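/**
 * Sanitizes a username, stripping out unsafe characters.
 *
 * Removes tags, percent-encoded octets and HTML entities; when $strict is
 * true, additionally keeps only alphanumerics, `_`, space, `.`, `-` and `@`.
 * Leading/trailing whitespace is trimmed and runs of whitespace collapse to
 * a single space.
 *
 * The original docblock described a 'sanitize_user' filter being applied to
 * the result; no such filter call exists in this implementation, so the
 * sanitized string is returned directly.
 *
 * @param string $username The username to be sanitized.
 * @param bool   $strict   If true, limits $username to the ASCII set above. Default false.
 * @return string The sanitized username.
 */
function sanitize_user($username, $strict = false)
{
    $username = strip_all_tags($username);
    // Kill percent-encoded octets (e.g. "%41").
    $username = preg_replace('|%([a-fA-F0-9][a-fA-F0-9])|', '', $username);
    // Kill HTML entities.
    $username = preg_replace('/&.+?;/', '', $username);
    // If strict, reduce to ASCII for max portability.
    if ($strict) {
        $username = preg_replace('|[^a-z0-9 _.\\-@]|i', '', $username);
    }
    $username = trim($username);
    // Consolidate contiguous whitespace.
    $username = preg_replace('|\\s+|', ' ', $username);

    // Return the sanitized value. The original returned the untouched input
    // ($raw_username), which discarded every step above and handed callers
    // an unsanitized string.
    return $username;
}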
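// Dispatch on the requested lecture-hall admin action.
// $action, $lh, $redirect_to and $cmdb are defined outside this block; their
// origin is not visible here (presumably request parameters — confirm).
switch ($action) {
    case 'delete':
        // NOTE(review): no CSRF token or capability check is visible before the
        // delete; confirm the including script performs one.
        delete_lh($lh);
        cm_redirect(admin_url("lecture-edit.php"));
        break;

    case 'edit':
        $editing = true;
        $lh = get_lh_to_edit($lh);
        setup_lhdata($lh);
        $title = __("Chỉnh sửa giảng đường - ") . get_lh_name();
        require_once 'template-loader.php';
        break;

    case 'update':
        // Tags are stripped; the data is handed to the DB layer as an array
        // rather than interpolated into SQL. Missing POST keys previously
        // raised undefined-index notices, hence the isset() guards.
        $new_lh_data = array(
            'name'    => strip_all_tags(isset($_POST['lh_name']) ? $_POST['lh_name'] : ''),
            'address' => strip_all_tags(isset($_POST['lh_address']) ? $_POST['lh_address'] : ''),
        );
        $redirect = admin_url("lecture-hall.php?action=edit&lh={$lh}");
        $cmdb->update($cmdb->lecture_hall, $new_lh_data, array("lh_id" => $lh));
        cm_redirect($redirect);
        break;

    case 'new':
        $new_lh_data = array(
            'name'    => strip_all_tags(isset($_POST['lh_name']) ? $_POST['lh_name'] : ''),
            'address' => strip_all_tags(isset($_POST['lh_address']) ? $_POST['lh_address'] : ''),
        );
        $cmdb->insert($cmdb->lecture_hall, $new_lh_data);

        // NOTE(review): $redirect_to is decoded and redirected to without any
        // validation. If it originates from the request this is an open
        // redirect; restrict it to same-site paths before use.
        if ($redirect_to) {
            $redirect = urldecode($redirect_to);
        } else {
            $redirect = admin_url("lecture-edit.php");
        }
        cm_redirect($redirect);
        break;
}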
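/**
 * Truncates text to at most $limit words, appending $more only when words
 * were actually dropped.
 *
 * HTML tags are stripped first, then the text is split on runs of
 * whitespace (newline, CR, tab, space) and re-joined with single spaces.
 *
 * @param string $text  Text to truncate; tags are removed.
 * @param int    $limit Maximum number of words to keep. Default 45.
 * @param string $more  Suffix appended when the text was truncated. Default '...'.
 * @return string The (possibly truncated) text.
 */
function trim_word($text, $limit = 45, $more = '...')
{
    $text = strip_all_tags($text);
    // Split into at most $limit + 1 pieces: the extra piece holds the
    // remainder and tells us whether anything was cut off.
    $words = preg_split("/[\n\r\t ]+/", $text, $limit + 1, PREG_SPLIT_NO_EMPTY);

    if (count($words) > $limit) {
        // Drop the remainder chunk and mark the truncation.
        array_pop($words);
        return implode(' ', $words) . $more;
    }

    // The original unconditionally popped the last word and appended $more,
    // which mangled text that was already within the limit.
    return implode(' ', $words);
}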
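/**
 * Truncates a string to $count characters after stripping tags.
 *
 * Ported from WordPress. A trailing, partially cut HTML entity is removed so
 * the excerpt never ends in a broken "&amp"-style fragment; when the string
 * was actually shortened, $more is appended.
 *
 * @param string      $str   The string to truncate; tags are stripped.
 * @param int         $count Maximum number of characters (multibyte-aware).
 * @param string|null $more  Suffix appended when truncation occurred; null means ''.
 * @return string The excerpt.
 */
function html_excerpt($str, $count, $more = null)
{
    if (null === $more) {
        $more = '';
    }
    $str = strip_all_tags($str, true);
    $excerpt = mb_substr($str, 0, $count);
    // Remove part of an entity cut off at the end (an "&" followed by up to
    // six non-";" non-space characters).
    $excerpt = preg_replace('/&[^;\\s]{0,6}$/', '', $excerpt);
    // Strict comparison: loose != treats numeric-looking strings such as
    // "1e3" and "1000" as equal and would wrongly skip the suffix.
    if ($str !== $excerpt) {
        $excerpt = trim($excerpt) . $more;
    }
    return $excerpt;
}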
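/**
 * Validates an incoming compatibility report and stores it in the database.
 *
 * Flow: service-availability gate, sanitization (strip tags + trim) of every
 * textual field, per-field validation, report-id generation, sysid lookup,
 * host lookup/insert, report insert, optional screenshot insert.
 *
 * Text values are quoted with $db->quote() before being concatenated into
 * SQL; the decoded screenshot blob is escaped with addslashes() instead (see
 * the note at that point).
 *
 * @param string      $rmoVers           Client version; rejected if below $config['min_vers'].
 * @param string      $url               Reported page URL; must parse to a host.
 * @param mixed       $problem_type      Problem category; stored as-is (never validated, see below).
 * @param string      $description       Free-text description.
 * @param mixed       $behind_login      Must be 1 or 0 after sanitization.
 * @param string      $platform          Client platform; required.
 * @param string      $oscpu             OS/CPU string; required.
 * @param string      $gecko             Gecko ID; optional for older clients.
 * @param string      $product           Product name; required.
 * @param string      $useragent         User agent; required.
 * @param string      $buildconfig       Build config; required.
 * @param string      $language          Localization; required.
 * @param string      $email             Reporter email; not validated.
 * @param string      $sysid             Must match exactly one row in the sysid table.
 * @param string|null $screenshot        Base64-encoded image data, or null.
 * @param string|null $screenshot_format Required when $screenshot is given; must be in $config['screenshot_imageTypes'].
 * @param string|null $charset           Page charset as reported by the client.
 * @return serverReturn Success carries array('reportId' => ...); failure carries a 'CLIENT' or 'SERVER' message.
 */
function processReport($rmoVers, $url, $problem_type, $description, $behind_login, $platform, $oscpu, $gecko, $product, $useragent, $buildconfig, $language, $email, $sysid, $screenshot = null, $screenshot_format = null, $charset = null)
{
    global $config;

    if ($config['service_active'] == false) {
        return new serverReturn(false, 'SERVER', 'The service is currently unavailable. Please try again in a few minutes.');
    }

    /**********
     * Sanitize and Validate
     **********/

    // Remove any HTML tags and surrounding whitespace from every text field.
    // (The original also "sanitized" $screenshot_width and $screenshot_height,
    // which are neither parameters nor used anywhere below; those two
    // undefined-variable reads were dropped.)
    $rmoVers = trim(strip_all_tags($rmoVers));
    $url = trim(strip_all_tags($url));
    $problem_type = trim(strip_all_tags($problem_type));
    $description = trim(strip_all_tags($description));
    $behind_login = trim(strip_all_tags($behind_login));
    $platform = trim(strip_all_tags($platform));
    $oscpu = trim(strip_all_tags($oscpu));
    $gecko = trim(strip_all_tags($gecko));
    $product = trim(strip_all_tags($product));
    $useragent = trim(strip_all_tags($useragent));
    $buildconfig = trim(strip_all_tags($buildconfig));
    $language = trim(strip_all_tags($language));
    $email = trim(strip_all_tags($email));
    $sysid = trim(strip_all_tags($sysid));
    $screenshot_format = trim(strip_all_tags($screenshot_format));
    $charset = trim(strip_all_tags($charset));

    // Check version. This is PHP's loose `<`: two numeric-looking strings
    // compare numerically, anything else lexically.
    if ($rmoVers < $config['min_vers']) {
        return new serverReturn(false, 'CLIENT', 'Your product is out of date, please upgrade. 
Visit http://www.getfirefox.com for a newer version', $rmoVers);
    }

    // parse_url() returns false for badly malformed input; empty() covers
    // both that case and a missing host without raising a notice.
    $parsedUrl = parse_url($url);
    if (!$url || empty($parsedUrl['host'])) {
        return new serverReturn(false, 'CLIENT', 'url must use a valid URL syntax http://mozilla.com/page', $url);
    }

    // NOTE(review): $problem_type is never rejected. The original contained an
    // empty `if (!$problem_type || ...) { }` branch here — a no-op — so the
    // value reaches the INSERT below unvalidated (quoted, but unchecked).

    if ($behind_login != 1 && $behind_login != 0) {
        return new serverReturn(false, 'CLIENT', 'behind_login must be type bool int', $behind_login);
    }
    if (!$platform) {
        return new serverReturn(false, 'CLIENT', 'Invalid Platform Type', $platform);
    }
    if (!$product) {
        return new serverReturn(false, 'CLIENT', 'Invalid Product', $product);
    }
    if (!$language) {
        return new serverReturn(false, 'CLIENT', 'Invalid Localization', $language);
    }
    /* We don't explicity require this since some older clients may not return this.
    if (!$gecko) {
        return new serverReturn(false, 'CLIENT', 'Invalid Gecko ID', $gecko);
    }
    */
    if (!$oscpu) {
        return new serverReturn(false, 'CLIENT', 'Invalid OS CPU', $oscpu);
    }
    if (!$useragent) {
        return new serverReturn(false, 'CLIENT', 'Invalid User Agent', $useragent);
    }
    if (!$buildconfig) {
        return new serverReturn(false, 'CLIENT', 'Invalid Build Config', $buildconfig);
    }
    if (!$sysid) {
        return new serverReturn(false, 'CLIENT', 'No SysID Entered', $sysid);
    }

    // Image Validation
    if ($screenshot != null) {
        // If no format specified, it's invalid. trim() always yields a string,
        // so an absent format is exactly ''.
        if ($screenshot_format === '') {
            return new serverReturn(false, 'CLIENT', 'Invalid Screenshot', $screenshot_format);
        }
        // Must be in our list of approved formats (strict: both sides are strings).
        if (!in_array($screenshot_format, $config['screenshot_imageTypes'], true)) {
            return new serverReturn(false, 'CLIENT', 'Invalid Screenshot Format', $screenshot_format);
        }
    }

    // Create report_id. We just use a timestamp, because we don't need people
    // counting reports, since it's inaccurate.
    // We can have dup's, so it's not a good thing for people to be saying
    // 'mozilla.org reports 500,000 incompatable sites'.
    $id = str_replace(".", "", array_sum(explode(' ', microtime())));
    // Make sure it's always 14 chars long (left-pad with zeros).
    $id = str_pad($id, 14, '0', STR_PAD_LEFT);
    $report_id = 'RMO' . $id;
    unset($id);

    /**********
     * Open DB
     **********/
    $db = openDB();

    /**********
     * Check for valid sysid
     **********/
    $sysIdQuery = $db->Execute("SELECT sysid.sysid_id\n FROM sysid\n WHERE sysid.sysid_id = " . $db->quote($sysid));
    if (!$sysIdQuery) {
        return new serverReturn(false, 'SERVER', 'Database Error SR1');
    }
    if ($sysIdQuery->RecordCount() != 1) {
        return new serverReturn(false, 'CLIENT', 'Invalid SysID');
    }

    /**********
     * Check Hostname
     **********/
    $hostnameQuery = $db->Execute("SELECT host.host_id\n FROM host\n WHERE host.host_hostname = " . $db->quote($parsedUrl['host']));
    if (!$hostnameQuery) {
        return new serverReturn(false, 'SERVER', 'Database Error SR2');
    }

    /**********
     * Add Host
     **********/
    if ($hostnameQuery->RecordCount() <= 0) {
        // Generate an opaque host id; md5 is used as an identifier here, not
        // as a security primitive.
        $host_id = md5($parsedUrl['host'] . microtime());
        // We add the URL
        $addUrlQuery = $db->Execute("INSERT INTO host (host.host_id, host.host_hostname, host.host_date_added)\n VALUES (\n " . $db->quote($host_id) . ",\n " . $db->quote($parsedUrl['host']) . ",\n now()\n )");
        if (!$addUrlQuery) {
            return new serverReturn(false, 'SERVER', 'Database Error SR3');
        }
    } else {
        if ($hostnameQuery->RecordCount() == 1) {
            // pull the hash from DB
            $host_id = $hostnameQuery->fields['host_id'];
        } else {
            return new serverReturn(false, 'SERVER', 'Host Exception Error');
        }
    }

    /**********
     * Add Report
     **********/
    $addReportQuery = $db->Execute("INSERT INTO report (\n report.report_id,\n report.report_url,\n report.report_host_id,\n report.report_problem_type,\n report.report_description,\n report.report_behind_login,\n report.report_charset,\n report.report_useragent,\n report.report_platform,\n report.report_oscpu,\n report.report_language,\n report.report_gecko,\n report.report_buildconfig,\n report.report_product,\n report.report_email,\n report.report_ip,\n report.report_file_date,\n report.report_sysid\n )\n VALUES (\n " . $db->quote($report_id) . ",\n " . $db->quote($url) . ",\n " . $db->quote($host_id) . ",\n " . $db->quote($problem_type) . ",\n " . $db->quote($description) . ",\n " . $db->quote($behind_login) . ",\n " . $db->quote($charset) . ",\n " . $db->quote($useragent) . ",\n " . $db->quote($platform) . ",\n " . $db->quote($oscpu) . ",\n " . $db->quote($language) . ",\n " . $db->quote($gecko) . ",\n " . $db->quote($buildconfig) . ",\n " . $db->quote($product) . ",\n " . $db->quote($email) . ",\n " . $db->quote($_SERVER['REMOTE_ADDR']) . ",\n now(),\n " . $db->quote($sysid) . "\n );");
    if (!$addReportQuery) {
        return new serverReturn(false, 'SERVER', 'Database Error SR4');
    }

    /**********
     * Process Screenshot
     **********/
    if ($screenshot != null) {
        // Screenshots come in base64 encoded, so we need to decode.
        $screenshot = base64_decode($screenshot);
        // Note we addslashes() not quote() the image, because quote() is not
        // binary compatible and has ugly consequences.
        // NOTE(review): addslashes() is not aware of the connection charset,
        // so this escaping is weaker than the driver quoting used for every
        // other value in this function. A binary-safe parameter bind or blob
        // helper from the DB layer would be the safer replacement — confirm
        // what this driver offers before changing it.
        $insertSsQuery = $db->Execute("INSERT screenshot(\n screenshot.screenshot_report_id,\n screenshot.screenshot_data,\n screenshot.screenshot_format\n )\n VALUES (" . $db->quote($report_id) . ",\n '" . addslashes($screenshot) . "',\n " . $db->quote($screenshot_format) . "\n );\n ");
        if (!$insertSsQuery) {
            return new serverReturn(false, 'SERVER', 'Database Error SR5');
        }
        // If we got this far, the screenshot was successfully added!
    }

    /**********
     * Disconnect (optional really)
     **********/
    $db->disconnect();

    return new serverReturn(true, 'SERVER', array('reportId' => $report_id));
}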