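/**
 * Build an HTML node, optionally XSS-cleaning its text or its attribute string.
 *
 * A leading '/' in $name marks an end tag; a trailing '/' in $attr[0] (or a
 * name listed in $this->self_closing_tags) marks a self-closing tag. When
 * $cleanXSS is truthy, text nodes are passed through $FUNCS->escape_HTML()
 * and code nodes have their attribute string entity-normalized, sanitized and
 * - for tags outside $this->safe_tags - HTML-escaped as a whole.
 *
 * @param string     $type         node type; compared against K_NODE_TYPE_TEXT / K_NODE_TYPE_CODE
 * @param string     $name         tag name
 * @param array      $attr         attribute container; $attr[0] holds the raw attribute string
 *                                 (NOTE(review): the '' default does not match that shape - confirm callers)
 * @param string     $text         text content of a text node
 * @param int        $cleanXSS     when truthy, escape/sanitize text and attributes
 * @param int        $for_comments when truthy, apply comment rules (nl2br on text, strip attributes)
 * @param array|null $safe_tags    overrides $this->safe_tags when an array is given
 */
function KHTMLNode($type, $name = '', $attr = '', $text = '', $cleanXSS = 0, $for_comments = 0, $safe_tags = null)
{
    global $FUNCS;

    // isset() guards the offset reads: the defaults ('' for $name and $attr) have
    // no offset 0 and would otherwise raise "uninitialized string offset" warnings.
    if (isset($name[0]) && $name[0] === '/') {
        $this->is_end_tag = 1;
        $name = trim(substr($name, 1));
    } elseif (isset($attr[0]) && substr($attr[0], -1) === '/') {
        $this->is_self_closing = 1;
        $attr[0] = substr($attr[0], 0, -1);
    } elseif (in_array($name, $this->self_closing_tags, true)) {
        $this->is_self_closing = 1;
    }

    $this->cleanXSS = $cleanXSS;
    $this->for_comments = $for_comments;
    if (is_array($safe_tags)) {
        $this->safe_tags = $safe_tags;
    }

    if ($this->cleanXSS) {
        if ($type == K_NODE_TYPE_TEXT) {
            $text = $FUNCS->escape_HTML($text);
            // kept as a loose '== 1' comparison: callers may pass a bool or an int here
            if ($this->for_comments == 1) {
                $text = $this->nl2br($text);
            }
        } elseif ($type == K_NODE_TYPE_CODE) {
            // any tag not explicitly whitelisted is rendered escaped (as literal text)
            if (!in_array($name, $this->safe_tags, true)) {
                $this->escape_tag = 1;
            }

            // mirror $attr[0] in a local so the string functions below never see null
            $attrString = isset($attr[0]) ? $attr[0] : '';
            if (strlen($attrString)) {
                // normalize (decode) all entities before hunting for XSS elements
                $attrString = $this->normalize_entities($attrString);
                // sanitize
                $attrString = $this->sanitize($attrString);
                if ($this->escape_tag) {
                    $attrString = $FUNCS->escape_HTML($attrString);
                }
                $attr[0] = $attrString;
            }

            // if tag being used within comments, strip off attributes (except href of 'a' tag)
            if ($this->for_comments) {
                if ($name === 'a') {
                    // The captured href cannot contain quotes (the class excludes them), so it is
                    // safe to re-wrap in double quotes. NOTE(review): any URL-scheme filtering of
                    // the href relies on sanitize() above having already run on $attrString - confirm.
                    $link = preg_match('@\\bhref\\s*=\\s*["\']([^"\']*)["\']@is', $attrString, $matches) ? $matches[1] : '';
                    $attr[0] = 'rel="external nofollow" href="' . $link . '"';
                } else {
                    $attr[0] = '';
                }
            }
        }
    }

    parent::KNode($type, $name, $attr, $text);
}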
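/**
 * Build an HTML node, optionally XSS-cleaning its text or its attribute string.
 *
 * A leading '/' in $name marks an end tag; a trailing '/' in $attr[0] (or a
 * name listed in $this->self_closing_tags) marks a self-closing tag. When
 * $cleanXSS is truthy, text nodes are passed through $FUNCS->escape_HTML() and
 * code nodes have their attribute string entity-normalized and sanitized. A
 * tag outside $this->safe_tags is HTML-escaped as a whole unless it is listed
 * in $this->not_so_safe_tags, in which case it is escaped only when one of its
 * listed quoted attributes fails the regex configured for that attribute.
 *
 * @param string     $type             node type; compared against K_NODE_TYPE_TEXT / K_NODE_TYPE_CODE
 * @param string     $name             tag name
 * @param array      $attr             attribute container; $attr[0] holds the raw attribute string
 *                                     (NOTE(review): the '' default does not match that shape - confirm callers)
 * @param string     $text             text content of a text node
 * @param int        $cleanXSS         when truthy, escape/sanitize text and attributes
 * @param int        $for_comments     when truthy, apply comment rules (nl2br on text, strip attributes)
 * @param array|null $safe_tags        overrides $this->safe_tags when an array is given
 * @param array|null $not_so_safe_tags overrides $this->not_so_safe_tags when an array is given;
 *                                     expected shape (from its use below): tag => [attribute => regex]
 */
function KHTMLNode($type, $name = '', $attr = '', $text = '', $cleanXSS = 0, $for_comments = 0, $safe_tags = null, $not_so_safe_tags = null)
{
    global $FUNCS;

    // isset() guards the offset reads: the defaults ('' for $name and $attr) have
    // no offset 0 and would otherwise raise "uninitialized string offset" warnings.
    if (isset($name[0]) && $name[0] === '/') {
        $this->is_end_tag = 1;
        $name = trim(substr($name, 1));
    } elseif (isset($attr[0]) && substr($attr[0], -1) === '/') {
        $this->is_self_closing = 1;
        $attr[0] = substr($attr[0], 0, -1);
    } elseif (in_array($name, $this->self_closing_tags, true)) {
        $this->is_self_closing = 1;
    }

    $this->cleanXSS = $cleanXSS;
    $this->for_comments = $for_comments;
    if (is_array($safe_tags)) {
        $this->safe_tags = $safe_tags;
    }
    if (is_array($not_so_safe_tags)) {
        $this->not_so_safe_tags = $not_so_safe_tags;
    }

    if ($this->cleanXSS) {
        if ($type == K_NODE_TYPE_TEXT) {
            $text = $FUNCS->escape_HTML($text);
            // kept as a loose '== 1' comparison: callers may pass a bool or an int here
            if ($this->for_comments == 1) {
                $text = $this->nl2br($text);
            }
        } elseif ($type == K_NODE_TYPE_CODE) {
            // mirror $attr[0] in a local so the string functions below never see null
            $attrString = isset($attr[0]) ? $attr[0] : '';

            if (!in_array($name, $this->safe_tags, true)) {
                if (array_key_exists($name, $this->not_so_safe_tags)) {
                    // Walk every quoted attribute (name="value" / name='value') of a
                    // "not so safe" tag. Only attribute names listed for this tag are
                    // pattern-checked; one failing value marks the whole tag for escaping.
                    // NOTE(review): the patterns see the raw value - normalize_entities()
                    // runs only further down - and unquoted attribute values are not matched
                    // by this regex at all; both cases then rely on sanitize() below. Confirm.
                    $offset = 0; // was uninitialised, which raised an undefined-variable warning on the first preg_match()
                    while (preg_match('/([^= ]+)=(["\'])(.*?)\\2/', $attrString, $matches, PREG_OFFSET_CAPTURE, $offset)) {
                        // resume scanning at the start of the matched value (always past the previous offset)
                        $offset = $matches[3][1];
                        $attrName = strtolower($matches[1][0]);
                        foreach ($this->not_so_safe_tags[$name] as $tag_key => $tag_pattern) {
                            // array keys may have been cast to int by PHP; compare as strings
                            if ($attrName !== (string) $tag_key) {
                                continue;
                            }
                            if (!preg_match($tag_pattern, $matches[3][0])) {
                                $this->escape_tag = 1;
                                break;
                            }
                        }
                        if ($this->escape_tag) {
                            break;
                        }
                    }
                } else {
                    // neither whitelisted nor conditionally allowed: render escaped (as literal text)
                    $this->escape_tag = 1;
                }
            }

            if (strlen($attrString)) {
                // normalize (decode) all entities before hunting for XSS elements
                $attrString = $this->normalize_entities($attrString);
                // sanitize
                $attrString = $this->sanitize($attrString);
                if ($this->escape_tag) {
                    $attrString = $FUNCS->escape_HTML($attrString);
                }
                $attr[0] = $attrString;
            }

            // if tag being used within comments, strip off attributes (except href of 'a' tag)
            if ($this->for_comments) {
                if ($name === 'a') {
                    // The captured href cannot contain quotes (the class excludes them), so it is
                    // safe to re-wrap in double quotes. NOTE(review): any URL-scheme filtering of
                    // the href relies on sanitize() above having already run on $attrString - confirm.
                    $link = preg_match('@\\bhref\\s*=\\s*["\']([^"\']*)["\']@is', $attrString, $matches) ? $matches[1] : '';
                    $attr[0] = 'rel="external nofollow" href="' . $link . '"';
                } else {
                    $attr[0] = '';
                }
            }
        }
    }

    parent::KNode($type, $name, $attr, $text);
}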