示例#1
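/**
 * Rebuilds an opening tag, keeping only the attributes allowed for the element.
 *
 * If no attributes are allowed for the element, every attribute is dropped.
 * Otherwise kses_hair() splits $attr into individual attributes, and each one
 * is kept only when the allow-list has an entry for it and the attribute passes
 * every check configured in that entry. It also removes "<" and ">" characters
 * from the kept attributes, and if the tag has a closing XHTML slash it puts
 * one in the returned code as well.
 *
 * Security notes:
 * - $element is written into the result verbatim; this function neither
 *   validates nor escapes it, so callers must pass an already-checked name.
 * - kses_safecss_filter_attr() is applied to "style" only when the allow-list
 *   entry for "style" is an array; a scalar entry keeps the value unfiltered.
 *
 * @param string $element HTML element/tag
 * @param string $attr HTML attributes from HTML element to closing HTML element tag
 * @param array $allowed_html Allowed HTML elements, looked up by lower-cased
 *                            element name and then lower-cased attribute name
 * @param array $allowed_protocols Allowed protocols, passed on to kses_hair()
 * @return string Sanitized HTML element
 */
function kses_attr($element, $attr, $allowed_html, $allowed_protocols)
{
    // Is there a closing XHTML slash at the end of the attributes?
    $xhtml_slash = preg_match('%\\s*/\\s*$%', $attr) ? ' /' : '';

    // Are any attributes allowed at all for this element? A missing or
    // non-array entry is treated as "none": calling count() on such a value
    // throws a TypeError on PHP 8, and the @ operator does not suppress that.
    $element_key = strtolower($element);
    if (
        !isset($allowed_html[$element_key])
        || !is_array($allowed_html[$element_key])
        || count($allowed_html[$element_key]) == 0
    ) {
        return "<{$element}{$xhtml_slash}>";
    }
    $allowed_attrs = $allowed_html[$element_key];

    // Split it
    $attrarr = kses_hair($attr, $allowed_protocols);

    // Go through $attrarr, and save the allowed attributes for this element
    // in $attr2
    $attr2 = '';
    foreach ($attrarr as $arreach) {
        $attr_key = strtolower($arreach['name']);

        // No allow-list entry: the attribute is not allowed.
        if (!isset($allowed_attrs[$attr_key])) {
            continue;
        }

        // An entry that loosely equals '' also means "not allowed". Which
        // scalar values compare equal to '' depends on the PHP version.
        $current = $allowed_attrs[$attr_key];
        if ($current == '') {
            continue;
        }

        if (!is_array($current)) {
            // Scalar entry: keep the attribute without any further checks.
            // NOTE(review): this path also skips the CSS filter for "style";
            // confirm that allow-lists always use an array entry for it.
            $attr2 .= ' ' . $arreach['whole'];
            continue;
        }

        // Array entry: every configured check has to pass.
        $ok = true;
        foreach ($current as $currkey => $currval) {
            if (!kses_check_attr_val($arreach['value'], $arreach['vless'], $currkey, $currval)) {
                $ok = false;
                break;
            }
        }

        if ($attr_key === 'style') {
            // Replace the raw CSS with its filtered form; drop the attribute
            // entirely when nothing is left after filtering.
            $orig_value = $arreach['value'];
            $value = kses_safecss_filter_attr($orig_value);
            if (empty($value)) {
                continue;
            }
            $arreach['value'] = $value;
            $arreach['whole'] = str_replace($orig_value, $value, $arreach['whole']);
        }

        if ($ok) {
            $attr2 .= ' ' . $arreach['whole'];
        }
    }

    // Remove any "<" or ">" characters
    $attr2 = preg_replace('/[<>]/', '', $attr2);
    return "<{$element}{$attr2}{$xhtml_slash}>";
}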
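/**
 * Rebuilds an opening tag, keeping only the attributes allowed for the element.
 *
 * When the allow-list has no attributes for the element, all attributes are
 * dropped. Otherwise kses_hair() splits $attr, and an attribute is kept when
 * the allow-list has an entry for it and, if that entry is an array, every
 * check in it passes kses_check_attr_val(). "<" and ">" are stripped from the
 * kept attributes and a closing XHTML slash is carried over.
 *
 * Security notes:
 * - $element is written into the result verbatim; it is neither validated nor
 *   escaped here, so callers must pass an already-checked element name.
 * - This function applies no CSS-specific filtering: an allowed "style"
 *   attribute is only subject to the checks configured for it.
 *
 * @param string $element HTML element/tag
 * @param string $attr Attribute part of the tag
 * @param array $allowed_html Allow-list, looked up by lower-cased element name
 *                            and then lower-cased attribute name
 * @param array $allowed_protocols Allowed protocols, passed on to kses_hair()
 * @return string The rebuilt tag
 */
function kses_attr($element, $attr, $allowed_html, $allowed_protocols)
{
    # Is there a closing XHTML slash at the end of the attributes?
    $xhtml_slash = preg_match('%\\s/\\s*$%', $attr) ? ' /' : '';

    # Are any attributes allowed at all for this element? A missing or
    # non-array entry counts as "none": count() on such a value throws a
    # TypeError on PHP 8, which the @ operator cannot suppress.
    $tag = strtolower($element);
    $rules = (isset($allowed_html[$tag]) && is_array($allowed_html[$tag]))
        ? $allowed_html[$tag]
        : array();
    if (count($rules) == 0) {
        return "<{$element}{$xhtml_slash}>";
    }

    # Split it
    $attrarr = kses_hair($attr, $allowed_protocols);

    # Go through $attrarr, and save the allowed attributes for this element
    # in $attr2
    $attr2 = '';
    foreach ($attrarr as $arreach) {
        $attr_name = strtolower($arreach['name']);

        # no entry in the allow-list: the attribute is not allowed
        if (!isset($rules[$attr_name])) {
            continue;
        }

        $current = $rules[$attr_name];
        $ok = true;
        if (is_array($current)) {
            # there are some checks; the first failing one rejects the attribute
            foreach ($current as $currkey => $currval) {
                if (!kses_check_attr_val($arreach['value'], $arreach['vless'], $currkey, $currval)) {
                    $ok = false;
                    break;
                }
            }
        }

        # a scalar entry has no checks, so the attribute is kept as it is
        if ($ok) {
            $attr2 .= ' ' . $arreach['whole'];
        }
    }

    # Remove any "<" or ">" characters
    $attr2 = preg_replace('/[<>]/', '', $attr2);
    return "<{$element}{$attr2}{$xhtml_slash}>";
}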
示例#3
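function kses_attr($element, $attr, $allowed_html, $allowed_protocols)
{
    ###############################################################################
    # This function removes all attributes, if none are allowed for this element.
    # If some are allowed it calls kses_hair() to split them further, and then it
    # builds up new HTML code from the data that kses_hair() returns. It also
    # removes "<" and ">" characters, if there are any left. One more thing it
    # does is to check if the tag has a closing XHTML slash, and if it does,
    # it puts one in the returned code as well.
    #
    # $element        tag name; written into the result verbatim, so it is
    #                 neither validated nor escaped here and the caller must
    #                 pass an already-checked name
    # $attr           attribute part of the tag
    # $allowed_html   allow-list, looked up by lower-cased element name and
    #                 then lower-cased attribute name
    # $allowed_protocols  passed on to kses_hair()
    # Returns the rebuilt tag as a string.
    #
    # No CSS-specific filtering is applied here: an allowed "style" attribute
    # is only subject to the checks configured for it in $allowed_html.
    ###############################################################################
    # Is there a closing XHTML slash at the end of the attributes?
    $xhtml_slash = '';
    if (preg_match('%\\s/\\s*$%', $attr)) {
        $xhtml_slash = ' /';
    }
    # Are any attributes allowed at all for this element? Check the entry
    # before counting it: count() on a missing or non-array value throws a
    # TypeError on PHP 8, and the @ operator does not suppress that.
    $lc_element = strtolower($element);
    $has_rules = isset($allowed_html[$lc_element])
        && is_array($allowed_html[$lc_element])
        && count($allowed_html[$lc_element]) > 0;
    if (!$has_rules) {
        return "<{$element}{$xhtml_slash}>";
    }
    # Split it
    $attrarr = kses_hair($attr, $allowed_protocols);
    # Go through $attrarr, and save the allowed attributes for this element
    # in $attr2
    $attr2 = '';
    foreach ($attrarr as $arreach) {
        $lc_name = strtolower($arreach['name']);
        if (!isset($allowed_html[$lc_element][$lc_name])) {
            # the attribute is not allowed
            continue;
        }
        $current = $allowed_html[$lc_element][$lc_name];
        if (!is_array($current)) {
            # no checks are configured, so the attribute is kept as it is
            $attr2 .= ' ' . $arreach['whole'];
        } else {
            # there are some checks, and all of them have to pass
            $ok = true;
            foreach ($current as $currkey => $currval) {
                if (!kses_check_attr_val($arreach['value'], $arreach['vless'], $currkey, $currval)) {
                    $ok = false;
                    break;
                }
            }
            if ($ok) {
                # it passed them
                $attr2 .= ' ' . $arreach['whole'];
            }
        }
    }
    # Remove any "<" or ">" characters
    $attr2 = preg_replace('/[<>]/', '', $attr2);
    return "<{$element}{$attr2}{$xhtml_slash}>";
}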