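/**
 * Sanitise an HTML message body for display.
 *
 * Builds the filtering policy (tags to drop, tags to drop together with their
 * content, self-closing tags, attribute names to strip, attribute values to
 * rewrite, attributes to add) and hands it to tln_sanitize(), which does the
 * actual parsing and filtering.
 *
 * @param string $body                  Untrusted HTML to filter.
 * @param string $trans_image_path      Path of a transparent image that
 *                                      replaces blocked src/background URLs.
 * @param bool   $block_external_images When true, http(s) URLs in src,
 *                                      background and CSS url() are replaced
 *                                      by $trans_image_path as well.
 * @return string The filtered HTML as returned by tln_sanitize().
 */
function HTMLFilter($body, $trans_image_path, $block_external_images = false)
{
    // $trans_image_path is interpolated into preg_replace() replacement
    // strings, where "\" and "$" introduce back-references. Escape both so a
    // path containing either character is inserted literally.
    $img = strtr($trans_image_path, array('\\' => '\\\\', '$' => '\\$'));

    // First element is a mode flag consumed by tln_sanitize() (false here);
    // the remaining entries are the tag names it acts on — presumably a deny
    // list, confirm against tln_sanitize().
    $tag_list = array(
        false,
        "object", "meta", "html", "head", "base", "link",
        "frame", "iframe", "plaintext", "marquee",
    );

    // Tags removed together with everything between their open and close tag.
    $rm_tags_with_content = array(
        "script", "applet", "embed", "title", "frameset", "xmp", "xml",
    );

    $self_closing_tags = array("img", "br", "hr", "input", "outbind");
    $force_tag_closing = true;

    // Attribute names stripped from every tag ("/.*/"): event handlers and
    // legacy IE/Netscape source attributes.
    $rm_attnames = array(
        "/.*/" => array("/^on.*/i", "/^dynsrc/i", "/^data.*/i", "/^lowsrc.*/i"),
    );

    // Attribute-value rewrites, keyed by tag pattern then attribute-name
    // pattern; each entry is [patterns, replacements] passed to preg_replace()
    // in parallel, so both arrays must have the same length and order.
    // Note: in "/^src|background/i" and "/^href|action/i" the "^" anchor binds
    // only to the first alternative; the second matches anywhere in the name.
    $bad_attvals = array(
        "/.*/" => array(
            "/^src|background/i" => array(
                array(
                    "/^([\\'\"])\\s*\\S+script\\s*:.*([\\'\"])/si",
                    "/^([\\'\"])\\s*mocha\\s*:*.*([\\'\"])/si",
                    "/^([\\'\"])\\s*about\\s*:.*([\\'\"])/si",
                ),
                array(
                    "\\1{$img}\\2",
                    "\\1{$img}\\2",
                    "\\1{$img}\\2",
                ),
            ),
            "/^href|action/i" => array(
                array(
                    "/^([\\'\"])\\s*\\S+script\\s*:.*([\\'\"])/si",
                    "/^([\\'\"])\\s*mocha\\s*:*.*([\\'\"])/si",
                    "/^([\\'\"])\\s*about\\s*:.*([\\'\"])/si",
                ),
                array(
                    "\\1#\\1",
                    "\\1#\\1",
                    "\\1#\\1",
                ),
            ),
            "/^style/i" => array(
                array(
                    "/expression/i",
                    "/binding/i",
                    "/behaviou*r/i",
                    "/include-source/i",
                    "/position\\s*:\\s*absolute/i",
                    "/url\\s*\\(\\s*([\\'\"])\\s*\\S+script\\s*:.*([\\'\"])\\s*\\)/si",
                    "/url\\s*\\(\\s*([\\'\"])\\s*mocha\\s*:.*([\\'\"])\\s*\\)/si",
                    "/url\\s*\\(\\s*([\\'\"])\\s*about\\s*:.*([\\'\"])\\s*\\)/si",
                    "/(.*)\\s*:\\s*url\\s*\\(\\s*([\\'\"]*)\\s*\\S+script\\s*:.*([\\'\"]*)\\s*\\)/si",
                ),
                // Aligned one-to-one with the patterns above: the original
                // list carried extra entries, which shifted the property-
                // preserving "\\1:url(\\2#\\3)" replacement past its pattern.
                array(
                    "idiocy",
                    "idiocy",
                    "idiocy",
                    "idiocy",
                    "",
                    "url(\\1#\\1)",
                    "url(\\1#\\1)",
                    "url(\\1#\\1)",
                    "\\1:url(\\2#\\3)",
                ),
            ),
        ),
    );

    if ($block_external_images) {
        // Also neutralise remote image references (tracking pixels etc.).
        $bad_attvals['/.*/']['/^src|background/i'][0][] = '/^([\'\\"])\\s*https*:.*([\'\\"])/si';
        $bad_attvals['/.*/']['/^src|background/i'][1][] = "\\1{$img}\\1";
        $bad_attvals['/.*/']['/^style/i'][0][] = '/url\\(([\'\\"])\\s*https*:.*([\'\\"])\\)/si';
        $bad_attvals['/.*/']['/^style/i'][1][] = "url(\\1{$img}\\1)";
    }

    // Force links to open in a new window.
    $add_attr_to_tag = array("/^a\$/i" => array('target' => '"_blank"'));

    return tln_sanitize(
        $body,
        $tag_list,
        $rm_tags_with_content,
        $self_closing_tags,
        $force_tag_closing,
        $rm_attnames,
        $bad_attvals,
        $add_attr_to_tag
    );
}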
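/**
 * Sanitise an HTML message body for display.
 *
 * Assembles the policy for tln_sanitize(): tags to drop, tags to drop with
 * their content, self-closing tags, attribute names to strip, attribute
 * values to rewrite and attributes to force onto tags.
 *
 * NOTE(review): this listing contains a second definition of HTMLFilter above
 * this one; PHP fatals on a redeclared function unless only one is loaded.
 *
 * @param string $body                  Untrusted HTML to filter.
 * @param string $trans_image_path      Path of a transparent image substituted
 *                                      for blocked src/background URLs.
 * @param bool   $block_external_images When true, http(s) URLs in src,
 *                                      background and CSS url() are replaced
 *                                      by $trans_image_path as well.
 * @return string The filtered HTML as returned by tln_sanitize().
 */
function HTMLFilter($body, $trans_image_path, $block_external_images = false)
{
    // The image path lands inside preg_replace() replacement strings, where
    // "\" and "$" start back-references; escape them so the path is literal.
    $img = strtr($trans_image_path, ['\\' => '\\\\', '$' => '\\$']);

    // Element 0 is a mode flag for tln_sanitize() (false); the rest are the
    // tag names it acts on — presumably a deny list, confirm in tln_sanitize().
    $tag_list = [
        false,
        'object', 'meta', 'html', 'head', 'base', 'link',
        'frame', 'iframe', 'plaintext', 'marquee',
    ];

    // Removed together with their content.
    $rm_tags_with_content = ['script', 'applet', 'embed', 'title', 'frameset', 'xmp', 'xml'];

    $self_closing_tags = ['img', 'br', 'hr', 'input', 'outbind'];
    $force_tag_closing = true;

    // Attribute names dropped from every tag: event handlers and legacy
    // source attributes.
    $rm_attnames = [
        '/.*/' => ['/^on.*/i', '/^dynsrc/i', '/^data.*/i', '/^lowsrc.*/i'],
    ];

    // Per tag-pattern, per attribute-name-pattern: [patterns, replacements]
    // handed to preg_replace() as parallel arrays, so both must line up.
    // Note: "^" binds only to the first alternative in '/^src|background/i'
    // and '/^href|action/i'; the second alternative matches anywhere.
    $bad_attvals = [
        '/.*/' => [
            '/^src|background/i' => [
                [
                    '/^([\'"])\\s*\\S+script\\s*:.*([\'"])/si',
                    '/^([\'"])\\s*mocha\\s*:*.*([\'"])/si',
                    '/^([\'"])\\s*about\\s*:.*([\'"])/si',
                ],
                [
                    "\\1{$img}\\2",
                    "\\1{$img}\\2",
                    "\\1{$img}\\2",
                ],
            ],
            '/^href|action/i' => [
                [
                    '/^([\'"])\\s*\\S+script\\s*:.*([\'"])/si',
                    '/^([\'"])\\s*mocha\\s*:*.*([\'"])/si',
                    '/^([\'"])\\s*about\\s*:.*([\'"])/si',
                ],
                [
                    '\\1#\\1',
                    '\\1#\\1',
                    '\\1#\\1',
                ],
            ],
            '/^style/i' => [
                [
                    '/expression/i',
                    '/binding/i',
                    '/behaviou*r/i',
                    '/include-source/i',
                    '/position\\s*:\\s*absolute/i',
                    '/url\\s*\\(\\s*([\'"])\\s*\\S+script\\s*:.*([\'"])\\s*\\)/si',
                    '/url\\s*\\(\\s*([\'"])\\s*mocha\\s*:.*([\'"])\\s*\\)/si',
                    '/url\\s*\\(\\s*([\'"])\\s*about\\s*:.*([\'"])\\s*\\)/si',
                    '/(.*)\\s*:\\s*url\\s*\\(\\s*([\'"]*)\\s*\\S+script\\s*:.*([\'"]*)\\s*\\)/si',
                ],
                // One replacement per pattern; the original list had two
                // surplus entries that pushed '\\1:url(\\2#\\3)' out of
                // alignment with the last pattern.
                [
                    'idiocy',
                    'idiocy',
                    'idiocy',
                    'idiocy',
                    '',
                    'url(\\1#\\1)',
                    'url(\\1#\\1)',
                    'url(\\1#\\1)',
                    '\\1:url(\\2#\\3)',
                ],
            ],
        ],
    ];

    if ($block_external_images) {
        // Remote image references are rewritten to the local placeholder.
        $bad_attvals['/.*/']['/^src|background/i'][0][] = '/^([\'\\"])\\s*https*:.*([\'\\"])/si';
        $bad_attvals['/.*/']['/^src|background/i'][1][] = "\\1{$img}\\1";
        $bad_attvals['/.*/']['/^style/i'][0][] = '/url\\(([\'\\"])\\s*https*:.*([\'\\"])\\)/si';
        $bad_attvals['/.*/']['/^style/i'][1][] = "url(\\1{$img}\\1)";
    }

    // Links open in a new window.
    $add_attr_to_tag = ['/^a$/i' => ['target' => '"_blank"']];

    return tln_sanitize(
        $body,
        $tag_list,
        $rm_tags_with_content,
        $self_closing_tags,
        $force_tag_closing,
        $rm_attnames,
        $bad_attvals,
        $add_attr_to_tag
    );
}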