/**
 * Pass a piece of text through a freshly configured JLMS_InputFilter.
 *
 * The filter is built with the fixed arguments (null, null, 1, 1). Their
 * meaning is defined by the JLMS_InputFilter constructor, which is not
 * visible here; presumably (tags, attributes, tag mode, attribute mode),
 * TODO confirm against the class.
 *
 * NOTE(review): the result is only as strict as JLMS_InputFilter::process().
 * This wrapper performs no output encoding of its own.
 *
 * @param mixed $text Text handed unchanged to JLMS_InputFilter::process().
 * @return mixed Whatever JLMS_InputFilter::process() returns for $text.
 */
function JLMS_ProcessText_HardFilter($text)
{
    $hardFilter = new JLMS_InputFilter(null, null, 1, 1);

    return $hardFilter->process($text);
}
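/**
 * Filter a list of raw attribute fragments and rebuild the ones that survive.
 *
 * Each non-blank entry is split at its first '=' into a name and a value.
 * An attribute is dropped when:
 *  - its name contains anything other than ASCII letters;
 *  - $this->xssAuto is set and the name is in $this->attrBlacklist or
 *    starts with "on" (event handlers), compared case-insensitively;
 *  - JLMS_InputFilter::badAttributeValue() rejects the name/value pair;
 *  - the $this->attrArray / $this->attrMethod rule excludes it.
 *
 * Surviving attributes are emitted as name="value". The value "0" is kept
 * as-is, and an attribute without a value is emitted as name="name".
 *
 * NOTE(review): values are not HTML-encoded here. Staying inside the emitted
 * double quotes relies on the double-quote stripping done below.
 *
 * @param array $attrSet Raw attribute fragments, indexed consecutively from 0.
 * @return array Rebuilt attribute strings, in input order.
 */
function filterAttr($attrSet)
{
    $newSet = array();

    // Hoisted: the input array is never modified inside the loop.
    $attrCount = count($attrSet);

    for ($i = 0; $i < $attrCount; $i++) {
        // Skip blank entries.
        if (!$attrSet[$i]) {
            continue;
        }

        // Split into name/value at the first '=' only, so '=' may appear in the value.
        $attrSubSet = explode('=', trim($attrSet[$i]), 2);

        // Keep only the first space-separated word of the name.
        $nameWords = explode(' ', $attrSubSet[0]);
        $attrSubSet[0] = $nameWords[0];

        // A bare attribute (no '=') yields no value element. Normalise it to an
        // empty string so later reads do not hit an undefined array key.
        if (!isset($attrSubSet[1])) {
            $attrSubSet[1] = '';
        }

        // Reject "non-regular" attribute names (letters only).
        if (!preg_match("/^[a-z]*\$/i", $attrSubSet[0])) {
            continue;
        }

        // All name comparisons use the lower-cased name. The "on" prefix test
        // previously compared the raw name, so mixed-case event-handler
        // attributes were not recognised although the regex above and the
        // blacklist lookup are both case-insensitive.
        $lowerName = strtolower($attrSubSet[0]);

        if ($this->xssAuto
            && (in_array($lowerName, $this->attrBlacklist) || substr($lowerName, 0, 2) === 'on')
        ) {
            continue;
        }

        // XSS attribute value filtering.
        if ($attrSubSet[1]) {
            // Strip the numeric character reference prefix (unicode, hex, etc).
            $attrSubSet[1] = str_replace('&#', '', $attrSubSet[1]);

            // Remove newlines only (not all whitespace), so spaces remain
            // allowed inside attribute values.
            $attrSubSet[1] = preg_replace('/\\n+/', '', $attrSubSet[1]);

            // Strip double quotes: the value is re-wrapped in double quotes on output.
            $attrSubSet[1] = str_replace('"', '', $attrSubSet[1]);

            // Unwrap a value that is padded with single quotes on both sides.
            $valueLength = strlen($attrSubSet[1]);
            if (substr($attrSubSet[1], 0, 1) === "'" && substr($attrSubSet[1], $valueLength - 1, 1) === "'") {
                $attrSubSet[1] = substr($attrSubSet[1], 1, $valueLength - 2);
            }

            // Strip slashes.
            $attrSubSet[1] = stripslashes($attrSubSet[1]);

            // The removals above can join neighbouring characters into a new
            // '&#' sequence, and a single str_replace pass does not rescan its
            // own output. Repeat until none remains so that no numeric
            // character reference reaches badAttributeValue() or the output.
            while (strpos($attrSubSet[1], '&#') !== false) {
                $attrSubSet[1] = str_replace('&#', '', $attrSubSet[1]);
            }
        }

        // Drop pairs rejected by the value check (defined outside this view).
        if (JLMS_InputFilter::badAttributeValue($attrSubSet)) {
            continue;
        }

        // Is the attribute in the user-supplied attribute list?
        $attrFound = in_array($lowerName, $this->attrArray);

        // attrMethod truthy: keep attributes NOT in the list.
        // attrMethod falsy:  keep only attributes that ARE in the list.
        $keep = $attrFound ? !$this->attrMethod : (bool) $this->attrMethod;
        if (!$keep) {
            continue;
        }

        if ($attrSubSet[1]) {
            $newSet[] = $attrSubSet[0] . '="' . $attrSubSet[1] . '"';
        } elseif ($attrSubSet[1] === '0') {
            // Special case: "0" is falsy in PHP but is a real value.
            $newSet[] = $attrSubSet[0] . '="0"';
        } else {
            // No value: emit the attribute with its own name as the value.
            $newSet[] = $attrSubSet[0] . '="' . $attrSubSet[0] . '"';
        }
    }

    return $newSet;
}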