/**
 * Runs untrusted markup through the XSS filter and optionally rejects it outright.
 *
 * Xss::process() appears to stand in the literal marker '--TAG NOT ALLOWED--'
 * for any tag it rejects (inferred from the check below; confirm against
 * Xss::process()). With $bThrow enabled that marker is treated as a hard error;
 * with it disabled the marker stays in the returned string, and the caller
 * remains responsible for escaping the result for its output context.
 *
 * @param string $source Raw input that may contain HTML.
 * @param bool   $bThrow Throw instead of returning a string that carries the marker.
 *
 * @return string The filtered string.
 *
 * @throws Exception When $bThrow is true and a rejected tag was found.
 */
public static function xss($source, $bThrow = true)
{
    $filtered = Xss::process($source);

    if (!$bThrow) {
        return $filtered;
    }

    // strstr() yields false when the marker is absent, a non-empty string otherwise.
    if (strstr($filtered, '--TAG NOT ALLOWED--') !== false) {
        throw new Exception('Illegal tags found');
    }

    return $filtered;
}
/**
 * Filters a string for XSS and marks the result as safe markup.
 *
 * Use this only when the value genuinely contains HTML that the browser must
 * render: Twig already HTML-encodes anything that is not marked safe, so
 * calling this needlessly only bloats the safe-string list and raises the odds
 * of unintended side effects. It is meant for results that go into a render
 * array built before rendering starts; otherwise prefer Xss::filter().
 *
 * For admin-level filtering (the Xss::filterAdmin() tag set), either let the
 * render system handle it via #markup in a theme_render render array, or pass
 * Xss::getAdminTagList() as $html_tags here.
 *
 * The input is always filtered, even if it is already marked safe; a caller
 * that wants to skip already-safe strings must check SafeMarkup::isSafe()
 * itself.
 *
 * @param $string
 *   Raw HTML. Everything that could lead to an XSS attack is removed.
 * @param array $html_tags
 *   (optional) Allowed HTML tags. When omitted, the default list of
 *   \Drupal\Component\Utility\Xss::filter() applies.
 *
 * @return string
 *   The XSS-safe string, marked as safe, or an empty string when $string is
 *   not valid UTF-8.
 *
 * @ingroup sanitization
 *
 * @see \Drupal\Component\Utility\Xss::filter()
 * @see \Drupal\Component\Utility\Xss::filterAdmin()
 * @see \Drupal\Component\Utility\Xss::getAdminTagList()
 * @see \Drupal\Component\Utility\SafeMarkup::isSafe()
 */
public static function xssFilter($string, $html_tags = NULL)
{
    // Omitting the second argument lets Xss::filter() apply its own default
    // tag list; passing NULL explicitly is deliberately avoided.
    $filtered = $html_tags === NULL
        ? Xss::filter($string)
        : Xss::filter($string, $html_tags);

    return static::set($filtered);
}
/**
 * Applies the permissive admin-only XSS/HTML filter unless the string is already safe.
 *
 * @param string $string
 *   A string.
 *
 * @return string
 *   The escaped string. A string previously marked safe via self::set() is
 *   returned untouched rather than being escaped a second time.
 *
 * @see \Drupal\Component\Utility\Xss::filterAdmin()
 */
public static function checkAdminXss($string)
{
    if (static::isSafe($string)) {
        return $string;
    }

    return Xss::filterAdmin($string);
}
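<?php

// Application-level filters and error handlers.

// Sanitises all incoming request input before any route runs. This is
// defence in depth on the input side only; views must still escape values
// for their output context (HTML, attribute, JS, URL).
App::before(function ($request) {
    Xss::globalXssClean();
});

App::after(function ($request, $response) {
    //
});

// Maps HTTP error codes to responses. Anything not handled here falls through
// to the framework's default handler.
App::error(function (Exception $exception, $code) {
    switch ($code) {
        case 403:
            return 'Access denied!';
    }

    // Render a per-code layout when one exists. The exception message is
    // handed to the view as data; the template is responsible for escaping it.
    if (View::exists(Helper::layout($code))) {
        return Response::view(Helper::layout($code), ['message' => $exception->getMessage()], $code);
    }
});

// Unmatched routes: prefer the site's own 404 layout, fall back to the
// built-in error404 view.
App::missing(function ($exception) {
    $tpl = View::exists(Helper::layout('404')) ? Helper::layout('404') : 'error404';

    return Response::view($tpl, ['message' => $exception->getMessage()], 404);
});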