/**
 * Runs every public property of this object through InputFilter::process().
 *
 * @access protected
 * @param array $ignoreList Property names that must be left untouched (optional).
 */
function filter($ignoreList = null)
{
    $skip = is_array($ignoreList) ? $ignoreList : array();
    $cleaner = new InputFilter();
    foreach ($this->getPublicProperties() as $name) {
        if (in_array($name, $skip)) {
            continue;
        }
        // NOTE(review): process() with the default constructor is the only sanitisation
        // applied here; what it strips depends on InputFilter's defaults, not visible in this file.
        $this->{$name} = $cleaner->process($this->{$name});
    }
}
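/**
 * @package Mambo
 * @author Mambo Foundation Inc see README.php
 * @copyright Mambo Foundation Inc.
 * See COPYRIGHT.php for copyright notices and details.
 * @license GNU/GPL Version 2, see LICENSE.php
 * Mambo is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; version 2 of the License.
 */

/**
 * Validates the MOStlyCE "external call" cookie pair.
 *
 * The cookie startup_key must equal md5($secret . md5(User-Agent) . REMOTE_ADDR) and
 * the cookie usertype must name one of the recognised Mambo groups.
 *
 * @param string $path   Site root; used to locate phpInputFilter.
 * @param string $secret Site secret mixed into the rebuild key.
 * @return bool true only when both cookies are present, the key matches and the usertype is valid.
 */
function externalCallCheck($path, $secret)
{
    if (!isset($_COOKIE['mostlyce']['startup_key']) || !isset($_COOKIE['mostlyce']['usertype'])) {
        return false;
    }
    require_once $path . '/includes/phpInputFilter/class.inputfilter.php';
    $iFilter = new InputFilter(null, null, 1, 1);
    $startupKey = trim($iFilter->process($_COOKIE['mostlyce']['startup_key']));
    // The MOStlyCE rebuild key should match this
    $usertype = strtolower(str_replace(' ', '', trim($iFilter->process($_COOKIE['mostlyce']['usertype']))));

    // A missing User-Agent header hashes identically to an empty one; the isset() guards only
    // avoid undefined-index notices. NOTE(review): both inputs are caller-controlled, so the
    // key's strength rests entirely on $secret (md5 of a concatenation is not an HMAC).
    $userAgent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    $remoteAddr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    $env = md5($userAgent);
    $rebuildKey = md5($secret . $env . $remoteAddr);

    // Constant-time comparison where available so the key check cannot leak via timing.
    if (function_exists('hash_equals')) {
        $keyMatches = hash_equals($rebuildKey, $startupKey);
    } else {
        $keyMatches = ($rebuildKey === $startupKey);
    }
    if (!$keyMatches) {
        return false;
    }

    // Valid user types
    $vUsers = array('author', 'editor', 'publisher', 'manager', 'administrator', 'superadministrator');
    return in_array($usertype, $vUsers, true);
}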
/**
 * Front-controller entry point: filters the request, records the basic log fields,
 * dispatches the URL and sends the response.
 */
function process()
{
    $inputFilter = new InputFilter();
    // Return value discarded, as before; this only has an effect if process() mutates its argument.
    $inputFilter->process($this);

    $method = $this->request->get("method");
    // Same fields and key order as before; "method" is logged only when the request carries one.
    $basic = array(
        'reqip' => $this->request->userip . ':' . $this->request->clientip,
        'uri'   => $this->request->url,
    );
    if (!is_null($method)) {
        $basic['method'] = $method;
    }
    $basic['logid'] = $this->requestId;
    kc_log_addbasic($basic);

    $dispatcher = new Dispatch($this);
    App::getTimer()->set('framework prepare');
    $dispatcher->dispatch_url($this->request->url);
    $this->response->send();
    KC_LOG_TRACE('[TIME COST STATISTIC] [ ' . App::getTimer()->getString() . ' ].');
}
/**
 * Updates a particular model.
 *
 * Currently disabled: the first statement ends the request, so nothing below it runs.
 *
 * @param integer $_GET['id'] the ID of the model to be updated
 * @return updated comment text
 */
public function actionUpdate()
{
    Yii::app()->end(); // updates are disallowed; everything after this line is unreachable

    // NOTE(review): retained for reference only. If this is ever re-enabled, note that it
    // mass-assigns $_POST['Comments'] into the model, calls save(false) (which in Yii skips
    // validation) and never checks that the caller owns the comment selected by $_GET['id'].
    $model = $this->loadModel($_GET['id']);
    $isAjaxFormSubmit = isset($_POST['Comments']) && isset($_POST['ajax']);
    if ($isAjaxFormSubmit) {
        $model->attributes = $_POST['Comments'];
        // strip everything except <br> and <pre> from the comment body
        Yii::import('application.extensions.InputFilter.InputFilter');
        $filter = new InputFilter(array('br', 'pre'));
        $model->comment_text = $filter->process($model->comment_text);
        $model->save(false);
        echo $model->comment_text;
    }
    Yii::app()->end();
}
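/**
 * Redirects the browser to $url, optionally enqueuing a message first.
 *
 * @param string $url       Destination URL (run through InputFilter when the class is loaded).
 * @param string $msg       Optional message to enqueue on the application.
 * @param string $redirKind '301' (default), '302' or '303'.
 * @param string $msgType   Message type handed to enqueueMessage().
 */
function shRedirect($url, $msg = '', $redirKind = '301', $msgType = 'message')
{
    global $mainframe;
    $sefConfig = shRouter::shGetConfig(); // unused below; kept because shGetConfig() may initialise router config

    // specific filters: strip markup from the URL/message and fall back to the live site
    // when the URL would be rejected as an href value (e.g. a javascript: scheme).
    if (class_exists('InputFilter')) {
        $iFilter = new InputFilter();
        $url = $iFilter->process($url);
        if (!empty($msg)) {
            $msg = $iFilter->process($msg);
        }
        if ($iFilter->badAttributeValue(array('href', $url))) {
            $url = $GLOBALS['shConfigLiveSite'];
        }
    }
    // NOTE(review): the destination host is never restricted, so a caller that passes an
    // untrusted $url still produces an open redirect.

    // If the message exists, enqueue it
    if (JString::trim($msg)) {
        $mainframe->enqueueMessage($msg, $msgType);
    }
    // Persist messages if they exist
    if (count($mainframe->_messageQueue)) {
        $session = JFactory::getSession();
        $session->set('application.queue', $mainframe->_messageQueue);
    }

    if (headers_sent()) {
        // Output already started: emit the URL as a JSON string literal so a quote or a
        // "</script>" inside it cannot break out of the script block (the old single-quoted
        // interpolation was injectable).
        $jsUrl = json_encode($url);
        if ($jsUrl === false) {
            $jsUrl = json_encode($GLOBALS['shConfigLiveSite']);
        }
        echo "<script>document.location.href=" . $jsUrl . ";</script>\n";
    } else {
        @ob_end_clean(); // clear output buffer
        switch ($redirKind) {
            case '302':
                $redirHeader = 'HTTP/1.1 302 Moved Temporarily';
                break;
            case '303':
                $redirHeader = 'HTTP/1.1 303 See Other';
                break;
            default:
                $redirHeader = 'HTTP/1.1 301 Moved Permanently';
                break;
        }
        header($redirHeader);
        header("Location: " . $url);
    }
    $mainframe->close();
}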
$surveyid = sRandomChars(5, '123456789'); $isquery = "SELECT sid FROM " . db_table_name('surveys') . " WHERE sid={$surveyid}"; $isresult = db_execute_assoc($isquery); // Checked } while ($isresult->RecordCount() > 0); if (!isset($_POST['template'])) { $_POST['template'] = 'default'; } if ($_SESSION['USER_RIGHT_SUPERADMIN'] != 1 && $_SESSION['USER_RIGHT_MANAGE_TEMPLATE'] != 1 && !hasTemplateManageRights($_SESSION['loginID'], $_POST['template'])) { $_POST['template'] = "default"; } // insert base language into surveys_language_settings if ($filterxsshtml) { require_once "../classes/inputfilter/class.inputfilter_clean.php"; $myFilter = new InputFilter('', '', 1, 1, 1); $_POST['surveyls_title'] = $myFilter->process($_POST['surveyls_title']); $_POST['description'] = $myFilter->process($_POST['description']); $_POST['welcome'] = $myFilter->process($_POST['welcome']); $_POST['urldescrip'] = $myFilter->process($_POST['urldescrip']); } else { $_POST['surveyls_title'] = html_entity_decode($_POST['surveyls_title'], ENT_QUOTES, "UTF-8"); $_POST['description'] = html_entity_decode($_POST['description'], ENT_QUOTES, "UTF-8"); $_POST['welcome'] = html_entity_decode($_POST['welcome'], ENT_QUOTES, "UTF-8"); $_POST['urldescrip'] = html_entity_decode($_POST['urldescrip'], ENT_QUOTES, "UTF-8"); } //make sure only numbers are passed within the $_POST variable $_POST['dateformat'] = (int) $_POST['dateformat']; $_POST['tokenlength'] = (int) $_POST['tokenlength']; if (trim($_POST['expires']) == '') { $_POST['expires'] = null; } else {
//Preprocessing if ($error == false) { $the_text = isset($_REQUEST['thetext']) ? $_REQUEST['thetext'] : ''; $the_html = isset($_REQUEST['thehtml']) ? $_REQUEST['thehtml'] : ''; if (isset($_REQUEST['toStep2'])) { $tplname = 'htmlprev_step2'; $the_html = htmlspecialchars(mb_ereg_replace("\n", "<br />\n", stripslashes(htmlspecialchars($the_text, ENT_COMPAT, 'UTF-8'))), ENT_COMPAT, 'UTF-8'); } else { if (isset($_REQUEST['toStep3'])) { global $rootpath, $stylepath; //check the html ... require_once $rootpath . 'lib/class.inputfilter.php'; require_once $stylepath . '/htmlprev.inc.php'; $myFilter = new InputFilter($allowedtags, $allowedattr, 0, 0, 1); $orghtml = $the_html; $the_html = $myFilter->process($the_html); $tplname = 'htmlprev_step3'; tpl_set_var('orghtml', htmlspecialchars($orghtml, ENT_COMPAT, 'UTF-8')); tpl_set_var('thecode', $the_html); tpl_set_var('thehtmlcode', nl2br(stripslashes(htmlspecialchars($the_html, ENT_COMPAT, 'UTF-8')))); } else { if (isset($_REQUEST['backStep2'])) { $tplname = 'htmlprev_step2'; $the_html = stripslashes(htmlspecialchars($the_html, ENT_COMPAT, 'UTF-8')); } else { //start $tplname = 'htmlprev'; } } } tpl_set_var('thetext', stripslashes(htmlspecialchars($the_text, ENT_COMPAT, 'UTF-8')));
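<?php
// The short open tag ("<?") only works when short_open_tag is enabled; with it off the
// include never runs and the raw PHP source is sent to the browser. Use the full tag.
include("../ressources/.mysql_common.php");
require_once("class.inputfilter_clean.php");

// InputFilter with no user tag/attribute lists and automatic XSS cleaning enabled.
$tags = '';
$attr = '';
$tag_method = 0;
$attr_method = 0;
$xss_auto = 1;
$myFilter = new InputFilter($tags, $attr, $tag_method, $attr_method, $xss_auto);

// Request parameters arrive as e.g. submitbutton=Udlever1; read them defensively so a
// missing key does not raise an undefined-index notice.
$divisionday = $myFilter->process(isset($_GET["divisionday"]) ? $_GET["divisionday"] : '');
$uid = $myFilter->process(isset($_GET["submitbutton"]) ? $_GET["submitbutton"] : '');
$orderline_uid = str_replace('Udlever', '', $uid);

// Both user-supplied values are cast to int when interpolated; that cast, not InputFilter,
// is what keeps this string-built query free of injection.
$query = 'SELECT ff_orderlines.item as article, ff_pickupdates.pickupdate as pickupdate, ff_divisions.name as name, ff_items.units, ff_items.measure, ff_producttypes.explained as txt, ff_orderlines.quant, ff_persons.firstname, ff_persons.middlename, ff_persons.lastname, ff_persons.tel, ff_persons.email, ff_persons.uid as medlem, ff_orderlines.status2, ff_orderlines.uid FROM ff_orderlines, ff_orderhead, ff_items, ff_producttypes, ff_pickupdates, ff_divisions, ff_persons WHERE ff_orderlines.orderno = ff_orderhead.orderno AND ((ff_orderhead.status1 = "kontant") or (ff_orderhead.status1 = "nets")) AND ff_orderlines.item = ff_items.id AND ff_items.producttype_id = ff_producttypes.id AND ff_orderlines.iteminfo = ff_pickupdates.uid AND ff_divisions.uid = ff_pickupdates.division AND ff_pickupdates.division = ff_items.division AND ff_orderlines.puid = ff_persons.uid AND ff_pickupdates.uid = ' . (int) $divisionday . ' AND ff_orderlines.uid = ' . (int) $orderline_uid . ' ORDER BY ff_pickupdates.pickupdate, ff_producttypes.explained ';
$result = doquery($query);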
tpl_set_var('GeoKretyApiConfigured', 'none'); tpl_set_var('GeoKretApiSelector', ''); } // descMode is depreciated. this was description type. Now all description are in html, then always use 3 for back compatibility $descMode = 3; // fuer alte Versionen von OCProp if (isset($_POST['submit']) && !isset($_POST['version2'])) { $descMode = 1; $_POST['submitform'] = $_POST['submit']; $log_text = iconv("ISO-8859-1", "UTF-8", $log_text); } if ($descMode != 1) { // check input require_once $rootpath . 'lib/class.inputfilter.php'; $myFilter = new InputFilter($allowedtags, $allowedattr, 0, 0, 1); $log_text = $myFilter->process($log_text); } else { // escape text //if( $all_ok ) $log_text = nl2br(htmlspecialchars($log_text, ENT_COMPAT, 'UTF-8')); //else //$log_text = strip_tags(htmlspecialchars($log_text, ENT_COMPAT, 'UTF-8')); } //setting tpl messages if they should be not visible. tpl_set_var('lat_message', ''); tpl_set_var('lon_message', ''); //validate data if (is_numeric($log_date_month) && is_numeric($log_date_day) && is_numeric($log_date_year) && is_numeric($log_date_hour) && is_numeric($log_date_min)) { $date_not_ok = checkdate($log_date_month, $log_date_day, $log_date_year) == false || $log_date_hour < 0 || $log_date_hour > 23 || $log_date_min < 0 || $log_date_min > 60; if ($date_not_ok == false) { if (isset($_POST['submitform'])) {
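/**
 * Utility function redirect the browser location to another url
 *
 * Can optionally provide a message, which is appended as the "extmsg" query parameter.
 * @param string $url The destination URL
 * @param string $msg Optional message to carry along in the query string
 */
function extRedirect($url, $msg = '')
{
    global $mainframe;

    // specific filters: strip markup from the URL/message and fall back to the home dir
    // when the URL would be rejected as an href value (e.g. a javascript: scheme).
    $iFilter = new InputFilter();
    $url = $iFilter->process($url);
    if (!empty($msg)) {
        $msg = $iFilter->process($msg);
    }
    if ($iFilter->badAttributeValue(array('href', $url))) {
        $url = $GLOBALS['home_dir'];
    }
    // NOTE(review): the destination host is never restricted, so an untrusted $url is an open redirect.

    if (trim($msg)) {
        // strpos() returns 0 for a query-only URL ("?a=1"); compare against false, not truthiness,
        // otherwise a second "?" gets appended.
        $separator = (strpos($url, '?') !== false) ? '&' : '?';
        $url .= $separator . 'extmsg=' . urlencode($msg);
    }

    if (headers_sent()) {
        // Output already started: emit the URL as a JSON string literal so a quote or a
        // "</script>" inside it cannot break out of the script block.
        $jsUrl = json_encode($url);
        if ($jsUrl === false) {
            $jsUrl = json_encode($GLOBALS['home_dir']);
        }
        echo "<script>document.location.href=" . $jsUrl . ";</script>\n";
    } else {
        @ob_end_clean(); // clear output buffer
        header('HTTP/1.1 301 Moved Permanently');
        header("Location: " . $url);
    }
    exit;
}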
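/**
 * Strips disallowed HTML from $text using the site's InputFilter class.
 *
 * @param string      $text           HTML to clean.
 * @param string|null $allowable_tags Comma-separated tag whitelist (spaces are ignored).
 * @param array|null  $forbidden_attr Attribute names to add to the filter's blacklist.
 * @return string Cleaned HTML.
 */
function cleanHTML($text, $allowable_tags = null, $forbidden_attr = null)
{
    // INCLUDE FILTER CLASS
    if (!class_exists("InputFilter")) {
        require SE_ROOT . "/include/class_inputfilter.php";
    }
    // New method: static process() taking an options array
    if (!method_exists('InputFilter', 'safeSQL')) {
        return InputFilter::process($text, array('allowedTags' => $allowable_tags, 'forbiddenAttributes' => $forbidden_attr));
    }
    // Legacy method: instantiate with the tag whitelist; attributes run in blacklist mode with auto XSS cleaning
    $tagList = explode(",", str_replace(" ", "", (string) $allowable_tags));
    $xssFilter = new InputFilter($tagList, "", 0, 1, 1);
    // count(null) is a TypeError on PHP 8 (and a warning on 7.2+); only iterate a real array.
    if (is_array($forbidden_attr)) {
        foreach ($forbidden_attr as $attribute) {
            $xssFilter->attrBlacklist[] = $attribute;
        }
    }
    return $xssFilter->process($text);
}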
if ($first == true) { $first = false; $aid = $connect->Insert_ID(db_table_name_nq('assessments'), "id"); } } } elseif ($action == "assessmentupdate") { if ($filterxsshtml) { require_once "../classes/inputfilter/class.inputfilter_clean.php"; $myFilter = new InputFilter('', '', 1, 1, 1); } foreach ($assessmentlangs as $assessmentlang) { if (!isset($_POST['gid'])) { $_POST['gid'] = 0; } if ($filterxsshtml) { $_POST['name_' . $assessmentlang] = $myFilter->process($_POST['name_' . $assessmentlang]); $_POST['assessmentmessage_' . $assessmentlang] = $myFilter->process($_POST['assessmentmessage_' . $assessmentlang]); } $query = "UPDATE {$dbprefix}assessments\n\t\t\t SET scope='" . db_quote($_POST['scope'], true) . "',\n\t\t\t gid=" . sanitize_int($_POST['gid']) . ",\n\t\t\t minimum='" . sanitize_signedint($_POST['minimum']) . "',\n\t\t\t maximum='" . sanitize_signedint($_POST['maximum']) . "',\n\t\t\t name='" . db_quote($_POST['name_' . $assessmentlang], true) . "',\n\t\t\t message='" . db_quote($_POST['assessmentmessage_' . $assessmentlang], true) . "'\n\t\t\t WHERE language='{$assessmentlang}' and id=" . sanitize_int($_POST['id']); $result = $connect->Execute($query) or safe_die("Error updating<br />{$query}<br />" . $connect->ErrorMsg()); } } elseif ($action == "assessmentdelete") { $query = "DELETE FROM {$dbprefix}assessments\n\t\t\t\t WHERE id=" . sanitize_int($_POST['id']); $result = $connect->Execute($query); } $assessmentsoutput = PrepareEditorScript(); $assessmentsoutput .= "<script type=\"text/javascript\">\n <!-- \n var strnogroup='" . $clang->gT("There are no groups available.", "js") . "';\n --></script>\n"; $assessmentsoutput .= "<div class='menubar'>\n" . "\t<div class='menubar-title'>\n" . "<strong>" . $clang->gT("Assessments") . "</strong>\n"; $assessmentsoutput .= "\t</div>\n" . "\t<div class='menubar-main'>\n" . "<div class='menubar-left'>\n" . "\t<a href=\"#\" onclick=\"window.open('{$scriptname}?sid={$surveyid}', '_top')\" title='" . 
$clang->gTview("Return to survey administration") . "'>" . "<img name='Administration' src='{$imagefiles}/home.png' alt='" . $clang->gT("Return to survey administration") . "' /></a>\n" . "\t<img src='{$imagefiles}/blank.gif' alt='' width='11' />\n" . "\t<img src='{$imagefiles}/seperator.gif' alt='' />\n"; if ($surveyinfo['assessments'] != 'Y') { $assessmentsoutput .= '<span style="font-size:11px;">' . sprintf($clang->gT("Notice: Assessment mode for this survey is not activated. You can activate it in the %s survey settings %s (tab 'Notification & data management')."), '<a href="admin.php?action=editsurvey&sid=' . $surveyid . '">', '</a>') . '</span>';
if ($usr == false) { $target = urlencode(tpl_get_current_page()); tpl_redirect('login.php?target=' . $target); } else { $tplname = 'myroutes'; $user_id = $usr['userid']; $route_rs = XDb::xSql("SELECT `route_id` ,`description` `desc`, `name`,`radius`,`length`\n FROM `routes` WHERE `user_id`= ?\n ORDER BY `route_id` DESC", $user_id); if ($routes_record = XDb::xFetchArray($route_rs)) { $routes .= '<div class="headitems">'; $routes .= '<div style="width:80px;" class="myr">' . tr('route_name') . '</div><div class="ver"> </div><div style="width:295px;" class="myr"> ' . tr('route_desc') . '</div><div class="ver"> </div><div style="width:60px;" class="myr"> ' . tr('radius') . '</div><div class="ver"> </div><div style="width:60px;" class="myr"> ' . tr('length') . '</div><div class="ver"> </div><div style="width:70px;" class="myr"> ' . tr('caches') . '</div><div class="ver"> </div><div style="width:50px;" class="myr">' . tr('edit') . '</div><div class="ver"> </div><div style="width:20px;" class="myr"> ' . tr('delete') . '</div></div>'; do { $desc = $routes_record['desc']; if ($desc != '') { require_once $rootpath . 'lib/class.inputfilter.php'; $myFilter = new InputFilter($allowedtags, $allowedattr, 0, 0, 1); $desc = $myFilter->process($desc); } $routes .= '<div class="listitems">'; // $routes .= '<div style="margin-left:5px;width:75px;" class="myr">'.$routes_record['name']. '</div><div class="ver35"> </div><div style="width:295px;" class="myr">'.nl2br($desc).'</div><div class="ver35"> </div><div style="width:60px;text-align:center;" class="myr">'.$routes_record['radius']. ' km</div><div class="ver35"> </div><div style="width:60px;text-align:center;" class="myr">'.round($routes_record['length'],0). 
' km</div><div class="ver35"> </div><div style="width:70px;float:left;text-align:center;"><a class="links" href="myroutes_search.php?routeid='.$routes_record['route_id'].'"><img src="tpl/stdstyle/images/action/16x16-search.png" alt="" title="Search caches along route" /></a></div><div class="ver35"> </div><div style="width:50px;float:left;text-align:center;"><a class="links" href="myroutes_edit.php?routeid='.$routes_record['route_id'].'"><img src="images/actions/edit-16.png" alt="" title="Edit route" /></a></div><div class="ver35"> </div><div style="width:20px;float:left;text-align:center;"><a class="links" href="myroutes_edit.php?routeid='.$routes_record['route_id'].'&delete" onclick="return confirm(\'Czy chcesz usunąć tę trase?\');"><img src="tpl/stdstyle/images/log/16x16-trash.png" alt="" title="Usuń" /></a></div></div>'; $routes .= '<table border="0" class="myr"><tr><td style="margin-left:3px;width:75px;" class="myr">' . $routes_record['name'] . '</td><td width="2" style="border-right:solid thin #7fa2ca"></td> <td style="width:297px;" class="myr">' . nl2br($desc) . '</td><td width="2" style="border-right:solid thin #7fa2ca"></td> <td style="width:65px;" class="myr">' . $routes_record['radius'] . ' km</td><td width="2" style="border-right:solid thin #7fa2ca"></td> <td style="width:62px;" class="myr">' . $routes_record['length'] . ' km</td><td width="2" style="border-right:solid thin #7fa2ca"></td> <td style="width:73px;" class="myr"><a class="links" href="myroutes_search.php?routeid=' . $routes_record['route_id'] . '"><img src="tpl/stdstyle/images/action/16x16-search.png" alt="" title=' . tr("search_caches_along_route") . ' /></a></td><td width="2" style="border-right:solid thin #7fa2ca"></td> <td style="width:53px;" class="myr"><a class="links" href="myroutes_edit.php?routeid=' . $routes_record['route_id'] . '"><img src="images/actions/edit-16.png" alt="" title=' . tr('edit_route') . 
' /></a></td><td width="2" style="border-right:solid thin #7fa2ca"></td> <td style="width:23px;" class="myr"><a class="links" href="myroutes_edit.php?routeid=' . $routes_record['route_id'] . '&delete" onclick="return confirm(\'' . tr("confirm_remove_route") . '\');"><img style="vertical-align: middle;" src="tpl/stdstyle/images/log/16x16-trash.png" alt="" title=' . tr('delete') . ' /></a></td></tr></table></div>'; } while ($routes_record = XDb::xFetchArray($route_rs)); $routes .= ''; tpl_set_var('content', $routes); } else { tpl_set_var('content', "<div class=\"listitems\"><br/><center><span style=\"font-size:140%;font-weight:bold \"> " . tr('no_routes') . "</span><br/><br/></center></div>");
$importsurvey .= "<div class='errorheader'>" . $clang->gT("Error") . "</div>\n"; $importsurvey .= $clang->gT("Import failed. You specified an invalid file type.") . "\n"; $importerror = true; } } elseif ($action == 'copysurvey') { $surveyid = sanitize_int($_POST['copysurveylist']); $exclude = array(); if (get_magic_quotes_gpc()) { $sNewSurveyName = stripslashes($_POST['copysurveyname']); } else { $sNewSurveyName = $_POST['copysurveyname']; } require_once "../classes/inputfilter/class.inputfilter_clean.php"; $myFilter = new InputFilter('', '', 1, 1, 1); if ($filterxsshtml) { $sNewSurveyName = $myFilter->process($sNewSurveyName); } else { $sNewSurveyName = html_entity_decode($sNewSurveyName, ENT_QUOTES, "UTF-8"); } if (isset($_POST['copysurveyexcludequotas']) && $_POST['copysurveyexcludequotas'] == "on") { $exclude['quotas'] = true; } if (isset($_POST['copysurveyexcludeanswers']) && $_POST['copysurveyexcludeanswers'] == "on") { $exclude['answers'] = true; } if (isset($_POST['copysurveyresetconditions']) && $_POST['copysurveyresetconditions'] == "on") { $exclude['conditions'] = true; } include "export_structure_xml.php"; $copysurveydata = getXMLData($exclude); }
/**
 * Removes illegal tags and attributes from html input.
 *
 * @param string $html Raw HTML.
 * @return string The HTML with blacklisted tags and attributes removed.
 */
function inputFilter($html)
{
    // Replaced code to fix issue with img tags: phpInputFilter with empty user lists and
    // method 1 for both tags and attributes (allow all except the filter's own blacklist).
    jimport('phpinputfilter.inputfilter');
    $blacklistFilter = new InputFilter(array(), array(), 1, 1);
    $cleaned = $blacklistFilter->process($html);
    return $cleaned;
}
$_SESSION['adminlang'] = $browlang; } else { $_SESSION['adminlang'] = $fields['lang']; } $clang = new limesurvey_lang($_SESSION['adminlang']); } $login = true; $loginsummary .= "<div class='messagebox ui-corner-all'>\n"; $loginsummary .= "<div class='header ui-widget-header'>" . $clang->gT("Logged in") . "</div>"; $loginsummary .= "<br />" . sprintf($clang->gT("Welcome %s!"), $_SESSION['full_name']) . "<br /> "; $loginsummary .= "</div>\n"; if (isset($_POST['refererargs']) && $_POST['refererargs'] && strpos($_POST['refererargs'], "action=logout") === FALSE) { require_once "../classes/inputfilter/class.inputfilter_clean.php"; $myFilter = new InputFilter('', '', 1, 1, 1); // Prevent XSS attacks $sRefererArg = $myFilter->process($_POST['refererargs']); $_SESSION['metaHeader'] = "<meta http-equiv=\"refresh\"" . " content=\"1;URL={$scriptname}?" . $sRefererArg . "\" />"; $loginsummary .= "<p><font size='1'><i>" . $clang->gT("Reloading screen. Please wait.") . "</i></font>\n"; } $loginsummary .= "<br /><br />\n"; GetSessionUserRights($_SESSION['loginID']); } else { $query = fGetLoginAttemptUpdateQry($bLoginAttempted, $sIp); $result = $connect->Execute($query) or safe_die($query . "<br />" . $connect->ErrorMsg()); if ($result) { // wrong or unknown username $loginsummary .= "<p>" . $clang->gT("Incorrect username and/or password!") . "<br />"; if ($intNthAttempt + 1 >= $maxLoginAttempt) { $loginsummary .= sprintf($clang->gT("You have exceeded you maximum login attempts. Please wait %d minutes before trying again"), $timeOutTime / 60) . "<br />"; } $loginsummary .= "<br /><a href='{$scriptname}'>" . $clang->gT("Continue") . "</a><br /> \n";
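/**
 * Replaces every label of label set $lid with the codes and per-language titles posted
 * as JSON in $_POST['dataToSend'] ($data->codelist, $data->langs, one object per code).
 *
 * When $_POST['ajax'] == "1" a new label set is created first via insertlabelset() and
 * the request is terminated with die after the update.
 *
 * @param int $lid Label set id; cast to int before it reaches SQL.
 * @return void
 */
function modlabelsetanswers($lid)
{
    global $dbprefix, $connect, $clang, $labelsoutput, $databasetype, $filterxsshtml, $postsortorder;

    $ajax = isset($_POST['ajax']) && $_POST['ajax'] == "1";
    if (!isset($_POST['method'])) {
        $_POST['method'] = $clang->gT("Save");
    }

    // Decode the posted label data and refuse anything that is not the expected shape.
    // Previously a null/garbage payload passed the duplicate check (count(null) == count(null)),
    // ran the DELETE below and inserted nothing - silently wiping the label set.
    $rawData = isset($_POST['dataToSend']) ? $_POST['dataToSend'] : '';
    $data = json_decode(html_entity_decode($rawData, ENT_QUOTES, "UTF-8"));
    if (!is_object($data) || !isset($data->codelist) || !is_array($data->codelist) || !isset($data->langs) || !is_array($data->langs)) {
        safe_die("Invalid label data received");
    }

    if ($ajax) {
        $lid = insertlabelset();
    }
    // $lid is interpolated unquoted into the DELETE and INSERT statements below.
    $lid = (int) $lid;

    $codelist = $data->codelist;
    if (count(array_unique($codelist)) == count($codelist)) {
        if ($filterxsshtml) {
            require_once "../classes/inputfilter/class.inputfilter_clean.php";
            $myFilter = new InputFilter('', '', 1, 1, 1);
        }
        $query = "DELETE FROM " . db_table_name('labels') . " WHERE lid = {$lid}";
        $result = db_execute_assoc($query) or safe_die($connect->ErrorMsg());

        foreach ($codelist as $index => $codeid) {
            $codeObj = $data->{$codeid};
            $actualcode = db_quoteall($codeObj->{'code'}, true);
            $assessmentvalue = (int) $codeObj->{'assessmentvalue'};
            foreach ($data->langs as $lang) {
                $title = $codeObj->{'text_' . $lang};
                if ($filterxsshtml) {
                    $title = $myFilter->process($title);
                } else {
                    $title = html_entity_decode($title, ENT_QUOTES, "UTF-8");
                }
                // Fix bug with FCKEditor saving strange BR types
                $title = fix_FCKeditor_text($title);
                $title = db_quoteall($title, true);
                $sort_order = db_quoteall($index);
                $langQuoted = db_quoteall($lang);
                $query = "INSERT INTO " . db_table_name('labels') . " (lid,code,title,sortorder, assessment_value, language)\n VALUES({$lid},{$actualcode},{$title},{$sort_order},{$assessmentvalue},{$langQuoted})";
                $result = db_execute_assoc($query) or safe_die($connect->ErrorMsg());
            }
        }
        $_SESSION['flashmessage'] = $clang->gT("Labels sucessfully updated");
    } else {
        $labelsoutput .= "<script type=\"text/javascript\">\n<!--\n alert(\"" . $clang->gT("Can't update labels because you are using duplicated codes", "js") . "\")\n //-->\n</script>\n";
    }

    if ($ajax) {
        die;
    }
}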
</div> <hr /> <tr><td align="center"><br /><span style="color:red;"><strong> </strong></span><br /> </table> <form onsubmit="self.close()"> <input type="submit" value="' . $clang->gT("Close Editor") . '" /> <input type="hidden" name="checksessionbypost" value="' . $_SESSION['checksessionpost'] . '" /> </form> </body> </html>'; } else { require_once "../classes/inputfilter/class.inputfilter_clean.php"; $oFilter = new InputFilter('', '', 1, 1, 1); $fieldname = $oFilter->process($_GET['fieldname']); $fieldtext = $oFilter->process($_GET['fieldtext']); if (get_magic_quotes_gpc()) { $fieldtext = stripslashes($fieldtext); } $controlidena = $_GET['fieldname'] . '_popupctrlena'; $controliddis = $_GET['fieldname'] . '_popupctrldis'; $sid = sanitize_int($_GET['sid']); $gid = sanitize_int($_GET['gid']); $qid = sanitize_int($_GET['qid']); $fieldtype = preg_replace("/[^_.a-zA-Z0-9-]/", "", $_GET['fieldtype']); $action = preg_replace("/[^_.a-zA-Z0-9-]/", "", $_GET['action']); $toolbarname = 'popup'; $htmlformatoption = ''; if ($fieldtype == 'email-inv' || $fieldtype == 'email-reg' || $fieldtype == 'email-conf' || $fieldtype == 'email-rem') { $htmlformatoption = ",fullPage:true";
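/**
 * Handles the label-set editor's form buttons for label set $lid. The action is chosen by
 * $_POST['method'] (the pressed button's translated caption): add a label, save all labels,
 * move one up or down, or delete one. Page output is appended to the global $labelsoutput;
 * $postsortorder is the sort position the Up/Dn/Del buttons act on.
 *
 * Every user-controlled value that reaches SQL is now quoted with db_quoteall(), cast to
 * int, or reduced to digits. Previously $orderid (derived from $_POST['sortorderids']),
 * $_POST['assessmentvalue_*'] and $postsortorder were interpolated verbatim.
 *
 * @param int $lid Label set id; cast to int before use.
 * @return void
 */
function modlabelsetanswers($lid)
{
    global $dbprefix, $connect, $clang, $labelsoutput, $databasetype, $filterxsshtml, $postsortorder;

    $lid = (int) $lid;
    $qulabelset = "SELECT * FROM " . db_table_name('labelsets') . " WHERE lid='$lid'";
    $rslabelset = db_execute_assoc($qulabelset) or safe_die($connect->ErrorMsg());
    $rwlabelset = $rslabelset->FetchRow();
    // NOTE(review): an unknown $lid leaves $rwlabelset false here, as before.
    $lslanguages = explode(" ", trim($rwlabelset['languages']));

    if (!isset($_POST['method'])) {
        $_POST['method'] = $clang->gT("Save");
    }
    // Sort positions are stored zero-padded ("00001"), so keep only the digits rather than
    // casting: legitimate values reach the queries unchanged, injected text does not.
    $sortpos = preg_replace('/[^0-9]/', '', (string) $postsortorder);

    switch ($_POST['method']) {
        case $clang->gT("Add new label", "unescaped"):
            if (isset($_POST['insertcode']) && $_POST['insertcode'] != '') {
                $_SESSION['nextlabelcode'] = getNextCode($_POST['insertcode']);
                $_POST['insertcode'] = db_quoteall($_POST['insertcode'], true);
                // check that the code doesn't exist yet
                $query = "SELECT code FROM " . db_table_name('labels') . " WHERE lid='$lid' AND code=" . $_POST['insertcode'];
                $result = $connect->Execute($query);
                $codeoccurences = $result->RecordCount();
                if ($codeoccurences == 0) {
                    $query = "select max(sortorder) as maxorder from " . db_table_name('labels') . " where lid='$lid'";
                    $result = $connect->Execute($query);
                    $newsortorder = sprintf("%05d", $result->fields['maxorder'] + 1);
                    if ($filterxsshtml) {
                        require_once("../classes/inputfilter/class.inputfilter_clean.php");
                        $myFilter = new InputFilter('', '', 1, 1, 1);
                        $_POST['inserttitle'] = $myFilter->process($_POST['inserttitle']);
                    } else {
                        $_POST['inserttitle'] = html_entity_decode($_POST['inserttitle'], ENT_QUOTES, "UTF-8");
                    }
                    // Fix bug with FCKEditor saving strange BR types
                    $_POST['inserttitle'] = fix_FCKeditor_text($_POST['inserttitle']);
                    $_POST['inserttitle'] = db_quoteall($_POST['inserttitle'], true);
                    $_POST['insertassessmentvalue'] = (int) $_POST['insertassessmentvalue'];
                    foreach ($lslanguages as $lslanguage) {
                        db_switchIDInsert('labels', true);
                        $query = "INSERT INTO " . db_table_name('labels') . " (lid, code, title, sortorder,language, assessment_value) VALUES ($lid, {$_POST['insertcode']}, {$_POST['inserttitle']}, '$newsortorder','$lslanguage',{$_POST['insertassessmentvalue']})";
                        if (!$result = $connect->Execute($query)) {
                            $labelsoutput .= "<script type=\"text/javascript\">\n<!--\n alert(\"" . $clang->gT("Failed to insert label", "js") . " - " . $query . " - " . $connect->ErrorMsg() . "\")\n //-->\n</script>\n";
                        }
                        db_switchIDInsert('labels', false);
                    }
                } else {
                    $labelsoutput .= "<script type=\"text/javascript\">\n<!--\n alert(\"" . $clang->gT("This label code is already used in this labelset. Please choose another code or rename the existing one.", "js") . "\")\n //-->\n</script>\n";
                }
            }
            break;

        // Save all labels with one button
        case $clang->gT("Save Changes", "unescaped"):
            // Determine autoids by evaluating the hidden field
            $sortorderids = explode(' ', trim(isset($_POST['sortorderids']) ? $_POST['sortorderids'] : ''));
            $codeids = explode(' ', trim(isset($_POST['codeids']) ? $_POST['codeids'] : ''));
            $count = 0;
            $codevalues = array();
            // Quote each code_codeid first
            foreach ($codeids as $codeid) {
                $_POST['code_' . $codeid] = db_quoteall($_POST['code_' . $codeid], true);
                if (isset($_POST['oldcode_' . $codeid])) {
                    $_POST['oldcode_' . $codeid] = db_quoteall($_POST['oldcode_' . $codeid], true);
                }
                // Get the code values to check for duplicates
                $codevalues[] = $_POST['code_' . $codeid];
            }
            // Check that there is no code duplicate
            if (count(array_unique($codevalues)) == count($codevalues)) {
                if ($filterxsshtml) {
                    require_once("../classes/inputfilter/class.inputfilter_clean.php");
                    $myFilter = new InputFilter('', '', 1, 1, 1);
                }
                foreach ($sortorderids as $sortorderid) {
                    // The text after the last "_" is the sort position. It comes from the client,
                    // so reduce it to digits before it is interpolated into the queries below.
                    $orderid = preg_replace('/[^0-9]/', '', substr($sortorderid, strrpos($sortorderid, '_') + 1, 20));
                    $codeQuoted = $_POST['code_' . $codeids[$count]];
                    // assessment_value is an integer column; cast instead of interpolating raw POST text
                    $assessmentKey = 'assessmentvalue_' . $codeids[$count];
                    $assessmentValue = isset($_POST[$assessmentKey]) ? (int) $_POST[$assessmentKey] : 0;
                    foreach ($lslanguages as $langid) {
                        $titleKey = 'title_' . $langid . '_' . $orderid;
                        if ($filterxsshtml) {
                            $_POST[$titleKey] = $myFilter->process($_POST[$titleKey]);
                        } else {
                            $_POST[$titleKey] = html_entity_decode($_POST[$titleKey], ENT_QUOTES, "UTF-8");
                        }
                        // Fix bug with FCKEditor saving strange BR types
                        $_POST[$titleKey] = fix_FCKeditor_text($_POST[$titleKey]);
                        $_POST[$titleKey] = db_quoteall($_POST[$titleKey], true);
                        $query = "UPDATE " . db_table_name('labels') . " SET code=" . $codeQuoted . ", title={$_POST[$titleKey]}, assessment_value={$assessmentValue} WHERE lid=$lid AND sortorder=$orderid AND language='$langid'";
                        if (!$result = $connect->Execute($query)) {
                            // if update didn't work we assume the label does not exist and insert it
                            $query = "insert into " . db_table_name('labels') . " (code,title,lid,sortorder,language) VALUES (" . $codeQuoted . ", {$_POST[$titleKey]}, $lid , $orderid , '$langid')";
                            if (!$result = $connect->Execute($query)) {
                                $labelsoutput .= "<script type=\"text/javascript\">\n<!--\n alert(\"" . $clang->gT("Failed to update label", "js") . " - " . $query . " - " . $connect->ErrorMsg() . "\")\n //-->\n</script>\n";
                            }
                        }
                    }
                    $count++;
                    if ($count > count($codeids) - 1) {
                        $count = 0;
                    }
                }
                fixorder($lid);
            } else {
                $labelsoutput .= "<script type=\"text/javascript\">\n<!--\n alert(\"" . $clang->gT("Can't update labels because you are using duplicated codes", "js") . "\")\n //-->\n</script>\n";
            }
            break;

        // Pressing the Up button: swap with the previous position via the temporary value -1
        case $clang->gT("Up", "unescaped"):
            $newsortorder = (int) $sortpos - 1;
            $oldsortorder = $sortpos;
            $cdquery = "UPDATE " . db_table_name('labels') . " SET sortorder=-1 WHERE lid=$lid AND sortorder=$newsortorder";
            $cdresult = $connect->Execute($cdquery) or safe_die($connect->ErrorMsg());
            $cdquery = "UPDATE " . db_table_name('labels') . " SET sortorder=$newsortorder WHERE lid=$lid AND sortorder=$oldsortorder";
            $cdresult = $connect->Execute($cdquery) or safe_die($connect->ErrorMsg());
            $cdquery = "UPDATE " . db_table_name('labels') . " SET sortorder='$oldsortorder' WHERE lid=$lid AND sortorder=-1";
            $cdresult = $connect->Execute($cdquery) or safe_die($connect->ErrorMsg());
            break;

        // Pressing the Down button: same three-step swap with the next position
        case $clang->gT("Dn", "unescaped"):
            $newsortorder = (int) $sortpos + 1;
            $oldsortorder = $sortpos;
            $cdquery = "UPDATE " . db_table_name('labels') . " SET sortorder=-1 WHERE lid=$lid AND sortorder='$newsortorder'";
            $cdresult = $connect->Execute($cdquery) or safe_die($connect->ErrorMsg());
            $cdquery = "UPDATE " . db_table_name('labels') . " SET sortorder='$newsortorder' WHERE lid=$lid AND sortorder=$oldsortorder";
            $cdresult = $connect->Execute($cdquery) or safe_die($connect->ErrorMsg());
            $cdquery = "UPDATE " . db_table_name('labels') . " SET sortorder=$oldsortorder WHERE lid=$lid AND sortorder=-1";
            $cdresult = $connect->Execute($cdquery) or safe_die($connect->ErrorMsg());
            break;

        // Delete Button
        case $clang->gT("Del", "unescaped"):
            $query = "DELETE FROM " . db_table_name('labels') . " WHERE lid=$lid AND sortorder='{$sortpos}'";
            if (!$result = $connect->Execute($query)) {
                $labelsoutput .= "<script type=\"text/javascript\">\n<!--\n alert(\"" . $clang->gT("Failed to delete label", "js") . " - " . $query . " - " . $connect->ErrorMsg() . "\")\n //-->\n</script>\n";
            }
            fixorder($lid);
            break;
    }
}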
/**
 * Thin wrapper around InputFilter: builds a filter with the given options and returns
 * the cleaned value of $data. Only the first parameter is required.
 *
 * @param mixed $data       Input string (or array of strings) to be 'cleaned'.
 * @param array $tagsArray  List of user-defined tags.
 * @param array $attrArray  List of user-defined attributes.
 * @param int   $tagsMethod 0 = allow just user-defined, 1 = allow all but user-defined.
 * @param int   $attrMethod 0 = allow just user-defined, 1 = allow all but user-defined.
 * @param int   $xssAuto    0 = only auto clean essentials, 1 = allow clean blacklisted tags/attr.
 * @return mixed The processed input.
 */
public function sanitizeInput($data, $tagsArray = array(), $attrArray = array(), $tagsMethod = 0, $attrMethod = 0, $xssAuto = 1)
{
    G::LoadSystem('inputfilter');
    $inputFilter = new InputFilter($tagsArray, $attrArray, $tagsMethod, $attrMethod, $xssAuto);
    $cleaned = $inputFilter->process($data);
    return $cleaned;
}
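/**
 * Binds a private message from $_POST, filters it, sends it and mails the recipient.
 *
 * Side effects: requires mambofunc.php and class.inputfilter.php, prints a
 * JavaScript alert and exits when binding fails, redirects through mosRedirect()
 * when sending fails and again once the mail has gone out.
 *
 * @param string $option component option name (part of the task-dispatch signature; not used here)
 */
function saveMessage($option)
{
    global $database, $mosConfig_absolute_path;
    global $mosConfig_mailfrom, $mosConfig_fromname;

    require_once $mosConfig_absolute_path . "/includes/mambofunc.php";

    $row = new mosMessage($database);
    if (!$row->bind($_POST)) {
        // addslashes keeps a quote inside the error text from terminating the JS string literal
        echo "<script> alert('" . addslashes($row->getError()) . "'); window.history.go(-1); </script>\n";
        exit;
    }

    require_once mamboCore::get('mosConfig_absolute_path') . '/includes/phpInputFilter/class.inputfilter.php';
    // tagsMethod=1 / attrMethod=1: allow everything except the filter's own blacklisted tags and attributes
    $iFilter = new InputFilter(null, null, 1, 1);
    $row->subject = trim($iFilter->process($row->subject));
    $row->message = trim($iFilter->process($row->message));

    if (!$row->send()) {
        mosRedirect("index2.php?option=com_messages&mosmsg=" . $row->getError());
        // mosRedirect is expected to end the request; the return makes sure no mail goes out
        // for a message that was not saved, even if it does not.
        return;
    }

    $msg = $row->subject . ' - ' . $row->message;

    // user_id_to was bound straight from $_POST above; the users table id is an integer key,
    // so cast it rather than interpolating the raw request value into the query.
    $recipientId = (int) $row->user_id_to;
    $sql = "SELECT a.id, a.name, a.email"
        . "\nFROM #__users AS a"
        . "\nWHERE a.sendEmail = '1'"
        . "\nAND a.id = '" . $recipientId . "'";
    $database->setQuery($sql);
    $recipients = $database->loadObjectList();

    if ($recipients) {
        // a distinct loop variable keeps the mosMessage in $row from being overwritten
        foreach ($recipients as $recipient) {
            // NOTE(review): the subject names the recipient (a.name), not the sender — presumably intended; confirm
            $subject = "New private message from " . $recipient->name;
            mosMail($mosConfig_mailfrom, $mosConfig_fromname, $recipient->email, $subject, $msg);
        }
    }

    mosRedirect("index2.php?option=com_messages");
}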
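<?php
// NOTE(review): the connection string carries credentials inline (redacted in this copy);
// they belong in a configuration file outside the web root, not in the request handler.
$mongo = new MongoClient('mongodb://*****:*****@ds052827.mongolab.com:52827/miblog');
$db = $mongo->selectDB("miblog");
$c_favoritos = $mongo->selectCollection($db, "favorito");

/////////////////////////////////
require_once 'seguridad/class.inputfilter.php';
// Every posted value passes through the default InputFilter before anything below reads it.
$filtro = new InputFilter();
$_POST = $filtro->process($_POST);
////////////////////////////////////////

/**
 * Returns one posted field trimmed, tag-stripped, slash-normalised and HTML-escaped,
 * or '' when the field was not posted (the original chain produced '' for a missing
 * key as well, but with a notice).
 *
 * The value is stored already HTML-escaped, so it must not be escaped again on output.
 *
 * @param string $field key in $_POST
 * @return string
 */
function cleanPostField($field)
{
    if (!isset($_POST[$field])) {
        return '';
    }

    return htmlspecialchars(addslashes(stripslashes(strip_tags(trim($_POST[$field])))));
}

// The original read 'id' twice with the same chain; once is enough.
$id = cleanPostField('id');
$titulo = cleanPostField('titulo');
$categoria = cleanPostField('categoria');
$descripcion = cleanPostField('descripcion');
$url = cleanPostField('url');
////////////////////////////////////
// A malformed id is rejected by the driver when MongoId is built, so it cannot silently match another document.
$condicion = array("_id" => new MongoId($id));
// NOTE(review): no $set operator is used, so the legacy driver replaces the whole document
// with these four fields — confirm that no other fields live on a "favorito" document.
$modFavorito = array("titulo" => $titulo, "categoria" => $categoria, "descripcion" => $descripcion, "url" => $url);
$c_favoritos->update($condicion, $modFavorito);
header("Refresh: 0;url=principal.php?mensaje=3");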
//anti Cache pour HTTP/1.0 header("Pragma: no-cache"); if (isset($_POST['blabla']) && isset($_POST['cibl'])) { if (get_magic_quotes_gpc()) { require_once "/usr/share/lcs/Plugins/Cdt/Includes/class.inputfilter_clean.php"; } else { require_once '../Includes/htmlpur/library/HTMLPurifier.auto.php'; } // Connexion a la base de donnees require_once '../Includes/config.inc.php'; //Creer la requete pour la mise a jour des donnees if (get_magic_quotes_gpc()) { $Contenu = htmlentities($_POST['blabla']); $Cib = htmlentities($_POST['cibl']); $oMyFilter = new InputFilter($aAllowedTags, $aAllowedAttr, 0, 0, 1); $cont = $oMyFilter->process($Contenu); $cible = $oMyFilter->process($Cib); } else { // htlmpurifier $Contenu = $_POST['blabla']; $Cib = addSlashes($_POST['cibl']); $config = HTMLPurifier_Config::createDefault(); //$config->set('Core.Encoding', 'ISO-8859-15'); $config->set('HTML.Doctype', 'XHTML 1.0 Strict'); $purifier = new HTMLPurifier($config); $cont = $purifier->purify($Contenu); $cible = $purifier->purify($Cib); $cont = mysqli_real_escape_string($dbc, $cont); } $cible = $_POST['cibl']; $rq = "UPDATE onglets SET postit='{$cont}' WHERE id_prof='{$cible}'";
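/**
 * Redirects the browser to $url, optionally enqueueing a message first.
 *
 * When the InputFilter class is loaded, $url and $msg are run through it and a URL
 * whose href value the filter rejects is replaced by the site's default live URL.
 * If headers were already sent, a JavaScript redirect is emitted instead of a
 * Location header. The application is closed at the end in both cases.
 *
 * @param string $url       destination URL
 * @param string $msg       optional message to enqueue before redirecting
 * @param string $redirKind '301' (default), '302' or '303' HTTP status to send
 * @param string $msgType   message type handed to enqueueMessage()
 */
function shRedirect( $url, $msg='', $redirKind = '301', $msgType='message' ) {
  $mainframe = JFactory::getApplication();
  // kept although unread here: obtaining the config may initialise it for later callers
  $sefConfig = & Sh404sefFactory::getConfig();

  // specific filters
  if (class_exists('InputFilter')) {
    $iFilter = new InputFilter();
    $url = $iFilter->process( $url );
    if (!empty($msg)) {
      $msg = $iFilter->process( $msg );
    }
    // a URL the filter judges unsafe as an href value falls back to the site root
    if ($iFilter->badAttributeValue( array( 'href', $url ))) {
      $url = Sh404sefFactory::getPageInfo()->getDefaultLiveSite();
    }
  }

  // If the message exists, enqueue it
  if (JString::trim( $msg )) {
    $mainframe->enqueueMessage($msg, $msgType);
  }

  // Persist messages if they exist
  $queue = $mainframe->getMessageQueue();
  if (count($queue)) {
    $session = JFactory::getSession();
    $session->set('application.queue', $queue);
  }

  $document = JFactory::getDocument();
  @ob_end_clean(); // clear output buffer

  if (headers_sent()) {
    // Headers are gone, so fall back to a JavaScript redirect. json_encode() produces a JS
    // string literal with quotes, backslashes and control characters escaped, so the URL
    // cannot terminate the literal (the original concatenated it raw between single quotes).
    echo '<html><head><meta http-equiv="content-type" content="text/html; charset='.$document->getCharset().'" /><script>document.location.href=' . json_encode($url) . ';</script></head><body></body></html>';
  } else {
    switch ($redirKind) {
      case '302':
        $redirHeader = 'HTTP/1.1 302 Moved Temporarily';
        break;
      case '303':
        $redirHeader = 'HTTP/1.1 303 See Other';
        break;
      default:
        $redirHeader = 'HTTP/1.1 301 Moved Permanently';
        break;
    }
    header( 'Cache-Control: no-cache'); // prevent Firefox5+ and IE9+ to consider this a cacheable redirect
    header( $redirHeader );
    header( 'Location: ' . $url );
    header( 'Content-Type: text/html; charset='.$document->getCharset());
  }
  $mainframe->close();
}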
//Iterate through each language, and make sure there is a quota message for it $errorstring = ''; foreach ($langs as $lang) { if (!$_POST['quotals_message_' . $lang]) { $errorstring .= GetLanguageNameFromCode($lang, false) . "\\n"; } } if ($errorstring != '') { $quotasoutput .= "<script type=\"text/javascript\">\n<!--\n alert(\"" . $clang->gT("Quota could not be added.\\n\\nIt is missing a quota message for the following languages", "js") . ":\\n" . $errorstring . "\")\n //-->\n</script>\n"; } else { require_once "../classes/inputfilter/class.inputfilter_clean.php"; $myFilter = new InputFilter('', '', 1, 1, 1); foreach ($langs as $lang) { //Clean XSS if ($filterxsshtml) { $_POST['quotals_message_' . $lang] = $myFilter->process($_POST['quotals_message_' . $lang]); } else { $_POST['quotals_message_' . $lang] = html_entity_decode($_POST['quotals_message_' . $lang], ENT_QUOTES, "UTF-8"); } // Fix bug with FCKEditor saving strange BR types $_POST['quotals_message_' . $lang] = fix_FCKeditor_text($_POST['quotals_message_' . $lang]); //Check to see if a matching language exists, and if not, INSERT one (no update possible) $query = "SELECT * FROM " . db_table_name('quota_languagesettings') . "\n WHERE quotals_quota_id = " . db_quote($_POST['quota_id'], true) . "\n AND quotals_language = '{$lang}'"; $result = db_execute_assoc($query) or safe_die($connect->ErrorMsg()); if ($result->RecordCount() > 0) { //Now save the language to the database: $query = "UPDATE " . db_table_name('quota_languagesettings') . "\n SET quotals_name='" . db_quote($_POST['quota_name'], true) . "',\n quotals_message='" . db_quote($_POST['quotals_message_' . $lang], true) . "'\n WHERE quotals_quota_id =" . db_quote($_POST['quota_id'], true) . "\n AND quotals_language = '{$lang}'"; $connect->Execute($query) or safe_die($connect->ErrorMsg()); } else { /* If there is no matching record for this language, create one */ $query = "INSERT INTO " . db_table_name('quota_languagesettings') . 
"\n (quotals_quota_id,quotals_language,quotals_name,quotals_message,quotals_url,quotals_urldescrip)\n VALUES ('" . db_quote($_POST['quota_id']) . "', '{$lang}', '" . db_quote($_POST['quota_name'], true) . "',\n '" . db_quote($_POST['quotals_message_' . $lang], true) . "', '" . QUEXS_URL . "rs_quota_end.php" . "',\n '" . QUEXS_URL . "rs_quota_end.php" . "')";
/**
 * Sanitize $var for XSS, JS, and HTML.
 *
 * The value is first passed through self::cleaned() and the result is then
 * run through a default-configured InputFilter.
 *
 * @param mixed $var - variable to sanitize
 * @return mixed a sanitized variable filtered for XSS and any blacklisted javascript/html tags
 */
public static function Filter($var)
{
    $preCleaned = self::cleaned($var);
    $inputFilter = new InputFilter();

    return $inputFilter->process($preCleaned);
}
/**
 * Gets the value of a user state variable, refreshing it from the request first.
 *
 * A value present in $_REQUEST under $req_name always replaces the stored state;
 * otherwise the default is stored only when no state exists yet. The stored value
 * is run through a default InputFilter before it is returned.
 *
 * @param string $var_name    The name of the user state variable
 * @param string $req_name    The name of the variable passed in a request
 * @param mixed  $var_default The default value for the variable if not found
 * @return mixed the filtered state value, or null when no user state array exists
 */
function getUserStateFromRequest($var_name, $req_name, $var_default = null)
{
    if (!is_array($this->_userstate)) {
        return null;
    }

    if (isset($_REQUEST[$req_name])) {
        // the current request wins over whatever was stored before
        $this->setUserState($var_name, $_REQUEST[$req_name]);
    } elseif (!isset($this->_userstate[$var_name])) {
        $this->setUserState($var_name, $var_default);
    }

    // filter input: the filtered copy is written back over the stored value
    $filter = new InputFilter();
    $filtered = $filter->process($this->_userstate[$var_name]);
    $this->_userstate[$var_name] = $filtered;

    return $filtered;
}
//anti Cache pour HTTP/1.0 header("Pragma: no-cache"); if (isset($_POST['coursmod']) && isset($_POST['afmod']) && isset($_POST['cibl'])) { if (get_magic_quotes_gpc()) { require_once "/usr/share/lcs/Plugins/Cdt/Includes/class.inputfilter_clean.php"; } else { require_once '../Includes/htmlpur/library/HTMLPurifier.auto.php'; } // Connexion a la base de donnees require_once '../Includes/config.inc.php'; if (get_magic_quotes_gpc()) { $Contenucours = htmlentities($_POST['coursmod']); $Contenuaf = htmlentities($_POST['afmod']); $Cib = htmlentities($_POST['cibl']); $oMyFilter = new InputFilter($aAllowedTags, $aAllowedAttr, 0, 0, 1); $cont1 = $oMyFilter->process($Contenucours); $cont2 = $oMyFilter->process($Contenuaf); $cible = $oMyFilter->process($Cib); } else { // htlmpurifier $Contenucours = $_POST['coursmod']; $Contenuaf = $_POST['afmod']; $Cib = addSlashes($_POST['cibl']); $config = HTMLPurifier_Config::createDefault(); //$config->set('Core.Encoding', 'ISO-8859-15'); $config->set('HTML.Doctype', 'XHTML 1.0 Strict'); $purifier = new HTMLPurifier($config); //$Cours = addSlashes($Cours); $cont1 = $purifier->purify($Contenucours); $cont1 = utf8_decode(mysqli_real_escape_string($dbc, $cont1)); $cont2 = $purifier->purify($Contenuaf);
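/**
 * Test the process() method.
 *
 * process() is called statically, and each `@new InputFilter(...)` below changes
 * what the following calls return, so the steps depend on their order.
 * Assertions use PHPUnit's (expected, actual) argument order so that failure
 * messages report the two sides correctly.
 */
public function testProcess()
{
    // Trivial case, nothing to clean
    @new InputFilter();
    $this->assertEquals('foo', InputFilter::process('foo'));
    $this->assertEquals(array('foo', 'bar'), InputFilter::process(array('foo', 'bar')));

    // Default constructor removes all tags
    $this->assertEquals('foobar', InputFilter::process('<ok>foobar</ok>'));

    // Allow all but blacklisted tags and attributes
    @new InputFilter(array(), array(), 1, 1, 1);

    // Irregular tag names are always filtered out
    $this->assertEquals('foobarmumble', InputFilter::process('foo<#$>bar</#$>mumble'));

    // $xssAuto=1 filters blacklisted tags and attributes
    $this->assertEquals('foobar', InputFilter::process('<body>foobar</body>'));
    $this->assertEquals('<ok>foobar</ok>', InputFilter::process('<ok action="yes">foobar</ok>'));

    // With $xssAuto off, blacklisted tags and attributes are allowed
    @new InputFilter(array(), array(), 1, 1, 0);
    $this->assertEquals('<body>foobar</body>', InputFilter::process('<body>foobar</body>'));
    $this->assertEquals('<ok action="yes">foobar</ok>', InputFilter::process('<ok action="yes">foobar</ok>'));

    // tagMethod=1 permits all but listed tags
    @new InputFilter(array('foo'), array(), 1, 1, 0);
    $this->assertEquals('mumble<bar>grumble</bar>', InputFilter::process('<foo>mumble</foo><bar>grumble</bar>'));

    // tagMethod=0 permits only listed tags
    @new InputFilter(array('foo'), array(), 0, 1, 0);
    $this->assertEquals('<foo>mumble</foo>grumble', InputFilter::process('<foo>mumble</foo><bar>grumble</bar>'));

    // attrMethod=1 permits all but listed attributes
    @new InputFilter(array(), array('dangerous'), 1, 1, 0);
    $this->assertEquals('<foo safe="1">mumble</foo>', InputFilter::process('<foo safe="1" dangerous="1">mumble</foo>'));

    // attrMethod=0 permits only listed attributes
    @new InputFilter(array(), array('dangerous'), 1, 0, 0);
    $this->assertEquals('<foo dangerous="1">mumble</foo>', InputFilter::process('<foo safe="1" dangerous="1">mumble</foo>'));

    // accept only known safe tags and attributes
    @new InputFilter(array('div', 'span', 'strong', 'em'), array('id', 'class'), 0, 0, 0);
    $this->assertEquals(
        'mumble<span class="error">grumble</span>burfl',
        InputFilter::process('<body class="full">mumble<span class="error" color="red">' . 'grumble</span>burfl</body>')
    );
}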
/**
 * Removes illegal tags and attributes from html input.
 *
 * Builds an InputFilter with no user-defined tag or attribute lists and
 * tagsMethod=1 / attrMethod=1 (in the InputFilter constructor, method 1
 * means "allow all but the listed ones"), then runs $html through it.
 *
 * @param string $html raw html
 * @return mixed the filtered html as returned by InputFilter::process()
 */
function inputFilter($html)
{
    $tagsMethod = 1;
    $attrMethod = 1;
    $filter = new InputFilter(array(), array(), $tagsMethod, $attrMethod);

    return $filter->process($html);
}