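/**
 * getRequestVars
 *
 * Build an array of request variables from the sanitized GET data and either
 * $_POST or a raw JSON request body.
 *
 * @param string $action Adds an empty 'id' entry to the returned array if set to 'remove'
 * @param bool $checkExpectedPostFields Keep only POST keys listed in $this->options['expectedPostFields']
 * @param bool $checkExpectedGetParams Keep only GET keys listed in $this->options['potentialGetParams']
 * @return array|false Merged get and post (post keys win on collision), or false when there is
 *                     no request body to use or the JSON body does not decode to an array
 **/
public function getRequestVars($action = '', $checkExpectedPostFields = true, $checkExpectedGetParams = true)
{
    // Expected vars: flipped to key sets so array_intersect_key can act as an allow-list
    $expectedPostFields = array_flip($this->explodeAndClean($this->options['expectedPostFields']));
    $potentialGetParams = array_flip($this->explodeAndClean($this->options['potentialGetParams']));

    // modX::sanitize takes its target by reference, so $_GET itself is rewritten as well
    $get = modX::sanitize($_GET, $this->modx->sanitizePatterns);
    if ($checkExpectedGetParams) {
        $get = array_intersect_key($get, $potentialGetParams);
    }

    // CONTENT_TYPE is not set on requests without a body (an undefined-index notice otherwise);
    // match on the media type only so "application/json; charset=utf-8" is recognised too
    $contentType = isset($_SERVER['CONTENT_TYPE']) ? $_SERVER['CONTENT_TYPE'] : '';
    $isJsonBody = stripos($contentType, 'application/json') === 0;

    if (empty($_POST) || $isJsonBody) {
        // we may have raw post data as JSON string
        $rawBody = file_get_contents('php://input');
        if (empty($rawBody)) {
            return false;
        }
        $post = $this->modx->fromJSON($rawBody);
        // A malformed body or a JSON scalar does not yield an array; modX::sanitize
        // requires one, so bail out the same way as for an empty body
        if (!is_array($post)) {
            return false;
        }
    } else {
        $post = $_POST;
    }

    $post = modX::sanitize($post, $this->modx->sanitizePatterns);
    if ($checkExpectedPostFields) {
        $post = array_intersect_key($post, $expectedPostFields);
    }

    if ($action === 'remove') {
        $post['id'] = '';
    }

    return array_merge($get, $post);
}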
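/**
 * Parses search string and removes any potential security risks in the search string
 *
 * Splits the string on spaces, runs the terms through modX::sanitize with the
 * core sanitize patterns, strips HTML tags from each term and drops terms
 * shorter than the 'minChars' option (default 4) unless they are one of the
 * reserved boolean operators. The remaining terms are joined and any MODX tag
 * delimiters are neutralised.
 *
 * Side effects: sets $this->searchArray and $this->searchString.
 *
 * @param string $str The string to parse.
 * @return string The parsed and cleansed string.
 */
public function parseSearchString($str = '')
{
    $minChars = $this->modx->getOption('minChars', $this->config, 4);

    $this->searchArray = explode(' ', $str);
    $this->searchArray = $this->modx->sanitize($this->searchArray, $this->modx->sanitizePatterns);

    // Boolean operators are kept regardless of their length
    $reserved = array('AND', 'OR', 'IN', 'NOT');
    foreach ($this->searchArray as $key => $term) {
        // Judge the length of the tag-stripped term; the original measured the
        // unstripped value, so markup alone could satisfy minChars
        $term = strip_tags($term);
        // strlen is byte length, so multibyte terms count more than their character count
        if (strlen($term) < $minChars && !in_array($term, $reserved, true)) {
            unset($this->searchArray[$key]);
        } else {
            $this->searchArray[$key] = $term;
        }
    }

    $this->searchString = implode(' ', $this->searchArray);

    // one last pass to filter for modx tags: replacing the delimiters with
    // themselves (as before) did nothing, so encode them as HTML entities
    // instead, which keeps the text but can no longer be parsed as a tag
    $this->searchString = str_replace(array('[[', ']]'), array('&#91;&#91;', '&#93;&#93;'), $this->searchString);

    return $this->searchString;
}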
/**
 * Harden GPC variables by removing any MODX tags, Javascript, or entities.
 *
 * Runs modX::sanitize (which rewrites its target in place) over $_GET, $_POST,
 * $_COOKIE and $_REQUEST with the core sanitize patterns. When the
 * 'allow_tags_in_post' option is on (the default) $_POST is sanitized with an
 * empty pattern list; note that $_REQUEST is always stripped, so code reading
 * POST values via $_REQUEST never sees the tags. Finally the request alias
 * parameter (option 'request_param_alias', default 'q') is reduced to the
 * characters [A-Za-z0-9_.\/-].
 */
public function sanitizeRequest()
{
    $tagPatterns = array_values($this->modx->sanitizePatterns);

    modX::sanitize($_GET, $tagPatterns);

    // An empty pattern list is the same as modX::sanitize's default
    $postPatterns = $this->modx->getOption('allow_tags_in_post', null, true) ? array() : $tagPatterns;
    modX::sanitize($_POST, $postPatterns);

    modX::sanitize($_COOKIE, $tagPatterns);
    modX::sanitize($_REQUEST, $tagPatterns);

    $aliasKey = $this->modx->getOption('request_param_alias', null, 'q');
    if (isset($_GET[$aliasKey])) {
        $_GET[$aliasKey] = preg_replace("/[^A-Za-z0-9_\\-\\.\\/]/", "", $_GET[$aliasKey]);
    }
}
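/**
 * fdspaApi
 *
 * DESCRIPTION
 *
 * This Snippet gets more content from the supplied resource
 * given in the "data-id" on click.
 *
 * Reads the 'fdspaid' GET parameter (after modX::sanitize), loads the matching
 * modResource and returns a JSON string of the form
 * {"result": {"pagetitle": ..., "content": ..., "image": <fdspa-thumb TV>}}.
 * A missing or non-numeric ID, or an ID with no matching resource, yields a
 * plain error string instead.
 *
 * NOTE(review): getObject() does not apply resource-group policy or the
 * published/deleted flags, so any existing ID is served — confirm whether a
 * checkPolicy('view') step is required here.
 *
 * USAGE:
 *
 * [[!fdspaApi]]
 *
 */
$get = modX::sanitize($_GET, $modx->sanitizePatterns);

// $_GET is already URL-decoded by PHP; urldecode() only matters for double-encoded
// input and is kept for compatibility. The isset guard avoids an undefined-index notice.
$res_id = isset($get['fdspaid']) ? urldecode($get['fdspaid']) : '';

if (empty($res_id) || !is_numeric($res_id)) {
    return "There was no ID given.";
}

$page = $modx->getObject('modResource', (int) $res_id);
if (!$page) {
    // Previously an unknown ID caused a fatal method call on null
    return "No resource found for the given ID.";
}

$output = array(
    'result' => array(
        'pagetitle' => $page->get('pagetitle'),
        'content'   => $page->get('content'),
        'image'     => $page->getTVValue('fdspa-thumb'),
    ),
);

return $modx->toJSON($output);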
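/**
 * Sanitize values of an array using regular expression patterns.
 *
 * Walks $target in place (it is taken by reference) and, for every string
 * value, repeatedly removes each pattern until it no longer matches or the
 * $nesting limit is reached. Nested arrays are recursed into for up to $depth
 * levels; arrays below that depth are left untouched, as are non-string scalars.
 *
 * @static
 * @param array $target The target array to sanitize.
 * @param array|string $patterns A regular expression pattern, or array of
 * regular expression patterns to apply to all values of the target.
 * @param integer $depth The maximum recursive depth to sanitize if the
 * target contains values that are arrays.
 * @param integer $nesting The maximum number of removal passes per pattern;
 * zero or a non-numeric value falls back to 10.
 * @return array The sanitized array.
 */
public static function sanitize(array &$target, array $patterns = array(), $depth = 3, $nesting = 10)
{
    // Normalise once rather than once per pattern
    $nesting = (int) $nesting ? (int) $nesting : 10;
    // get_magic_quotes_gpc() no longer exists on current engines; guard the call
    $stripMagicQuotes = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();

    // foreach replaces each(), which was removed from the language
    foreach ($target as $key => $value) {
        if (is_array($value) && $depth > 0) {
            // Assign the result back: the each()/list() form recursed into a copy of
            // the value, so nested arrays were never actually rewritten in $target.
            // $nesting is now forwarded so the limit applies at every level.
            $target[$key] = self::sanitize($value, $patterns, $depth - 1, $nesting);
        } elseif (is_string($value)) {
            foreach ($patterns as $pattern) {
                $iteration = 1;
                // Strip repeatedly so that text left behind by one removal cannot form
                // a fresh match; bounded by $nesting so a pathological input terminates
                while ($iteration <= $nesting && preg_match($pattern, $value)) {
                    // preg_replace returns null on a PCRE error, which collapses the value
                    // to null rather than letting it through unsanitized
                    $value = preg_replace($pattern, '', $value);
                    $iteration++;
                }
            }
            $target[$key] = $stripMagicQuotes ? stripslashes($value) : $value;
        }
    }
    return $target;
}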
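* This program is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
 * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
 * details.
 *
 * You should have received a copy of the GNU General Public License along with
 * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
 * Place, Suite 330, Boston, MA 02111-1307 USA
 **/

// Paths
$oauth2Path = $modx->getOption('oauth2server.core_path', null, $modx->getOption('core_path') . 'components/oauth2server/');
$oauth2Path .= 'model/oauth2server/';

// Get Class: initialise first so a missing class file does not leave $oauth2 undefined
$oauth2 = null;
if (file_exists($oauth2Path . 'oauth2server.class.php')) {
    $oauth2 = $modx->getService('oauth2server', 'OAuth2Server', $oauth2Path, $scriptProperties);
}
if (!$oauth2 instanceof OAuth2Server) {
    $modx->log(modX::LOG_LEVEL_ERROR, '[grantOAuth2Tokens] could not load the required class!');
    return;
}

// Strip MODX tags from the POST body before the request object is built.
// modX::sanitize rewrites $_POST in place; if createRequest() snapshots the
// superglobals (as request-from-globals helpers usually do — verify against the
// OAuth2Server class) a sanitize call placed after it never reaches the token
// request. Only the side effect is needed, so the return value is not kept.
modX::sanitize($_POST, $modx->sanitizePatterns);

// We need these
$server = $oauth2->createServer();
$request = $oauth2->createRequest();
$response = $oauth2->createResponse();
if (!$server || !$request || !$response) {
    // Log prefix aligned with the other message in this snippet
    $modx->log(modX::LOG_LEVEL_WARN, '[grantOAuth2Tokens]: could not create the required OAuth2 Server objects.');
    return;
}

// Handle Token Requests
$server->handleTokenRequest($request)->send();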
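/**
 * Sanitize values of an array using regular expression patterns.
 *
 * Walks $target in place (it is taken by reference). For every string value
 * the patterns are applied in rounds: within a round each matching pattern is
 * removed repeatedly until it stops matching (or $nesting removals are done),
 * and rounds continue until no pattern matched or $nesting rounds have run.
 * Nested arrays are recursed into for up to $depth levels; deeper arrays and
 * non-string scalars are left untouched.
 *
 * @static
 * @param array $target The target array to sanitize.
 * @param array|string $patterns A regular expression pattern, or array of
 * regular expression patterns to apply to all values of the target.
 * @param integer $depth The maximum recursive depth to sanitize if the
 * target contains values that are arrays.
 * @param integer $nesting The maximum nesting level in which to dive; zero or
 * a non-numeric value falls back to 10.
 * @return array The sanitized array.
 */
public static function sanitize(array &$target, array $patterns = array(), $depth = 99, $nesting = 10)
{
    $nesting = (int) $nesting ? (int) $nesting : 10;
    // get_magic_quotes_gpc() no longer exists on current engines; guard the call
    $stripMagicQuotes = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();

    foreach ($target as $key => &$value) {
        if (is_array($value) && $depth > 0) {
            // $nesting forwarded so the limit applies at every level
            self::sanitize($value, $patterns, $depth - 1, $nesting);
        } elseif (is_string($value)) {
            if (!empty($patterns)) {
                $iteration = 1;
                while ($iteration <= $nesting) {
                    $matched = false;
                    foreach ($patterns as $pattern) {
                        $patternIterator = 1;
                        $patternMatches = preg_match($pattern, $value);
                        if ($patternMatches > 0) {
                            $matched = true;
                            while ($patternMatches > 0 && $patternIterator <= $nesting) {
                                // preg_replace returns null on a PCRE error; preg_match then
                                // reports no match and the value is left as null
                                $value = preg_replace($pattern, '', $value);
                                $patternMatches = preg_match($pattern, $value);
                                // The counter was never advanced before, so a pattern whose
                                // removal does not reduce the match count (e.g. one that
                                // matches the empty string) spun forever
                                $patternIterator++;
                            }
                        }
                    }
                    if (!$matched) {
                        break;
                    }
                    $iteration++;
                }
            }
            if ($stripMagicQuotes) {
                $value = stripslashes($value);
            }
        }
    }
    // Drop the reference left behind by foreach-by-reference so a later write to
    // $value cannot silently overwrite the last element of $target
    unset($value);
    return $target;
}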
/**
 * Sanitizes MODX tags from $string.
 *
 * Wraps the value in a one-element array so it can be passed through
 * modX::sanitize with a single pattern covering "[[ ... ]]" tag delimiters,
 * then unwraps the result. Only string values are rewritten by
 * modX::sanitize, so a non-string scalar comes back unchanged.
 *
 * @param $string
 * @return string
 */
public function stripMODXTags($string)
{
    $tagPattern = '@\\[\\[(.[^\\[\\[]*?)\\]\\]@si';
    $wrapped = array($string);
    // modX::sanitize rewrites $wrapped in place; its return value is the same array
    modX::sanitize($wrapped, array($tagPattern));
    return $wrapped[0];
}