Exemplo n.º 1
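 /**
  * Rewrite one matched HTML fragment so that only allow-listed elements survive.
  *
  * The method has two modes, selected by $store:
  *  - store mode ($store true): $m is a "|"-separated list of element names,
  *    which is kept in function-static state for later calls; nothing is returned.
  *  - filter mode ($store false): $m is a match array whose element 1 is the
  *    fragment to inspect (presumably supplied by a preg callback; verify
  *    against the caller).
  *
  * Security notes for maintainers:
  *  - The allow-list lives in a function-static variable, so it is shared by every
  *    caller in the request. If it was never stored, every tag is dropped.
  *  - Tag names are lower-cased before the lookup, so stored names must be
  *    lower-case and free of surrounding whitespace or they will never match.
  *  - Attribute safety depends entirely on cs_form::_filter_xss_attributes(),
  *    which is not visible here; this method only strips stray "<" and ">" from
  *    its result.
  *
  * @param  string|array $m     allow-list string (store mode) or match array (filter mode)
  * @param  boolean      $store store elements into the static $allowed_html list
  * @return string|null         replacement text for the fragment; null in store mode
  */
 private static function _filter_xss_split($m, $store = FALSE)
 {
     static $allowed_html;
     if ($store) {
         // Flip so that element names become keys and isset() can test membership.
         $allowed_html = array_flip(explode("|", $m));
         return;
     }
     $string = $m[1];
     if (substr($string, 0, 1) !== '<') {
         // We matched a lone ">" character
         return '&gt;';
     }
     if (strlen($string) === 1) {
         // We matched a lone "<" character
         return '&lt;';
     }
     if (!preg_match('%^<\\s*(/\\s*)?([a-zA-Z0-9]+)([^>]*)>?$%', $string, $matches)) {
         // Seriously malformed (or the match itself failed): drop the fragment
         return '';
     }
     $slash = trim($matches[1]);
     $elem = $matches[2];
     if (!isset($allowed_html[strtolower($elem)])) {
         // Disallowed HTML element (also the result when no allow-list was stored)
         return '';
     }
     if ($slash !== '') {
         // Closing tags are rebuilt from the element name alone; anything after it is discarded
         return "</{$elem}>";
     }
     // Strip a closing XHTML slash from the end of the attributes and remember
     // whether there was one, using the replacement count instead of a second match.
     $attrlist = preg_replace('%(\\s?)/\\s*$%', '\\1', $matches[3], -1, $count);
     if ($attrlist === null) {
         // PCRE error: emit nothing rather than pass an unchecked value on
         return '';
     }
     $xhtml_slash = $count > 0 ? ' /' : '';
     // Clean up attributes
     $attr2 = implode(' ', cs_form::_filter_xss_attributes($attrlist));
     // Defence in depth: the rebuilt attribute string must not contain tag delimiters.
     // str_replace cannot fail the way a regex replacement can.
     $attr2 = str_replace(array('<', '>'), '', $attr2);
     $attr2 = $attr2 !== '' ? ' ' . $attr2 : '';
     return "<{$elem}{$attr2}{$xhtml_slash}>";
 }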