/** * This function removes all attributes, if none are allowed for this element. * * If some are allowed it calls kses_hair() to split them further, and then * it builds up new HTML code from the data that kses_hair() returns. It also * removes "<" and ">" characters, if there are any left. One more thing it does * is to check if the tag has a closing XHTML slash, and if it does, it puts one * in the returned code as well. * * @param string $element HTML element/tag * @param string $attr HTML attributes from HTML element to closing HTML element tag * @param array $allowed_html Allowed HTML elements * @param array $allowed_protocols Allowed protocols to keep * @return string Sanitized HTML element */ function kses_attr($element, $attr, $allowed_html, $allowed_protocols) { // Is there a closing XHTML slash at the end of the attributes? $xhtml_slash = ''; if (preg_match('%\\s*/\\s*$%', $attr)) { $xhtml_slash = ' /'; } // Are any attributes allowed at all for this element? if (@count($allowed_html[strtolower($element)]) == 0) { return "<{$element}{$xhtml_slash}>"; } // Split it $attrarr = kses_hair($attr, $allowed_protocols); // Go through $attrarr, and save the allowed attributes for this element // in $attr2 $attr2 = ''; foreach ($attrarr as $arreach) { if (!@isset($allowed_html[strtolower($element)][strtolower($arreach['name'])])) { continue; } // the attribute is not allowed $current = $allowed_html[strtolower($element)][strtolower($arreach['name'])]; if ($current == '') { continue; } // the attribute is not allowed if (!is_array($current)) { $attr2 .= ' ' . $arreach['whole']; } else { // there are some checks $ok = true; foreach ($current as $currkey => $currval) { if (!kses_check_attr_val($arreach['value'], $arreach['vless'], $currkey, $currval)) { $ok = false; break; } } if (strtolower($arreach['name']) == 'style') { $orig_value = $arreach['value']; $value = kses_safecss_filter_attr($orig_value); if (empty($value)) { continue; } $arreach['value'] = $value; $arreach['whole'] = str_replace($orig_value, $value, $arreach['whole']); } if ($ok) { $attr2 .= ' ' . $arreach['whole']; } // it passed them } // if !is_array($current) } // foreach // Remove any "<" or ">" characters $attr2 = preg_replace('/[<>]/', '', $attr2); return "<{$element}{$attr2}{$xhtml_slash}>"; }
function kses_attr($element, $attr, $allowed_html, $allowed_protocols) { # Is there a closing XHTML slash at the end of the attributes? $xhtml_slash = ''; if (preg_match('%\\s/\\s*$%', $attr)) { $xhtml_slash = ' /'; } # Are any attributes allowed at all for this element? if (@count($allowed_html[strtolower($element)]) == 0) { return "<{$element}{$xhtml_slash}>"; } # Split it $attrarr = kses_hair($attr, $allowed_protocols); # Go through $attrarr, and save the allowed attributes for this element # in $attr2 $attr2 = ''; foreach ($attrarr as $arreach) { if (!@isset($allowed_html[strtolower($element)][strtolower($arreach['name'])])) { continue; } # the attribute is not allowed $current = $allowed_html[strtolower($element)][strtolower($arreach['name'])]; if (!is_array($current)) { $attr2 .= ' ' . $arreach['whole']; } else { # there are some checks $ok = true; foreach ($current as $currkey => $currval) { if (!kses_check_attr_val($arreach['value'], $arreach['vless'], $currkey, $currval)) { $ok = false; break; } } if ($ok) { $attr2 .= ' ' . $arreach['whole']; } # it passed them } # if !is_array($current) } # foreach # Remove any "<" or ">" characters $attr2 = preg_replace('/[<>]/', '', $attr2); return "<{$element}{$attr2}{$xhtml_slash}>"; }
function kses_attr($element, $attr, $allowed_html, $allowed_protocols) { ############################################################################### # This function removes all attributes, if none are allowed for this element. # If some are allowed it calls kses_hair() to split them further, and then it # builds up new HTML code from the data that kses_hair() returns. It also # removes "<" and ">" characters, if there are any left. One more thing it # does is to check if the tag has a closing XHTML slash, and if it does, # it puts one in the returned code as well. ############################################################################### # Is there a closing XHTML slash at the end of the attributes? $xhtml_slash = ''; if (preg_match('%\\s/\\s*$%', $attr)) { $xhtml_slash = ' /'; } # Are any attributes allowed at all for this element? if (@count($allowed_html[strtolower($element)]) == 0) { return "<{$element}{$xhtml_slash}>"; } # Split it $attrarr = kses_hair($attr, $allowed_protocols); # Go through $attrarr, and save the allowed attributes for this element # in $attr2 $attr2 = ''; foreach ($attrarr as $arreach) { if (!@isset($allowed_html[strtolower($element)][strtolower($arreach['name'])])) { continue; } # the attribute is not allowed $current = $allowed_html[strtolower($element)][strtolower($arreach['name'])]; if (!is_array($current)) { $attr2 .= ' ' . $arreach['whole']; } else { # there are some checks $ok = true; foreach ($current as $currkey => $currval) { if (!kses_check_attr_val($arreach['value'], $arreach['vless'], $currkey, $currval)) { $ok = false; break; } } if ($ok) { $attr2 .= ' ' . $arreach['whole']; } # it passed them } # if !is_array($current) } # foreach # Remove any "<" or ">" characters $attr2 = preg_replace('/[<>]/', '', $attr2); return "<{$element}{$attr2}{$xhtml_slash}>"; }