function kses_bad_protocol_once2($string, $allowed_protocols)
{
$string2 = preg_replace('/\\s/', '', $string);
$string2 = kses_decode_entities($string2);
$string2 = kses_no_null($string2);
$string2 = strtolower($string2);
$allowed = false;
foreach ($allowed_protocols as $one_protocol) {
if (strtolower($one_protocol) == $string2) {
$allowed = true;
break;
}
}
if ($allowed) {
return "{$string2}:";
} else {
return '';
}
}
/**
* This function takes a string with an html tag and strips out any unallowed
* protocols e.g. javascript:
*
* It calls ancillary functions in kses which are prefixed by kses
*
* @global object
* @global string
* @param array $htmlArray An array from {@link cleanAttributes()}, containing in its 1st
* element the html to be cleared
* @return string
*/
function cleanAttributes2($htmlArray)
{
global $CFG, $ALLOWED_PROTOCOLS;
require_once $CFG->libdir . '/kses.php';
$htmlTag = $htmlArray[1];
if (substr($htmlTag, 0, 1) != '<') {
return '>';
//a single character ">" detected
}
if (!preg_match('%^<\\s*(/\\s*)?([a-zA-Z0-9]+)([^>]*)>?$%', $htmlTag, $matches)) {
return '';
// It's seriously malformed
}
$slash = trim($matches[1]);
//trailing xhtml slash
$elem = $matches[2];
//the element name
$attrlist = $matches[3];
// the list of attributes as a string
$attrArray = kses_hair($attrlist, $ALLOWED_PROTOCOLS);
$attStr = '';
foreach ($attrArray as $arreach) {
$arreach['name'] = strtolower($arreach['name']);
if ($arreach['name'] == 'style') {
$value = $arreach['value'];
while (true) {
$prevvalue = $value;
$value = kses_no_null($value);
$value = preg_replace("/\\/\\*.*\\*\\//Us", '', $value);
$value = kses_decode_entities($value);
$value = preg_replace('/(&#[0-9]+)(;?)/', "\\1;", $value);
$value = preg_replace('/(&#x[0-9a-fA-F]+)(;?)/', "\\1;", $value);
if ($value === $prevvalue) {
$arreach['value'] = $value;
break;
}
}
$arreach['value'] = preg_replace("/j\\s*a\\s*v\\s*a\\s*s\\s*c\\s*r\\s*i\\s*p\\s*t/i", "Xjavascript", $arreach['value']);
$arreach['value'] = preg_replace("/v\\s*b\\s*s\\s*c\\s*r\\s*i\\s*p\\s*t/i", "Xvbscript", $arreach['value']);
$arreach['value'] = preg_replace("/e\\s*x\\s*p\\s*r\\s*e\\s*s\\s*s\\s*i\\s*o\\s*n/i", "Xexpression", $arreach['value']);
$arreach['value'] = preg_replace("/b\\s*i\\s*n\\s*d\\s*i\\s*n\\s*g/i", "Xbinding", $arreach['value']);
} else {
if ($arreach['name'] == 'href') {
//Adobe Acrobat Reader XSS protection
$arreach['value'] = preg_replace('/(\\.(pdf|fdf|xfdf|xdp|xfd)[^#]*)#.*$/i', '$1', $arreach['value']);
}
}
$attStr .= ' ' . $arreach['name'] . '="' . $arreach['value'] . '"';
}
$xhtml_slash = '';
if (preg_match('%/\\s*$%', $attrlist)) {
$xhtml_slash = ' /';
}
return '<' . $slash . $elem . $attStr . $xhtml_slash . '>';
}
function kses_bad_protocol_once2($matches)
{
//Zenphoto:preg_replace with the "e" modifier is deprecated, this is the callback
global $_allowed_protocols;
$allowed_protocols = $_allowed_protocols;
$string2 = kses_decode_entities($matches[1]);
$string2 = preg_replace('/\\s/', '', $string2);
$string2 = kses_no_null($string2);
$string2 = preg_replace('/\\xad+/', '', $string2);
# deals with Opera "feature"
$string2 = strtolower($string2);
$allowed = false;
foreach ($allowed_protocols as $one_protocol) {
if (strtolower($one_protocol) == $string2) {
$allowed = true;
break;
}
}
if ($allowed) {
return "{$string2}:";
} else {
return '';
}
}
function kses_bad_protocol_once2($matches)
{
###############################################################################
# This function processes URL protocols, checks to see if they're in the white-
# list or not, and returns different data depending on the answer.
###############################################################################
//update// preg_replace with the "e" modifier is deprecated, this is the callback
global $_allowed_protocols;
$allowed_protocols = $_allowed_protocols;
$string2 = kses_decode_entities($matches[1]);
$string2 = preg_replace('/\\s/', '', $string2);
$string2 = kses_no_null($string2);
$string2 = preg_replace('/\\xad+/', '', $string2);
# deals with Opera "feature"
$string2 = strtolower($string2);
$allowed = false;
foreach ($allowed_protocols as $one_protocol) {
if (strtolower($one_protocol) == $string2) {
$allowed = true;
break;
}
}
if ($allowed) {
return "{$string2}:";
} else {
return '';
}
}
