示例#1
    public function getDisplaySanitizedValue() {
        $this->load();
        $displayMode = $this->akTextareaDisplayMode;
        // Rich-text mode: filter the stored value with htmLawed's 'safe'
        // preset and additionally deny inline style attributes.
        if ($displayMode != 'text') {
            $lawedConfig = array('safe' => 1, 'deny_attribute' => 'style');
            return htmLawed(parent::getValue(), $lawedConfig);
        }
        // Plain-text mode: the parent's sanitizer is sufficient.
        return parent::getDisplaySanitizedValue();
    }
示例#2
文件: html.php 项目: alerque/bibledit
 public static function run($html)
 {
     // Load the vendored library on first use.
     include_once "htmLawed.php";
     // Only 'tidy' is set: htmLawed repairs/reformats the markup under its
     // default element and attribute policy. No 'safe' or 'deny_attribute'
     // option is given, so treat this as a well-formedness pass rather than
     // an XSS filter unless the caller has established otherwise.
     $lawedConfig = array('tidy' => 1);
     return htmLawed($html, $lawedConfig);
 }
示例#3
文件: model3d.php 项目: komcdo/winnow
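function processModel3d($data)
{
    /*
     * Validate and normalise one 3D-model widget definition.
     *
     * $data is an object (get_object_vars() is applied to it; presumably
     * decoded JSON from the editor). It is modified in place and returned
     * with only the whitelisted properties kept. Validation failures are
     * reported through the globals $abort (set to true) and $errorArray
     * (message appended), as in the other process*() widget functions.
     */
    global $abort, $errorArray;
    $data->type = 'model3d';
    // Name: tags stripped, default when absent.
    $data->name = isset($data->name) ? strip_tags($data->name) : '3D Model';
    // Key, when present, must be exactly 10 lowercase alphanumerics.
    if (isset($data->key) && !preg_match("/^[a-z0-9]{10}\$/", $data->key)) {
        $abort = true;
        $errorArray[] = "Invalid key for " . $data->name . " widget.";
    }
    // Title: tags stripped, default when absent.
    $data->title = isset($data->title) ? strip_tags($data->title) : '3D model title';
    // Description: htmLawed 'safe' preset, only <a> with href survives;
    // XHTML self-closing slashes are dropped afterwards.
    if (isset($data->desc)) {
        $lawedConfig = array('safe' => 1, 'elements' => 'a', 'deny_attribute' => '* -href');
        $data->desc = str_replace(" />", ">", htmLawed($data->desc, $lawedConfig));
    } else {
        $data->desc = "";
    }
    // Sketchfab URL -> canonical embed URL.
    // The pattern is anchored at both ends. The original was unanchored, so
    // a URL on a different host that merely contained "sketchfab.com/models/"
    // matched at an offset and preg_replace() kept the foreign prefix, giving
    // an embed URL that did not point at Sketchfab. The embed URL is now
    // rebuilt from the captured model id alone.
    if (!empty($data->url)) {
        $pattern = "/^(?:https?:)?(?:\\/\\/)?(?:www\\.)?(?:sketchfab\\.com\\/models\\/)([a-z0-9]+)(?:.+)?\$/";
        if (preg_match($pattern, $data->url, $matches)) {
            $data->url = "https://sketchfab.com/models/" . $matches[1] . "/embed";
        } else {
            $abort = true;
            $errorArray[] = "Sketchfab URL required for " . $data->name . " widget.";
        }
    } else {
        $data->url = "";
    }
    $data = checkAlignment($data);
    //From alignOptions.php
    // Index is optional; when given it must be a non-negative integer.
    if (!empty($data->index) && (!filter_var($data->index, FILTER_VALIDATE_INT) || $data->index < 0)) {
        unset($data->index);
    }
    // Drop every property that is not whitelisted.
    $validKeys = array('type' => '', 'name' => '', 'key' => '', 'title' => '', 'desc' => '', 'url' => '', 'align' => '', 'margin' => '', 'index' => '');
    $data = (object) array_intersect_key(get_object_vars($data), $validKeys);
    return $data;
}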
 public function Format($Html)
 {
     $BlockedAttributes = C('Garden.Html.BlockedAttributes', 'on*');
     // Turn embedded videos into simple links (legacy workaround)
     $Html = Gdn_Format::UnembedVideos($Html);
     // rel="nofollow": Gdn_Format::$DisplayNoFollow is a process-wide flag a
     // plugin may toggle. '`.`' matches every href, so every link gets
     // nofollow; an empty pattern disables it.
     $AntiLinkSpam = Gdn_Format::$DisplayNoFollow ? array('`.`', '') : array('', '');
     $Config = array(
         'anti_link_spam' => $AntiLinkSpam,
         'comment' => 1,
         'cdata' => 3,
         'css_expression' => 1,
         'deny_attribute' => $BlockedAttributes,
         'unique_ids' => 1,
         'elements' => '*-applet-form-input-textarea-iframe-script-style-embed-object-select-option-button-fieldset-optgroup-legend',
         'keep_bad' => 0,
         'schemes' => 'classid:clsid; href: aim, feed, file, ftp, gopher, http, https, irc, mailto, news, nntp, sftp, ssh, telnet; style: nil; *:file, http, https',
         'valid_xhtml' => 0,
         'direct_list_nest' => 1,
         'balance' => 1,
     );
     if ($this->SafeStyles) {
         // Inline styles are a well-known injection vector; deny them on top
         // of the configured blocked-attribute list (only style is added here).
         $Config['deny_attribute'] .= ',style';
     }
     // Reserve the page's own element IDs so user markup cannot collide with
     // (and break) the site's JavaScript; htmLawed's unique_ids handling
     // consults $GLOBALS['hl_Ids'].
     $GLOBALS['hl_Ids'] = array('Bookmarks' => 1, 'CommentForm' => 1, 'Content' => 1, 'Definitions' => 1, 'DiscussionForm' => 1, 'Foot' => 1, 'Form_Comment' => 1, 'Form_User_Password' => 1, 'Form_User_SignIn' => 1, 'Head' => 1, 'HighlightColor' => 1, 'InformMessageStack' => 1, 'Menu' => 1, 'PagerMore' => 1, 'Panel' => 1, 'Status' => 1);
     // Per-element attribute rules: strip object codebase/classid/type, only
     // allow Flash embeds, and keep anchors off the site's own UI classes.
     $Spec = 'object=-classid-type, -codebase; embed=type(oneof=application/x-shockwave-flash); a=class(noneof=Hijack|Dismiss|MorePager/nomatch=%pop[in|up|down]|flyout|ajax%i)';
     return htmLawed($Html, $Config, $Spec);
 }
示例#5
文件: video.php 项目: komcdo/winnow
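function processVideo($data)
{
    /*
     * Validate and normalise one video widget definition.
     *
     * $data is an object (get_object_vars() is applied to it; presumably
     * decoded JSON from the editor). It is modified in place and returned
     * with only the whitelisted properties kept. Validation failures are
     * reported through the globals $abort (set to true) and $errorArray
     * (message appended), as in the other process*() widget functions.
     */
    global $abort, $errorArray;
    $data->type = 'video';
    // Name: tags stripped, default when absent.
    $data->name = isset($data->name) ? strip_tags($data->name) : 'Video';
    // Key, when present, must be exactly 10 lowercase alphanumerics.
    if (isset($data->key) && !preg_match("/^[a-z0-9]{10}\$/", $data->key)) {
        $abort = true;
        $errorArray[] = "Invalid key for " . $data->name . " widget.";
    }
    // Title: tags stripped, default when absent.
    $data->title = isset($data->title) ? strip_tags($data->title) : 'Sample title';
    // Description: htmLawed 'safe' preset, only <a> with href survives;
    // XHTML self-closing slashes are dropped afterwards.
    if (isset($data->desc)) {
        $lawedConfig = array('safe' => 1, 'elements' => 'a', 'deny_attribute' => '* -href');
        $data->desc = str_replace(" />", ">", htmLawed($data->desc, $lawedConfig));
    } else {
        $data->desc = "";
    }
    // YouTube URL -> canonical embed URL.
    // The pattern is now anchored at the start as well as the end. The
    // original matched "youtube.com/<id>" anywhere in the string, so a URL on
    // another host containing that substring matched at an offset and
    // preg_replace() kept the foreign prefix. The embed URL is rebuilt from
    // the captured video id alone.
    if (!empty($data->url)) {
        $pattern = "/^(?:https?:)?(?:\\/\\/)?(?:www\\.)?(?:youtube\\.com|youtu\\.be)\\/(?:embed\\/)?(?:watch\\?v=)?([a-zA-Z0-9_-]+)(?:\\?.+)?(?:&.+)?\$/";
        if (preg_match($pattern, $data->url, $matches)) {
            $data->url = "//www.youtube.com/embed/" . $matches[1] . "?rel=0&amp;showinfo=0";
        } else {
            $abort = true;
            $errorArray[] = "YouTube video URL required for " . $data->name . " widget.";
        }
    } else {
        $data->url = "";
    }
    $data = checkAlignment($data);
    //From alignOptions.php
    // Index is optional; when given it must be a non-negative integer.
    if (!empty($data->index) && (!filter_var($data->index, FILTER_VALIDATE_INT) || $data->index < 0)) {
        unset($data->index);
    }
    // Drop every property that is not whitelisted.
    $validKeys = array('type' => '', 'name' => '', 'key' => '', 'title' => '', 'desc' => '', 'url' => '', 'align' => '', 'margin' => '', 'index' => '');
    $data = (object) array_intersect_key(get_object_vars($data), $validKeys);
    return $data;
}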
示例#6
 public function Format($Html)
 {
     // rel="nofollow": Gdn_Format::$DisplayNoFollow is a process-wide flag a
     // plugin may toggle. '`.`' matches every href, so every link gets
     // nofollow; an empty pattern disables it.
     $AntiLinkSpam = Gdn_Format::$DisplayNoFollow ? array('`.`', '') : array('', '');
     $Config = array(
         'anti_link_spam' => $AntiLinkSpam,
         'comment' => 1,
         'cdata' => 3,
         'css_expression' => 1,
         'deny_attribute' => 'on*',
         'elements' => '*-applet-form-input-textarea-iframe-script-style',
         'keep_bad' => 0,
         'schemes' => 'classid:clsid; href: aim, feed, file, ftp, gopher, http, https, irc, mailto, news, nntp, sftp, ssh, telnet; style: nil; *:file, http, https',
         'valid_xhtml' => 0,
         'direct_list_nest' => 1,
         'balance' => 1,
     );
     if ($this->SafeStyles) {
         // Inline styles are a well-known injection vector; deny them as well
         // as event handlers (only style is added here, not class).
         $Config['deny_attribute'] .= ',style';
     }
     // object/embed are still admitted by 'elements' above; the spec strips
     // object classid/type/codebase and limits embed to Flash.
     $Spec = 'object=-classid-type, -codebase; embed=type(oneof=application/x-shockwave-flash)';
     return htmLawed($Html, $Config, $Spec);
 }
示例#7
文件: image.php 项目: komcdo/winnow
function processImageWidget($data)
{
    /*
     * Validate and normalise one image widget definition.
     *
     * $data is an object (get_object_vars() is applied to it; presumably
     * decoded JSON from the editor). It is modified in place and returned
     * with only the whitelisted properties kept. Validation failures are
     * reported through the globals $abort (set to true) and $errorArray
     * (message appended).
     */
    global $abort, $errorArray;
    $data->type = 'imagewidget';
    // Name: tags stripped, default when absent.
    $data->name = isset($data->name) ? strip_tags($data->name) : 'Image';
    // Key, when present, must be exactly 10 lowercase alphanumerics.
    if (isset($data->key) && !preg_match("/^[a-z0-9]{10}\$/", $data->key)) {
        $abort = true;
        $errorArray[] = "Invalid key for " . $data->name . " widget.";
    }
    // Title: tags stripped, default when absent.
    $data->title = isset($data->title) ? strip_tags($data->title) : 'Sample title';
    // Description: htmLawed 'safe' preset, only <a> with href survives;
    // XHTML self-closing slashes are dropped afterwards.
    if (isset($data->desc)) {
        $lawedConfig = array('safe' => 1, 'elements' => 'a', 'deny_attribute' => '* -href');
        $data->desc = str_replace(" />", ">", htmLawed($data->desc, $lawedConfig));
    } else {
        $data->desc = "";
    }
    // Image source is required and must exist, either under ROOT_PATH or as given.
    // NOTE(review): imgSrc is caller-supplied and reaches file_exists() unchanged,
    // so it can name paths outside the media directory (e.g. via ".." segments or
    // an absolute path) and the check doubles as a file-existence probe; confirm
    // that the caller constrains it.
    if (empty($data->imgSrc)) {
        $abort = true;
        $errorArray[] = "Image source required for " . $data->name . " widget.";
    } elseif (!file_exists(ROOT_PATH . ltrim($data->imgSrc, '/')) && !file_exists($data->imgSrc)) {
        $abort = true;
        $errorArray[] = $data->name . " image source not found.";
    }
    $data = checkAlignment($data);
    //From alignOptions.php
    // Index is optional; when given it must be a non-negative integer.
    if (!empty($data->index) && (!filter_var($data->index, FILTER_VALIDATE_INT) || $data->index < 0)) {
        unset($data->index);
    }
    // Drop every property that is not whitelisted.
    $validKeys = array('type' => '', 'name' => '', 'key' => '', 'title' => '', 'desc' => '', 'imgSrc' => '', 'align' => '', 'margin' => '', 'index' => '');
    $data = (object) array_intersect_key(get_object_vars($data), $validKeys);
    return $data;
}
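 public static function xssClean($value)
 {
     // Scalars: htmLawed with the 'safe' preset. Note 'balanced' is not a
     // documented htmLawed option (the documented one is 'balance');
     // it is kept as given — confirm which was intended.
     if (!is_array($value)) {
         return htmLawed($value, array('safe' => 1, 'balanced' => 0));
     }
     // Arrays: clean element-wise, keys preserved. The original called
     // $this->xss_clean() here — a misspelt method name and an object-context
     // call from a static method — so passing an array was a fatal error.
     foreach ($value as $key => $element) {
         $value[$key] = static::xssClean($element);
     }
     return $value;
 }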
示例#9
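 public static function xss_clean($value, array $options = array())
 {
     // Arrays: recurse element-wise, keys preserved. $options is forwarded;
     // the original recursion dropped it, so nested strings were filtered
     // with the defaults regardless of what the caller asked for.
     if (is_array($value)) {
         foreach ($value as $key => $element) {
             $value[$key] = static::xss_clean($element, $options);
         }
         return $value;
     }
     // Scalars: load the vendored library on first use.
     if (!function_exists('htmLawed')) {
         require_once dirname(dirname(__FILE__)) . '/vendor/htmlawed.php';
     }
     // Caller options override the defaults. Note 'balanced' is not a
     // documented htmLawed option (the documented one is 'balance'); it is
     // kept as given — confirm which was intended.
     return htmLawed($value, array_merge(array('safe' => 1, 'balanced' => 0), $options));
 }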
示例#10
文件: Graby.php 项目: harikt/graby
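 /**
  * Fetch content from the given url and return a readable content.
  *
  * When the 'xss_filter' config flag is set, the fetched HTML is passed
  * through htmLawed ('safe' preset, inline styles denied; see the htmLawed
  * README for the comment/cdata values) and the filtered markup is both
  * returned under 'html' and used for the summary. Previously only the
  * summary was derived from the filtered copy while 'html' was returned
  * unfiltered, so the filter had no effect on what callers rendered.
  *
  * @param string $url
  *
  * @return array With keys html, title, url & summary
  */
 public function fetchContent($url)
 {
     $infos = $this->doFetchContent($url);
     $html = $infos['html'];
     if ($this->config['xss_filter']) {
         $this->logger->log('debug', 'Filtering HTML to remove XSS');
         $html = htmLawed($html, array('safe' => 1, 'deny_attribute' => 'style', 'comment' => 1, 'cdata' => 1));
         // Hand the filtered markup back to the caller, not only the excerpt built from it.
         $infos['html'] = $html;
     }
     // generate summary
     $infos['summary'] = $this->getExcerpt($html);
     return $infos;
 }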
示例#11
 public static function repairHtml($html, $config = array())
 {
     // Without the tidy extension, fall back to htmLawed with its default
     // options; $config is only honoured on the tidy path. Neither path is
     // configured here to strip scripts or event handlers — this repairs
     // structure; confirm before relying on it for untrusted input.
     if (!class_exists('tidy')) {
         require_once VENDOR_PATH . '/koala-framework/library-htmlawed/htmLawed.php';
         return htmLawed($html);
     }
     // Caller-supplied $config entries override these tidy defaults.
     $tidyDefaults = array(
         'indent' => true,
         'output-xhtml' => true,
         'clean' => false,
         'wrap' => '86',
         'doctype' => 'omit',
         'drop-proprietary-attributes' => true,
         'drop-font-tags' => false,
         'word-2000' => true,
         'show-body-only' => true,
         'bare' => true,
         'enclose-block-text' => true,
         'enclose-text' => true,
         'join-styles' => false,
         'join-classes' => false,
         'logical-emphasis' => true,
         'lower-literals' => true,
         'literal-attributes' => false,
         'indent-spaces' => 2,
         'quote-nbsp' => true,
         'output-bom' => false,
         'char-encoding' => 'utf8',
         'newline' => 'LF',
         'uppercase-tags' => false,
     );
     $tidy = new tidy();
     $tidy->parseString($html, array_merge($tidyDefaults, $config), 'utf8');
     $tidy->cleanRepair();
     return $tidy->value;
 }
示例#12
 /**
  * Filters a string of html with the htmLawed library.
  *
  * A 'spec' entry inside $config is used as the spec when no (truthy) $spec
  * argument is given; when both are absent the class default applies.
  *
  * NOTE(review): the config default is read via self:: and the spec default via
  * static::, so a subclass override applies to the spec but not to the config —
  * confirm whether that asymmetry is intended.
  *
  * @param string $html The text to filter.
  * @param array|null $config Config settings for the array.
  * @param string|array|null $spec A specification to further limit the allowed attribute values in the html.
  * @return string Returns the filtered html.
  * @see http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/htmLawed_README.htm
  */
 public static function filter($html, array $config = null, $spec = null)
 {
     require_once __DIR__ . '/htmLawed/htmLawed.php';
     $effectiveConfig = $config === null ? self::$defaultConfig : $config;
     if (!$spec && isset($effectiveConfig['spec'])) {
         $spec = $effectiveConfig['spec'];
     }
     $effectiveSpec = $spec === null ? static::$defaultSpec : $spec;
     return htmLawed($html, $effectiveConfig, $effectiveSpec);
 }
 public function Format($Html)
 {
     // Every link gets rel="nofollow" ('`.`' matches any href); event-handler
     // attributes and the scripting/form elements are removed.
     $Config = array(
         'anti_link_spam' => array('`.`', ''),
         'comment' => 1,
         'cdata' => 3,
         'css_expression' => 1,
         'deny_attribute' => 'on*',
         'elements' => '*-applet-form-input-textarea-iframe-script-style',
         'keep_bad' => 0,
         'schemes' => 'classid:clsid; href: aim, feed, file, ftp, gopher, http, https, irc, mailto, news, nntp, sftp, ssh, telnet; style: nil; *:file, http, https',
         'valid_xml' => 2,
     );
     if ($this->SafeStyles) {
         // Inline styles are a well-known injection vector; deny them as well
         // (only style is added here, not class).
         $Config['deny_attribute'] .= ',style';
     } else {
         // htmLawed calls HTMLawedHookTag() per tag; presumably it vets the
         // style values that are allowed through in this mode (not visible here).
         $Config['hook_tag'] = 'HTMLawedHookTag';
     }
     // object/embed are still admitted by 'elements'; the spec strips object
     // classid/type/codebase and limits embed to Flash.
     $Spec = 'object=-classid-type, -codebase; embed=type(oneof=application/x-shockwave-flash)';
     return htmLawed($Html, $Config, $Spec);
 }
示例#14
 /**
  * Convert an IPB (Invision Power Board) post body to HTML.
  *
  * Pipeline: undo IPB's entity/placeholder encoding, normalise [code] blocks,
  * turn IPB's HTML blockquotes into [quote] BBCode, strip HTML comments, run
  * the BBCode parser, then linkify/mentions/emoji, and finally htmLawed so
  * that whatever the earlier stages produced is filtered before return.
  *
  * @param string $String Raw IPB post markup.
  * @return string Filtered HTML.
  */
 public function Format($String)
 {
     // Undo IPB's entity encoding of quotes and colon; the stray 'Â' is
     // presumably a mis-decoded NBSP byte and is dropped.
     $String = str_replace(array('&quot;', '&#39;', '&#58;', 'Â'), array('"', "'", ':', ''), $String);
     // Replace IPB template placeholders with their rendered equivalents.
     $String = str_replace('<#EMO_DIR#>', 'default', $String);
     $String = str_replace('<{POST_SNAPBACK}>', '<span class="SnapBack">»</span>', $String);
     // There is an issue with using uppercase code blocks, so they're forced to lowercase here
     $String = str_replace(array('[CODE]', '[/CODE]'), array('[code]', '[/code]'), $String);
     /**
      * IPB inserts line break markup tags at line breaks.  They need to be removed in code blocks.
      * The original newline/line break should be left intact, so whitespace will be preserved in the pre tag.
      */
     $String = preg_replace_callback('/\\[code\\].*?\\[\\/code\\]/is', function ($CodeBlocks) {
         return str_replace(array('<br />'), array(''), $CodeBlocks[0]);
     }, $String);
     /**
      * IPB formats some quotes as HTML.  They're converted here for the sake of uniformity in presentation.
      * Attribute order seems to be standard.  Spacing between the opening of the tag and the first attribute is variable.
      */
     $String = preg_replace_callback('#<blockquote\\s+class="ipsBlockquote" data-author="([^"]+)" data-cid="(\\d+)" data-time="(\\d+)">(.*?)</blockquote>#is', function ($BlockQuotes) {
         $Author = $BlockQuotes[1];
         $Cid = $BlockQuotes[2];
         $Time = $BlockQuotes[3];
         $QuoteContent = $BlockQuotes[4];
         // $Time arrives as a Unix timestamp (digits only, per the pattern). Convert it to a date string.
         $Date = date('F j Y, g:i A', $Time);
         // $Author is interpolated into the BBCode attribute unescaped; the
         // final htmLawed pass is what filters the resulting markup.
         return "[quote name=\"{$Author}\" url=\"{$Cid}\" date=\"{$Date}\"]{$QuoteContent}[/quote]";
     }, $String);
     // If there is a really long string, it could cause a stack overflow in the bbcode parser.
     // Not much we can do except try and chop the data down a touch.
     // 1. Remove html comments.
     $String = preg_replace('/<!--(.*)-->/Uis', '', $String);
     // 2. Split the string up into chunks.
     //    (Currently a single-element array: no real chunking is performed,
     //    the loop below runs exactly once.)
     $Strings = (array) $String;
     $Result = '';
     foreach ($Strings as $String) {
         $Result .= $this->NBBC()->Parse($String);
     }
     // Linkify URLs in content
     $Result = Gdn_Format::links($Result);
     // Parsing mentions
     $Result = Gdn_Format::mentions($Result);
     // Handling emoji
     $Result = Emoji::instance()->translateToHtml($Result);
     // Make sure to clean filter the html in the end.
     // Same policy as the HTML formatter: nofollow on every link, event
     // handlers denied, scripting/form elements removed.
     $Config = array('anti_link_spam' => array('`.`', ''), 'comment' => 1, 'cdata' => 3, 'css_expression' => 1, 'deny_attribute' => 'on*', 'elements' => '*-applet-form-input-textarea-iframe-script-style', 'keep_bad' => 0, 'schemes' => 'classid:clsid; href: aim, feed, file, ftp, gopher, http, https, irc, mailto, news, nntp, sftp, ssh, telnet; style: nil; *:file, http, https', 'valid_xml' => 2);
     $Spec = 'object=-classid-type, -codebase; embed=type(oneof=application/x-shockwave-flash)';
     $Result = htmLawed($Result, $Config, $Spec);
     return $Result;
 }
示例#15
 /**
  * Clean display value deleting html tags
  *
  * @param $value string: string value
  * @param $striptags bool: strip all html tags
  * @param $keep_bad int:
  *          1 : neutralize tag and content,
  *          2 : remove tag and neutralize content
  * @return clean value
  **/
 static function clean($value, $striptags = true, $keep_bad = 2)
 {
     include_once GLPI_HTMLAWED;
     $value = Html::entity_decode_deep($value);
     // Clean MS office tags
     $value = str_replace(array("<![if !supportLists]>", "<![endif]>"), '', $value);
     if ($striptags) {
         // Strip tooltip and hidden <div> blocks (patterns applied in order).
         $tooltipFilters = array(
             '@<div[^>]*?tooltip_picture[^>]*?>.*?</div[^>]*?>@si',
             '@<div[^>]*?tooltip_text[^>]*?>.*?</div[^>]*?>@si',
             '@<div[^>]*?tooltip_picture_border[^>]*?>.*?</div[^>]*?>@si',
             '@<div[^>]*?invisible[^>]*?>.*?</div[^>]*?>@si',
         );
         $value = preg_replace($tooltipFilters, '', $value);
         // Block-level breaks become newlines; runs of (entity) spaces collapse.
         $value = preg_replace("/<(p|br|div)( [^>]*)?" . ">/i", "\n", $value);
         $value = preg_replace("/(&nbsp;| )+/", " ", $value);
         // Drop script/style bodies and any DOCTYPE before htmLawed sees them.
         $blockFilters = array(
             '@<script[^>]*?>.*?</script[^>]*?>@si',
             '@<style[^>]*?>.*?</style[^>]*?>@si',
             '@<!DOCTYPE[^>]*?>@si',
         );
         $value = preg_replace($blockFilters, '', $value);
     }
     // 'none' removes every element when stripping; '' keeps htmLawed's default set.
     $lawedConfig = array('elements' => $striptags ? 'none' : '', 'keep_bad' => $keep_bad, 'comment' => 1, 'cdata' => 1);
     $value = htmLawed($value, $lawedConfig);
     // Double-escape angle-bracket entities left by htmLawed.
     $value = str_replace(array('&lt;', '&gt;'), array('&amp;lt;', '&amp;gt;'), $value);
     // A /u whitespace-collapsing regex and an "&amp; -> &" revert used to
     // follow here; both were disabled (the regex was noted as liable to crash).
     // Normalise line endings and squeeze runs of blank lines.
     $value = str_replace(array("\r\n", "\r"), "\n", $value);
     $value = preg_replace("/(\n[ ]*){2,}/", "\n\n", $value, -1);
     return trim($value);
 }
示例#16
 /**
  * Sanitize HTML
  *
  * Three policies keyed on $trusted: negative (default) is paranoid,
  * zero is the 'safe' preset without style/class, positive is a wide
  * allow-list for trusted authors.
  *
  * @param string $html the html to sanitize
  * @param int $trusted -1, 0, or 1
  * @return string sanitized html
  */
 static function sanitizeHtml($html, $trusted = -1)
 {
     if ($trusted < 0) {
         // Paranoid mode: 'safe' preset plus a short element whitelist.
         // make_tag_strict rewrites strike/u to span for XHTML 1-strict compliance.
         $config = array('safe' => 1, 'elements' => 'a,em,strike,strong,u,p,br,img,li,ol,ul', 'make_tag_strict' => 1);
     } elseif ($trusted > 0) {
         // Trusted mode: all elements except script and iframe. Nothing here
         // sets 'safe' or 'deny_attribute', so event-handler attributes and
         // object/embed are governed only by htmLawed's defaults — this
         // branch is for trusted authors, not user content.
         $config = array('elements' => '*-script-iframe');
     } else {
         // Safe mode: 'safe' preset with style and class attributes denied.
         $config = array('safe' => 1, 'deny_attribute' => 'style,class', 'comment' => 1);
     }
     require_once dirname(__FILE__) . '/symbionts/htmLawed/htmLawed.php';
     return htmLawed($html, $config);
 }
示例#17
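function SaveAlertContent($id, $content)
{
    /*
     * Filter alert HTML with htmLawed and store it for the given alert id.
     * Prints "success" or terminates with "failed", as before.
     *
     * $id is now bound as a statement parameter: the original escaped
     * $content with real_escape_string() but interpolated $id unescaped into
     * the WHERE clause, so a caller-controlled id could alter the query.
     */
    global $connection;
    // $content arrives URL-encoded; decode before filtering so htmLawed sees the markup.
    $content = urldecode($content);
    // include_once: a second call in the same request must not redeclare htmLawed().
    include_once "../core/libs/htmLawed.php";
    //temporary htmLawed settings, move to configuration.php
    $content = htmLawed($content, array('safe' => 1));
    // Both values are bound, so no escaping is needed. 's' is used for the
    // id as well; MySQL converts it for integer columns.
    $statement = $connection->prepare("UPDATE alerts_content SET content=? WHERE id=?");
    if ($statement === false || !$statement->bind_param('ss', $content, $id) || !$statement->execute()) {
        die("failed");
    }
    $statement->close();
    echo "success";
}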
function importActivityStream($user, $doc)
{
    /*
     * Import every Atom <entry> of $doc as a notice for $user.
     * The rendered tweet HTML is filtered with htmLawed before storage;
     * the plain-text body is derived from the filtered copy.
     */
    $feed = $doc->documentElement;
    $entries = $feed->getElementsByTagNameNS(Activity::ATOM, 'entry');
    // 'safe' preset plus the attributes an imported snippet should not carry
    // into local rendering.
    $lawedConfig = array('safe' => 1, 'deny_attribute' => 'class,rel,id,style,on*');
    // Walk the feed backwards (presumably so the oldest entry is saved first).
    $index = $entries->length;
    while ($index-- > 0) {
        $entry = $entries->item($index);
        $activity = new Activity($entry, $feed);
        $object = $activity->objects[0];
        if (!have_option('q', 'quiet')) {
            print $activity->content . "\n";
        }
        $rendered = htmLawed(getTweetHtml($object->link), $lawedConfig);
        // Plain text: tags removed first, then entities decoded.
        $content = html_entity_decode(strip_tags($rendered), ENT_QUOTES, 'UTF-8');
        $noticeOptions = array(
            'uri' => $object->id,
            'url' => $object->link,
            'rendered' => $rendered,
            'created' => common_sql_date($activity->time),
            'replies' => array(),
            'groups' => array(),
        );
        Notice::saveNew($user->id, $content, 'importtwitter', $noticeOptions);
    }
}
/**
 * htmLawed filtering of tags, called on a plugin hook
 *
 * Filters $returnvalue — a string, or an array of strings cleaned
 * element-wise with keys preserved — using the site's htmlawed_config.
 * $hook, $entity_type and $params belong to the hook signature and are
 * not used here.
 *
 * NOTE(review): if the vendored htmLawed file cannot be included, the input
 * is returned unfiltered (fail-open); confirm that is acceptable.
 *
 * @param string $hook
 * @param string $entity_type
 * @param mixed $returnvalue Variable to filter
 * @param mixed $params
 * @return mixed
 */
function htmlawed_filter_tags($hook, $entity_type, $returnvalue, $params)
{
    $libraryLoaded = include_once dirname(__FILE__) . "/vendors/htmLawed/htmLawed.php";
    if (!$libraryLoaded) {
        return $returnvalue;
    }
    global $CONFIG;
    $lawedConfig = $CONFIG->htmlawed_config;
    if (is_array($returnvalue)) {
        $filtered = array();
        foreach ($returnvalue as $key => $element) {
            $filtered[$key] = htmLawed($element, $lawedConfig);
        }
        return $filtered;
    }
    return htmLawed($returnvalue, $lawedConfig);
}
示例#20
文件: DText.php 项目: JCQS04/myimouto
 public static function parse($str)
 {
     // Parser state shared with parseline(); we start at a line boundary.
     $state = ['newline'];
     $output = '';
     // Normalize newlines: CRLF/CR -> LF, three or more LFs -> two, and no
     // spaces around an LF.
     $str = trim($str);
     $str = preg_replace(['/(\\r\\n?)/', '/\\n{3,}/', '/ *\\n */'], ["\n", "\n\n", "\n"], $str);
     // Escape the input up front; all markup below is produced by the parser.
     $str = htmlentities($str);
     // Insert a CR after each LF and split on CR, so every line keeps its LF.
     $lines = explode("\r", str_replace("\n", "\n\r", $str));
     // Headers and lists are line-oriented ...
     foreach ($lines as $line) {
         $output .= self::parseline($line, $state);
     }
     // ... inline tags are resolved over the whole text.
     $output = self::parseinline($output);
     // A final htmLawed pass (default options) guarantees well-formed HTML.
     require_once Rails::root() . '/vendor/htmLawed/htmLawed.php';
     return htmLawed($output);
 }
示例#21
 /**
  * Clean display value deleting html tags
  *
  * @param $value string: string value
  * @param $striptags bool: strip all html tags
  * @param $keep_bad int:
  *          1 : neutralize tag and content,
  *          2 : remove tag and neutralize content
  * @return clean value
  **/
 static function clean($value, $striptags = true, $keep_bad = 2)
 {
     $value = Html::entity_decode_deep($value);
     // Clean MS office tags
     $value = str_replace(array("<![if !supportLists]>", "<![endif]>"), '', $value);
     if ($striptags) {
         // Strip tooltip and hidden <div> blocks, turn block breaks into
         // newlines and collapse runs of (entity) spaces.
         $tooltipFilters = array(
             '@<div[^>]*?tooltip_picture[^>]*?>.*?</div[^>]*?>@si',
             '@<div[^>]*?tooltip_text[^>]*?>.*?</div[^>]*?>@si',
             '@<div[^>]*?tooltip_picture_border[^>]*?>.*?</div[^>]*?>@si',
             '@<div[^>]*?invisible[^>]*?>.*?</div[^>]*?>@si',
         );
         $value = preg_replace($tooltipFilters, '', $value);
         $value = preg_replace("/<(p|br|div)( [^>]*)?" . ">/i", "\n", $value);
         $value = preg_replace("/(&nbsp;| | )+/", " ", $value);
     }
     // Regardless of $striptags: drop script/style/title bodies and any DOCTYPE.
     $blockFilters = array(
         '@<script[^>]*?>.*?</script[^>]*?>@si',
         '@<style[^>]*?>.*?</style[^>]*?>@si',
         '@<title[^>]*?>.*?</title[^>]*?>@si',
         '@<!DOCTYPE[^>]*?>@si',
     );
     $value = preg_replace($blockFilters, '', $value);
     // A '<' followed by another '<' before any '>' is not a tag: encode the first one
     // so htmLawed does not have to guess at malformed markup.
     $value = preg_replace("/(<)([^>]*<)/", "&lt;\$2", $value);
     include_once GLPI_HTMLAWED;
     // 'none' removes every element when stripping; '' keeps htmLawed's default set.
     $lawedConfig = array('elements' => $striptags ? 'none' : '', 'keep_bad' => $keep_bad, 'comment' => 1, 'cdata' => 1);
     $value = htmLawed($value, $lawedConfig);
     // Normalise line endings and squeeze runs of blank lines.
     $value = str_replace(array("\r\n", "\r"), "\n", $value);
     $value = preg_replace("/(\n[ ]*){2,}/", "\n\n", $value, -1);
     return trim($value);
 }
示例#22
文件: textBox.php 项目: komcdo/winnow
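function processTextBox($data)
{
    /*
     * Validate and normalise one text-box widget definition.
     *
     * $data is an object (get_object_vars() is applied to it; presumably
     * decoded JSON from the editor). It is modified in place and returned
     * with only the whitelisted properties kept.
     *
     * Key-validation failures are reported through the globals $abort and
     * $errorArray, as in the other process*() widget functions. The original
     * omitted the `global` declaration, so an invalid key only set two
     * function-local variables and the error was silently lost.
     */
    global $abort, $errorArray;
    $data->type = 'textBox';
    // Name: tags stripped, default when absent.
    $data->name = isset($data->name) ? strip_tags($data->name) : 'Text Box';
    // Key, when present, must be exactly 10 lowercase alphanumerics.
    if (isset($data->key) && !preg_match("/^[a-z0-9]{10}\$/", $data->key)) {
        $abort = true;
        $errorArray[] = "Invalid key for " . $data->name . " widget.";
    }
    if (isset($data->text)) {
        // htmLawed 'safe' preset with every element allowed. deny_attribute is
        // empty, so attribute filtering rests on the 'safe' preset alone —
        // confirm against the vendored htmLawed version. The spec whitelists
        // the custom glossary/reference attributes used on <span>.
        // (MathML escape/restore steps were commented out in the original.)
        $lawedConfig = array('safe' => 1, 'elements' => '*', 'deny_attribute' => '');
        $spanSpec = 'span=glossary-term, term-id, desc-index, reference, ref-ids, widget-reference, widget-id, widget-desc';
        $data->text = htmLawed($data->text, $lawedConfig, $spanSpec);
        // Drop XHTML self-closing slashes.
        $data->text = str_replace(" />", ">", $data->text);
    } else {
        $data->text = "";
    }
    // Index is optional; when given it must be a non-negative integer.
    if (!empty($data->index) && (!filter_var($data->index, FILTER_VALIDATE_INT) || $data->index < 0)) {
        unset($data->index);
    }
    // Drop every property that is not whitelisted.
    $validKeys = array('type' => '', 'name' => '', 'text' => '', 'index' => '', 'key' => '');
    $data = (object) array_intersect_key(get_object_vars($data), $validKeys);
    return $data;
}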
示例#23
 function on_submit()
 {
     $footerContent = Url::get('content');
     // Undo magic_quotes escaping on legacy PHP before filtering.
     // (get_magic_quotes_gpc() was removed in PHP 8.0; this code presumes older PHP.)
     if (get_magic_quotes_gpc()) {
         $footerContent = stripslashes($footerContent);
     }
     require_once ROOT_PATH . 'includes/htmLawed.php';
     // 'safe' preset, all elements allowed, class/id denied everywhere;
     // anchors are further limited to title and href by the spec.
     $lawedConfig = array('safe' => 1, 'elements' => '*', 'deny_attribute' => 'class, id');
     $lawedSpec = 'a = title, href;';
     $footerContent = AZLib::clean_value(htmLawed($footerContent, $lawedConfig, $lawedSpec));
     $this->checkFormInput('Nội dung', 'content', $footerContent, 'str', true);
     if ($this->errNum) {
         return;
     }
     // Upsert the setting: update when the key already exists, insert otherwise.
     if (isset(CGlobal::$configs['footer_content'])) {
         DB::update('configs', array("conf_val" => $footerContent), "conf_key='footer_content'");
     } else {
         DB::insert('configs', array("conf_key" => 'footer_content', "conf_val" => $footerContent));
     }
     AZLib::get_config(0, 1);
     AZLib::refreshParent();
 }
示例#24
 /**
  * Compliance with XHTML standards, rid cruft generated by word processors
  *
  * Runs htmLawed with the 'safe' preset (reducing scripting vectors), inline
  * styles denied, XHTML validity enforced, deprecated-attribute handling
  * enabled, and a hook that — by its name — converts HTML5 markup to
  * XHTML 1.1 (its body is not visible here).
  *
  * @param string $html
  *
  * @return string $html
  */
 protected function tidy($html)
 {
     $lawedConfig = array(
         'deny_attribute' => 'style',
         'comment' => 1,
         'safe' => 1,
         'valid_xhtml' => 1,
         'no_deprecated_attr' => 2,
         'hook' => '\\Pressbooks\\Sanitize\\html5_to_xhtml11',
     );
     return htmLawed($html, $lawedConfig);
 }
示例#25
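 private static function _htmLawed($str, $permissions)
 {
     /*
      * Filter $str with htmLawed using an element/attribute whitelist built
      * from the site configuration. The whitelist widens for callers holding
      * $permissions (admin_html) and, when the advanced editor is enabled
      * for both site and user, advanced_html.
      */
     global $_CONF, $_USER;
     require_once $_CONF['path_system'] . 'classes/htmlawed/htmLawed.php';
     // Sets config options for htmLawed.  See http://www.bioinformatics.org/
     // phplabware/internal_utilities/htmLawed/htmLawed_README.htm
     $config = array('balance' => 1, 'comment' => 3, 'css_expression' => 1, 'keep_bad' => 0, 'tidy' => 0, 'unique_ids' => 1, 'valid_xhtml' => 1);
     // URL schemes: the configured list, else http/https/ftp. Trailing colons
     // are removed because htmLawed's 'schemes' syntax takes bare names.
     if (isset($_CONF['allowed_protocols']) && is_array($_CONF['allowed_protocols']) && count($_CONF['allowed_protocols']) > 0) {
         $schemes = $_CONF['allowed_protocols'];
     } else {
         $schemes = array('http:', 'https:', 'ftp:');
     }
     $schemes = str_replace(':', '', implode(', ', $schemes));
     $config['schemes'] = 'href: ' . $schemes . '; *: ' . $schemes;
     // Pick the whitelist: plain users always get user_html only.
     if (empty($permissions) || !SEC_hasRights($permissions) || empty($_CONF['admin_html'])) {
         $html = $_CONF['user_html'];
     } elseif ($_CONF['advanced_editor'] && $_USER['advanced_editor']) {
         $html = array_merge_recursive($_CONF['user_html'], $_CONF['admin_html'], $_CONF['advanced_html']);
     } else {
         $html = array_merge_recursive($_CONF['user_html'], $_CONF['admin_html']);
     }
     // Build the element list and the per-element attribute spec. Both arrays
     // are initialised up front: the original left them undefined, so an empty
     // whitelist reached implode() with undefined variables.
     $elements = array();
     $spec = array();
     foreach ($html as $tag => $attr) {
         $elements[] = $tag;
         // A tag with attributes lists them; one without gets '-*' (no attributes).
         $spec[] = (is_array($attr) && count($attr) > 0)
             ? $tag . '=' . implode(', ', array_keys($attr))
             : $tag . '=-*';
     }
     $config['elements'] = implode(', ', $elements);
     return htmLawed($str, $config, implode('; ', $spec));
 }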
示例#26
 if ($system->SETTINGS['usersauth'] == 'y') {
     // hash and check the password
     include $include_path . 'PasswordHash.php';
     $phpass = new PasswordHash(8, false);
     if (!$phpass->CheckPassword($_POST['password'], $user->user_data['password'])) {
         $ERR = 'ERR_026';
     }
 }
 if ($ERR != 'ERR_') {
     $_SESSION['action'] = 2;
 } else {
     // clean up sell description
     $conf = array();
     $conf['safe'] = 1;
     $conf['deny_attribute'] = 'style';
     $_SESSION['SELL_description'] = htmLawed($_SESSION['SELL_description'], $conf);
     $payment_text = implode(', ', $payment);
     // set time back to GMT
     $a_starts = empty($start_now) || $_SESSION['SELL_action'] == 'edit' ? $a_starts - $system->tdiff : time();
     $a_ends = $a_starts + $duration * 24 * 60 * 60;
     // get fee
     $fee_data = get_fee($minimum_bid, false);
     $fee = $fee_data[0];
     $fee_data = $fee_data[1];
     if ($_SESSION['SELL_action'] == 'edit') {
         updateauction(1);
     }
     if ($_SESSION['SELL_action'] == 'relist') {
         remove_bids($_SESSION['SELL_auction_id']);
         // incase they've not already been removed
         updateauction(2);
示例#27
文件: service.php 项目: Galinijay/PAS
	***/
if (isset($_POST) && count($_POST)) {
    /*
    	Préparation des données : on crée un array contenant toutes les données, ce dernier sera ensuite parcouru pour créer la requête SQL qui sera préparée
    */
    // Ce qui est propre aux edit et delete
    if (($action == 'edit' || $action == 'delete') && isset($serviceInfo)) {
        $sqlData['id'] = $serviceInfo['id'];
        // Id du service
    }
    // Traitement du POST
    if ($action == 'edit' || $action == 'add') {
        foreach ($_POST as $key => $value) {
            if ($key == 'nom') {
                if ($value != '' && ($action == 'add' || $value != $serviceInfo[$key])) {
                    $sqlData[$key] = htmLawed($value);
                }
            }
            if ($key == 'chef' && is_numeric($value) && count(checkUser($value, array())) == 0 && ($action == 'add' || $value != $serviceInfo[$key])) {
                $sqlData[$key] = $value;
            }
            if ($key == 'hopital' && is_numeric($value) && count(checkHopital($value, array())) == 0 && ($action == 'add' || $value != $serviceInfo[$key])) {
                $sqlData[$key] = $value;
            }
            if ($key == 'specialite' && is_numeric($value) && count(checkSpecialite($value, array())) == 0 && ($action == 'add' || $value != $serviceInfo[$key])) {
                $sqlData[$key] = $value;
            }
            if ($key == 'certificat') {
                $sqlAffectationData = array();
                $currentCertificat = array();
                if (isset($serviceInfo)) {
示例#28
 public static function xss_clean($value)
 {
     // Arrays: recurse into every element, keys preserved.
     if (is_array($value)) {
         foreach ($value as $key => $element) {
             $value[$key] = static::xss_clean($element);
         }
         return $value;
     }
     // Scalars: load htmLawed on first use, then filter with the 'safe' preset.
     // Note 'balanced' is not a documented htmLawed option (the documented one
     // is 'balance'); it is kept as given — confirm which was intended.
     if (!function_exists('htmLawed')) {
         import('htmlawed/htmlawed', 'vendor');
     }
     return htmLawed($value, array('safe' => 1, 'balanced' => 0));
 }
示例#29
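/**
 * processCCPCformData - Validates and processes the data returned by the form.
 *
 * Each <input> described in PLUGIN_PATH . 'formulaire.xml' is checked against
 * the submitted $formData: select/radio inputs must match one of the declared
 * choice values, checkboxes are stored as 0/1 flags, and text/textarea values
 * are passed through htmLawed before being stored. A required field that is
 * missing or empty sets the LANG_ERROR_CCPC_INCOMPLETEFORM error. When the
 * form is valid, the non-form data of the selected service (promotion, number
 * of externs, service, ...) is merged into the result.
 *
 * @category : eval_ccpc_functions
 * @param array $formData Array of submitted values to process
 * @param array $evaluationData Array of information about the evaluation
 * @return array The processed formData values plus the errors met while running the function
 *
 * @Author Ali Bellamine
 *
 * Layout of the returned array:<br>
 *	['erreur'][] => (array) Array of errors<br>
 *	[column name in the database] => value supplied by the user
 */
function processCCPCformData($formData, $evaluationData)
{
    $formResult = array();
    $erreur = array();
    if (!is_array($formData)) {
        $formData = array();
    }
    // Walk the XML form description: the input type decides how its value is validated.
    if (is_file(PLUGIN_PATH . 'formulaire.xml')) {
        if ($form = simplexml_load_file(PLUGIN_PATH . 'formulaire.xml')) {
            foreach ($form->categorie as $categorie) {
                foreach ($categorie->input as $input) {
                    $type = (string) $input['type'];
                    if ($type === 'select' || $type === 'radio') {
                        // <select> declares its choices as <option> children, radio inputs as <radio>
                        $choices = $type === 'select' ? $input->option : $input->radio;
                        $value = _ccpcChoiceValue($input, $choices, $formData);
                        if ($value === null) {
                            $erreur['LANG_ERROR_CCPC_INCOMPLETEFORM'] = true;
                        } else {
                            $formResult[(string) $input['nomBDD']] = $value;
                        }
                    } elseif ($type === 'checkbox') {
                        $selected = _ccpcSubmittedList($formData, (string) $input['name']);
                        foreach ($input->checkbox as $checkbox) {
                            $formResult[(string) $checkbox['nomBDD']] = in_array((string) $checkbox['value'], $selected, true) ? 1 : 0;
                        }
                    } elseif ($type === 'text') {
                        // A text input groups several <text> fields, each with its own name/column
                        foreach ($input->text as $text) {
                            $value = _ccpcTextValue($text, $formData);
                            if ($value === null) {
                                $erreur['LANG_ERROR_CCPC_INCOMPLETEFORM'] = true;
                            } else {
                                $formResult[(string) $text['nomBDD']] = $value;
                            }
                        }
                    } elseif ($type === 'textarea') {
                        $value = _ccpcTextValue($input, $formData);
                        if ($value === null) {
                            $erreur['LANG_ERROR_CCPC_INCOMPLETEFORM'] = true;
                        } else {
                            $formResult[(string) $input['nomBDD']] = $value;
                        }
                    }
                }
            }
        }
    }
    // Data not included in the form (promotion, number of externs, service, ...)
    if (count($erreur) == 0) {
        $nonEvaluationData = eval_ccpc_getNoFormData($evaluationData, $erreur);
        // List of the services already evaluated, stored serialized in the register.
        // NOTE(review): unserialize() on stored data — if the register only holds
        // service ids, pass array('allowed_classes' => false) so no object can be
        // instantiated from it; confirm the register format before changing this.
        $registerData = getEvaluationRegisterData();
        $evaluateService = $registerData != '' ? unserialize($registerData) : array();
        if (!is_array($evaluateService)) {
            $evaluateService = array();
        }
        // Remove the services already evaluated from the services left to evaluate
        foreach ($evaluateService as $service) {
            if (is_scalar($service) && isset($nonEvaluationData['data'][$service])) {
                unset($nonEvaluationData['data'][$service]);
            }
        }
        // The selected service is user input; only a scalar can be used as an array key
        $selectedService = isset($formData['service']) && is_scalar($formData['service']) ? $formData['service'] : null;
        // Merge the non-evaluation data of the selected service
        if (isset($nonEvaluationData['data']) && count($nonEvaluationData['data']) > 0) {
            if ($selectedService !== null && isset($nonEvaluationData['data'][$selectedService])) {
                $formResult = array_merge($formResult, $nonEvaluationData['data'][$selectedService]);
            } else {
                $erreur['LANG_ERROR_CCPC_INCOMPLETEFORM'] = true;
            }
        }
        // Merge the errors reported for the selected service
        if (isset($nonEvaluationData['erreur']) && count($nonEvaluationData['erreur']) > 0) {
            if ($selectedService !== null && isset($nonEvaluationData['erreur'][$selectedService])) {
                $erreur = array_merge($erreur, $nonEvaluationData['erreur'][$selectedService]);
            }
        }
    }
    $formResult['erreur'] = $erreur;
    return $formResult;
}

/**
 * Returns the submitted value for $name as a string, or null when it is
 * missing, null or not a scalar (an array is never a valid single answer).
 *
 * @param array $formData Submitted values
 * @param string $name Name of the form field
 * @return string|null
 */
function _ccpcSubmittedString($formData, $name)
{
    if (!isset($formData[$name]) || !is_scalar($formData[$name])) {
        return null;
    }
    return (string) $formData[$name];
}

/**
 * Returns the submitted values of a multi-valued field (checkbox group) as a
 * list of strings; a missing field or a non-array value yields an empty list.
 *
 * @param array $formData Submitted values
 * @param string $name Name of the form field
 * @return array
 */
function _ccpcSubmittedList($formData, $name)
{
    $selected = array();
    if (isset($formData[$name]) && is_array($formData[$name])) {
        foreach ($formData[$name] as $item) {
            if (is_scalar($item)) {
                $selected[] = (string) $item;
            }
        }
    }
    return $selected;
}

/**
 * Tells whether an XML node carries a required="1" attribute.
 *
 * @param SimpleXMLElement $node
 * @return bool
 */
function _ccpcIsRequired($node)
{
    return isset($node['required']) && (int) (string) $node['required'] === 1;
}

/**
 * Validates a choice input (select or radio) against its declared choices.
 *
 * The allowed list is rebuilt for every input: the previous code appended to a
 * list shared across inputs ($allowedValue[] = array()), so a value declared
 * for one select was accepted for every later select/radio. The comparison is
 * strict on the string value of the choice.
 *
 * @param SimpleXMLElement $input The <input> node (name, nomBDD, required)
 * @param SimpleXMLElement $choices The <option> or <radio> children carrying a value attribute
 * @param array $formData Submitted values
 * @return string|null The accepted value; '' when optional and nothing valid was submitted; null when required and nothing valid was submitted
 */
function _ccpcChoiceValue($input, $choices, $formData)
{
    $allowedValue = array();
    foreach ($choices as $choice) {
        $allowedValue[] = (string) $choice['value'];
    }
    $submitted = _ccpcSubmittedString($formData, (string) $input['name']);
    if ($submitted !== null && in_array($submitted, $allowedValue, true)) {
        return $submitted;
    }
    return _ccpcIsRequired($input) ? null : '';
}

/**
 * Sanitizes a free-text value (text field or textarea) with htmLawed.
 *
 * @param SimpleXMLElement $node The node carrying name, nomBDD and required
 * @param array $formData Submitted values
 * @return string|null The sanitized value; '' when optional and empty/missing; null when required and empty/missing
 */
function _ccpcTextValue($node, $formData)
{
    $submitted = _ccpcSubmittedString($formData, (string) $node['name']);
    if ($submitted === null || $submitted === '') {
        return _ccpcIsRequired($node) ? null : '';
    }
    // NOTE(review): htmLawed is called with its default config here, not with
    // 'safe' => 1 as other callers do; confirm the default is intended for this field.
    return htmLawed($submitted);
}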
        $cfg['deny_attribute'] = isset($cfg['deny_attribute1'][0]) ? $cfg['deny_attribute1'] : 0;
    }
    unset($cfg['deny_attribute1']);
    if (isset($cfg['tidy']) && $cfg['tidy'] == 2) {
        $cfg['tidy'] = isset($cfg['tidy2'][0]) ? $cfg['tidy2'] : 0;
    }
    unset($cfg['tidy2']);
    if (isset($cfg['unique_ids']) && $cfg['unique_ids'] == 2) {
        $cfg['unique_ids'] = isset($cfg['unique_ids2'][0]) ? $cfg['unique_ids2'] : 1;
    }
    unset($cfg['unique_ids2']);
    unset($cfg['and_mark']);
    // disabling and_mark
    $cfg['show_setting'] = 'hlcfg';
    $st = microtime();
    $out = htmLawed($_POST['text'], $cfg, $_POST['spec']);
    $et = microtime();
    echo '<br /><a href="htmLawedTest.php" title="[toggle visibility] syntax-highlighted" onclick="javascript:toggle(\'inputR\'); return false;"><span class="notice">Input code &raquo;</span></a> <span class="help" title="tags estimated as half of total &gt; and &lt; chars; values may be inaccurate for non-ASCII text"><small><big>', strlen($_POST['text']), '</big> chars, ~<big>', $tag = round((substr_count($_POST['text'], '>') + substr_count($_POST['text'], '<')) / 2), '</big> tag', $tag > 1 ? 's' : '', '</small>&nbsp;</span><div id="inputR" style="display: none;">', format($_POST['text']), '</div><script type="text/javascript">hl(\'inputR\');</script>', !isset($_POST['text'][$_hlimit]) ? ' <a href="htmLawedTest.php" title="[toggle visibility] hexdump; non-viewable characters like line-returns are shown as dots" onclick="javascript:toggle(\'inputD\'); return false;"><span class="notice">Input binary &raquo;&nbsp;</span></a><div id="inputD" style="display: none;">' . hexdump($_POST['text']) . 
'</div>' : '', ' <a href="htmLawedTest.php" title="[toggle visibility] finalized internal settings as interpreted by htmLawed; for developers" onclick="javascript:toggle(\'settingF\'); return false;"><span class="notice">Finalized internal settings &raquo;&nbsp;</span></a> <div id="settingF" style="display: none;">$config: ', str_replace(array('    ', "\t", '  '), array('  ', '&nbsp;  ', '&nbsp; '), nl2br(htmlspecialchars(print_r($GLOBALS['hlcfg']['config'], true)))), '<br />$spec: ', str_replace(array('    ', "\t", '  '), array('  ', '&nbsp;  ', '&nbsp; '), nl2br(htmlspecialchars(print_r($GLOBALS['hlcfg']['spec'], true)))), '</div><script type="text/javascript">hl(\'settingF\');</script>', '<br /><a href="htmLawedTest.php" title="[toggle visibility] suitable for copy-paste" onclick="javascript:toggle(\'outputF\'); return false;"><span class="notice">Output &raquo;</span></a> <span class="help" title="approx., server-specific value excluding the \'include()\' call"><small>htmLawed processing time <big>', number_format(substr($et, 0, 9) + substr($et, -10) - substr($st, 0, 9) - substr($st, -10), 4), '</big> s</small></span>', ($mem = memory_get_peak_usage()) !== false ? '<span class="help"><small>, peak memory usage <big>' . round(($mem - $pre_mem) / 1048576, 2) . '</big> <small>MB</small>' : '', '</small></span><div id="outputF"  style="display: block;"><div><textarea id="text2" class="textarea" name="text2" rows="5" cols="100" style="width: 100%;">', htmlspecialchars($out), '</textarea></div><button type="button" onclick="javascript:document.getElementById(\'text2\').focus();document.getElementById(\'text2\').select()" title="select all to copy" style="float:right;">Select all</button>';
    if ($_w3c_validate && $validation) {
        ?>
  
<button type="button" title="HTML 4.01 W3C online validation" style="float: right;" onclick="javascript: sndValidn('text2', 'html401'); return false;" onkeypress="javascript: sndValidn('text2', 'html401'); return false;">Check HTML</button>
<button type="button" title="XHTML 1.1 W3C online validation" style="float: right;" onclick="javascript: sndValidn('text2', 'xhtml110'); return false;" onkeypress="javascript: sndValidn('text2', 'xhtml110'); return false;">Check XHTML</button>
  
<?php 
    }
    echo '</div><br /><a href="htmLawedTest.php" title="[toggle visibility] syntax-highlighted" onclick="javascript:toggle(\'outputR\'); return false;"><span class="notice">Output code &raquo;</span></a><div id="outputR" style="display: block;">', format($out), '</div><script type="text/javascript">hl(\'outputR\');</script>', !isset($_POST['text'][$_hlimit]) ? ' <a href="htmLawedTest.php" title="[toggle visibility] hexdump; non-viewable characters like line-returns are shown as dots" onclick="javascript:toggle(\'outputD\'); return false;"><span class="notice">Output binary &raquo;</span></a><div id="outputD" style="display: none;">' . hexdump($out) . '</div>' : '', ' <a href="htmLawedTest.php" title="[toggle visibility] inline output-input diff; might not be perfectly accurate, semantically or otherwise " onclick="javascript:toggle(\'diff\'); diffLaunch(); return false;"><span class="notice">Diff &raquo;</span></a> <div id="diff" style="display: none;"></div><br /><a href="htmLawedTest.php" title="[toggle visibility] XHTML 1 Transitional doctype" onclick="javascript:toggle(\'outputH\'); return false;"><span class="notice">Output rendered &raquo;</span></a><div id="outputH" style="display: block;">', $out, '</div>';
} else {
    ?>

<br />