+++ /dev/null
-<?php
-
-/** @class: InputFilter (PHP4 & PHP5, with comments)
- * @project: PHP Input Filter
- * @date: 10-05-2005
- * @version: 1.2.2_php4/php5
- * @author: Daniel Morris
- * @contributors: Gianpaolo Racca, Ghislain Picard, Marco Wandschneider, Chris Tobin and Andrew Eddie.
- * @copyright: Daniel Morris
- * @email: dan@rootcube.com
- * @license: GNU General Public License (GPL)
- */
-class InputFilter {
- var $tagsArray; // default = empty array
- var $attrArray; // default = empty array
-
- var $tagsMethod; // default = 0
- var $attrMethod; // default = 0
-
- var $xssAuto; // default = 1
- var $tagBlacklist = array('applet', 'body', 'bgsound', 'base', 'basefont', 'embed', 'frame', 'frameset', 'head', 'html', 'id', 'iframe', 'ilayer', 'layer', 'link', 'meta', 'name', 'object', 'script', 'style', 'title', 'xml');
- var $attrBlacklist = array('action', 'background', 'codebase', 'dynsrc', 'lowsrc'); // also will strip ALL event handlers
-
- /**
- * Constructor for inputFilter class. Only first parameter is required.
- * @access constructor
- * @param Array $tagsArray - list of user-defined tags
- * @param Array $attrArray - list of user-defined attributes
- * @param int $tagsMethod - 0= allow just user-defined, 1= allow all but user-defined
- * @param int $attrMethod - 0= allow just user-defined, 1= allow all but user-defined
- * @param int $xssAuto - 0= only auto clean essentials, 1= allow clean blacklisted tags/attr
- */
- function inputFilter($tagsArray = array(), $attrArray = array(), $tagsMethod = 0, $attrMethod = 0, $xssAuto = 1) {
- // make sure user defined arrays are in lowercase
- for ($i = 0; $i < count($tagsArray); $i++) $tagsArray[$i] = strtolower($tagsArray[$i]);
- for ($i = 0; $i < count($attrArray); $i++) $attrArray[$i] = strtolower($attrArray[$i]);
- // assign to member vars
- $this->tagsArray = (array) $tagsArray;
- $this->attrArray = (array) $attrArray;
- $this->tagsMethod = $tagsMethod;
- $this->attrMethod = $attrMethod;
- $this->xssAuto = $xssAuto;
- }
-
- /**
- * Method to be called by another php script. Processes for XSS and specified bad code.
- * @access public
- * @param Mixed $source - input string/array-of-string to be 'cleaned'
- * @return String $source - 'cleaned' version of input parameter
- */
- function process($source) {
- // clean all elements in this array
- if (is_array($source)) {
- foreach($source as $key => $value)
- // filter element for XSS and other 'bad' code etc.
- if (is_string($value)) $source[$key] = $this->remove($this->decode($value));
- return $source;
- // clean this string
- } else if (is_string($source)) {
- // filter source for XSS and other 'bad' code etc.
- return $this->remove($this->decode($source));
- // return parameter as given
- } else return $source;
- }
-
- /**
- * Internal method to iteratively remove all unwanted tags and attributes
- * @access protected
- * @param String $source - input string to be 'cleaned'
- * @return String $source - 'cleaned' version of input parameter
- */
- function remove($source) {
- $loopCounter=0;
- // provides nested-tag protection
- while($source != $this->filterTags($source)) {
- $source = $this->filterTags($source);
- $loopCounter++;
- }
- return $source;
- }
-
- /**
- * Internal method to strip a string of certain tags
- * @access protected
- * @param String $source - input string to be 'cleaned'
- * @return String $source - 'cleaned' version of input parameter
- */
- function filterTags($source) {
- // filter pass setup
- $preTag = NULL;
- $postTag = $source;
- // find initial tag's position
- $tagOpen_start = strpos($source, '<');
- // interate through string until no tags left
- while($tagOpen_start !== FALSE) {
- // process tag interatively
- $preTag .= substr($postTag, 0, $tagOpen_start);
- $postTag = substr($postTag, $tagOpen_start);
- $fromTagOpen = substr($postTag, 1);
- // end of tag
- $tagOpen_end = strpos($fromTagOpen, '>');
- if ($tagOpen_end === false) break;
- // next start of tag (for nested tag assessment)
- $tagOpen_nested = strpos($fromTagOpen, '<');
- if (($tagOpen_nested !== false) && ($tagOpen_nested < $tagOpen_end)) {
- $preTag .= substr($postTag, 0, ($tagOpen_nested+1));
- $postTag = substr($postTag, ($tagOpen_nested+1));
- $tagOpen_start = strpos($postTag, '<');
- continue;
- }
- $tagOpen_nested = (strpos($fromTagOpen, '<') + $tagOpen_start + 1);
- $currentTag = substr($fromTagOpen, 0, $tagOpen_end);
- $tagLength = strlen($currentTag);
- if (!$tagOpen_end) {
- $preTag .= $postTag;
- $tagOpen_start = strpos($postTag, '<');
- }
- // iterate through tag finding attribute pairs - setup
- $tagLeft = $currentTag;
- $attrSet = array();
- $currentSpace = strpos($tagLeft, ' ');
- // is end tag
- if (substr($currentTag, 0, 1) == "/") {
- $isCloseTag = TRUE;
- list($tagName) = explode(' ', $currentTag);
- $tagName = substr($tagName, 1);
- // is start tag
- } else {
- $isCloseTag = FALSE;
- list($tagName) = explode(' ', $currentTag);
- }
- // excludes all "non-regular" tagnames OR no tagname OR remove if xssauto is on and tag is blacklisted
- if ((!preg_match("/^[a-z][a-z0-9]*$/i",$tagName)) || (!$tagName) || ((in_array(strtolower($tagName), $this->tagBlacklist)) && ($this->xssAuto))) {
- $postTag = substr($postTag, ($tagLength + 2));
- $tagOpen_start = strpos($postTag, '<');
- // don't append this tag
- continue;
- }
- // this while is needed to support attribute values with spaces in!
- while ($currentSpace !== FALSE) {
- $fromSpace = substr($tagLeft, ($currentSpace+1));
- $nextSpace = strpos($fromSpace, ' ');
- $openQuotes = strpos($fromSpace, '"');
- $closeQuotes = strpos(substr($fromSpace, ($openQuotes+1)), '"') + $openQuotes + 1;
- // another equals exists
- if (strpos($fromSpace, '=') !== FALSE) {
- // opening and closing quotes exists
- if (($openQuotes !== FALSE) && (strpos(substr($fromSpace, ($openQuotes+1)), '"') !== FALSE))
- $attr = substr($fromSpace, 0, ($closeQuotes+1));
- // one or neither exist
- else $attr = substr($fromSpace, 0, $nextSpace);
- // no more equals exist
- } else $attr = substr($fromSpace, 0, $nextSpace);
- // last attr pair
- if (!$attr) $attr = $fromSpace;
- // add to attribute pairs array
- $attrSet[] = $attr;
- // next inc
- $tagLeft = substr($fromSpace, strlen($attr));
- $currentSpace = strpos($tagLeft, ' ');
- }
- // appears in array specified by user
- $tagFound = in_array(strtolower($tagName), $this->tagsArray);
- // remove this tag on condition
- if ((!$tagFound && $this->tagsMethod) || ($tagFound && !$this->tagsMethod)) {
- // reconstruct tag with allowed attributes
- if (!$isCloseTag) {
- $attrSet = $this->filterAttr($attrSet);
- $preTag .= '<' . $tagName;
- for ($i = 0; $i < count($attrSet); $i++)
- $preTag .= ' ' . $attrSet[$i];
- // reformat single tags to XHTML
- if (strpos($fromTagOpen, "</" . $tagName)) $preTag .= '>';
- else $preTag .= ' />';
- // just the tagname
- } else $preTag .= '</' . $tagName . '>';
- }
- // find next tag's start
- $postTag = substr($postTag, ($tagLength + 2));
- $tagOpen_start = strpos($postTag, '<');
- }
- // append any code after end of tags
- $preTag .= $postTag;
- return $preTag;
- }
-
- /**
- * Internal method to strip a tag of certain attributes
- * @access protected
- * @param Array $attrSet
- * @return Array $newSet
- */
- function filterAttr($attrSet) {
- $newSet = array();
- // process attributes
- for ($i = 0; $i <count($attrSet); $i++) {
- // skip blank spaces in tag
- if (!$attrSet[$i]) continue;
- // split into attr name and value
- $attrSubSet = explode('=', trim($attrSet[$i]));
- list($attrSubSet[0]) = explode(' ', $attrSubSet[0]);
- // removes all "non-regular" attr names AND also attr blacklisted
- if ((!eregi("^[a-z]*$",$attrSubSet[0])) || (($this->xssAuto) && ((in_array(strtolower($attrSubSet[0]), $this->attrBlacklist)) || (substr($attrSubSet[0], 0, 2) == 'on'))))
- continue;
- // xss attr value filtering
- if ($attrSubSet[1]) {
- // strips unicode, hex, etc
- $attrSubSet[1] = str_replace('&#', '', $attrSubSet[1]);
- // strip normal newline within attr value
- $attrSubSet[1] = preg_replace('/\s+/', '', $attrSubSet[1]);
- // strip double quotes
- $attrSubSet[1] = str_replace('"', '', $attrSubSet[1]);
- // [requested feature] convert single quotes from either side to doubles (Single quotes shouldn't be used to pad attr value)
- if ((substr($attrSubSet[1], 0, 1) == "'") && (substr($attrSubSet[1], (strlen($attrSubSet[1]) - 1), 1) == "'"))
- $attrSubSet[1] = substr($attrSubSet[1], 1, (strlen($attrSubSet[1]) - 2));
- // strip slashes
- $attrSubSet[1] = stripslashes($attrSubSet[1]);
- }
- // auto strip attr's with "javascript:
- if ( ((strpos(strtolower($attrSubSet[1]), 'expression') !== false) && (strtolower($attrSubSet[0]) == 'style')) ||
- (strpos(strtolower($attrSubSet[1]), 'javascript:') !== false) ||
- (strpos(strtolower($attrSubSet[1]), 'behaviour:') !== false) ||
- (strpos(strtolower($attrSubSet[1]), 'vbscript:') !== false) ||
- (strpos(strtolower($attrSubSet[1]), 'mocha:') !== false) ||
- (strpos(strtolower($attrSubSet[1]), 'livescript:') !== false)
- ) continue;
-
- // if matches user defined array
- $attrFound = in_array(strtolower($attrSubSet[0]), $this->attrArray);
- // keep this attr on condition
- if ((!$attrFound && $this->attrMethod) || ($attrFound && !$this->attrMethod)) {
- // attr has value
- if ($attrSubSet[1]) $newSet[] = $attrSubSet[0] . '="' . $attrSubSet[1] . '"';
- // attr has decimal zero as value
- else if ($attrSubSet[1] == "0") $newSet[] = $attrSubSet[0] . '="0"';
- // reformat single attributes to XHTML
- else $newSet[] = $attrSubSet[0] . '="' . $attrSubSet[0] . '"';
- }
- }
- return $newSet;
- }
-
- /**
- * Try to convert to plaintext
- * @access protected
- * @param String $source
- * @return String $source
- */
- function decode($source) {
- // url decode
-// $source = html_entity_decode($source, ENT_QUOTES, "ISO-8859-1");
- $source = html_entity_decode($source, ENT_QUOTES, "UTF-8");
- // convert decimal
- $source = preg_replace('/&#(\d+);/me',"chr(\\1)", $source); // decimal notation
- // convert hex
- $source = preg_replace('/&#x([a-f0-9]+);/mei',"chr(0x\\1)", $source); // hex notation
- return $source;
- }
-
- /**
- * Method to be called by another php script. Processes for SQL injection
- * @access public
- * @param Mixed $source - input string/array-of-string to be 'cleaned'
- * @param Buffer $connection - An open MySQL connection
- * @return String $source - 'cleaned' version of input parameter
- */
- function safeSQL($source, &$connection) {
- // clean all elements in this array
- if (is_array($source)) {
- foreach($source as $key => $value)
- // filter element for SQL injection
- if (is_string($value)) $source[$key] = $this->quoteSmart($this->decode($value), $connection);
- return $source;
- // clean this string
- } else if (is_string($source)) {
- // filter source for SQL injection
- if (is_string($source)) return $this->quoteSmart($this->decode($source), $connection);
- // return parameter as given
- } else return $source;
- }
-
- /**
- * @author Chris Tobin
- * @author Daniel Morris
- * @access protected
- * @param String $source
- * @param Resource $connection - An open MySQL connection
- * @return String $source
- */
- function quoteSmart($source, &$connection) {
- // strip slashes
- if (get_magic_quotes_gpc()) $source = stripslashes($source);
- // quote both numeric and text
- $source = $this->escapeString($source, $connection);
- return $source;
- }
-
- /**
- * @author Chris Tobin
- * @author Daniel Morris
- * @access protected
- * @param String $source
- * @param Resource $connection - An open MySQL connection
- * @return String $source
- */
- function escapeString($string, &$connection) {
- // depreciated function
- if (version_compare(phpversion(),"4.3.0", "<")) mysql_escape_string($string);
- // current function
- else mysql_real_escape_string($string);
- return $string;
- }
-}
-
-?>
\ No newline at end of file
projects / mtweb / blobdiff