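/**
 * Clean a raw _GET / _POST value before it is stored or echoed.
 *
 * HTML-significant characters are replaced with entities so the value can be
 * placed in HTML output; literal newlines become <br />. Optionally hands the
 * result to IPSText::postParseCleanValue for further cleaning.
 *
 * NOTE(review): in the extracted copy every replacement target had been
 * entity-decoded (e.g. str_replace("&", "&", ...)), which made the whole
 * function a no-op. The targets below are restored to the HTML entities the
 * surrounding code implies (the IPS_ALLOW_UNICODE branch un-double-encodes
 * "&amp;#NNN;", so "&" must have been mapped to "&amp;") - confirm against the
 * upstream source.
 *
 * @access public
 * @param string $val       Input
 * @param bool   $postParse Also run IPSText::postParseCleanValue on the result
 * @return string Cleaned input
 * @since 2.1
 */
public static function parseCleanValue($val, $postParse = true)
{
    // Loose comparison kept on purpose: null and "" both short-circuit here.
    if ($val == "") {
        return "";
    }

    // Undo slash-escaping and turn an encoded space back into a literal one.
    $val = str_replace("&#032;", " ", IPSText::stripslashes($val));

    # Convert all carriage return combos to a single "\n"
    $val = str_replace(array("\r\n", "\n\r", "\r"), "\n", $val);

    // "&" must be handled first so the entities produced below are not double-encoded.
    $val = str_replace("&", "&amp;", $val);

    // Comment delimiters and "<script" are neutralised before the generic "<" / ">" passes.
    $val = str_replace("<!--", "&#60;&#33;--", $val);
    $val = str_replace("-->", "--&#62;", $val);
    $val = str_ireplace("<script", "&#60;script", $val);

    $val = str_replace(">", "&gt;", $val);
    $val = str_replace("<", "&lt;", $val);
    $val = str_replace('"', "&quot;", $val);

    $val = str_replace("\n", "<br />", $val); // Convert literal newlines

    $val = str_replace("\$", "&#036;", $val);
    $val = str_replace("!", "&#33;", $val);
    // Encoding the single quote reduces breakage in string-built SQL, but it is
    // not a substitute for prepared statements - the database layer must still
    // bind its parameters.
    $val = str_replace("'", "&#39;", $val);

    if (IPS_ALLOW_UNICODE) {
        // Numeric entities the user typed were double-encoded by the "&" pass above; restore them.
        $val = preg_replace("/&amp;#([0-9]+);/s", "&#\\1;", $val);

        //-----------------------------------------
        // Try and fix up HTML entities with missing ;
        //-----------------------------------------
        $val = preg_replace("/&#(\\d+?)([^\\d;])/i", "&#\\1;\\2", $val);
    }

    //-----------------------------------------
    // Shortcut to auto run other cleaning
    //-----------------------------------------
    if ($postParse) {
        $val = IPSText::postParseCleanValue($val);
    }

    return $val;
}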