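/**
 * Method to be called by another php script. Processes for XSS and
 * specified bad code.
 *
 * Every type is an allow-list: characters outside it are dropped, not
 * escaped, so a result is only safe in the context its type was designed
 * for (CMD yields a bare command name, never a full shell line; PATH a
 * relative path of plain segments). STRING and the default type delegate
 * to _decode()/_remove() on the filter instance, which live elsewhere in
 * this class.
 *
 * @access public
 * @param mixed  $source Input string/array-of-string to be 'cleaned'
 * @param string $type   Return type for the variable (INT, FLOAT, BOOLEAN, WORD,
 *                       ALNUM, CMD, BASE64, STRING, ARRAY, PATH, USERNAME, NONE).
 *                       Unknown names (including NONE) take the default branch.
 * @return mixed 'Cleaned' version of input parameter
 * @static May be called statically; the shared getInstance() object then
 *         supplies _decode()/_remove().
 */
function clean($source, $type = 'string')
{
    // (string) cast keeps strtoupper() happy when $type is null (PHP 8.1+
    // deprecates a null argument); null still selects the default branch.
    switch (strtoupper((string) $type)) {
        case 'INT':
        case 'INTEGER':
            // Only use the first integer value; no digits at all yields 0
            // (previously reached via an @-suppressed undefined offset).
            preg_match('/-?[0-9]+/', (string) $source, $matches);
            $result = isset($matches[0]) ? (int) $matches[0] : 0;
            break;

        case 'FLOAT':
        case 'DOUBLE':
            // Only use the first floating point value, 0.0 when none found.
            preg_match('/-?[0-9]+(\\.[0-9]+)?/', (string) $source, $matches);
            $result = isset($matches[0]) ? (float) $matches[0] : 0.0;
            break;

        case 'BOOL':
        case 'BOOLEAN':
            // Plain PHP truthiness: '0' and '' are false, but 'false' is true.
            $result = (bool) $source;
            break;

        case 'WORD':
            // Letters and underscore only. $source is cast first so an array
            // or null subject cannot reach preg_replace().
            $result = (string) preg_replace('/[^A-Z_]/i', '', (string) $source);
            break;

        case 'ALNUM':
            $result = (string) preg_replace('/[^A-Z0-9]/i', '', (string) $source);
            break;

        case 'CMD':
            // Keep [A-Z0-9_.-] only (path separators are stripped, not
            // rejected), then refuse a leading dot so the result is a plain
            // name. Interior dots ('a..b') are still allowed.
            $result = (string) preg_replace('/[^A-Z0-9_\\.-]/i', '', (string) $source);
            $result = ltrim($result, '.');
            break;

        case 'BASE64':
            // Character-set filter only; padding and length are not validated.
            $result = (string) preg_replace('/[^A-Z0-9\\/+=]/i', '', (string) $source);
            break;

        case 'STRING':
            // Prefer this object's configuration when called on an instance
            // (or subclass), otherwise fall back to the shared instance.
            // isset($this) is safe in static context; is_object($this) is not.
            $filter = (isset($this) && $this instanceof Xmf_Filter_Input)
                ? $this
                : Xmf_Filter_Input::getInstance();
            $result = (string) $filter->_remove($filter->_decode((string) $source));
            break;

        case 'ARRAY':
            $result = (array) $source;
            break;

        case 'PATH':
            // Whole-value match, unlike the strip-based types: a relative
            // path whose segments each start with [A-Za-z0-9_-], so a leading
            // separator, a '.'/'..' segment, whitespace or any other
            // character makes the entire input fail and yields ''.
            $pattern = '/^[A-Za-z0-9_-]+[A-Za-z0-9_\\.-]*([\\\\\\/][A-Za-z0-9_-]+[A-Za-z0-9_\\.-]*)*$/';
            preg_match($pattern, (string) $source, $matches);
            $result = isset($matches[0]) ? (string) $matches[0] : '';
            break;

        case 'USERNAME':
            // Drop C0/DEL control characters and the HTML/URL-sensitive set <>"'%&.
            $result = (string) preg_replace('/[\\x00-\\x1F\\x7F<>"\'%&]/', '', (string) $source);
            break;

        default:
            // Same instance selection as STRING; the two branches were
            // previously inconsistent (is_a() vs. exact get_class()).
            $filter = (isset($this) && $this instanceof Xmf_Filter_Input)
                ? $this
                : Xmf_Filter_Input::getInstance();

            if (is_array($source)) {
                // Only top-level string elements are filtered: nested arrays
                // and non-string values pass through untouched (no recursion),
                // and keys are never filtered. Callers holding nested input
                // must clean each level themselves.
                foreach ($source as $key => $value) {
                    if (is_string($value)) {
                        $source[$key] = $filter->_remove($filter->_decode($value));
                    }
                }
                $result = $source;
            } elseif (is_string($source) && !empty($source)) {
                // filter source for XSS and other 'bad' code etc.
                $result = $filter->_remove($filter->_decode($source));
            } else {
                // Not an array or string ('' and '0' included, via empty()):
                // return the passed parameter unchanged.
                $result = $source;
            }
            break;
    }

    return $result;
}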
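/**
 * Clean up an input variable.
 *
 * @param mixed  $var  The input variable.
 * @param int    $mask Filter bit mask. 1=no trim: If this flag is cleared and the
 *                     input is a string, the string will have leading and trailing
 *                     whitespace trimmed. 2=allow_raw: If set, no more filtering is
 *                     performed, higher bits are ignored. 4=allow_html: HTML is
 *                     allowed, but passed through a safe HTML filter first. If set,
 *                     no more filtering is performed. If no bits other than the
 *                     1 bit is set, a strict filter is applied.
 * @param string $type The variable type {@see Xmf_Filter_Input::clean()}; null
 *                     selects clean()'s default branch.
 * @return mixed The trimmed and/or filtered variable.
 */
function _cleanVar($var, $mask = 0, $type = null)
{
    // Static input filters for specific settings: built on first use and
    // shared by every later call (and every instance) of this method.
    static $noHtmlFilter = null;
    static $safeHtmlFilter = null;

    // If the no trim flag is not set, trim the variable
    if (!($mask & 1) && is_string($var)) {
        $var = trim($var);
    }

    // allow_raw: return the (possibly trimmed) value without any filtering.
    // Bits above 2 are ignored here by design.
    if ($mask & 2) {
        return $var;
    }

    // allow_html: route through the permissive instance. The getInstance()
    // arguments are presumed to select the safe-HTML configuration
    // -- confirm against Xmf_Filter_Input::getInstance().
    if ($mask & 4) {
        if ($safeHtmlFilter === null) {
            $safeHtmlFilter = Xmf_Filter_Input::getInstance(null, null, 1, 1);
        }
        return $safeHtmlFilter->clean($var, $type);
    }

    // No allow flag set: apply the most strict filter to the variable.
    if ($noHtmlFilter === null) {
        $noHtmlFilter = Xmf_Filter_Input::getInstance();
    }
    return $noHtmlFilter->clean($var, $type);
}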