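/**
 * Site search controller action.
 *
 * Reads the submitted search term from POST, validates its length, runs it
 * through the search_m model (with paging), and renders the main layout with
 * the sidebar menu, auth block and SEO meta data.
 *
 * Side effects: echoes inline <script> alerts and renders the view.
 */
public function index()
{
    $this->load->helper('security');

    if (isset($_POST['search_btn'])) {
        // Read the term through the input class (second argument TRUE = the
        // framework's XSS filter) and only measure it once we know it was
        // submitted; the original called mb_strlen() on $_POST['search_text']
        // before the isset() check, which raises a notice when the field is absent.
        $raw_text = isset($_POST['search_text']) ? $this->input->post('search_text', TRUE) : '';
        $len = mb_strlen($raw_text);

        if ($len > 2) {
            // Neutralise "<?" / "?>" so the value can never be executed if it
            // ends up in a PHP-enabled template or view.
            $display_text = encode_php_tags($raw_text);

            $this->load->model('search_m');

            // SQL-escape with the active DB driver. The original used
            // mysql_real_escape_string(), which was removed in PHP 7 and, before
            // that, needed an open mysql_* link that CodeIgniter does not create.
            // NOTE(review): this is only correct if search_m interpolates the
            // string straight into its SQL; if the model uses query bindings or
            // escape() itself this double-escapes - verify against search_m.
            $this->load->database();
            $search_text = $this->db->escape_str($display_text);

            $count = $this->search_m->search_text($search_text);

            // Echo back what the user typed, not the SQL-escaped form (the
            // original leaked escape backslashes into the page for quotes).
            $data['search_text'] = $display_text;

            if ($count['count'] != 0) {
                $this->load->library('pager');

                // Page number comes from the query string: coerce it to a
                // positive integer instead of passing whatever was supplied.
                $requested = (int) $this->input->get('page');
                $current_page_value = ($requested > 0) ? $requested : 1;

                $config['base_url'] = base_url() . "search";
                $config['total_rows'] = $count['count'];
                $config['per_page'] = 10;
                $config['current_page'] = $current_page_value;
                $this->pager->initializer($config);
                $data['pager'] = $this->pager->create_links();

                $data['result'] = $this->search_m->search_text(
                    $search_text,
                    $config['per_page'],
                    $this->pager->requested_page()
                );

                if ($search_text != NULL) {
                    $data['content'] = $this->load->view('search/search_v.php', $data, true);
                } else {
                    $data['content'] = $this->load->view('search/search_notext_v.php', $data, true);
                }
            } else {
                $data['content'] = $this->load->view('search/search_no_results_v', $data, true);
            }
        } else {
            $search_text = NULL;
            // Term too short: tell the user and send them back. Note the page
            // still renders below, exactly as before.
            echo "<script>alert('Поисковая строка не может быть короче трех символов')</script>";
            echo "<script>window.history.back()</script>";
        }
    } else {
        $data['content'] = $this->load->view('search/search_notext_v', '', true);
    }

    // Sidebar menu
    $this->load->model('commerce/commerce_m');
    $data['subcategory'] = $this->commerce_m->get_all_subcategories();
    $data['category'] = $this->commerce_m->get_all_categories();

    // Auth block
    $data['auth_form'] = $this->load->module('auth')->auth_block_generator();

    // Meta tags
    $data['seo_title'] = 'Поиск по сайту';
    $data['seo_description'] = 'Поиск по сайту';
    $data['seo_keywords'] = 'Поиск по сайту';

    $this->load->view('main/index_v', $data);
}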
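/**
 * Collect and sanitise a set of POST fields.
 *
 * @param array $value  list of POST field names to read
 * @return array        field name => cleaned value
 *
 * Scalar values are passed through strip_image_tags, quotes_to_entities,
 * encode_php_tags and trim. Array values (e.g. multi-selects) are returned as
 * delivered by $this->SV->input->post() and are NOT run through those helpers.
 */
function acceptData($value)
{
    // Initialise explicitly: the original left $data undefined when $value was
    // empty and returned NULL instead of an empty array.
    $data = array();

    foreach ($value as $key => $val) {
        // Second argument TRUE is the input class's XSS-filter flag.
        $clean = $this->SV->input->post($val, TRUE);

        if (!is_array($clean)) {
            $clean = strip_image_tags($clean);
            $clean = quotes_to_entities($clean);
            $clean = encode_php_tags($clean);
            $clean = trim($clean);
        }

        $data[$val] = $clean;
    }

    return $data;
}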
/**
 * Typographic parser
 *
 * Runs the full formatting pipeline on a string of user-submitted content:
 * pre-hook, preference setup, PHP/EE tag encoding, [code] protection, image
 * stripping, HTML formatting, auto-linking, BBCode, the selected text format
 * (xhtml / markdown / lite / br / plugin), emoticons, word censor, e-mail
 * obfuscation, code-marker restoration and the post-hook.
 *
 * Note: The processing order is very important in this function so don't change it!
 *
 * @param string $str   content to format; an empty string returns NULL (not '')
 * @param array  $prefs optional overrides: text_format, html_format, auto_links, allow_img_url
 * @return string|null
 */
public function parse_type($str, $prefs = '')
{
    if ($this->parse_images === TRUE) {
        $this->file_paths = ee()->functions->fetch_file_paths();
    }

    // In the future, we might think about caching all of this processing, ya know.
    // Do an md5 of the content, process it, store it, retrieve it, et cetera.
    // Not sure how the clearing of it out would go, and if we stored it in the database
    // that does add yet another query. Hmmmm. -Paul
    if ($str == '') {
        return;
    }

    // 'typography_parse_type_start' hook.
    // - Modify string prior to all other typography processing
    if (ee()->extensions->active_hook('typography_parse_type_start') === TRUE) {
        $str = ee()->extensions->call('typography_parse_type_start', $str, $this, $prefs);
    }

    // Set up our preferences. text_format is only accepted from $prefs when it
    // is 'none', one of $this->text_fmt_types, or a registered plugin whose
    // file exists - so $this->text_format (used to build require paths below)
    // never holds an arbitrary caller-supplied value.
    if (is_array($prefs)) {
        if (isset($prefs['text_format'])) {
            if ($prefs['text_format'] == 'none') {
                $this->text_format = 'none';
            } else {
                if (in_array($prefs['text_format'], $this->text_fmt_types)) {
                    $this->text_format = $prefs['text_format'];
                } else {
                    if (isset($this->text_fmt_plugins[$prefs['text_format']]) && (file_exists(PATH_PI . 'pi.' . $prefs['text_format'] . '.php') or file_exists(PATH_THIRD . $prefs['text_format'] . '/pi.' . $prefs['text_format'] . '.php'))) {
                        $this->text_format = $prefs['text_format'];
                    }
                }
            }
        }

        if (isset($prefs['html_format']) and in_array($prefs['html_format'], $this->html_fmt_types)) {
            $this->html_format = $prefs['html_format'];
        }

        if (isset($prefs['auto_links']) and in_array($prefs['auto_links'], $this->yes_no_syntax)) {
            $this->auto_links = $prefs['auto_links'];
        }

        if (isset($prefs['allow_img_url']) and in_array($prefs['allow_img_url'], $this->yes_no_syntax)) {
            $this->allow_img_url = $prefs['allow_img_url'];
        }
    }

    // If we're dealing with a separate parser (e.g. Markdown)
    $separate_parser = $this->text_format == 'markdown' ? TRUE : FALSE;

    // Encode PHP tags.
    // Before we do anything else, we'll convert PHP tags into character entities.
    // This is so that PHP submitted in channel entries, comments, etc. won't get parsed.
    // Since you can enable templates to parse PHP, it would open up a security
    // hole to leave PHP submitted in entries and comments intact.
    //
    // If we're dealing with a separate parser, don't encode now in case of
    // code snippets (Markdown gets encoded after it has run, see below).
    //
    // NOTE(review): only the markdown path is re-encoded after formatting; a
    // third-party plugin's return_data and the parse_type_end hook output are
    // not, so they must not re-introduce "<?".
    ee()->load->helper('security');

    if (!$separate_parser) {
        $str = encode_php_tags($str);
    }

    // Encode EE tags.
    // Next, we need to encode EE tags contained in entries, comments, etc. so that they don't get parsed.
    $str = ee()->functions->encode_ee_tags($str, $this->convert_curly);

    // Are single lines considered paragraphs? If not, a single-line xhtml
    // string is downgraded to 'lite' formatting.
    if ($this->single_line_pgfs != TRUE) {
        if ($this->text_format == 'xhtml' and strpos($str, "\r") === FALSE and strpos($str, "\n") === FALSE) {
            $this->text_format = 'lite';
        }
    }

    // Fix emoticon bug
    $str = str_replace(array('>:-(', '>:('), array(':angry:', ':mad:'), $str);

    // Highlight text within [code] tags.
    // If highlighting is enabled, we'll highlight <pre> tags as well.
    if ($this->highlight_code == TRUE) {
        $str = str_replace(array('[pre]', '[/pre]'), array('[code]', '[/code]'), $str);
    }

    // We don't want BBCode parsed if it's within code examples so we'll convert the brackets
    $str = $this->_protect_bbcode($str);

    // Strip IMG tags if not allowed
    if ($this->allow_img_url == 'n') {
        $str = $this->strip_images($str);
    }

    // Format HTML
    $str = $this->format_html($str);

    // Auto-link URLs and email addresses
    if ($this->auto_links == 'y' && !$separate_parser) {
        $str = $this->auto_linker($str);
    }

    // Parse file paths (in images)
    $str = $this->parse_file_paths($str);

    // Convert HTML links in CP to BBCode.
    // Forces HTML links output in the control panel to BBCode so they will be formatted
    // as redirects, to prevent the control panel address from showing up in referrer logs
    // except when sending emails, where we don't want created links piped through the site.
    // NOTE(review): "[^\2]" inside a character class is not a back-reference
    // (it is the byte \x02), so the quote-matching is looser than it looks.
    if (REQ == 'CP' && ee()->input->get('M') != 'send_email' && strpos($str, 'href=') !== FALSE) {
        $str = preg_replace("#<a\\s+(.*?)href=(\"|')([^\\2]*?)\\2(.*?)\\>(.*?)</a>#si", "[url=\"\\3\"\\1\\4]\\5[/url]", $str);
    }

    // Decode BBCode
    $str = $this->decode_bbcode($str);

    // Format text according to the selected text_format.
    switch ($this->text_format) {
        case 'none':
            break;
        case 'xhtml':
            $str = $this->auto_typography($str);
            break;
        case 'markdown':
            $str = $this->markdown($str, $prefs);
            break;
        case 'lite':
            $str = $this->format_characters($str); // Used with channel entry titles
            break;
        case 'br':
            $str = $this->nl2br_except_pre($str);
            break;
        default:
            // Plugin of some sort. The require path is built from
            // $this->text_format, which only ever holds a whitelisted value
            // (see the preference setup above).
            if (!class_exists('EE_Template')) {
                require APPPATH . 'libraries/Template.php';
                ee()->TMPL = new EE_Template();
            }

            $plugin = ucfirst($this->text_format);

            if (!class_exists($plugin)) {
                if (in_array($this->text_format, ee()->core->native_plugins)) {
                    require_once PATH_PI . 'pi.' . $this->text_format . '.php';
                } else {
                    require_once PATH_THIRD . $this->text_format . '/pi.' . $this->text_format . '.php';
                }
            }

            if (class_exists($plugin)) {
                $PLG = new $plugin($str);

                if (isset($PLG->return_data)) {
                    $str = $PLG->return_data;
                }
            }
            break;
    }

    // Encode PHP post-Markdown parsing
    if ($separate_parser) {
        $str = encode_php_tags($str);
    }

    // Parse emoticons
    $str = $this->emoticon_replace($str);

    // Parse censored words.
    // NOTE(review): count($this->censored_words > 0) counts a boolean, not the
    // array - the intended check is count($this->censored_words) > 0. On PHP 8
    // count(bool) throws a TypeError.
    if ($this->word_censor === TRUE && count($this->censored_words > 0)) {
        ee()->load->helper('text');
        $str = word_censor($str, $this->censored_words, $this->censored_replace);
    }

    // Decode and spam-protect email addresses.
    // {encode="*****@*****.**" title="Click Me"}
    // Note: We only do this here if it's a CP request since the
    // template parser handles this for page requests
    if (REQ == 'CP' && strpos($str, '{encode=') !== FALSE) {
        if (preg_match_all("/\\{encode=(.+?)\\}/i", $str, $matches)) {
            for ($j = 0; $j < count($matches['0']); $j++) {
                $str = str_replace($matches['0'][$j], ee()->functions->encode_email($matches['1'][$j]), $str);
            }
        }
    }

    // Standard email addresses
    $str = $this->decode_emails($str);

    // Insert the cached code tags
    $str = $this->_convert_code_markers($str);

    // 'typography_parse_type_end' hook.
    // - Modify string after all other typography processing
    if (ee()->extensions->active_hook('typography_parse_type_end') === TRUE) {
        $str = ee()->extensions->call('typography_parse_type_end', $str, $this, $prefs);
    }

    return $str;
}
/**
 * Encode PHP Tags (prep)
 *
 * Validation prep rule: rewrites the named field on this object so that any
 * "<?" / "?>" sequences become character entities.
 * This replaces the version in CI_Form_validation.
 *
 * @param string $field  name of the property to encode in place
 * @return void
 * @ignore
 */
protected function _encode_php_tags($field)
{
    $current = $this->{$field};
    $this->{$field} = encode_php_tags($current);
}
/**
 * Typographic parser (older $this->EE-based variant).
 *
 * Same pipeline as the newer version: pre-hook, PHP/EE tag encoding,
 * preference setup, [code] protection, image stripping, HTML formatting,
 * auto-linking, BBCode, text-format switch, emoticons, censor, e-mail
 * obfuscation, code-chunk restoration, post-hook. Order matters.
 *
 * @param string $str   content to format; an empty string returns NULL (not '')
 * @param array  $prefs optional overrides: text_format, html_format, auto_links, allow_img_url
 * @return string|null
 */
function parse_type($str, $prefs = '')
{
    if ($this->parse_images === TRUE) {
        $this->file_paths = $this->EE->functions->fetch_file_paths();
    }

    // In the future, we might think about caching all of this processing, ya know.
    // Do an md5 of the content, process it, store it, retrieve it, et cetera.
    // Not sure how the clearing of it out would go, and if we stored it in the database
    // that does add yet another query. Hmmmm. -Paul
    if ($str == '') {
        return;
    }

    // 'typography_parse_type_start' hook.
    // - Modify string prior to all other typography processing
    if ($this->EE->extensions->active_hook('typography_parse_type_start') === TRUE) {
        $str = $this->EE->extensions->call('typography_parse_type_start', $str, $this, $prefs);
    }

    // Encode PHP tags.
    // Before we do anything else, we'll convert PHP tags into character entities.
    // This is so that PHP submitted in channel entries, comments, etc. won't get parsed.
    // Since you can enable templates to parse PHP, it would open up a security
    // hole to leave PHP submitted in entries and comments intact.
    // NOTE(review): this is the only encode pass - plugin return_data and the
    // parse_type_end hook run after it and are not re-encoded.
    $this->EE->load->helper('security');
    $str = encode_php_tags($str);

    // Encode EE tags.
    // Next, we need to encode EE tags contained in entries, comments, etc. so that they don't get parsed.
    $str = $this->EE->functions->encode_ee_tags($str, $this->convert_curly);

    // Set up our preferences. text_format is only copied into
    // $this->text_format when it is 'none', one of text_fmt_types, or a
    // registered plugin whose file exists.
    if (is_array($prefs)) {
        if (isset($prefs['text_format'])) {
            if ($prefs['text_format'] != 'none') {
                if (in_array($prefs['text_format'], $this->text_fmt_types)) {
                    $this->text_format = $prefs['text_format'];
                } else {
                    if (isset($this->text_fmt_plugins[$prefs['text_format']]) and (file_exists(PATH_PI . 'pi.' . $prefs['text_format'] . EXT) or file_exists(PATH_THIRD . $prefs['text_format'] . '/pi.' . $prefs['text_format'] . EXT))) {
                        $this->text_format = $prefs['text_format'];
                    }
                }
            } else {
                $this->text_format = 'none';
            }
        }

        if (isset($prefs['html_format']) and in_array($prefs['html_format'], $this->html_fmt_types)) {
            $this->html_format = $prefs['html_format'];
        }

        if (isset($prefs['auto_links']) and in_array($prefs['auto_links'], $this->yes_no_syntax)) {
            $this->auto_links = $prefs['auto_links'];
        }

        if (isset($prefs['allow_img_url']) and in_array($prefs['allow_img_url'], $this->yes_no_syntax)) {
            $this->allow_img_url = $prefs['allow_img_url'];
        }
    }

    // Are single lines considered paragraphs? If not, a single-line xhtml
    // string is downgraded to 'lite' formatting.
    if ($this->single_line_pgfs != TRUE) {
        if ($this->text_format == 'xhtml' and strpos($str, "\r") === FALSE and strpos($str, "\n") === FALSE) {
            $this->text_format = 'lite';
        }
    }

    // Fix emoticon bug
    $str = str_replace(array('>:-(', '>:('), array(':angry:', ':mad:'), $str);

    // Highlight text within [code] tags.
    // If highlighting is enabled, we'll highlight <pre> tags as well.
    if ($this->highlight_code == TRUE) {
        $str = str_replace(array('[pre]', '[/pre]'), array('[code]', '[/code]'), $str);
    }

    // We don't want BBCode parsed if it's within code examples so we'll convert the brackets.
    // NOTE(review): as shown, the replacement maps '[' and ']' onto themselves,
    // i.e. it is a no-op; the replacement array was presumably the numeric
    // entities for the brackets and was decoded when this listing was rendered -
    // confirm against the committed file.
    if (strpos($str, '[code]') !== FALSE) {
        if (preg_match_all("/\\[code\\](.+?)\\[\\/code\\]/si", $str, $matches)) {
            for ($i = 0; $i < count($matches['1']); $i++) {
                $temp = str_replace(array('[', ']'), array('[', ']'), $matches['1'][$i]);
                $str = str_replace($matches['0'][$i], '[code]' . $temp . '[/code]', $str);
            }
        }

        if ($this->highlight_code == TRUE) {
            $str = $this->text_highlight($str);
        } else {
            $str = str_replace(array('[code]', '[/code]'), array('<code>', '</code>'), $str);
        }
    }

    // Strip IMG tags if not allowed
    if ($this->allow_img_url == 'n') {
        $str = $this->strip_images($str);
    }

    // Format HTML
    $str = $this->format_html($str);

    // Auto-link URLs and email addresses
    if ($this->auto_links == 'y' and $this->html_format != 'none') {
        $str = $this->auto_linker($str);
    }

    // Parse file paths (in images)
    $str = $this->parse_file_paths($str);

    // Convert HTML links in CP to BBCode.
    // Forces HTML links output in the control panel to BBCode so they will be formatted
    // as redirects, to prevent the control panel address from showing up in referrer logs
    // except when sending emails, where we don't want created links piped through the site.
    // NOTE(review): "[^\2]" inside a character class is not a back-reference
    // (it is the byte \x02), so the quote-matching is looser than it looks.
    if (REQ == 'CP' && $this->EE->input->get('M') != 'send_email' && strpos($str, 'href=') !== FALSE) {
        $str = preg_replace("#<a\\s+(.*?)href=(\"|')([^\\2]*?)\\2(.*?)\\>(.*?)</a>#si", "[url=\"\\3\"\\1\\4]\\5[/url]", $str);
    }

    // Decode BBCode
    $str = $this->decode_bbcode($str);

    // Format text according to the selected text_format.
    switch ($this->text_format) {
        case 'none':
            break;
        case 'xhtml':
            $str = $this->xhtml_typography($str);
            break;
        case 'lite':
            $str = $this->format_characters($str); // Used with channel entry titles
            break;
        case 'br':
            $str = $this->nl2br_except_pre($str);
            break;
        default:
            // Plugin of some sort.
            // NOTE(review): the class name and require_once paths here are built
            // from $prefs['text_format'], NOT from the whitelisted
            // $this->text_format used by the switch. The whitelist above only
            // guards what is copied into $this->text_format; a rejected
            // $prefs['text_format'] (or a non-array $prefs) still reaches these
            // lines whenever $this->text_format already names a plugin. If
            // $prefs can ever be caller/user supplied that is a file-inclusion
            // risk; the newer version of this method uses $this->text_format.
            if (!class_exists('EE_Template')) {
                require APPPATH . 'libraries/Template' . EXT;
                $this->EE->TMPL = new EE_Template();
            }

            $plugin = ucfirst($prefs['text_format']);

            if (!class_exists($plugin)) {
                if (in_array($prefs['text_format'], $this->EE->core->native_plugins)) {
                    require_once PATH_PI . 'pi.' . $prefs['text_format'] . EXT;
                } else {
                    require_once PATH_THIRD . $prefs['text_format'] . '/pi.' . $prefs['text_format'] . EXT;
                }
            }

            if (class_exists($plugin)) {
                $PLG = new $plugin($str);

                if (isset($PLG->return_data)) {
                    $str = $PLG->return_data;
                }
            }
            break;
    }

    // Parse emoticons
    $str = $this->emoticon_replace($str);

    // Parse censored words.
    // NOTE(review): count($this->censored_words > 0) counts a boolean, not the
    // array - the intended check is count($this->censored_words) > 0. On PHP 8
    // count(bool) throws a TypeError.
    if ($this->word_censor === TRUE && count($this->censored_words > 0)) {
        $this->EE->load->helper('text');
        $str = word_censor($str, $this->censored_words, $this->censored_replace);
    }

    // Decode and spam-protect email addresses.
    // {encode="*****@*****.**" title="Click Me"}
    // Note: We only do this here if it's a CP request since the
    // template parser handles this for page requests
    if (REQ == 'CP' && strpos($str, '{encode=') !== FALSE) {
        if (preg_match_all("/\\{encode=(.+?)\\}/i", $str, $matches)) {
            for ($j = 0; $j < count($matches['0']); $j++) {
                $str = str_replace($matches['0'][$j], $this->EE->functions->encode_email($matches['1'][$j]), $str);
            }
        }
    }

    // Standard email addresses
    $str = $this->decode_emails($str);

    // Insert the cached code tags.
    // The highlight function called earlier converts the original code strings into markers
    // so that the auto_xhtml function doesn't attempt to process the highlighted code chunks.
    // Here we convert the markers back to their correct state.
    if (count($this->code_chunks) > 0) {
        foreach ($this->code_chunks as $key => $val) {
            if ($this->text_format == 'legacy_typography') {
                // First line takes care of the line break that might be there, which should
                // be a line break because it is just a simple break from the [code] tag.
                $str = str_replace('<div class="codeblock">{' . $key . 'yH45k02wsSdrp}</div>' . "\n<br />", '</p><div class="codeblock">' . $val . '</div><p>', $str);
                $str = str_replace('<div class="codeblock">{' . $key . 'yH45k02wsSdrp}</div>', '</p><div class="codeblock">' . $val . '</div><p>', $str);
            } else {
                $str = str_replace('{' . $key . 'yH45k02wsSdrp}', $val, $str);
            }
        }

        $this->code_chunks = array();
    }

    // 'typography_parse_type_end' hook.
    // - Modify string after all other typography processing
    if ($this->EE->extensions->active_hook('typography_parse_type_end') === TRUE) {
        $str = $this->EE->extensions->call('typography_parse_type_end', $str, $this, $prefs);
    }

    return $str;
}
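/**
 * encode_php_tags() must turn "<?" and "?>" into character entities so that a
 * stored value can never be executed when a template is allowed to parse PHP.
 *
 * As displayed, the original asserted that the output equals the input - i.e.
 * that the helper is a no-op, the opposite of its purpose (the expected
 * entities were most likely decoded when the listing was rendered). The
 * expected value below is the entity-encoded form.
 */
function test_encode_php_tags()
{
    $this->assertEquals('&lt;? echo $foo; ?&gt;', encode_php_tags('<? echo $foo; ?>'));
}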
/**
 * Typographic parser
 *
 * Runs the full formatting pipeline on a string of user-submitted content:
 * pre-hook, preferences, parser pre-process, [code] protection, image
 * stripping, HTML formatting, auto-linking, BBCode, the selected text format,
 * emoticons, word censor, e-mail obfuscation, code-marker restoration,
 * post-hook, and finally PHP/EE tag encoding.
 *
 * Note: The processing order is very important in this function so don't change it!
 *
 * @param string $str   content to format; an empty string returns NULL (not '')
 * @param array  $prefs optional overrides, applied by _set_preferences()
 * @return string|null
 */
public function parse_type($str, $prefs = '')
{
    if ($str == '') {
        return;
    }

    // 'typography_parse_type_start' hook.
    // - Modify string prior to all other typography processing
    if (ee()->extensions->active_hook('typography_parse_type_start') === TRUE) {
        $str = ee()->extensions->call('typography_parse_type_start', $str, $this, $prefs);
    }

    // Set up preferences (text_format, html_format, etc.). The validation of
    // $prefs lives in _set_preferences(), not here.
    $this->_set_preferences($prefs);

    // Parser-specific pre_process: dynamic method name derived from
    // text_format, guarded by method_exists(). Presumably _set_preferences()
    // restricts text_format to known values - confirm there.
    if ($this->separate_parser && method_exists($this, $this->text_format . '_pre_process')) {
        $str = $this->{$this->text_format . '_pre_process'}($str);
    }

    // Handle single line paragraphs: a single-line xhtml string is downgraded
    // to 'lite' formatting.
    if ($this->single_line_pgfs != TRUE) {
        if ($this->text_format == 'xhtml' and strpos($str, "\r") === FALSE and strpos($str, "\n") === FALSE) {
            $this->text_format = 'lite';
        }
    }

    // Fix emoticon bug
    $str = str_replace(array('>:-(', '>:('), array(':angry:', ':mad:'), $str);

    // Highlight text within [code] tags
    // If highlighting is enabled, we'll highlight <pre> tags as well.
    if ($this->highlight_code == TRUE) {
        $str = str_replace(array('[pre]', '[/pre]'), array('[code]', '[/code]'), $str);
    }

    // We don't want BBCode parsed if it's within code examples so we'll
    // convert the brackets
    $str = $this->_protect_bbcode($str);

    // Strip IMG tags if not allowed
    if ($this->allow_img_url == 'n') {
        $str = $this->strip_images($str);
    }

    // Format HTML
    $str = $this->format_html($str);

    // Auto-link URLs and email addresses
    if ($this->auto_links == 'y' && !$this->separate_parser) {
        $str = $this->auto_linker($str);
    }

    // Parse file paths (in images)
    $str = $this->parse_file_paths($str);

    // Convert HTML links in CP to BBCode
    //
    // Forces HTML links output in the control panel to BBCode so they will
    // be formatted as redirects, to prevent the control panel address from
    // showing up in referrer logs except when sending emails, where we
    // don't want created links piped through the site.
    // NOTE(review): "[^\2]" inside a character class is not a back-reference
    // (it is the byte \x02), so the quote-matching is looser than it looks.
    if (REQ == 'CP' && $this->bbencode_links && strpos($str, 'href=') !== FALSE) {
        $str = preg_replace("#<a\\s+(.*?)href=(\"|')([^\\2]*?)\\2(.*?)\\>(.*?)</a>#si", "[url=\"\\3\"\\1\\4]\\5[/url]", $str);
    }

    // Decode BBCode
    $str = $this->decode_bbcode($str);

    // Format text according to the selected text_format.
    switch ($this->text_format) {
        case 'none':
            break;
        case 'xhtml':
            $str = $this->auto_typography($str);
            break;
        case 'markdown':
            $str = $this->markdown($str, $prefs);
            break;
        case 'lite':
            // Used with channel entry titles
            $str = $this->format_characters($str);
            break;
        case 'br':
            $str = $this->nl2br_except_pre($str);
            break;
        default:
            // Plugin of some sort (loading/whitelisting is parse_plugin's job)
            $str = $this->parse_plugin($str);
            break;
    }

    // Parse emoticons
    $str = $this->emoticon_replace($str);

    // Parse censored words.
    // NOTE(review): count($this->censored_words > 0) counts a boolean, not the
    // array - the intended check is count($this->censored_words) > 0. On PHP 8
    // count(bool) throws a TypeError.
    if ($this->word_censor === TRUE && count($this->censored_words > 0)) {
        ee()->load->helper('text');
        $str = word_censor($str, $this->censored_words, $this->censored_replace);
    }

    // Decode {encode=...} only in the CP since the template parser handles
    // this for page requests
    if (REQ == 'CP' && strpos($str, '{encode=') !== FALSE) {
        ee()->load->library('template', NULL, 'TMPL');
        $str = ee()->TMPL->parse_encode_email($str);
    }

    // Standard email addresses
    $str = $this->decode_emails($str);

    // Insert the cached code tags
    $str = $this->_convert_code_markers($str);

    // 'typography_parse_type_end' hook.
    // - Modify string after all other typography processing
    if (ee()->extensions->active_hook('typography_parse_type_end') === TRUE) {
        $str = ee()->extensions->call('typography_parse_type_end', $str, $this, $prefs);
    }

    // Encode PHP Tags. Done last so that every contributor to the output -
    // the text-format parser, plugins and both hooks - is covered; this is
    // what keeps "<?" in submitted content from being executed when a
    // template is allowed to parse PHP.
    ee()->load->helper('security');
    $str = encode_php_tags($str);

    // Encode EE Tags (same reasoning: nothing upstream can smuggle a live tag)
    $str = ee()->functions->encode_ee_tags($str, $this->convert_curly);

    return $str;
}
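/**
 * Best-effort scrubbing of a user-supplied string.
 *
 * Removes NUL bytes, runs the security helper's xss_clean(),
 * strip_image_tags() and encode_php_tags(), and then deletes a blacklist of
 * substrings ("select", "delete", "script", "*", ...).
 *
 * WARNING: the keyword blacklist is NOT an SQL-injection or XSS defence. It
 * mangles legitimate input (any text containing "from" or "update" loses
 * those letters) and cannot enumerate every dangerous token. Database safety
 * must come from query bindings / escaping at the query site; output safety
 * from context-aware escaping in the view. The blacklist is kept only because
 * existing callers may depend on the stripped output.
 *
 * @param string $q  raw input
 * @return string    scrubbed input ('' if a regex error occurs)
 */
public function security_clean($q)
{
    $this->load->helper('security');

    // Strip NUL bytes and the literal two-character "\0" escape. The first
    // replacement in the original was str_replace("", "", $q) - a no-op -
    // presumably a real NUL byte that was lost; confirm against the
    // committed file.
    $q = str_replace("\0", "", $q);
    $q = str_replace('\\0', "", $q);

    $q = xss_clean($q);
    $q = strip_image_tags($q);
    $q = encode_php_tags($q);

    $blacklist = array(
        "/select/si",
        "/delete/si",
        "/update/si",
        "/insert/si",
        "/from/si",
        "/alert/si",
        "/\\[removed\\]/si",
        "/script/si",
        "/\\*/si",
    );

    // Strip to a fixed point. The original ran a single pass, so a nested
    // spelling such as "sel" . "select" . "ect" collapsed into "select" and
    // survived the filter.
    do {
        $before = $q;
        $q = preg_replace($blacklist, "", $q);

        if ($q === NULL) {
            // preg_replace() reports a PCRE error as NULL; fail closed.
            return '';
        }
    } while ($q !== $before);

    return $q;
}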