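 /**
  * Overloaded check(): validate this weblink record before it is stored.
  *
  * Sets $this->_error and returns false when InputFilter rejects the URL as an
  * href value, when the title is blank, or when another weblink in the same
  * category already carries this title. A URL without an http://, https:// or
  * ftp:// scheme is prefixed with http://.
  *
  * @return boolean true when the record may be saved, false otherwise
  */
 function check()
 {
     // filter malicious code from every field except 'params'
     $ignoreList = array('params');
     $this->filter($ignoreList);
     // specific filters: reject values that are not acceptable as an href
     $iFilter = new InputFilter();
     if ($iFilter->badAttributeValue(array('href', $this->url))) {
         $this->_error = 'Please provide a valid URL';
         return false;
     }
     // check for valid name
     if (trim($this->title) === '') {
         $this->_error = _WEBLINK_TITLE;
         return false;
     }
     // Prepend a scheme when none of the accepted ones leads the URL.
     // The previous preg_match('http://', ...) calls had no pattern delimiters,
     // so they never matched and every URL was prefixed with http://.
     if (!preg_match('#^(https?|ftp)://#i', $this->url)) {
         $this->url = 'http://' . $this->url;
     }
     // check for an existing weblink with the same title in this category
     $query = "SELECT id" . "\n FROM #__weblinks " . "\n WHERE title = " . $this->_db->Quote($this->title) . "\n AND catid = " . (int) $this->catid;
     $this->_db->setQuery($query);
     $xid = intval($this->_db->loadResult());
     // a hit on another id means the title is taken; a hit on our own id is an update
     if ($xid && $xid != intval($this->id)) {
         $this->_error = _WEBLINK_EXIST;
         return false;
     }
     return true;
 }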
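/**
 * Utility function: redirect the browser to another URL, optionally carrying a
 * message in the "extmsg" query parameter.
 *
 * Never returns: the script exits once the redirect has been emitted.
 *
 * @param string $url Target URL. It is passed through InputFilter and falls
 *                    back to $GLOBALS['home_dir'] when it is rejected as an
 *                    href value.
 * @param string $msg Optional message, appended URL-encoded as extmsg
 */
function extRedirect($url, $msg = '')
{
    // specific filters
    $iFilter = new InputFilter();
    $url = $iFilter->process($url);
    if (!empty($msg)) {
        $msg = $iFilter->process($msg);
    }
    // Keep only the first line. A CR/LF inside $url would otherwise end the
    // Location header early and let the remainder inject further headers.
    $url = preg_split("/[\r\n]/", $url);
    $url = $url[0];
    if ($iFilter->badAttributeValue(array('href', $url))) {
        $url = $GLOBALS['home_dir'];
    }
    if (trim($msg)) {
        // compare against false: a '?' at offset 0 is falsy and was mis-detected before
        $separator = (strpos($url, '?') !== false) ? '&' : '?';
        $url .= $separator . 'extmsg=' . urlencode($msg);
    }
    if (headers_sent()) {
        // Headers are already out, so fall back to a client-side redirect.
        // Percent-encode the characters that could close the JS string literal
        // or the script element; they are not meaningful in a URL anyway.
        $jsUrl = str_replace(array('\\', "'", '<', '>'), array('%5C', '%27', '%3C', '%3E'), $url);
        echo "<script>document.location.href='{$jsUrl}';</script>\n";
    } else {
        @ob_end_clean();
        // clear output buffer
        header('HTTP/1.1 301 Moved Permanently');
        header("Location: " . $url);
    }
    exit;
}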
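 /**
  * Internal method to strip a tag of certain attributes
  *
  * Each entry of $attrSet is one raw "name=value" fragment of a tag. Names that
  * are not purely alphabetic are dropped; when xssAuto is set, blacklisted names
  * and on* event handlers are dropped as well. Values are normalised (entity
  * prefixes, whitespace, quotes and slashes removed) and attributes whose value
  * InputFilter::badAttributeValue() rejects are dropped. A surviving attribute is
  * kept when it is listed in attrArray and attrMethod is false, or unlisted and
  * attrMethod is true.
  *
  * @access	protected
  * @param	array	$attrSet	Array of attribute pairs to filter
  * @return	array	$newSet		Filtered array of attribute pairs, each as name="value"
  */
 function filterAttr($attrSet)
 {
     $newSet = array();
     $count = count($attrSet);
     for ($i = 0; $i < $count; $i++) {
         // skip blank spaces
         if (!$attrSet[$i]) {
             continue;
         }
         // split into name/value pairs; bare attributes have no value part
         $attrSubSet = explode('=', trim($attrSet[$i]), 2);
         list($attrSubSet[0]) = explode(' ', $attrSubSet[0]);
         $attrName = strtolower($attrSubSet[0]);
         $attrValue = isset($attrSubSet[1]) ? $attrSubSet[1] : null;
         /*
          * Remove all "non-regular" attribute names AND blacklisted attributes.
          * eregi() was removed in PHP 7, so preg_match() with the i modifier
          * replaces it; the name must be non-empty so that a stray "=value"
          * fragment cannot produce an attribute without a name. The on* test is
          * made on the lowercased name so that mixed case cannot slip past it.
          */
         if (!preg_match('/^[a-z]+$/i', $attrSubSet[0])
             || ($this->xssAuto && (in_array($attrName, $this->attrBlacklist) || substr($attrName, 0, 2) == 'on'))) {
             continue;
         }
         // XSS attribute value filtering
         if ($attrValue) {
             // strips unicode, hex, etc
             $attrValue = str_replace('&#', '', $attrValue);
             // strip normal newline within attr value
             $attrValue = preg_replace('/\s+/', '', $attrValue);
             // strip double quotes
             $attrValue = str_replace('"', '', $attrValue);
             // convert single quotes from either side to doubles (single quotes shouldn't be used to pad attr value)
             if (substr($attrValue, 0, 1) == "'" && substr($attrValue, -1) == "'") {
                 $attrValue = substr($attrValue, 1, strlen($attrValue) - 2);
             }
             // strip slashes
             $attrValue = stripslashes($attrValue);
             $attrSubSet[1] = $attrValue;
         }
         // Autostrip script tags
         if (InputFilter::badAttributeValue($attrSubSet)) {
             continue;
         }
         // Is our attribute in the user input array?
         $attrFound = in_array($attrName, $this->attrArray);
         // If the tag is allowed lets keep it
         if ((!$attrFound && $this->attrMethod) || ($attrFound && !$this->attrMethod)) {
             if ($attrValue) {
                 // attribute with a value
                 $newSet[] = $attrSubSet[0] . '="' . $attrValue . '"';
             } elseif ($attrValue == "0") {
                 // special case: the value "0" is falsy but must be preserved
                 $newSet[] = $attrSubSet[0] . '="0"';
             } else {
                 // bare attribute: emit it in name="name" form
                 $newSet[] = $attrSubSet[0] . '="' . $attrSubSet[0] . '"';
             }
         }
     }
     return $newSet;
 }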
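/**
 * Redirect the browser to $url, optionally queueing a message first.
 *
 * Never returns: $mainframe->close() ends the request.
 *
 * @param string $url       Target URL. When the InputFilter class is available
 *                          it is filtered and replaced by
 *                          $GLOBALS['shConfigLiveSite'] if rejected as an href.
 * @param string $msg       Optional message enqueued on the application
 * @param string $redirKind HTTP status to send: '302', '303' or (default) '301'
 * @param string $msgType   Message type handed to enqueueMessage()
 */
function shRedirect($url, $msg = '', $redirKind = '301', $msgType = 'message')
{
    global $mainframe;
    $sefConfig =& shRouter::shGetConfig();
    // specific filters
    if (class_exists('InputFilter')) {
        $iFilter = new InputFilter();
        $url = $iFilter->process($url);
        if (!empty($msg)) {
            $msg = $iFilter->process($msg);
        }
        if ($iFilter->badAttributeValue(array('href', $url))) {
            $url = $GLOBALS['shConfigLiveSite'];
        }
    }
    // Keep only the first line. A CR/LF inside $url would otherwise end the
    // Location header early and let the remainder inject further headers.
    $url = preg_split("/[\r\n]/", $url);
    $url = $url[0];
    // If the message exists, enqueue it
    if (JString::trim($msg)) {
        $mainframe->enqueueMessage($msg, $msgType);
    }
    // Persist messages if they exist
    if (count($mainframe->_messageQueue)) {
        $session =& JFactory::getSession();
        $session->set('application.queue', $mainframe->_messageQueue);
    }
    if (headers_sent()) {
        // Headers are already out, so fall back to a client-side redirect.
        // Percent-encode the characters that could close the JS string literal
        // or the script element; they are not meaningful in a URL anyway.
        $jsUrl = str_replace(array('\\', "'", '<', '>'), array('%5C', '%27', '%3C', '%3E'), $url);
        echo "<script>document.location.href='{$jsUrl}';</script>\n";
    } else {
        @ob_end_clean();
        // clear output buffer
        switch ($redirKind) {
            case '302':
                $redirHeader = 'HTTP/1.1 302 Moved Temporarily';
                break;
            case '303':
                $redirHeader = 'HTTP/1.1 303 See Other';
                break;
            default:
                $redirHeader = 'HTTP/1.1 301 Moved Permanently';
                break;
        }
        header($redirHeader);
        header("Location: " . $url);
    }
    $mainframe->close();
}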
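/**
 * Redirect the browser to $url, optionally queueing a message first.
 *
 * Never returns: $mainframe->close() ends the request.
 *
 * @param string $url       Target URL. When the InputFilter class is available
 *                          it is filtered and replaced by the default live site
 *                          if rejected as an href value.
 * @param string $msg       Optional message enqueued on the application
 * @param string $redirKind HTTP status to send: '302', '303' or (default) '301'
 * @param string $msgType   Message type handed to enqueueMessage()
 */
function shRedirect( $url, $msg='', $redirKind = '301', $msgType='message' ) {

  $mainframe = JFactory::getApplication();
  $sefConfig = & Sh404sefFactory::getConfig();

  // specific filters
  if (class_exists('InputFilter')) {
    $iFilter = new InputFilter();
    $url = $iFilter->process( $url );
    if (!empty($msg)) {
      $msg = $iFilter->process( $msg );
    }

    if ($iFilter->badAttributeValue( array( 'href', $url ))) {
      $url = Sh404sefFactory::getPageInfo()->getDefaultLiveSite();
    }
  }

  // Keep only the first line. A CR/LF inside $url would otherwise end the
  // Location header early and let the remainder inject further headers.
  $url = preg_split("/[\r\n]/", $url);
  $url = $url[0];

  // If the message exists, enqueue it
  if (JString::trim( $msg )) {
    $mainframe->enqueueMessage($msg, $msgType);
  }

  // Persist messages if they exist
  $queue = $mainframe->getMessageQueue();
  if (count($queue)) {
    $session = JFactory::getSession();
    $session->set('application.queue', $queue);
  }

  $document = JFactory::getDocument();
  @ob_end_clean(); // clear output buffer
  if (headers_sent()) {
    // Headers are already out, so fall back to a client-side redirect.
    // Percent-encode the characters that could close the JS string literal
    // or the script element; they are not meaningful in a URL anyway.
    $jsUrl = str_replace(array('\\', "'", '<', '>'), array('%5C', '%27', '%3C', '%3E'), $url);
    echo '<html><head><meta http-equiv="content-type" content="text/html; charset='.$document->getCharset().'" /><script>document.location.href=\''.$jsUrl.'\';</script></head><body></body></html>';
  } else {
    switch ($redirKind) {
      case '302':
        $redirHeader ='HTTP/1.1 302 Moved Temporarily';
        break;
      case '303':
        $redirHeader ='HTTP/1.1 303 See Other';
        break;
      default:
        $redirHeader = 'HTTP/1.1 301 Moved Permanently';
      break;
    }
    header( 'Cache-Control: no-cache');  // prevent Firefox5+ and IE9+ to consider this a cacheable redirect
    header( $redirHeader );
    header( 'Location: ' . $url );
    header( 'Content-Type: text/html; charset='.$document->getCharset());
  }
  $mainframe->close();
}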
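 /**
  * Internal method to strip a tag of certain attributes
  *
  * Each entry of $attrSet is one raw "name=value" fragment of a tag. Names that
  * are not purely alphabetic are dropped; when xssAuto is set, blacklisted names
  * and on* event handlers are dropped as well. Values are normalised (entity
  * prefixes, whitespace, quotes and slashes removed) and attributes whose value
  * InputFilter::badAttributeValue() rejects are dropped. A surviving attribute is
  * kept when it is listed in attrArray and attrMethod is false, or unlisted and
  * attrMethod is true.
  *
  * NOTE(review): the listing this was taken from lacked the closing brace of the
  * name check, so everything after its `continue` was unreachable and the method
  * returned from inside the loop; the brace is restored here.
  *
  * @access	protected
  * @param	array	$attrSet	Array of attribute pairs to filter
  * @return	array	$newSet		Filtered array of attribute pairs, each as name="value"
  */
 function filterAttr($attrSet)
 {
     $newSet = array();
     $count = count($attrSet);
     for ($i = 0; $i < $count; $i++) {
         // skip blank spaces
         if (!$attrSet[$i]) {
             continue;
         }
         // split into name/value pairs; bare attributes have no value part
         $attrSubSet = explode('=', trim($attrSet[$i]), 2);
         list($attrSubSet[0]) = explode(' ', $attrSubSet[0]);
         $attrName = strtolower($attrSubSet[0]);
         $attrValue = isset($attrSubSet[1]) ? $attrSubSet[1] : null;
         /*
          * Remove all "non-regular" attribute names AND blacklisted attributes.
          * The name must be non-empty so that a stray "=value" fragment cannot
          * produce an attribute without a name; the on* test is made on the
          * lowercased name so that mixed case cannot slip past it.
          */
         if (!preg_match('/^[a-z]+$/i', $attrSubSet[0])
             || ($this->xssAuto && (in_array($attrName, $this->attrBlacklist) || substr($attrName, 0, 2) == 'on'))) {
             continue;
         }
         // XSS attribute value filtering
         if ($attrValue) {
             // strips unicode, hex, etc
             $attrValue = str_replace('&#', '', $attrValue);
             // strip normal newline within attr value
             $attrValue = preg_replace('/\s+/', '', $attrValue);
             // strip double quotes
             $attrValue = str_replace('"', '', $attrValue);
             // convert single quotes from either side to doubles (single quotes shouldn't be used to pad attr value)
             if (substr($attrValue, 0, 1) == "'" && substr($attrValue, -1) == "'") {
                 $attrValue = substr($attrValue, 1, strlen($attrValue) - 2);
             }
             // strip slashes
             $attrValue = stripslashes($attrValue);
             $attrSubSet[1] = $attrValue;
         }
         // Autostrip script tags
         if (InputFilter::badAttributeValue($attrSubSet)) {
             continue;
         }
         // Is our attribute in the user input array?
         $attrFound = in_array($attrName, $this->attrArray);
         // If the tag is allowed lets keep it
         if ((!$attrFound && $this->attrMethod) || ($attrFound && !$this->attrMethod)) {
             if ($attrValue) {
                 // attribute with a value
                 $newSet[] = $attrSubSet[0] . '="' . $attrValue . '"';
             } elseif ($attrValue == "0") {
                 // special case: the value "0" is falsy but must be preserved
                 $newSet[] = $attrSubSet[0] . '="0"';
             } else {
                 // bare attribute: emit it in name="name" form
                 $newSet[] = $attrSubSet[0] . '="' . $attrSubSet[0] . '"';
             }
         }
     }
     return $newSet;
 }
 /**
  * Method to be called by another php script. Processes for SQL injection
  *
  * Only strings are escaped: a string is decoded and quoted, an array has each
  * top-level string element decoded and quoted in place (nested arrays and
  * non-string elements are left untouched), and any other value is returned as
  * given.
  *
  * @access	public
  * @param	mixed		$source	input string/array-of-string to be 'cleaned'
  * @param	resource	$connection - An open MySQL connection
  * @return	mixed		'cleaned' version of input parameter
  */
 function safeSQL($source, &$connection)
 {
     // clean all elements in this array
     if (is_array($source)) {
         foreach ($source as $key => $value) {
             // filter element for SQL injection
             if (is_string($value)) {
                 $source[$key] = $this->quoteSmart($this->decode($value), $connection);
             }
         }
         return $source;
     }
     // clean this string
     if (is_string($source)) {
         return $this->quoteSmart($this->decode($source), $connection);
     }
     // return parameter as given
     return $source;
 }
 /**
  * Method to escape a string
  *
  * @author	Chris Tobin
  * @author	Daniel Morris
  *
  * @access	protected
  * @param	string		$source
  * @param	resource	$connection		An open MySQL connection
  * @return	string		Escaped string
  */
 function quoteSmart($source, &$connection)
 {
     // Strip escaping slashes if necessary. get_magic_quotes_gpc() no longer
     // exists on PHP 8, so only consult it where it is defined.
     if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
         $source = stripslashes($source);
     }
     // Escape numeric and text values
     return $this->escapeString($source, $connection);
 }
 /**
  * Escape a string for use in a MySQL statement.
  *
  * NOTE(review): this relies on the mysql_* extension, which was removed in
  * PHP 7. On a mysqli/PDO stack the caller has to supply the driver's escaping,
  * or better, bind the value as a statement parameter instead.
  *
  * @author	Chris Tobin
  * @author	Daniel Morris
  *
  * @access	protected
  * @param	string		$string
  * @param	resource	$connection		An open MySQL connection; when it is a
  *                                     valid resource the escaping is done
  *                                     for that link's character set
  * @return	string		Escaped string
  */
 function escapeString($string, &$connection)
 {
     // Use the appropriate escape function depending upon which version of php
     // you are running
     if (version_compare(phpversion(), '4.3.0', '<')) {
         return mysql_escape_string($string);
     }
     // Escape for the link we were handed rather than for whichever link was
     // opened last; fall back to the default link when none was supplied.
     if (is_resource($connection)) {
         return mysql_real_escape_string($string, $connection);
     }
     return mysql_real_escape_string($string);
 }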
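 /**
  * Internal method to strip a tag of certain attributes
  *
  * Each entry of $attrSet is one raw "name=value" fragment of a tag. Names that
  * are not purely alphabetic are dropped; when xssAuto is set, blacklisted names
  * and on* event handlers are dropped as well. Values are normalised and
  * attributes whose value InputFilter::badAttributeValue() rejects are dropped.
  * A surviving attribute is kept when it is listed in attrArray and attrMethod
  * is false, or unlisted and attrMethod is true.
  *
  * @access protected
  * @param Array $attrSet raw attribute fragments of one tag
  * @return Array $newSet filtered attributes, each as name="value"
  */
 function filterAttr($attrSet)
 {
     $newSet = array();
     $count = count($attrSet);
     // process attributes
     for ($i = 0; $i < $count; $i++) {
         // skip blank spaces in tag
         if (!$attrSet[$i]) {
             continue;
         }
         // split into attr name and value; bare attributes have no value part
         $attrSubSet = explode('=', trim($attrSet[$i]), 2);
         list($attrSubSet[0]) = explode(' ', $attrSubSet[0]);
         $attrName = strtolower($attrSubSet[0]);
         $attrValue = isset($attrSubSet[1]) ? $attrSubSet[1] : null;
         // removes all "non-regular" attr names AND also attr blacklisted.
         // eregi() was removed in PHP 7, so preg_match() with the i modifier
         // replaces it; the name must be non-empty so that a stray "=value"
         // fragment cannot produce an attribute without a name. The on* test is
         // made on the lowercased name so that mixed case cannot slip past it.
         if (!preg_match('/^[a-z]+$/i', $attrSubSet[0])
             || ($this->xssAuto && (in_array($attrName, $this->attrBlacklist) || substr($attrName, 0, 2) == 'on'))) {
             continue;
         }
         // xss attr value filtering
         if ($attrValue) {
             // strips unicode, hex, etc
             $attrValue = str_replace('&#', '', $attrValue);
             // strip normal newline within attr value
             $attrValue = preg_replace('/\s+/', '', $attrValue);
             // strip double quotes
             $attrValue = str_replace('"', '', $attrValue);
             // convert single quotes from either side to doubles (single quotes shouldn't be used to pad attr value)
             if (substr($attrValue, 0, 1) == "'" && substr($attrValue, -1) == "'") {
                 $attrValue = substr($attrValue, 1, strlen($attrValue) - 2);
             }
             // strip slashes
             $attrValue = stripslashes($attrValue);
             $attrSubSet[1] = $attrValue;
         }
         // auto strip attr's with "javascript:
         if (InputFilter::badAttributeValue($attrSubSet)) {
             continue;
         }
         // if matches user defined array
         $attrFound = in_array($attrName, $this->attrArray);
         // keep this attr on condition
         if ((!$attrFound && $this->attrMethod) || ($attrFound && !$this->attrMethod)) {
             if ($attrValue) {
                 // attr has value
                 $newSet[] = $attrSubSet[0] . '="' . $attrValue . '"';
             } elseif ($attrValue == "0") {
                 // the value "0" is falsy but must be preserved
                 $newSet[] = $attrSubSet[0] . '="0"';
             } else {
                 // bare attribute: emit it in name="name" form
                 $newSet[] = $attrSubSet[0] . '="' . $attrSubSet[0] . '"';
             }
         }
     }
     return $newSet;
 }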
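/**
 * Utility function: redirect the browser to another URL, optionally carrying a
 * message in the "mosmsg" query parameter.
 *
 * Never returns: the script exits once the redirect has been emitted.
 *
 * @param string $url Target URL. It is passed through InputFilter, cut at the
 *                    first line break, and falls back to
 *                    $GLOBALS['mosConfig_live_site'] when rejected as an href.
 * @param string $msg Optional message, appended URL-encoded as mosmsg
 */
function mosRedirect($url, $msg = '')
{
    // specific filters
    $iFilter = new InputFilter();
    $url = $iFilter->process($url);
    if (!empty($msg)) {
        $msg = $iFilter->process($msg);
    }
    // Strip out any line breaks and throw away the rest: a CR/LF in $url would
    // otherwise end the Location header early and allow header injection.
    $url = preg_split("/[\r\n]/", $url);
    $url = $url[0];
    if ($iFilter->badAttributeValue(array('href', $url))) {
        $url = $GLOBALS['mosConfig_live_site'];
    }
    if (trim($msg)) {
        // compare against false: a '?' at offset 0 is falsy and was mis-detected before
        $separator = (strpos($url, '?') !== false) ? '&' : '?';
        $url .= $separator . 'mosmsg=' . urlencode($msg);
    }
    if (headers_sent()) {
        // Headers are already out, so fall back to a client-side redirect.
        // Percent-encode the characters that could close the JS string literal
        // or the script element; they are not meaningful in a URL anyway.
        $jsUrl = str_replace(array('\\', "'", '<', '>'), array('%5C', '%27', '%3C', '%3E'), $url);
        echo "<script>document.location.href='{$jsUrl}';</script>\n";
    } else {
        @ob_end_clean();
        // clear output buffer
        header('HTTP/1.1 301 Movido permanentemente');
        header("Location: " . $url);
    }
    exit;
}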