';
$filtro = new InputFilter();
$_POST = $filtro->process($_POST);

////////////////////////////////////////
// Second pass per field: trim, strip tags, normalise slashes, add slashes, HTML-escape.
$id = htmlspecialchars(addslashes(stripslashes(strip_tags(trim($_POST['id'])))));
$titulo = htmlspecialchars(addslashes(stripslashes(strip_tags(trim($_POST['titulo'])))));
$categoria = htmlspecialchars(addslashes(stripslashes(strip_tags(trim($_POST["categoria"])))));
$id = htmlspecialchars(addslashes(stripslashes(strip_tags(trim($_POST["id"]))))); // duplicate of the $id assignment above
$descripcion = htmlspecialchars(addslashes(stripslashes(strip_tags(trim($_POST['descripcion'])))));
$url = htmlspecialchars(addslashes(stripslashes(strip_tags(trim($_POST['url'])))));

////////////////////////////////////
// Whole-document replacement keyed on _id (see note above).
$condicion = array("_id" => new MongoId($id));
$modFavorito = array("titulo" => $titulo, "categoria" => $categoria, "descripcion" => $descripcion, "url" => $url);
$c_favoritos->update($condicion, $modFavorito);
header("Refresh: 0;url=principal.php?mensaje=3");
/**
 * Gets the value of a user state variable
 *
 * When the request carries $req_name the user state is refreshed from it; otherwise a missing
 * state entry is initialised with $var_default. The stored value is passed through
 * InputFilter::process() on every call before being returned.
 *
 * @param string The name of the user state variable
 * @param string The name of the variable passed in a request
 * @param string The default value for the variable if not found
 * @return mixed the filtered state value, or null when no user state array exists
 */
function getUserStateFromRequest($var_name, $req_name, $var_default = null)
{
    if (!is_array($this->_userstate)) {
        return null;
    }

    if (isset($_REQUEST[$req_name])) {
        $this->setUserState($var_name, $_REQUEST[$req_name]);
    } elseif (!isset($this->_userstate[$var_name])) {
        $this->setUserState($var_name, $var_default);
    }

    // filter input
    $cleaner = new InputFilter();
    $this->_userstate[$var_name] = $cleaner->process($this->_userstate[$var_name]);
    return $this->_userstate[$var_name];
}
/**
 * Run $data through a freshly constructed InputFilter and return the cleaned result.
 *
 * Thin wrapper: the parameters are forwarded unchanged to the InputFilter constructor.
 * (The previous docblock was copied from that constructor; this is a regular method.)
 *
 * @param mixed $data - input string/array-of-string to be 'cleaned'
 * @param Array $tagsArray - list of user-defined tags
 * @param Array $attrArray - list of user-defined attributes
 * @param int $tagsMethod - 0= allow just user-defined, 1= allow all but user-defined
 * @param int $attrMethod - 0= allow just user-defined, 1= allow all but user-defined
 * @param int $xssAuto - 0= only auto clean essentials, 1= allow clean blacklisted tags/attr
 * @return mixed the result of InputFilter::process($data)
 */
public function sanitizeInput($data, $tagsArray = array(), $attrArray = array(), $tagsMethod = 0, $attrMethod = 0, $xssAuto = 1)
{
    G::LoadSystem('inputfilter');
    $filtro = new InputFilter($tagsArray, $attrArray, $tagsMethod, $attrMethod, $xssAuto);
    return $filtro->process($data);
}
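/**
 * Strip disallowed HTML from $text using the bundled InputFilter class.
 *
 * Two InputFilter generations are supported: a newer static InputFilter::process() that takes
 * an options array (detected by the absence of safeSQL()), and the older instance API that is
 * given the tag whitelist up front and has forbidden attributes appended to its blacklist.
 * The comma-separated $allowable_tags list is split after removing spaces, as before.
 *
 * Fix: $forbidden_attr is iterated as an array, so passing null (the default) no longer calls
 * count() on a non-array (a warning since PHP 7.2 and a TypeError on PHP 8).
 *
 * @param string      $text           HTML to clean
 * @param string|null $allowable_tags comma-separated tag names to keep
 * @param array|null  $forbidden_attr attribute names to strip
 * @return string cleaned HTML
 */
function cleanHTML($text, $allowable_tags = null, $forbidden_attr = null)
{
    // INCLUDE FILTER CLASS
    if (!class_exists("InputFilter")) {
        require SE_ROOT . "/include/class_inputfilter.php";
    }

    // New method
    if (!method_exists('InputFilter', 'safeSQL')) {
        return InputFilter::process($text, array('allowedTags' => $allowable_tags, 'forbiddenAttributes' => $forbidden_attr));
    }

    // INSTANTIATE INPUT FILTER CLASS WITH APPROPRIATE TAGS
    $xssFilter = new InputFilter(explode(",", str_replace(" ", "", $allowable_tags)), "", 0, 1, 1);
    // ADD NECESSARY BLACKLIST ITEMS
    foreach ((array) $forbidden_attr as $attr) {
        $xssFilter->attrBlacklist[] = $attr;
    }
    // RETURN PROCESSED TEXT
    return $xssFilter->process($text);
}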
/**
 * function act_comment_insert_before
 * This function is executed when the action "comment_insert_before"
 * is invoked from a Comment object.
 * The parent class, Plugin, handles registering the action
 * and hook name using the name of the function to determine
 * where it will be applied.
 * You can still register functions as hooks without using
 * this method, but boy, is it handy.
 *
 * Reviewer summary of the heuristics, in order: the content is first passed through
 * InputFilter::filter(); each following test marks the comment STATUS_SPAM and records a reason
 * in $spamcheck (numeric-only name or text, whitespace-only text, the literal word "array",
 * text equal to the name, a leading "<strong>...</strong>" teaser, more than three http(s)
 * URLs, more than three %XX sequences, BBCode "[url=", or less than half of the text outside
 * links). The database is consulted only when nothing above flagged the comment. Finally, a
 * comment whose 'ccode' is not in the session's comments_allowed set is held as
 * STATUS_UNAPPROVED. Reasons are merged into $comment->info->spamcheck.
 *
 * @param Comment The comment that will be processed before storing it in the database.
 **/
function action_comment_insert_before ( $comment )
{
    // This plugin ignores non-comments
    if ($comment->type != Comment::COMMENT) {
        return;
    }
    $spamcheck = array();
    // <script> is bad, mmmkay?
    $comment->content = InputFilter::filter($comment->content);
    // first, check the commenter's name
    // if it's only digits, then we can discard this comment
    if ( preg_match( "/^\d+$/", $comment->name ) ) {
        $comment->status = Comment::STATUS_SPAM;
        $spamcheck[] = _t('Commenters with numeric names are spammy.');
    }
    // now look at the comment text
    // if it's digits only, discard it
    $textonly = strip_tags( $comment->content );
    if ( preg_match( "/^\d+$/", $textonly ) ) {
        $comment->status = Comment::STATUS_SPAM;
        $spamcheck[] = _t('Comments that are only numeric are spammy.');
    }
    // is the content whitespaces only?
    if ( preg_match( "/\A\s+\z/", $textonly ) ) {
        $comment->status = Comment::STATUS_SPAM;
        $spamcheck[] = _t('Comments that are only whitespace characters are spammy.');
    }
    // is the content the single word "array"?
    if ( 'array' == strtolower( $textonly ) ) {
        $comment->status = Comment::STATUS_SPAM;
        $spamcheck[] = _t('Comments that are only "array" are spammy.');
    }
    // is the content the same as the name?
    if ( strtolower( $textonly ) == strtolower( $comment->name ) ) {
        $comment->status = Comment::STATUS_SPAM;
        $spamcheck[] = _t('Comments that consist of only the commenters name are spammy.');
    }
    // a lot of spam starts with "<strong>some text...</strong>"
    if ( preg_match( "#^<strong>[^.]+\.\.\.</strong>#", $comment->content ) ) {
        $comment->status = Comment::STATUS_SPAM;
        $spamcheck[] = _t('Comments that start with strong text are spammy.');
    }
    // are there more than 3 URLs posted? If so, it's almost certainly spam
    if ( preg_match_all( "#https?://#", strtolower( $comment->content ), $matches, PREG_SET_ORDER ) > 3 ) {
        $comment->status = Comment::STATUS_SPAM;
        $spamcheck[] = _t('There is a 3 URL limit in comments.');
    }
    // are there more than 3 URLencoded characters in the content?
    if ( preg_match_all( "/%[0-9a-f]{2}/", strtolower( $comment->content ), $matches, PREG_SET_ORDER ) > 3 ) {
        $comment->status = Comment::STATUS_SPAM;
        $spamcheck[] = _t('There is a 3 URL-encoded character limit in comments.');
    }
    // Was the tcount high enough?
    /*
    // This only works with special javascript running on comment form
    if ( empty($handlervars['tcount']) || $handlervars['tcount'] < 10 ) {
        $comment->status = Comment::STATUS_SPAM;
        $spamcheck[] = _t('Commenter did not actually type content.');
    }
    */
    // We don't allow bbcode here, silly
    if ( stripos($comment->content, '[url=') !== false ) {
        $comment->status = Comment::STATUS_SPAM;
        $spamcheck[] = _t('We do not accept BBCode here.');
    }
    // Must have less than half link content
    // Remove anchor elements (with their text) and compare what is left against the full text length.
    $nonacontent = strip_tags(preg_replace('/<a.*?<\/a/i', '', $comment->content));
    $text_length = strlen( $textonly );
    // the ternary guards against division by zero when the comment has no text at all
    if ( strlen($nonacontent) / ( $text_length == 0 ? 1 : $text_length) < 0.5 ) {
        $comment->status = Comment::STATUS_SPAM;
        $spamcheck[] = _t('Too much text that is a link compared to that which is not.');
    }
    // Only do db checks if it's not already spam
    if ($comment->status != Comment::STATUS_SPAM) {
        // parameterised query: status and ip are bound, not interpolated
        $spams = DB::get_value('SELECT count(*) FROM ' . DB::table('comments') . ' WHERE status = ? AND ip = ?', array(Comment::STATUS_SPAM, $comment->ip));
        // If you've already got two spams on your IP address, all you ever do is spam
        if ($spams > 1) {
            $comment->status = Comment::STATUS_SPAM;
            $spamcheck[] = sprintf(_t('Too many existing spams from this IP: %s'), $comment->ip);
        }
    }
    // Any commenter that takes longer than the session timeout is automatically moderated
    // NOTE(review): in_array() here is a loose comparison; fine only if the submitted ccode and
    // the stored codes are both strings — confirm.
    if (!isset($_SESSION['comments_allowed']) || ! in_array(Controller::get_var('ccode'), $_SESSION['comments_allowed'])) {
        $comment->status = Comment::STATUS_UNAPPROVED;
        $spamcheck[] = _t("The commenter's session timed out.");
    }
    if ( isset($comment->info->spamcheck) && is_array($comment->info->spamcheck)) {
        $comment->info->spamcheck = array_unique(array_merge($comment->info->spamcheck, $spamcheck));
    } else {
        $comment->info->spamcheck = $spamcheck;
    }
    // otherwise everything looks good
    // so continue processing the comment
    return;
}
* * You should have received a copy of the GNU Affero General Public License * along with this program. If not, see <http://www.gnu.org/licenses/>. * * For more information, contact Colosa Inc, 2566 Le Jeune Rd., * Coral Gables, FL, 33134, USA, or email info@colosa.com. * */ $path = PATH_DB; //using the opendir function if (!($dir_handle = @opendir(PATH_DB))) { header("location: /errors/error704.php"); die; } G::LoadSystem('inputfilter'); $filter = new InputFilter(); echo "<table class='basicTable' cellpadding='5' cellspacing='0' border='0'>"; echo "<tr class='Record'><td colspan='2' class='formTitle'>Please select a valid workspace to continue</td></tr>"; echo "<tr valign='top'>"; $curPage = getenv("REQUEST_URI"); $curPage = $filter->xssFilterHard($curPage, "url"); //running the while loop $first = 0; while ($file = readdir($dir_handle)) { if (substr($file, 0, 3) == 'db_') { if ($first == 0) { echo "<td><table class='Record' ><tr class='formLabel''><td>RBAC built-in workspaces</td></tr>"; $first = 1; } $name = substr(substr($file, 0, strlen($file) - 4), 3); $link = str_replace("/sys/", "/sys{$name}/", $curPage);
/**
 * Theme filter: gate a password-protected post's content behind a password form.
 *
 * Flow, as written:
 *  1. posts without info->password pass through untouched;
 *  2. any identified user other than the anonymous user sees the content without a password;
 *  3. a submitted post_password (when post_password_id matches this post) is checked with
 *     Utils::crypt() against the stored value; on success a per-post token is added to the
 *     'post_passwords' session set and to the local copy;
 *  4. if the session holds the token for this post the content is returned, otherwise the
 *     post_password_form template is rendered in its place.
 *
 * NOTE(review):
 *  - $token is recomputed on every request with a single-argument Utils::crypt() call. If that
 *    call salts randomly, as password-hashing helpers usually do, the value stored in the
 *    session can never equal the one computed on the next request; confirm Utils::crypt() is
 *    deterministic for one argument, or store and compare something stable.
 *  - "$user != User::anonymous()" and "post_password_id == $post->id" are loose comparisons;
 *    the first compares two objects by their properties.
 *  - The submitted password goes through InputFilter::filter() before verification, so a
 *    password containing markup-like characters would be altered before it is checked.
 *
 * @param string $content rendered post content
 * @param Post   $post    the post being rendered
 * @return string the content, or the rendered password form
 */
public function filter_post_content($content, Post $post)
{
    if ($post->info->password) {
        // if user logged in, show post
        // make sure it's not just the anonymous user!
        $user = User::identify();
        if ($user instanceof User && $user != User::anonymous()) {
            return $content;
        }
        $session = Session::get_set('post_passwords', false);
        $token = Utils::crypt('42' . $post->info->password . $post->id . Options::get('GUID'));
        // if password was submitted verify it
        if (Controller::get_var('post_password') && Controller::get_var('post_password_id') == $post->id) {
            $pass = InputFilter::filter(Controller::get_var('post_password'));
            if (Utils::crypt($pass, $post->info->password)) {
                Session::add_to_set('post_passwords', $token, $post->id);
                $session[$post->id] = $token;
            } else {
                Session::error(_t('That password was incorrect.', 'postpass'));
            }
        }
        // if password is stored in session verify it
        if (isset($session[$post->id]) && $session[$post->id] == $token) {
            return $content;
        } else {
            $theme = Themes::create();
            $theme->post = $post;
            return $theme->fetch('post_password_form');
        }
    } else {
        return $content;
    }
}