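/**
 * Strip known script-bearing markup from untrusted text.
 *
 * Flow: an administrator's input is returned untouched unless $force is
 * set (so a compromised admin account turns straight into stored XSS —
 * callers handling content from shared or escalated admin roles should
 * pass $force = true). Otherwise the sanitizer's own filterXss() runs,
 * then HTML Purifier if the "purifier" framework component loads. Only
 * when the purifier is unavailable does the regex blocklist below apply.
 *
 * That blocklist is a best-effort fallback, not a complete XSS defence:
 * it covers closed <script>/<vbscript>/<javascript> elements (plus any
 * tag names from config), <meta http-equiv=refresh> and <iframe>.
 * Anything filterXss() does not already catch — event-handler
 * attributes, <object>/<embed>, an unclosed <script> — passes through.
 *
 * @param MyTextSanitizer $ts    sanitizer whose filterXss() is applied first
 * @param string          $text  untrusted text to filter
 * @param bool            $force filter even when the current user is an admin
 *
 * @return mixed filtered text: a string on the regex path (empty when
 *               preg_replace fails), whatever XoopsPurifier::purify()
 *               returns on the purifier path
 */
public function load(MyTextSanitizer &$ts, $text, $force = false)
{
    $xoops = Xoops::getInstance();
    if (empty($force) && $xoops->userIsAdmin) {
        // Admin content is trusted by design; see the method doc.
        return $text;
    }

    // Built-in filters for XSS scripts; the purifier is the real defence
    // and short-circuits the regex fallback below when it is available.
    $text = $ts->filterXss($text);
    if (XoopsLoad::load("purifier", "framework")) {
        $text = XoopsPurifier::purify($text);
        return $text;
    }

    $tags = array();
    $search = array();
    $replace = array();

    // Site-level patterns from config run first, in config order.
    $config = parent::loadConfig(__DIR__);
    if (!empty($config["patterns"])) {
        foreach ($config["patterns"] as $pattern) {
            if (empty($pattern['search'])) {
                continue;
            }
            $search[] = $pattern['search'];
            // A pattern without a replacement deletes the match; avoid an
            // undefined-index notice (and a null replacement) for such entries.
            $replace[] = isset($pattern['replace']) ? $pattern['replace'] : '';
        }
    }
    if (!empty($config["tags"])) {
        $tags = array_map("trim", $config["tags"]);
    }

    // Element names whose whole *closed* element is replaced by a marker.
    // An unclosed opening tag is not matched here and is left to filterXss().
    $tags[] = "SCRIPT";
    $tags[] = "VBSCRIPT";
    $tags[] = "JAVASCRIPT";
    foreach ($tags as $tag) {
        // preg_quote: a tag name from config is data, not regex — it must not
        // be able to alter the pattern or break it (which would make
        // preg_replace fail for every pattern).
        $quoted = preg_quote($tag, '/');
        $search[] = "/<" . $quoted . "[^>]*?>.*?<\\/" . $quoted . ">/si";
        $replace[] = " [!" . strtoupper($tag) . " FILTERED!] ";
    }

    // <meta http-equiv="refresh" ...>: redirect via injected markup.
    // The attribute values are deliberately not restricted to [^/] — a
    // refresh target is almost always a URL containing "/" — and a plain ">"
    // close is accepted as well as "/>". The quote group is (['"]?) rather
    // than (['"])? so the unquoted form still matches: in PCRE a
    // backreference to a group that did not participate does not match.
    $search[] = "/<META\\b[^>]*?HTTP-EQUIV\\s*=\\s*(['\"]?)REFRESH\\1[^>]*>/si";
    $replace[] = "";

    // <iframe>: the closed element first, then an opening tag with a src
    // (its value is echoed into the marker; it cannot contain ">" so it
    // cannot re-form a tag), then any remaining opening/closing tag
    // (srcdoc-only or unclosed frames). Values may contain "/".
    $search[] = "/<IFRAME\\b[^>]*?>([^<]*)<\\/IFRAME>/si";
    $replace[] = " [!IFRAME FILTERED! \\1] ";
    $search[] = "/<IFRAME\\b[^>]*?\\bSRC\\s*=\\s*(['\"]?)([^'\"\\s>]*)\\1[^>]*>/si";
    $replace[] = " [!IFRAME FILTERED! \\2] ";
    $search[] = "/<\\/?IFRAME\\b[^>]*>/si";
    $replace[] = " [!IFRAME FILTERED!] ";

    // preg_replace returns null when any pattern fails to compile (a bad
    // config pattern) or PCRE hits its backtrack/recursion limit on large
    // input. Fail closed: never hand the unfiltered text back to the caller.
    $filtered = preg_replace($search, $replace, $text);
    if ($filtered === null) {
        trigger_error('XSS filter: preg_replace failed (preg_last_error=' . preg_last_error() . ')', E_USER_WARNING);
        return '';
    }
    return $filtered;
}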