파일: Validator.php 프로젝트: poitch/dokin
 /**
  * Runs $source through Xss::process() and optionally rejects output that
  * still carries the literal "--TAG NOT ALLOWED--" marker.
  *
  * Detection is a plain substring match on the processed text. Assumes
  * Xss::process() emits that marker in place of disallowed tags (not visible
  * here); input that already contains the marker verbatim would be rejected
  * the same way when $bThrow is truthy.
  *
  * @param string $source  Raw input to filter.
  * @param bool   $bThrow  When truthy, throw instead of returning marked output.
  *
  * @return string The processed string (may still contain the marker when
  *                $bThrow is falsy).
  *
  * @throws Exception If the marker is present and $bThrow is truthy.
  */
 public static function xss($source, $bThrow = true)
 {
     $processed = Xss::process($source);

     // Caller opted out of the hard failure: hand back whatever the filter produced.
     if (!$bThrow) {
         return $processed;
     }

     $marker = '--TAG NOT ALLOWED--';
     if (strstr($processed, $marker) !== false) {
         throw new Exception('Illegal tags found');
     }

     return $processed;
 }
 /**
  * Filters HTML for XSS vulnerabilities and marks the result as safe.
  *
  * The string is always run through Xss::filter(), regardless of whether it
  * is already marked safe, and the filtered result is then registered via
  * static::set(). Because every call grows the safe-string list, only use
  * this when the value really must be rendered as HTML; Twig already
  * HTML-encodes values that are not marked safe.
  *
  * For admin-context filtering (Xss::filterAdmin() semantics), either use
  * #markup in a render array so the render system filters by the admin tag
  * list, or call this method with the tag list from Xss::getAdminTagList().
  *
  * Callers that must skip strings already marked safe should check
  * SafeMarkup::isSafe() themselves before calling.
  *
  * @param string $string
  *   Raw HTML to be stripped of everything that could cause an XSS attack.
  * @param array|null $html_tags
  *   (optional) Allowed HTML tags. When omitted (null), Xss::filter() is
  *   called with its own default tag list.
  *
  * @return string
  *   An XSS-safe version of $string, marked as safe. Xss::filter() is
  *   expected to return an empty string for input that is not valid UTF-8.
  *
  * @ingroup sanitization
  *
  * @see \Drupal\Component\Utility\Xss::filter()
  * @see \Drupal\Component\Utility\Xss::filterAdmin()
  * @see \Drupal\Component\Utility\Xss::getAdminTagList()
  * @see \Drupal\Component\Utility\SafeMarkup::isSafe()
  */
 public static function xssFilter($string, $html_tags = NULL)
 {
     // Only pass the tag list through when the caller supplied one, so
     // Xss::filter() keeps using its own default otherwise.
     $filtered = $html_tags === null
         ? Xss::filter($string)
         : Xss::filter($string, $html_tags);

     return static::set($filtered);
 }
 /**
  * Applies the permissive admin-only XSS/HTML filter, unless the string is
  * already marked safe.
  *
  * @param string $string
  *   The string to check.
  *
  * @return string
  *   $string unchanged when static::isSafe() reports it as safe; otherwise
  *   the result of Xss::filterAdmin($string).
  *
  * @see \Drupal\Component\Utility\Xss::filterAdmin()
  */
 public static function checkAdminXss($string)
 {
     // Strings previously registered via self::set() are trusted as-is.
     if (static::isSafe($string)) {
         return $string;
     }

     return Xss::filterAdmin($string);
 }
파일: filters.php 프로젝트: Grapheme/amway
<?php

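// Runs before every request and scrubs all request input in place.
// NOTE(review): global input cleaning is a blunt, lossy defence and is not a
// substitute for escaping output per context in the views; confirm what
// Xss::globalXssClean() actually rewrites in the project's Xss class.
App::before(function ($request) {
    Xss::globalXssClean();
});

// Runs after every request; intentionally a no-op.
App::after(function ($request, $response) {
    //
});

// Handles HTTP error codes raised during a request.
//
// 403 gets a fixed plain-text body. For any other code a layout view named by
// Helper::layout($code) is rendered when it exists; otherwise nothing is
// returned and the framework's default error handling applies.
//
// @param Exception $exception  The exception being handled.
// @param int       $code       HTTP status code supplied by the framework.
App::error(function (Exception $exception, $code) {
    if ((int) $code === 403) {
        return 'Access denied!';
    }

    // Resolve the layout name once instead of calling Helper::layout() twice.
    $layout = Helper::layout($code);
    if (View::exists($layout)) {
        // $exception->getMessage() reaches the template unescaped from here;
        // the view (not visible in this file) must HTML-escape it.
        return Response::view($layout, array('message' => $exception->getMessage()), $code);
    }
});

// Handles routes with no match: renders the project's 404 layout when it
// exists, otherwise the bundled 'error404' view, always with status 404.
App::missing(function ($exception) {
    $layout = Helper::layout('404');
    $tpl = View::exists($layout) ? $layout : 'error404';

    // Same caveat as App::error: the message is passed to the view unescaped.
    return Response::view($tpl, array('message' => $exception->getMessage()), 404);
});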