コード例 #1
0
 /**
  * Clean out any markup that may provide foothold for a cross-site scripting (XSS) attack. * This includes Javascript, frames, etc. This method calls the other stripping methods
  * such as stripJS() and stripFrames(), etc and the only method needed for stripping
  * all XSS-related markup.
  * 
  * @return void
  * @access public
  * @since 12/6/07
  */
 public function cleanXSS()
 {
     $this->clean();
     $safeHtml = new SafeHTML();
     // Add on any special protocals
     foreach ($this->safeProtocals as $protocal) {
         $safeHtml->whiteProtocols[] = $protocal;
     }
     $this->_string = $safeHtml->parse($this->_string);
 }
コード例 #2
0
/**
* ready HTML output
* <br />
* Gets a variable, cleaning it up such that the text is
* shown exactly as expected, except for allowed HTML tags which
* are allowed through
* @author Xaraya development team
* @param var variable to prepare
* @param ...
* @return string/array prepared variable if only one variable passed
* in, otherwise an array of prepared variables
*/
function pnVarPrepHTMLDisplay()
{
    // This search and replace finds the text 'x@y' and replaces
    // it with HTML entities, this provides protection against
    // email harvesters
    //
    // Note that the use of \024 and \022 are needed to ensure that
    // this does not break HTML tags that might be around either
    // the username or the domain name
    static $search = array('/([^\\024])@([^\\022])/se');
    static $replace = array('"&#" .
                            sprintf("%03d", ord("\\1")) .
                            ";&#064;&#" .
                            sprintf("%03d", ord("\\2")) . ";";');
    static $allowedtags = NULL;
    if (!isset($allowedtags)) {
        $allowedhtml = array();
        foreach (pnConfigGetVar('AllowableHTML') as $k => $v) {
            if ($k == '!--') {
                if ($v != 0) {
                    $allowedhtml[] = "{$k}.*?--";
                }
            } else {
                switch ($v) {
                    case 0:
                        break;
                    case 1:
                        $allowedhtml[] = "/?{$k}\\s*/?";
                        break;
                    case 2:
                        // intelligent regex to deal with > in parameters, bug #1782
                        // credits to jln
                        $allowedhtml[] = "/?\\s*{$k}" . "(\\s+[\\w:]+\\s*=\\s*(\"[^\"]*\"|'[^']*'))*" . '\\s*/?';
                        // original version
                        // $allowedhtml[] = "/?$k(\s+[^>]*)?/?";
                        break;
                }
            }
        }
        if (count($allowedhtml) > 0) {
            // 2nd part of bugfix #1782
            $allowedtags = '~<\\s*(' . join('|', $allowedhtml) . ')\\s*>~is';
        } else {
            $allowedtags = '';
        }
    }
    $usesh = pnConfigGetVar('safehtml');
    if ($usesh == '1') {
        // prepare safehtml class
        static $safehtml;
        if (!isset($safehtml)) {
            $safehtml = new SafeHTML();
            $safehtml->attributes = array('dynsrc');
            // removes id and name from the attributes
        }
    }
    $resarray = array();
    foreach (func_get_args() as $var) {
        if ($usesh == '1') {
            static $parsed = array();
            $shakey = sha1($var);
            if (isset($parsed[$shakey])) {
                $var = $parsed[$shakey];
            } else {
                $safehtml->clear();
                $var = $safehtml->parse($var);
                $parsed[$shakey] = $var;
            }
        }
        // Preparse var to mark the HTML that we want
        if (!empty($allowedtags)) {
            $var = preg_replace($allowedtags, "\\1", $var);
        }
        // Prepare var
        $var = htmlspecialchars($var);
        // scramble mailadress
        $var = preg_replace($search, $replace, $var);
        // Fix the HTML that we want
        $var = preg_replace_callback('/\\022([^\\024]*)\\024/', 'pnVarPrepHTMLDisplay__callback', $var);
        // Fix entities if required
        if (pnConfigGetVar('htmlentities')) {
            $var = preg_replace('/&amp;([a-z#0-9]+);/i', "&\\1;", $var);
        }
        // Add to array
        array_push($resarray, $var);
    }
    // Return vars
    if (func_num_args() == 1) {
        return $resarray[0];
    } else {
        return $resarray;
    }
}