/** * Set the URI String * * @access private * @param string * @return string */ private function _set_uri_string($str) { // Filter out control characters $str = remove_invisible_characters($str, FALSE); // If the URI contains only a slash we'll kill it $this->uri_string = $str == '/' ? '' : $str; }
/** * Filename Security * * @param string * @return string */ public function sanitize_filename($str, $relative_path = FALSE) { $bad = array("../", "<!--", "-->", "<", ">", "'", '"', '&', '$', '#', '{', '}', '[', ']', '=', ';', '?', "%20", "%22", "%3c", "%253c", "%3e", "%0e", "%28", "%29", "%2528", "%26", "%24", "%3f", "%3b", "%3d"); if (!$relative_path) { $bad[] = './'; $bad[] = '/'; } $str = remove_invisible_characters($str, FALSE); return stripslashes(str_replace($bad, '', $str)); }
public function common_functions() { echo is_php('5.3'); echo is_really_writable('file.php'); echo config_item('key'); echo set_status_header('200', 'text'); echo remove_invisible_characters('Java\\0script'); echo html_escape(array()); echo get_mimes(); echo is_https(); echo is_cli(); echo function_usable('eval'); }
/** * Escape String * * @access public * @param string * @param bool whether or not the string will be used in a LIKE condition * @return string */ function escape_str($str, $like = FALSE) { if (is_array($str)) { foreach ($str as $key => $val) { $str[$key] = $this->escape_str($val, $like); } return $str; } // Escape single quotes $str = str_replace("'", "''", remove_invisible_characters($str)); // escape LIKE condition wildcards if ($like === TRUE) { $str = str_replace(array($this->_like_escape_chr, '%', '_'), array($this->_like_escape_chr . $this->_like_escape_chr, $this->_like_escape_chr . '%', $this->_like_escape_chr . '_'), $str); } return $str; }
/** * Clean Input Data * * Internal method that aids in escaping data and * standardizing newline characters to PHP_EOL. * * @param string|string[] $str Input string(s) * @return string */ protected function _clean_input_data($str) { if (is_array($str)) { $new_array = array(); foreach (array_keys($str) as $key) { $new_array[$this->_clean_input_keys($key)] = $this->_clean_input_data($str[$key]); } return $new_array; } /* We strip slashes if magic quotes is on to keep things consistent NOTE: In PHP 5.4 get_magic_quotes_gpc() will always return 0 and it will probably not exist in future versions at all. */ if (!is_php('5.4') && get_magic_quotes_gpc()) { $str = stripslashes($str); } // Clean UTF-8 if supported if (UTF8_ENABLED === TRUE) { $str = $this->uni->clean_string($str); } // Remove control characters $str = remove_invisible_characters($str, FALSE); // Standardize newlines if needed if ($this->_standardize_newlines === TRUE) { return preg_replace('/(?:\\r\\n|[\\r\\n])/', PHP_EOL, $str); } return $str; }
/** * Set URI String * * @param string $str * @return void */ protected function _set_uri_string($str) { // Filter out control characters and trim slashes $this->uri_string = trim(remove_invisible_characters($str, FALSE), '/'); if ($this->uri_string !== '') { // Remove the URL suffix, if present if (($suffix = (string) $this->config->item('url_suffix')) !== '') { $slen = strlen($suffix); if (substr($this->uri_string, -$slen) === $suffix) { $this->uri_string = substr($this->uri_string, 0, -$slen); } } $this->segments[0] = NULL; // Populate the segments array foreach (explode('/', trim($this->uri_string, '/')) as $val) { $val = trim($val); // Filter segments for security $this->filter_uri($val); if ($val !== '') { $this->segments[] = $val; } } unset($this->segments[0]); } }
/** * Sanitize Filename * * @param string $str Input file name * @param bool $relative_path Whether to preserve paths * @return string */ public function sanitize_filename($str, $relative_path = FALSE) { $bad = $this->filename_bad_chars; if (!$relative_path) { $bad[] = './'; $bad[] = '/'; } $str = remove_invisible_characters($str, FALSE); do { $old = $str; $str = str_replace($bad, '', $str); } while ($old !== $str); return stripslashes($str); }
/** * Remove ASCII control characters * * Removes all ASCII control characters except horizontal tabs, * line feeds, and carriage returns, as all others can cause * problems in XML * * @access public * @param string * @return string */ function safe_ascii_for_xml($str) { return remove_invisible_characters($str, FALSE); }
/** * 处理输入的值 * sanitizeGlobals() 方法调用 * @access private * @param string * @return string */ private function cleanInputData($str) { if (is_array($str)) { $new_array = array(); foreach ($str as $key => $val) { $new_array[$this->cleanInputKeys($key)] = $this->cleanInputData($val); } return $new_array; } if (!is_php_version('5.4') && get_magic_quotes_gpc()) { $str = stripslashes($str); } // 移除不可见字符 $str = remove_invisible_characters($str); // 移除xss字符 if ($this->enableXss === TRUE) { $str = Secure::xssClean($str); } // 替换换行符为当前系统换行符 if ($this->standardizeNewlines == TRUE) { if (strpos($str, "\r") !== FALSE) { $str = str_replace(array("\r\n", "\r", "\r\n\n"), PHP_EOL, $str); } } return $str; }
public function xss_clean($str, $is_image = FALSE) { /* * Is the string an array? * */ if (is_array($str)) { while (list($key) = each($str)) { $str[$key] = $this->xss_clean($str[$key]); } return $str; } /* * Remove Invisible Characters */ $str = remove_invisible_characters($str); // Validate Entities in URLs $str = $this->_validate_entities($str); /* * URL Decode * * Just in case stuff like this is submitted: * * <a href="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">Google</a> * * Note: Use rawurldecode() so it does not remove plus signs * */ $str = rawurldecode($str); /* * Convert character entities to ASCII * * This permits our tests below to work reliably. * We only convert entities that are within tags since * these are the ones that will pose security problems. * */ $str = preg_replace_callback("/[a-z]+=([\\'\"]).*?\\1/si", array($this, '_convert_attribute'), $str); $str = preg_replace_callback("/<\\w+.*?(?=>|<|\$)/si", array($this, '_decode_entity'), $str); /* * Remove Invisible Characters Again! */ $str = remove_invisible_characters($str); /* * Convert all tabs to spaces * * This prevents strings like this: ja vascript * NOTE: we deal with spaces between characters later. * NOTE: preg_replace was found to be amazingly slow here on * large blocks of data, so we use str_replace. */ if (strpos($str, "\t") !== FALSE) { $str = str_replace("\t", ' ', $str); } /* * Capture converted string for later comparison */ $converted_string = $str; // Remove Strings that are never allowed $str = $this->_do_never_allowed($str); /* * Makes PHP tags safe * * Note: XML tags are inadvertently replaced too: * * <?xml * * But it doesn't seem to pose a problem. */ if ($is_image === TRUE) { // Images have a tendency to have the PHP short opening and // closing tags every so often so we skip those and only // do the long opening tags. $str = preg_replace('/<\\?(php)/i', "<?\\1", $str); } else { $str = str_replace(array('<?', '?' . '>'), array('<?', '?>'), $str); } /* * Compact any exploded words * * This corrects words like: j a v a s c r i p t * These words are compacted back to their correct state. */ $words = array('javascript', 'expression', 'vbscript', 'script', 'base64', 'applet', 'alert', 'document', 'write', 'cookie', 'window'); foreach ($words as $word) { $temp = ''; for ($i = 0, $wordlen = strlen($word); $i < $wordlen; $i++) { $temp .= substr($word, $i, 1) . "\\s*"; } // We only want to do this when it is followed by a non-word character // That way valid stuff like "dealer to" does not become "dealerto" $str = preg_replace_callback('#(' . substr($temp, 0, -3) . ')(\\W)#is', array($this, '_compact_exploded_words'), $str); } /* * Remove disallowed Javascript in links or img tags * We used to do some version comparisons and use of stripos for PHP5, * but it is dog slow compared to these simplified non-capturing * preg_match(), especially if the pattern exists in the string */ // EDIT: 设定是否存在 img标签 $have_img = FALSE; do { $original = $str; if (preg_match("/<a/i", $str)) { $str = preg_replace_callback("#<a\\s+([^>]*?)(>|\$)#si", array($this, '_js_link_removal'), $str); } if (preg_match("/<img/i", $str)) { $str = preg_replace_callback("#<img\\s+([^>\t]*?)(\\s?/?>|\$)#si", array($this, '_js_img_removal'), $str); $have_img = TRUE; } if (preg_match("/script/i", $str) or preg_match("/xss/i", $str)) { $str = preg_replace("#<(/*)(script|xss)(.*?)\\>#si", '[removed]', $str); } } while ($original != $str); unset($original); // Remove evil attributes such as style, onclick and xmlns $str = $this->_remove_evil_attributes($str, $is_image, $have_img); /* * Sanitize naughty HTML elements * * If a tag containing any of the words in the list * below is found, the tag gets converted to entities. * * So this: <blink> * Becomes: <blink> */ // 过滤规则 // $naughty = 'alert|applet|audio|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|isindex|layer|link|meta|object|plaintext|script|textarea|title|video|xml|xss'; $naughty = 'alert|applet|audio|basefont|base|behavior|bgsound|blink|body|expression|form|frameset|frame|head|html|ilayer|iframe|input|isindex|layer|link|meta|object|plaintext|script|textarea|title|video|xml|xss'; $str = preg_replace_callback('#<(/*\\s*)(' . $naughty . ')([^><]*)([><]*)#is', array($this, '_sanitize_naughty_html'), $str); /* * Sanitize naughty scripting elements * * Similar to above, only instead of looking for * tags it looks for PHP and JavaScript commands * that are disallowed. Rather than removing the * code, it simply converts the parenthesis to entities * rendering the code un-executable. * * For example: eval('some code') * Becomes: eval('some code') */ $str = preg_replace('#(alert|cmd|passthru|eval|exec|expression|system|fopen|fsockopen|file|file_get_contents|readfile|unlink)(\\s*)\\((.*?)\\)#si', "\\1\\2(\\3)", $str); // Final clean up // This adds a bit of extra precaution in case // something got through the above filters $str = $this->_do_never_allowed($str); /* * Images are Handled in a Special Way * - Essentially, we want to know that after all of the character * conversion is done whether any unwanted, likely XSS, code was found. * If not, we return TRUE, as the image is clean. * However, if the string post-conversion does not matched the * string post-removal of XSS, then it fails, as there was unwanted XSS * code found and removed/changed during processing. */ if ($is_image === TRUE) { return $str == $converted_string ? TRUE : FALSE; } log_message('debug', "XSS Filtering completed"); return $str; }
/** * Remove ASCII control characters. * * Removes all ASCII control characters except horizontal tabs, * line feeds, and carriage returns, as all others can cause * problems in XML * * @param string * * @return string */ public function safe_ascii_for_xml($str) { return remove_invisible_characters($str, false); }
/** * Set URI String * * @param string $str * @return void */ protected function _set_uri_string($str) { // Filter out control characters and trim slashes $this->uri_string = trim(remove_invisible_characters($str, FALSE), '/'); }
/** * Platform-dependant string escape * * @param string * @return string */ protected function _escape_str($str) { return $this->conn_id->escapeString(remove_invisible_characters($str)); }
/** * Prep data * * Prep all data we need to create an entry * * @access private * @param mixed * @param mixed * @return void */ function _prepare_data(&$data, &$mod_data, $autosave = FALSE) { $this->instantiate('channel_categories'); ee()->api_channel_categories->initialize(array('categories' => array(), 'cat_parents' => array(), 'cat_array' => array())); // Category parents - we toss the rest if (isset($data['category']) and is_array($data['category'])) { foreach ($data['category'] as $cat_id) { ee()->api_channel_categories->cat_parents[] = $cat_id; } if (ee()->api_channel_categories->assign_cat_parent == TRUE) { ee()->api_channel_categories->fetch_category_parents($data['category']); } } // Remove invisible characters from entry title if (isset($data['title'])) { $data['title'] = remove_invisible_characters($data['title']); } unset($data['category']); // Prep y / n values $data['allow_comments'] = isset($data['allow_comments']) && $data['allow_comments'] == 'y' ? 'y' : 'n'; if (isset($data['cp_call']) && $data['cp_call'] == TRUE) { $data['allow_comments'] = ($data['allow_comments'] !== 'y' or $this->c_prefs['comment_system_enabled'] == 'n') ? 'n' : 'y'; } if ($this->c_prefs['enable_versioning'] == 'n') { $data['versioning_enabled'] = 'y'; } else { if (isset($data['versioning_enabled'])) { $data['versioning_enabled'] = 'y'; } else { $data['versioning_enabled'] = 'n'; // In 1.6, this happened right before inserting new revisions, // but it makes more sense here. $this->c_prefs['enable_versioning'] = 'n'; } } $this->instantiate('channel_fields'); $result_array = $this->_get_custom_fields(); foreach ($result_array as $row) { $field_name = 'field_id_' . $row['field_id']; // @todo remove in 2.1.2 // backwards compatible for some incorrect code noticed in a few third party modules. // Will be removed in 2.1.2, and a note to that effect is in the 2.1.1 update notes // $this->field_id should be used instead as documented // http://ellislab.com/expressionengine/user-guide/development/fieldtypes.html#class-variables ee()->api_channel_fields->settings[$row['field_id']]['field_id'] = $row['field_id']; if (isset($data[$field_name]) or isset($mod_data[$field_name])) { ee()->api_channel_fields->setup_handler($row['field_id']); ee()->api_channel_fields->apply('_init', array(array('content_id' => $this->entry_id))); // Break out module fields here if (isset($data[$field_name])) { if (!$autosave) { $data[$field_name] = ee()->api_channel_fields->apply('save', array($data[$field_name])); } } elseif (isset($mod_data[$field_name])) { if (!$autosave) { $mod_data[$field_name] = ee()->api_channel_fields->apply('save', array($mod_data[$field_name])); } } } } }
/** * Escape String * * @access public * @param string * @param bool whether or not the string will be used in a LIKE condition * @return string */ public function escape_str($str, $like = FALSE) { if (is_array($str)) { foreach ($str as $key => $val) { $str[$key] = $this->escape_str($val, $like); } return $str; } $str = remove_invisible_characters($str); if ($like === TRUE) { $str = str_replace(array('%', '_', $this->_like_escape_chr), array($this->_like_escape_chr . '%', $this->_like_escape_chr . '_', $this->_like_escape_chr . $this->_like_escape_chr), $str); } return $str; }
function _clean_input_data($str) { if (is_array($str)) { $new_array = array(); foreach ($str as $key => $val) { $new_array[$this->_clean_input_keys($key)] = $this->_clean_input_data($val); } return $new_array; } if (!is_php('5.4') && get_magic_quotes_gpc()) { $str = stripslashes($str); } if (UTF8_ENABLED === TRUE) { $str = $this->uni->clean_string($str); } $str = remove_invisible_characters($str); if ($this->_enable_xss === TRUE) { $str = $this->security->xss_clean($str); } if ($this->_standardize_newlines == TRUE) { if (strpos($str, "\r") !== FALSE) { $str = str_replace(array("\r\n", "\r", "\r\n\n"), PHP_EOL, $str); } } return $str; }
/** * Escape String. * * @param string * @param bool whether or not the string will be used in a LIKE condition * * @return string */ public function escape_str($str, $like = false) { if (is_array($str)) { foreach ($str as $key => $val) { $str[$key] = $this->escape_str($val, $like); } return $str; } // ODBC doesn't require escaping $str = remove_invisible_characters($str); // escape LIKE condition wildcards if ($like === true) { $str = str_replace(['%', '_', $this->_like_escape_chr], [$this->_like_escape_chr . '%', $this->_like_escape_chr . '_', $this->_like_escape_chr . $this->_like_escape_chr], $str); } return $str; }
/** * XSS Clean * * Sanitizes data so that Cross Site Scripting Hacks can be * prevented. This function does a fair amount of work but * it is extremely thorough, designed to prevent even the * most obscure XSS attempts. Nothing is ever 100% foolproof, * of course, but I haven't been able to get anything passed * the filter. * * Note: This function should only be used to deal with data * upon submission. It's not something that should * be used for general runtime processing. * * This function was based in part on some code and ideas I * got from Bitflux: http://channel.bitflux.ch/wiki/XSS_Prevention * * To help develop this script I used this great list of * vulnerabilities along with a few other hacks I've * harvested from examining vulnerabilities in other programs: * http://ha.ckers.org/xss.html * * @access public * @param mixed string or array * @return string */ public function xss_clean($str, $is_image = FALSE) { /* * Is the string an array? * */ if (is_array($str)) { while (list($key) = each($str)) { $str[$key] = $this->xss_clean($str[$key]); } return $str; } /* * Remove Invisible Characters */ $str = remove_invisible_characters($str); /* * Protect GET variables in URLs */ // 901119URL5918AMP18930PROTECT8198 $str = preg_replace('|\\&([a-z\\_0-9\\-]+)\\=([a-z\\_0-9\\-]+)|i', $this->xss_hash() . "\\1=\\2", $str); /* * Validate standard character entities * * Add a semicolon if missing. We do this to enable * the conversion of entities to ASCII later. * */ $str = preg_replace('#(&\\#?[0-9a-z]{2,})([\\x00-\\x20])*;?#i', "\\1;\\2", $str); /* * Validate UTF16 two byte encoding (x00) * * Just as above, adds a semicolon if missing. * */ $str = preg_replace('#(&\\#x?)([0-9A-F]+);?#i', "\\1\\2;", $str); /* * Un-Protect GET variables in URLs */ $str = str_replace($this->xss_hash(), '&', $str); /* * URL Decode * * Just in case stuff like this is submitted: * * <a href="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">Google</a> * * Note: Use rawurldecode() so it does not remove plus signs * */ $str = rawurldecode($str); /* * Convert character entities to ASCII * * This permits our tests below to work reliably. * We only convert entities that are within tags since * these are the ones that will pose security problems. * */ $str = preg_replace_callback("/[a-z]+=([\\'\"]).*?\\1/si", array($this, '_convert_attribute'), $str); $str = preg_replace_callback("/<\\w+.*?(?=>|<|\$)/si", array($this, '_decode_entity'), $str); /* * Remove Invisible Characters Again! */ $str = remove_invisible_characters($str); /* * Convert all tabs to spaces * * This prevents strings like this: ja vascript * NOTE: we deal with spaces between characters later. * NOTE: preg_replace was found to be amazingly slow here on large blocks of data, * so we use str_replace. * */ if (strpos($str, "\t") !== FALSE) { $str = str_replace("\t", ' ', $str); } /* * Capture converted string for later comparison */ $converted_string = $str; /* * Not Allowed Under Any Conditions */ foreach ($this->never_allowed_str as $key => $val) { $str = str_replace($key, $val, $str); } foreach ($this->never_allowed_regex as $key => $val) { $str = preg_replace("#" . $key . "#i", $val, $str); } /* * Makes PHP tags safe * * Note: XML tags are inadvertently replaced too: * * <?xml * * But it doesn't seem to pose a problem. * */ if ($is_image === TRUE) { // Images have a tendency to have the PHP short opening and closing tags every so often // so we skip those and only do the long opening tags. $str = preg_replace('/<\\?(php)/i', "<?\\1", $str); } else { $str = str_replace(array('<?', '?' . '>'), array('<?', '?>'), $str); } /* * Compact any exploded words * * This corrects words like: j a v a s c r i p t * These words are compacted back to their correct state. * */ $words = array('javascript', 'expression', 'vbscript', 'script', 'applet', 'alert', 'document', 'write', 'cookie', 'window'); foreach ($words as $word) { $temp = ''; for ($i = 0, $wordlen = strlen($word); $i < $wordlen; $i++) { $temp .= substr($word, $i, 1) . "\\s*"; } // We only want to do this when it is followed by a non-word character // That way valid stuff like "dealer to" does not become "dealerto" $str = preg_replace_callback('#(' . substr($temp, 0, -3) . ')(\\W)#is', array($this, '_compact_exploded_words'), $str); } /* * Remove disallowed Javascript in links or img tags * We used to do some version comparisons and use of stripos for PHP5, but it is dog slow compared * to these simplified non-capturing preg_match(), especially if the pattern exists in the string */ do { $original = $str; if (preg_match("/<a/i", $str)) { $str = preg_replace_callback("#<a\\s+([^>]*?)(>|\$)#si", array($this, '_js_link_removal'), $str); } if (preg_match("/<img/i", $str)) { $str = preg_replace_callback("#<img\\s+([^>]*?)(\\s?/?>|\$)#si", array($this, '_js_img_removal'), $str); } if (preg_match("/script/i", $str) or preg_match("/xss/i", $str)) { $str = preg_replace("#<(/*)(script|xss)(.*?)\\>#si", '[removed]', $str); } } while ($original != $str); unset($original); /* * Remove JavaScript Event Handlers * * Note: This code is a little blunt. It removes * the event handler and anything up to the closing >, * but it's unlikely to be a problem. * */ $event_handlers = array('[^a-z_\\-]on\\w*', 'xmlns'); if ($is_image === TRUE) { /* * Adobe Photoshop puts XML metadata into JFIF images, including namespacing, * so we have to allow this for images. -Paul */ unset($event_handlers[array_search('xmlns', $event_handlers)]); } $str = preg_replace("#<([^><]+?)(" . implode('|', $event_handlers) . ")(\\s*=\\s*[^><]*)([><]*)#i", "<\\1\\4", $str); /* * Sanitize naughty HTML elements * * If a tag containing any of the words in the list * below is found, the tag gets converted to entities. * * So this: <blink> * Becomes: <blink> * */ $naughty = 'alert|applet|audio|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|isindex|layer|link|meta|object|plaintext|style|script|textarea|title|video|xml|xss'; $str = preg_replace_callback('#<(/*\\s*)(' . $naughty . ')([^><]*)([><]*)#is', array($this, '_sanitize_naughty_html'), $str); /* * Sanitize naughty scripting elements * * Similar to above, only instead of looking for * tags it looks for PHP and JavaScript commands * that are disallowed. Rather than removing the * code, it simply converts the parenthesis to entities * rendering the code un-executable. * * For example: eval('some code') * Becomes: eval('some code') * */ $str = preg_replace('#(alert|cmd|passthru|eval|exec|expression|system|fopen|fsockopen|file|file_get_contents|readfile|unlink)(\\s*)\\((.*?)\\)#si', "\\1\\2(\\3)", $str); /* * Final clean up * * This adds a bit of extra precaution in case * something got through the above filters * */ foreach ($this->never_allowed_str as $key => $val) { $str = str_replace($key, $val, $str); } foreach ($this->never_allowed_regex as $key => $val) { $str = preg_replace("#" . $key . "#i", $val, $str); } /* * Images are Handled in a Special Way * - Essentially, we want to know that after all of the character conversion is done whether * any unwanted, likely XSS, code was found. If not, we return TRUE, as the image is clean. * However, if the string post-conversion does not matched the string post-removal of XSS, * then it fails, as there was unwanted XSS code found and removed/changed during processing. */ if ($is_image === TRUE) { if ($str == $converted_string) { return TRUE; } else { return FALSE; } } log_message('debug', "XSS Filtering completed"); return $str; }
/** * Set the URI String * * @access public * @param string * @return string */ function _set_uri_string($str) { // Filter out control characters $str = remove_invisible_characters($str, FALSE); // var_dump($GLOBALS['REQUEST']->server['path_info'],$str); // If the URI contains only a slash we'll kill it $this->uri_string = $str == '/' ? '' : $str; }
/** * Clean Input Data * * This is a helper function. It escapes data and * standardizes newline characters to \n * * @access private * @param string * @return string */ function _clean_input_data($str) { if (is_array($str)) { $new_array = array(); foreach ($str as $key => $val) { $new_array[$this->_clean_input_keys($key)] = $this->_clean_input_data($val); } return $new_array; } // We strip slashes if magic quotes is on to keep things consistent if (get_magic_quotes_gpc()) { $str = stripslashes($str); } // Clean UTF-8 if supported if (UTF8_ENABLED === TRUE) { $str = $this->uni->clean_string($str); } // Remove control characters $str = remove_invisible_characters($str); // Should we filter the input data? if ($this->_enable_xss === TRUE) { $str = $this->security->xss_clean($str); } // Standardize newlines if needed if ($this->_standardize_newlines == TRUE) { if (strpos($str, "\r") !== FALSE) { $str = str_replace(array("\r\n", "\r"), "\n", $str); } } return $str; }
public function _set_uri_string($str) { // Filter out control characters and trim slashes $this->uri_string = trim(remove_invisible_characters($str, FALSE), '/'); // Removed by Ivan Tcholakov, 19-JAN-2014. // TODO: This is for supporting HMVC library, resolve at first chance. //if ($this->uri_string !== '') //{ // // Remove the URL suffix, if present // if (($suffix = (string) $this->config->item('url_suffix')) !== '') // { // $slen = strlen($suffix); // // if (substr($this->uri_string, -$slen) === $suffix) // { // $this->uri_string = substr($this->uri_string, 0, -$slen); // } // } // // $this->segments[0] = NULL; // // Populate the segments array // foreach (explode('/', trim($this->uri_string, '/')) as $val) // { // $val = trim($val); // // Filter segments for security // $this->filter_uri($val); // // if ($val !== '') // { // $this->segments[] = $val; // } // } // // unset($this->segments[0]); //} // }
/** * Filename Security. * * @param string * @param bool * * @return string */ public function sanitize_filename($str, $relative_path = false) { $bad = ['../', '<!--', '-->', '<', '>', "'", '"', '&', '$', '#', '{', '}', '[', ']', '=', ';', '?', '%20', '%22', '%3c', '%253c', '%3e', '%0e', '%28', '%29', '%2528', '%26', '%24', '%3f', '%3b', '%3d']; if (!$relative_path) { $bad[] = './'; $bad[] = '/'; } $str = remove_invisible_characters($str, false); return stripslashes(str_replace($bad, '', $str)); }
/** * Platform-dependant string escape * * @param string * @return string */ protected function _escape_str($str) { return remove_invisible_characters($str); }
/** * Clean Input Data * * This is a helper function. It escapes data and * standardizes newline characters to \n * * @access private * @param string * @return string */ function _clean_input_data($str) { if (is_array($str)) { $new_array = array(); foreach ($str as $key => $val) { $new_array[$this->{$key}] = $this->_clean_input_data($val); } return $new_array; } // Clean UTF-8 if supported if (UTF8_ENABLED === TRUE) { $str = $this->uni->clean_string($str); } // Remove control characters $str = remove_invisible_characters($str); // Should we filter the input data? if ($this->_enable_xss === TRUE) { $str = $this->security->xss_clean($str); } // Standardize newlines if needed if ($this->_standardize_newlines == TRUE) { if (strpos($str, "\r") !== FALSE) { $str = str_replace(array("\r\n", "\r", "\r\n\n"), PHP_EOL, $str); } } return $str; }
/** * Platform-dependant string escape * * @param string * @return string */ protected function _escape_str($str) { return str_replace("'", "''", remove_invisible_characters($str)); }
/** * Extend _sanitize_globals to allow css * * For action requests we need to fully allow GET variables, so we set * an exception in EE_Config. For css, we only need that one and it's a * path, so we'll do some stricter cleaning. * * @param string * @return string */ function _sanitize_globals() { $_css = $this->get('css'); parent::_sanitize_globals(); if ($_css) { $_GET['css'] = remove_invisible_characters($_css); } }
/** * Clean Input Data * * This is a helper function. It escapes data and * standardizes newline characters to \n * * @access private * @param string * @return string */ function _clean_input_data($str) { if (is_array($str)) { $new_array = array(); foreach ($str as $key => $val) { $new_array[$this->_clean_input_keys($key)] = $this->_clean_input_data($val); } return $new_array; } /* We strip slashes if magic quotes is on to keep things consistent NOTE: In PHP 5.4 get_magic_quotes_gpc() will always return 0 and it will probably not exist in future versions at all. */ if (!is_php('5.4') && get_magic_quotes_gpc()) { $str = stripslashes($str); } // Clean UTF-8 if supported if (UTF8_ENABLED === TRUE) { $str = $this->uni->clean_string($str); } // Remove control characters $str = remove_invisible_characters($str); // Should we filter the input data? if ($this->_enable_xss === TRUE) { $str = $this->security->xss_clean($str); } // Standardize newlines if needed if ($this->_standardize_newlines == TRUE) { if (strpos($str, "\r") !== FALSE) { $str = str_replace(array("\r\n", "\r", "\r\n\n"), PHP_EOL, $str); } } return $str; }
function _set_uri_string($str) { $str = remove_invisible_characters($str, FALSE); $this->uri_string = $str == '/' ? '' : $str; }
/** * Sanitize Filename * * @param string $str Input file name * @param bool $relative_path Whether to preserve paths * @return string */ public function sanitize_filename($str, $relative_path = FALSE) { $bad = array('../', '<!--', '-->', '<', '>', "'", '"', '&', '$', '#', '{', '}', '[', ']', '=', ';', '?', '%20', '%22', '%3c', '%253c', '%3e', '%0e', '%28', '%29', '%2528', '%26', '%24', '%3f', '%3b', '%3d'); if (!$relative_path) { $bad[] = './'; $bad[] = '/'; } $str = remove_invisible_characters($str, FALSE); do { $old = $str; $str = str_replace($bad, '', $str); } while ($old !== $str); return stripslashes($str); }
private function direction_check($str) { $r = remove_invisible_characters($str); $r = html_escape($r); return strip_tags($r); }