/**
 * Processes a string of HTML attributes.
 *
 * Walks the attribute string with a three-state scanner:
 *   0 - expecting an attribute name (e.g. "href"),
 *   1 - expecting "=" or whitespace (a valueless attribute such as "selected"),
 *   2 - expecting a value: double-quoted, single-quoted or bare.
 * Whenever the current state cannot consume anything, the leading token
 * (a quoted run or a non-whitespace run plus trailing spaces) is discarded
 * and scanning restarts in state 0.
 *
 * Attributes named "style" or starting with "on" (event handlers) are
 * parsed but never emitted. Every attribute value is passed through
 * filter_xss_bad_protocol() before being emitted; bare values are re-emitted
 * double-quoted.
 *
 * @param $attr
 *   The raw attribute string (everything after the tag name).
 *
 * @return
 *   Cleaned up version of the HTML attributes: a list of strings, each
 *   either a bare attribute name or name="value" / name='value'.
 */
function _filter_xss_attributes($attr) {
  $accepted = array();
  $mode = 0;
  $name = '';
  $drop = FALSE;

  // Pattern used when the scanner is stuck: eats one malformed token.
  $junk_re = '/
    ^
    (
    "[^"]*("|$)     # - a string that starts with a double quote, up until the next double quote or the end of the string
    |               # or
    \'[^\']*(\'|$)| # - a string that starts with a quote, up until the next quote or the end of the string
    |               # or
    \\S             # - a non-whitespace character
    )*              # any number of the above three
    \\s*            # any number of whitespaces
    /x';

  // Accepted value shapes for state 2: matcher, stripper, output format.
  $value_forms = array(
    array('/^"([^"]*)"(\\s+|$)/', '/^"[^"]*"(\\s+|$)/', '%s="%s"'),
    array("/^'([^']*)'(\\s+|\$)/", "/^'[^']*'(\\s+|\$)/", "%s='%s'"),
    array("%^([^\\s\"']+)(\\s+|\$)%", "%^[^\\s\"']+(\\s+|\$)%", '%s="%s"'),
  );

  while (strlen($attr) !== 0) {
    // Did the current state manage to consume something?
    $consumed = FALSE;

    if ($mode === 0) {
      // Attribute name, href for instance.
      if (preg_match('/^([-a-zA-Z]+)/', $attr, $m)) {
        $name = strtolower($m[1]);
        $drop = $name == 'style' || strncmp($name, 'on', 2) === 0;
        $consumed = TRUE;
        $mode = 1;
        $attr = preg_replace('/^[-a-zA-Z]+/', '', $attr);
      }
    }
    elseif ($mode === 1) {
      // Equals sign or valueless ("selected").
      if (preg_match('/^\\s*=\\s*/', $attr)) {
        $consumed = TRUE;
        $mode = 2;
        $attr = preg_replace('/^\\s*=\\s*/', '', $attr);
      }
      elseif (preg_match('/^\\s+/', $attr)) {
        $consumed = TRUE;
        $mode = 0;
        if (!$drop) {
          $accepted[] = $name;
        }
        $attr = preg_replace('/^\\s+/', '', $attr);
      }
    }
    else {
      // Attribute value, a URL after href= for instance.
      foreach ($value_forms as $form) {
        list($match_re, $strip_re, $format) = $form;
        if (!preg_match($match_re, $attr, $m)) {
          continue;
        }
        // The protocol filter runs even for dropped attributes, matching the
        // original call order.
        $value = filter_xss_bad_protocol($m[1]);
        if (!$drop) {
          $accepted[] = sprintf($format, $name, $value);
        }
        $consumed = TRUE;
        $mode = 0;
        $attr = preg_replace($strip_re, '', $attr);
        break;
      }
    }

    if (!$consumed) {
      // Not well formed: remove the offending token and try again.
      $attr = preg_replace($junk_re, '', $attr);
      $mode = 0;
    }
  }

  // The attribute list ends with a valueless attribute like "selected".
  if ($mode === 1) {
    $accepted[] = $name;
  }

  return $accepted;
}
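/**
 * Generates an internal or external URL.
 *
 * When creating links in modules, consider whether _l() is a better
 * alternative than url().
 *
 * @param $path
 *   The internal or external path to link to, such as "node/34" or
 *   "http://example.com/foo". Notes:
 *   - If you provide a full URL, it is considered an external URL.
 *   - If you provide only a path (e.g. "node/34"), it is considered an
 *     internal link. In this case it may be a system path and will be
 *     replaced by its alias, if one exists. Additional query arguments
 *     should be given in $options['query'], not included in the URL.
 *   - If an internal path is given and $options['alias'] is TRUE, it is
 *     assumed to already be the correct alias for the path, and no alias
 *     lookup is performed.
 *   - The special string '<front>' generates a link to the site's front page.
 *   - If your external URL contains a query (e.g. http://example.com/foo?a=b),
 *     you can either encode the keys and values yourself and include them in
 *     $path, or pass them in $options['query'] and let this function encode
 *     them.
 *
 * @param $options
 *   An associative array of additional options, with the following elements:
 *   - 'query': A URL-encoded query string to append to the link, or an array of
 *     query key/value-pairs without any URL-encoding.
 *   - 'fragment': A fragment identifier (named anchor) to append to the URL.
 *     Do not include the leading '#' character.
 *   - 'absolute' (default FALSE): Whether to force the output to be an absolute
 *     link (beginning with http:). Useful for links that will be displayed
 *     outside the site, such as in an RSS feed.
 *   - 'alias' (default FALSE): Whether the given path is a URL alias already.
 *   - 'external': Whether the given path is an external URL. When omitted it
 *     is derived from $path: a scheme must precede any "/", "?" or "#", and
 *     filter_xss_bad_protocol() must leave the path unchanged.
 *   - 'language': An optional language object. Used to build the URL to link
 *     to and look up the proper alias for the link.
 *   - 'base_url': Only used internally, to modify the base URL when a language
 *     dependent URL requires so.
 *   - 'prefix': Only used internally, to modify the path when a language
 *     dependent URL requires so.
 *
 * @return
 *   A string containing a URL to the given path.
 */
function url($path = NULL, $options = array()) {
  // Merge in defaults.
  $options += array(
    'fragment' => '',
    'query' => '',
    'absolute' => FALSE,
    'alias' => FALSE,
    'prefix' => '',
  );

  if (!isset($options['external'])) {
    // Return an external link if $path contains an allowed absolute URL.
    // Only call the slow filter_xss_bad_protocol if $path contains a ':'
    // before any / ? or #.
    $colonpos = strpos($path, ':');
    $options['external'] = $colonpos !== FALSE
      && !preg_match('![/?#]!', substr($path, 0, $colonpos))
      && filter_xss_bad_protocol($path, FALSE) == check_plain($path);
  }

  // May need language dependent rewriting if language.inc is present.
  if (function_exists('language_url_rewrite')) {
    language_url_rewrite($path, $options);
  }

  if ($options['fragment']) {
    $options['fragment'] = '#' . $options['fragment'];
  }

  if (is_array($options['query'])) {
    $options['query'] = query_string_encode($options['query']);
  }

  if ($options['external']) {
    // Split off the fragment.
    if (strpos($path, '#') !== FALSE) {
      list($path, $old_fragment) = explode('#', $path, 2);
      // An explicit $options['fragment'] wins over one embedded in $path.
      if (isset($old_fragment) && !$options['fragment']) {
        $options['fragment'] = '#' . $old_fragment;
      }
    }
    // Append the query.
    if ($options['query']) {
      $path .= (strpos($path, '?') !== FALSE ? '&' : '?') . $options['query'];
    }
    // Reassemble.
    return $path . $options['fragment'];
  }

  global $cfg;
  static $script = NULL;

  if (!isset($script)) {
    // On some web servers, such as IIS, we can't omit "index.php". So, we
    // generate "index.php?q=foo" instead of "?q=foo" on anything that is not
    // Apache. SERVER_SOFTWARE is not set under every SAPI (e.g. the CLI), so
    // read it defensively instead of raising an undefined-index notice.
    $server_software = isset($_SERVER['SERVER_SOFTWARE']) ? $_SERVER['SERVER_SOFTWARE'] : '';
    $script = strpos($server_software, 'Apache') === FALSE ? 'index.php' : '';
  }

  if (!isset($options['base_url'])) {
    // The base_url might be rewritten from the language rewrite in domain mode.
    $options['base_url'] = $cfg['base_url'];
  }

  // Preserve the original path before aliasing.
  $original_path = $path;

  // The special path '<front>' links to the default front page.
  if ($path == '<front>') {
    $path = '';
  }
  elseif (!empty($path) && !$options['alias']) {
    $path = get_path_alias($path, isset($options['language']) ? $options['language']->language : '');
  }

  /*
   * @todo check whether this is still needed.
   * if (function_exists('custom_url_rewrite_outbound')) {
   *   // Modules may alter outbound links by reference.
   *   custom_url_rewrite_outbound($path, $options, $original_path);
   * }
   */

  $base = $options['absolute'] ? $options['base_url'] . '/' : $cfg['base_path'];
  // For the front page the language prefix must not end in a slash.
  $prefix = empty($path) ? rtrim($options['prefix'], '/') : $options['prefix'];
  $path = SB_urlencode($prefix . $path);

  if (variable_get('clean_url', '0')) {
    // With Clean URLs.
    if ($options['query']) {
      return $base . $path . '?' . $options['query'] . $options['fragment'];
    }
    return $base . $path . $options['fragment'];
  }

  // Without Clean URLs.
  $variables = array();
  if (!empty($path)) {
    $variables[] = 'q=' . $path;
  }
  if (!empty($options['query'])) {
    $variables[] = $options['query'];
  }
  $query = join('&', $variables);

  // join() always returns a string, so an isset() test here could never fail
  // and the front page would come out as "index.php?" / "?". Only emit the
  // "?" when there is actually something to put after it.
  if ($query !== '') {
    return $base . $script . '?' . $query . $options['fragment'];
  }
  return $base . $options['fragment'];
}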