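/**
 * Recursively cleans a value (string or nested array) of common XSS vectors.
 *
 * Non-string scalars are returned unchanged; arrays are cleaned element by
 * element, keys preserved. With $eschtml === true a string is first HTML
 * escaped, stripped of script/style blocks and tags, and escaped again, before
 * the regular filter chain runs.
 *
 * The filter chain is adapted from https://gist.github.com/mbijon/1098477.
 * Several patterns use the /u modifier, so preg_replace() returns null for
 * input that is not valid UTF-8; the remaining steps then see null and the
 * function returns null, i.e. such input is dropped rather than passed on.
 *
 * @param mixed $data    value to clean (string, array of values, or other scalar)
 * @param bool  $eschtml when true, also HTML-escape and strip tags
 * @return mixed cleaned value with the same shape/type as $data (null on PCRE error)
 */
function paw_xss_cleaner($data, $eschtml = false)
{
    if (is_array($data)) {
        foreach ($data as $key => $value) {
            $data[$key] = paw_xss_cleaner($value, $eschtml);
        }
        return $data;
    }
    if (!is_string($data)) {
        return $data;
    }

    // ESCAPE HTML STUFF
    if ($eschtml === true) {
        $data = htmlspecialchars(trim($data), ENT_QUOTES, "UTF-8");
        $data = preg_replace("#<(script|style)[^>]*?>.*?</\\1>#si", "", $data);
        $data = trim(strip_tags($data));
        $data = htmlspecialchars(trim($data), ENT_QUOTES, "UTF-8");
    }

    // @source https://gist.github.com/mbijon/1098477
    // Normalise entity spellings first, then decode once so the tag/attribute
    // patterns below operate on the literal markup rather than on entities.
    $data = str_replace(array('&', '<', '>'), array('&amp;', '&lt;', '&gt;'), $data);
    $data = preg_replace('/(&#*\\w+)[\\x00-\\x20]+;/u', '$1;', $data);
    $data = preg_replace('/(&#x*[0-9A-F]+);*/iu', '$1;', $data);
    $data = html_entity_decode($data, ENT_COMPAT, 'UTF-8');

    // Drop event-handler (on*) and xmlns attributes from any tag.
    $data = preg_replace('#(<[^>]+?[\\x00-\\x20"\'])(?:on|xmlns)[^>]*+>#iu', '$1>', $data);

    // Neutralise javascript:, vbscript: and -moz-binding: attribute values,
    // allowing control characters / whitespace interleaved in the scheme name.
    $data = preg_replace('#([a-z]*)[\\x00-\\x20]*=[\\x00-\\x20]*([`\'"]*)[\\x00-\\x20]*j[\\x00-\\x20]*a[\\x00-\\x20]*v[\\x00-\\x20]*a[\\x00-\\x20]*s[\\x00-\\x20]*c[\\x00-\\x20]*r[\\x00-\\x20]*i[\\x00-\\x20]*p[\\x00-\\x20]*t[\\x00-\\x20]*:#iu', '$1=$2nojavascript...', $data);
    $data = preg_replace('#([a-z]*)[\\x00-\\x20]*=([\'"]*)[\\x00-\\x20]*v[\\x00-\\x20]*b[\\x00-\\x20]*s[\\x00-\\x20]*c[\\x00-\\x20]*r[\\x00-\\x20]*i[\\x00-\\x20]*p[\\x00-\\x20]*t[\\x00-\\x20]*:#iu', '$1=$2novbscript...', $data);
    $data = preg_replace('#([a-z]*)[\\x00-\\x20]*=([\'"]*)[\\x00-\\x20]*-moz-binding[\\x00-\\x20]*:#u', '$1=$2nomozbinding...', $data);

    // Remove style attributes carrying expression(), behaviour() or script:.
    $data = preg_replace('#(<[^>]+?)style[\\x00-\\x20]*=[\\x00-\\x20]*[`\'"]*.*?expression[\\x00-\\x20]*\\([^>]*+>#i', '$1>', $data);
    $data = preg_replace('#(<[^>]+?)style[\\x00-\\x20]*=[\\x00-\\x20]*[`\'"]*.*?behaviour[\\x00-\\x20]*\\([^>]*+>#i', '$1>', $data);
    $data = preg_replace('#(<[^>]+?)style[\\x00-\\x20]*=[\\x00-\\x20]*[`\'"]*.*?s[\\x00-\\x20]*c[\\x00-\\x20]*r[\\x00-\\x20]*i[\\x00-\\x20]*p[\\x00-\\x20]*t[\\x00-\\x20]*:*[^>]*+>#iu', '$1>', $data);

    // Remove namespaced elements (e.g. prefix:tag).
    $data = preg_replace('#</*\\w+:\\w[^>]*+>#i', '', $data);

    // Strip dangerous container tags until a pass changes nothing: removing one
    // tag can expose another that was split across it. The original code set
    // $old_data = $data *before* testing $old_data !== $data, so this loop body
    // never executed and these tags were never stripped.
    do {
        $old_data = $data;
        $data = preg_replace('#</*(?:applet|b(?:ase|gsound|link)|embed|frame(?:set)?|i(?:frame|layer)|l(?:ayer|ink)|meta|object|s(?:cript|tyle)|title|xml)[^>]*+>#i', '', $data);
    } while ($data !== null && $old_data !== $data);

    return $data;
}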
/**
 * Returns the profile field values of a user.
 *
 * For every field from getFields() the stored meta value is read; when none is
 * stored (NULL) the field's own default attribute is used instead, trying
 * "value", "checked" and "selected" in that order.
 *
 * @param mixed $data user identifier as accepted by $pawUsers->getUser()
 * @return array|false map of field name => value, or false when the user is not found
 */
public function getUserFields($data)
{
    global $pawUsers;

    // VALIDATE
    $user = $pawUsers->getUser(paw_xss_cleaner($data));
    if ($user === false) {
        return false;
    }

    $values = array();
    foreach ($this->getFields() as $field) {
        $name = $field["name"];
        $values[$name] = $this->getMeta($user->id, $name, true, NULL);
        if ($values[$name] !== NULL) {
            continue;
        }
        // No stored value: fall back to the first default attribute present.
        foreach (array("value", "checked", "selected") as $attribute) {
            if (isset($field["attributes"][$attribute])) {
                $values[$name] = $field["attributes"][$attribute];
                break;
            }
        }
    }

    return $values;
}
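/**
 * User list page: applies filter/search, success message, ordering and
 * pagination taken from the request, then renders the "users" view.
 *
 * Only whitelisted column names and directions are placed into $order, so the
 * ORDER BY clause never contains request-controlled text.
 *
 * @param string $action not used by this method (controller dispatch signature)
 * @param string $param  not used by this method (controller dispatch signature)
 * @return void
 */
public function index($action = "", $param = "")
{
    global $pawUsers;
    $request = $this->_check("user_view");

    // GET FILTER AND SEARCH
    $filter = $this->_filter("users", $_GET);
    if ($request === "POST" && isset($_POST["user-filter"])) {
        $filter = $this->_filter("users", $_POST);
    }
    unset($filter["filter"]);
    if ($request === "POST" && isset($_POST["search"])) {
        $filter["users"] = array(paw_xss_cleaner($_POST["search"], true));
    }

    // GET SUCCESS
    if (isset($_GET["success"])) {
        $this->success = $this->_success($_GET["success"], __("User"));
    }

    // GET ORDER (keys are inserted in the order they are imploded below)
    $order = array();
    switch (isset($_GET["orderby"]) ? $_GET["orderby"] : "") {
        case "email":
            $order["orderby"] = "user.email";
            break;
        default:
            $order["orderby"] = "user.username";
            break;
    }
    switch (isset($_GET["order"]) ? $_GET["order"] : "") {
        case "DESC":
            $order["order"] = "DESC";
            break;
        default:
            $order["order"] = "ASC";
            break;
    }

    // GET LIMIT AND OFFSET
    $limit = $pawUsers->config["show_users_num"];
    $offset = 0;
    if (isset($_GET["page"]) && is_numeric($_GET["page"])) {
        // Cast before the arithmetic: is_numeric() also accepts "2.5" or "1e2",
        // which would otherwise make the offset a float / an unexpected size.
        $page = (int) $_GET["page"];
        if ($page > 1) {
            $offset = ($page - 1) * $limit;
        }
    }

    // DISPLAY PAGE
    $items = $pawUsers->findUsers($filter, implode(" ", $order), $limit, $offset);
    $this->_display("users", "", array_merge($filter, $order), $items);
}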
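/**
 * Fetches blacklist entries, optionally restricted by type and/or status.
 *
 * @param string|null   $type   restrict to this blacklist type (bound as :type)
 * @param bool|int|null $status restrict to this status, cast to int; ignored
 *                              unless it is a bool or numeric
 * @return array list of entries as associative arrays; "author" is replaced by
 *               the author's name and "settings" is unserialised
 */
public function getBlacklist($type = NULL, $status = NULL)
{
    global $pawUsers;

    // VALIDATE
    $type = paw_xss_cleaner($type);

    // Conditions and bound parameters are collected side by side so the
    // parameter list matches the placeholders actually present in the SQL.
    // (The original initialised $where = "" and then used $where[], which is a
    // fatal error on PHP >= 7.1, and concatenated the array into the query
    // when no condition applied.)
    $conditions = array();
    $params = array();
    if ($type !== NULL && is_string($type)) {
        $conditions[] = "type=:type";
        $params[":type"] = $type;
    }
    if (is_bool($status) || is_numeric($status)) {
        $conditions[] = "status=" . (int) $status;
    }
    $where = "";
    if (!empty($conditions)) {
        $where = "WHERE " . implode(" AND ", $conditions);
    }

    // SELECT AND RETURN
    $query = "SELECT * FROM " . TABLE_PREFIX . "blacklist " . $where . " ORDER BY type";
    $rows = Record::query($query, $params);
    if (empty($rows)) {
        return array();
    }

    $return = array();
    foreach ($rows as $row) {
        $user = $pawUsers->getUser($row->author, "id");
        // getUser() returns false when the author no longer exists; keep the
        // NULL the original produced in that case, without the property warning.
        $row->author = ($user !== false && isset($user->name)) ? $user->name : NULL;
        $row->settings = paw_unserializer($row->settings);
        $return[] = (array) $row;
    }
    return $return;
}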
/**
 * Checks whether a permission exists and, unless $data === false, whether the
 * given (or current) user holds it through one of their roles.
 *
 * @param string $permission permission name
 * @param mixed  $data       user identifier for $pawUsers->getUser();
 *                           NULL = current user; false = only check existence
 * @return bool
 */
public function hasPermission($permission, $data = NULL)
{
    global $pawUsers;

    // CHECK IF PERMISSION EXIST
    if (!is_string($permission) || empty($permission)) {
        return false;
    }
    $permission = paw_xss_cleaner($permission);
    $sql = "SELECT * FROM " . TABLE_PREFIX . "permission WHERE name=:name";
    $rows = Record::query($sql, array(":name" => $permission));
    if (empty($rows)) {
        return false;
    }
    if ($data === false) {
        // Caller only wanted to know that the permission is defined.
        return true;
    }
    $permissionId = $rows[0]->id;

    // GET USER
    $user = $pawUsers->getUser($data === NULL ? $pawUsers->getCurrentUserID() : $data);
    if ($user === false) {
        return false;
    }

    // CHECK IF THE USER HAS THE PERMISSION
    $sql = "SELECT ur.user_id AS id FROM " . TABLE_PREFIX . "user_role AS ur\n\t\t\t\tLEFT JOIN " . TABLE_PREFIX . "role_permission AS rp ON (ur.role_id = rp.role_id) \n\t\t\t\tWHERE ur.user_id=:user AND rp.permission_id=:perm;";
    $rows = Record::query($sql, array(":user" => $user->id, ":perm" => $permissionId));
    return !empty($rows) && isset($rows[0]);
}
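/**
 * Account deletion page: resolves the target user from the first positional
 * argument or the posted form, performs the delete action on POST, and either
 * redirects on success or renders the account view.
 *
 * Redirects to the login page when no user is logged in.
 *
 * @return void
 */
public function delete()
{
    global $pawUsers;

    // CHECK IF USER IS LOGGED IN
    if (!$pawUsers->isLoggedIn()) {
        $this->_redirect(get_url("login"));
    }

    // GET PARAMETER: the first positional argument, if any, names the user
    $input = func_get_args();
    $input = array_slice(array_pad($input, 1, NULL), 0, 1);
    $input = array_combine(array("user"), $input);

    // GET USER: a numeric id is resolved to its username
    if (is_numeric($input["user"])) {
        // The original wrote "$user = getUser(...) !== false", which assigns
        // the comparison result (a bool) to $user, so $user->username was
        // never a name. Assign first, then compare.
        $user = $pawUsers->getUser($input["user"], "id");
        if ($user !== false) {
            $input["user"] = $user->username;
        }
    }

    // GET POST
    $delete = false;
    if (get_request_method() === "POST" && isset($_POST["account"])) {
        $post = $_POST["account"];
        if (isset($post["action"]) && $post["action"] === "delete") {
            $delete = $this->_action("delete", $post);
            $input["user"] = isset($post["user"]) ? $post["user"] : $input["user"];
        }
    }

    // DISPLAY PAGE
    if ($delete === true) {
        $redirect = $pawUsers->config["redirect_pages"]["delete"];
        if (defined("CMS_BACKEND") && CMS_BACKEND == true && startsWith($redirect, ADMIN_DIR . "/")) {
            $redirect = str_replace(ADMIN_DIR . "/", "", $redirect);
        }
        if (!startsWith($redirect, "http") && !startsWith($redirect, "www")) {
            $redirect = get_url($redirect);
        }
        $this->_redirect($redirect . "?success=delete");
    } else {
        $this->display("../../plugins/paw_users/admin/account", array(
            "action" => "delete",
            "input" => paw_xss_cleaner($input),
            "redirect" => $this->_redirect(false),
            "errors" => $this->errors,
            "success" => $this->success,
        ));
    }
}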
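/**
 * Loads a single user row by id, email or username.
 *
 * @param mixed       $data lookup value (passed through paw_xss_cleaner first)
 * @param string|null $type column to match: "id", "email" or "username". Any
 *                          other value is ignored and the column is inferred
 *                          from $data (numeric → id, valid email → email,
 *                          otherwise username).
 * @return object|false first matching row, or false when none is found
 */
private function _getUser($data, $type = NULL)
{
    $data = paw_xss_cleaner($data);

    // $type is concatenated into the SQL as a column name, so it must come from
    // this fixed whitelist. The comparison is strict: a loose in_array() would
    // let loosely-equal values (e.g. 0 or true on PHP < 8) pass the check.
    if (!in_array($type, array("id", "email", "username"), true)) {
        if (is_numeric($data)) {
            $type = "id";
        } elseif (filter_var($data, FILTER_VALIDATE_EMAIL)) {
            $type = "email";
        } else {
            $type = "username";
        }
    }

    // The value itself is always bound, never interpolated.
    $query = "SELECT * FROM " . TABLE_PREFIX . "user WHERE " . $type . "=:data LIMIT 1";
    $rows = Record::query($query, array(":data" => $data));
    if ($rows !== false && isset($rows[0])) {
        return $rows[0];
    }
    return false;
}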