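/**
 * This function runs various checks against the attributes.
 *
 * For every attribute of the tag: drop it when $rm_attnames says so,
 * normalise its value (unbackslash, entity-decode, strip whitespace and
 * control characters) so that an obfuscated value cannot slip past the
 * $bad_attvals patterns, apply the $bad_attvals rewrites, and finally turn
 * cid: references into http URLs through sq_cid2http(). The keys of
 * $rm_attnames, $bad_attvals and $add_attr_to_tag are regexes matched
 * against $tagname; the nested keys are regexes matched against the
 * attribute name.
 *
 * @param $tagname String with the name of the tag.
 * @param $attary Array with all tag attributes (attribute name => value).
 * @param $rm_attnames See description for sq_sanitize
 * @param $bad_attvals See description for sq_sanitize
 * @param $add_attr_to_tag See description for sq_sanitize
 * @param $message message object
 * @param $id message id
 * @param $mailbox mailbox name, passed through to sq_cid2http()
 * @return Array with modified attributes.
 */
function sq_fixatts($tagname, $attary, $rm_attnames, $bad_attvals, $add_attr_to_tag, $message, $id, $mailbox)
{
    /**
     * foreach walks a snapshot of $attary, so the unset()/assignments
     * below cannot disturb the iteration. (The previous each()-driven
     * while loop also no longer works: each() was removed in PHP 8.)
     */
    foreach ($attary as $attname => $attvalue) {
        /**
         * See if this attribute should be removed. Once it is gone we
         * must move straight on to the next attribute: the value rewrite
         * and the cid: conversion further down assign into
         * $attary[$attname] and would otherwise re-create the attribute
         * that was just removed (a plain "continue" only left the
         * innermost loop).
         */
        foreach ($rm_attnames as $matchtag => $matchattrs) {
            if (!preg_match($matchtag, $tagname)) {
                continue;
            }
            foreach ($matchattrs as $matchattr) {
                if (preg_match($matchattr, $attname)) {
                    unset($attary[$attname]);
                    continue 3;
                }
            }
        }

        /**
         * Remove any backslashes, entities, and extraneous whitespace.
         */
        $attvalue = sq_unbackslash($attvalue);
        $attvalue = sq_deent($attvalue);
        $attvalue = sq_unspace($attvalue);

        /**
         * Remove \r \n \t \0 " " "\\"
         * The NUL entry is spelled "\0"; the list previously held an empty
         * string in that slot, which str_replace() silently ignores, so
         * NUL bytes were never stripped.
         */
        $attvalue = str_replace(array("\r", "\n", "\t", "\0", " ", "\\"), '', $attvalue);

        /**
         * Now let's run checks on the attvalues.
         * Each matching rule works on the output of the previous one, so a
         * later rule can no longer discard the rewrite an earlier rule made
         * (previously every rule saw the original value and the last match
         * silently won).
         */
        foreach ($bad_attvals as $matchtag => $matchattrs) {
            if (!preg_match($matchtag, $tagname)) {
                continue;
            }
            foreach ($matchattrs as $matchattr => $valary) {
                if (!preg_match($matchattr, $attname)) {
                    continue;
                }
                /**
                 * There are two arrays in valary.
                 * First is matches.
                 * Second one is replacements
                 */
                list($valmatch, $valrepl) = $valary;
                $newvalue = preg_replace($valmatch, $valrepl, $attvalue);
                /**
                 * preg_replace() yields null on a PCRE error; keep the
                 * value we have instead of storing null as the attribute.
                 */
                if ($newvalue !== null && $newvalue !== $attvalue) {
                    $attvalue = $newvalue;
                    $attary[$attname] = $newvalue;
                }
            }
        }

        /**
         * Turn cid: urls into http-friendly ones.
         */
        if (preg_match("/^[\\'\"]\\s*cid:/si", $attvalue)) {
            $attary[$attname] = sq_cid2http($message, $id, $attvalue, $mailbox);
        }
    }

    /**
     * See if we need to append any attributes to this tag.
     */
    foreach ($add_attr_to_tag as $matchtag => $addattary) {
        if (preg_match($matchtag, $tagname)) {
            $attary = array_merge($attary, $addattary);
        }
    }
    return $attary;
}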
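/**
 * This function checks attribute values for entity-encoded values
 * and returns them translated into 8-bit strings so we can run
 * checks on them.
 *
 * Decimal entities (&#NN), hex entities (&#xNN) and backslash escapes
 * (\NN) are decoded by sq_deent() over and over until nothing changes,
 * so a value encoded several layers deep ends up as plain text before the
 * sanitizer's pattern checks look at it. Leading zeros in the entity
 * number and a missing terminating semicolon are accepted, since
 * browsers accept those forms too. Apart from these decoding layers and
 * the final stripslashes() nothing else is altered here.
 *
 * @param $attvalue A string to run entity check against.
 * @return Nothing, modifies a reference value.
 */
function sq_defang(&$attvalue)
{
    /**
     * Skip this if there aren't ampersands or backslashes.
     */
    if (strpos($attvalue, '&') === false && strpos($attvalue, '\\') === false) {
        return;
    }
    /**
     * NOTE(review): the two entity patterns were mis-encoded in the
     * published text of this file; they are restored here as "&#0*NN;"
     * and "&#x0*NN;" -- confirm against the upstream source.
     * The || chain short-circuits on purpose: after the first pattern that
     * changed the value we go round again rather than trying the rest on
     * a now-different string.
     */
    do {
        $changed = sq_deent($attvalue, '/\\&\\#0*(\\d+);*/s')
            || sq_deent($attvalue, '/\\&\\#x0*((\\d|[a-f])+);*/si', true)
            || sq_deent($attvalue, '/\\\\(\\d+)/s', true);
    } while ($changed === true);
    $attvalue = stripslashes($attvalue);
}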
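/**
 * This function checks attribute values for entity-encoded values
 * and returns them translated into 8-bit strings so we can run
 * checks on them.
 *
 * Decimal entities (&#NN), hex entities (&#xNN) and backslash escapes
 * (\NN) are decoded by sq_deent() over and over until nothing changes,
 * so a value encoded several layers deep ends up as plain text before the
 * sanitizer's pattern checks look at it. Leading zeros in the entity
 * number and a missing terminating semicolon are accepted, since
 * browsers accept those forms too. Apart from these decoding layers and
 * the final stripslashes() nothing else is altered here.
 *
 * @param $attvalue A string to run entity check against.
 * @return Nothing, modifies a reference value.
 */
function sq_defang(&$attvalue)
{
    /**
     * Skip this if there aren't ampersands or backslashes.
     */
    if (strpos($attvalue, '&') === false && strpos($attvalue, '\\') === false) {
        return;
    }
    /**
     * Upstream left a note here that dangerous unicode characters ought to
     * be translated to safe values before decoding, otherwise the regular
     * expressions do not match; no such step is implemented in this body.
     *
     * NOTE(review): the two entity patterns were mis-encoded in the
     * published text of this file; they are restored here as "&#0*NN;"
     * and "&#x0*NN;" -- confirm against the upstream source.
     * The || chain short-circuits on purpose: after the first pattern that
     * changed the value we go round again rather than trying the rest on
     * a now-different string.
     */
    do {
        $changed = sq_deent($attvalue, '/\\&\\#0*(\\d+);*/s')
            || sq_deent($attvalue, '/\\&\\#x0*((\\d|[a-f])+);*/si', true)
            || sq_deent($attvalue, '/\\\\(\\d+)/s', true);
    } while ($changed === true);
    $attvalue = stripslashes($attvalue);
}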