/**
 * Clean out any markup that may provide a foothold for a cross-site scripting (XSS) attack.
 * This includes Javascript, frames, etc. It runs the generic clean() pass first and then
 * hands the string to SafeHTML, whose protocol whitelist is extended with the protocols
 * registered on this object ($this->safeProtocals). This is the only method needed for
 * stripping all XSS-related markup.
 *
 * @return void
 * @access public
 * @since 12/6/07
 */
public function cleanXSS()
{
    // Generic cleanup before the SafeHTML pass.
    $this->clean();

    $filter = new SafeHTML();

    // Let any additional protocols configured on this object through the filter.
    foreach ($this->safeProtocals as $extraProtocol) {
        $filter->whiteProtocols[] = $extraProtocol;
    }

    $this->_string = $filter->parse($this->_string);
}
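/**
 * Ready HTML output.
 *
 * Gets a variable, cleaning it up such that the text is shown exactly as
 * expected, except for the HTML tags configured in 'AllowableHTML', which
 * are allowed through. When the 'safehtml' config value is '1', every value
 * is first passed through the SafeHTML filter.
 *
 * Per argument the steps are:
 *   1. (optional) SafeHTML::parse(), memoised per request by sha1 of the input
 *   2. wrap every allowed tag in \022 ... \024 markers
 *   3. htmlspecialchars() over the whole string
 *   4. scramble 'x@y' into numeric entities to hinder address harvesters
 *   5. hand each marked tag to pnVarPrepHTMLDisplay__callback() for restoration
 *   6. (optional, 'htmlentities' config) undo the double encoding of entities
 *
 * @author Xaraya development team
 * @param string $var variable to prepare
 * @param string ... further variables to prepare
 * @return string|array prepared variable if only one variable passed
 *                      in, otherwise an array of prepared variables
 */
function pnVarPrepHTMLDisplay()
{
    // Regex matching the allowed tags, built once per request ('' = nothing allowed).
    static $allowedtags = null;
    // SafeHTML instance, created lazily and reused across calls.
    static $safehtml = null;
    // Cache of SafeHTML results keyed by sha1 of the raw input.
    static $parsed = array();

    if ($allowedtags === null) {
        $allowedtags = pnVarPrepHTMLDisplay__allowedTags();
    }

    $usesh = pnConfigGetVar('safehtml');
    if ($usesh == '1' && $safehtml === null) {
        $safehtml = new SafeHTML();
        // Per the original author: restricting the attribute list to 'dynsrc'
        // stops SafeHTML from removing 'id' and 'name' (not verifiable here).
        $safehtml->attributes = array('dynsrc');
    }

    // Replaces the former preg_replace() with the 'e' modifier: that modifier
    // evaluated the replacement string as PHP code and was removed in PHP 7,
    // where the call fails and returns null. The callback produces the same
    // '&#NNN;@&#NNN;' output for the byte before and after the '@'.
    // \024 / \022 are excluded from the character classes so that a marked
    // tag around the username or the domain name is not split.
    $scrambleAddress = function (array $m) {
        return sprintf('&#%03d;@&#%03d;', ord($m[1]), ord($m[2]));
    };

    $fixEntities = pnConfigGetVar('htmlentities');

    $resarray = array();
    foreach (func_get_args() as $var) {
        if ($usesh == '1') {
            $shakey = sha1($var);
            if (isset($parsed[$shakey])) {
                $var = $parsed[$shakey];
            } else {
                $safehtml->clear();
                $var = $safehtml->parse($var);
                $parsed[$shakey] = $var;
            }
        }

        // Mark the HTML that we want to keep so it can be recovered after
        // htmlspecialchars(). The markers must be the same \022 / \024 bytes
        // that the restoration regex below looks for; the previous replacement
        // ("\\1") emitted no markers, so allowed tags lost their angle brackets
        // and were never restored.
        if ($allowedtags !== '') {
            $var = preg_replace($allowedtags, "\022\\1\024", $var);
        }

        // Default flags kept for compatibility with the restoration callback.
        // NOTE(review): on PHP < 8.1 the default does not encode single quotes,
        // so the result is only safe in text or double-quoted attribute context.
        $var = htmlspecialchars($var);

        // scramble mailadress
        $var = preg_replace_callback('/([^\\024])@([^\\022])/s', $scrambleAddress, $var);

        // Fix the HTML that we want (callback is defined elsewhere in this file).
        $var = preg_replace_callback('/\\022([^\\024]*)\\024/', 'pnVarPrepHTMLDisplay__callback', $var);

        if ($fixEntities) {
            // htmlspecialchars() turned an existing '&name;' into '&amp;name;';
            // put it back. The previous pattern matched '&name;' and replaced it
            // with itself, i.e. it was a no-op.
            $var = preg_replace('/&amp;([a-z#0-9]+);/i', '&\\1;', $var);
        }

        $resarray[] = $var;
    }

    // Return vars
    return func_num_args() == 1 ? $resarray[0] : $resarray;
}

/**
 * Build the regex that matches the tags listed in the 'AllowableHTML' config.
 *
 * Each config entry maps a tag name to 0 (not allowed), 1 (allowed without
 * attributes) or 2 (allowed with quoted attributes); the key '!--' stands
 * for HTML comments and is allowed whenever its value is non-zero.
 *
 * @return string PCRE pattern with the tag body as group 1, or '' when no tag is allowed
 */
function pnVarPrepHTMLDisplay__allowedTags()
{
    $allowedhtml = array();
    foreach (pnConfigGetVar('AllowableHTML') as $k => $v) {
        // Strict comparison: with '==' an integer key compared equal to '!--' on PHP 7.
        if ($k === '!--') {
            if ((int) $v !== 0) {
                $allowedhtml[] = "{$k}.*?--";
            }
            continue;
        }

        // Tag names are config data, but quote them anyway so a stray
        // metacharacter cannot change the meaning of the pattern.
        $tag = preg_quote((string) $k, '~');

        switch ((int) $v) {
            case 1:
                $allowedhtml[] = "/?{$tag}\\s*/?";
                break;
            case 2:
                // intelligent regex to deal with > in parameters, bug #1782
                // credits to jln
                $allowedhtml[] = "/?\\s*{$tag}"
                    . "(\\s+[\\w:]+\\s*=\\s*(\"[^\"]*\"|'[^']*'))*"
                    . '\\s*/?';
                break;
            // 0 and any other value: the tag stays disallowed
        }
    }

    if (count($allowedhtml) === 0) {
        return '';
    }

    // 2nd part of bugfix #1782
    return '~<\\s*(' . join('|', $allowedhtml) . ')\\s*>~is';
}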