X-Git-Url: http://git.dj3c1t.com/?a=blobdiff_plain;f=web%2Flibs%2Finputfilter.php;fp=web%2Flibs%2Finputfilter.php;h=0000000000000000000000000000000000000000;hb=36ed114046cbe3d72a3589230e9f306a54fcc79d;hp=b023bc0970467dede05386d872df65d9545bb3fb;hpb=281c96e95451269f2614684b8de5be25862c8374;p=mtweb

diff --git a/web/libs/inputfilter.php b/web/libs/inputfilter.php
deleted file mode 100644
index b023bc0..0000000
--- a/web/libs/inputfilter.php
+++ /dev/null
@@ -1,315 +0,0 @@
-<?php
-
-/** @class: InputFilter (PHP4 & PHP5, with comments)
-  * @project: PHP Input Filter
-  * @date: 10-05-2005
-  * @version: 1.2.2_php4/php5
-  * @author: Daniel Morris
-  * @contributors: Gianpaolo Racca, Ghislain Picard, Marco Wandschneider, Chris Tobin and Andrew Eddie.
-  * @copyright: Daniel Morris
-  * @email: dan@rootcube.com
-  * @license: GNU General Public License (GPL)
-  */
-class InputFilter {
-	var $tagsArray;			// default = empty array
-	var $attrArray;			// default = empty array
-
-	var $tagsMethod;		// default = 0
-	var $attrMethod;		// default = 0
-
-	var $xssAuto;           // default = 1
-	var $tagBlacklist = array('applet', 'body', 'bgsound', 'base', 'basefont', 'embed', 'frame', 'frameset', 'head', 'html', 'id', 'iframe', 'ilayer', 'layer', 'link', 'meta', 'name', 'object', 'script', 'style', 'title', 'xml');
-	var $attrBlacklist = array('action', 'background', 'codebase', 'dynsrc', 'lowsrc');  // also will strip ALL event handlers
-		
-	/** 
-	  * Constructor for inputFilter class. Only first parameter is required.
-	  * @access constructor
-	  * @param Array $tagsArray - list of user-defined tags
-	  * @param Array $attrArray - list of user-defined attributes
-	  * @param int $tagsMethod - 0= allow just user-defined, 1= allow all but user-defined
-	  * @param int $attrMethod - 0= allow just user-defined, 1= allow all but user-defined
-	  * @param int $xssAuto - 0= only auto clean essentials, 1= allow clean blacklisted tags/attr
-	  */
-	function inputFilter($tagsArray = array(), $attrArray = array(), $tagsMethod = 0, $attrMethod = 0, $xssAuto = 1) {		
-		// make sure user defined arrays are in lowercase
-		for ($i = 0; $i < count($tagsArray); $i++) $tagsArray[$i] = strtolower($tagsArray[$i]);
-		for ($i = 0; $i < count($attrArray); $i++) $attrArray[$i] = strtolower($attrArray[$i]);
-		// assign to member vars
-		$this->tagsArray = (array) $tagsArray;
-		$this->attrArray = (array) $attrArray;
-		$this->tagsMethod = $tagsMethod;
-		$this->attrMethod = $attrMethod;
-		$this->xssAuto = $xssAuto;
-	}
-	
-	/** 
-	  * Method to be called by another php script. Processes for XSS and specified bad code.
-	  * @access public
-	  * @param Mixed $source - input string/array-of-string to be 'cleaned'
-	  * @return String $source - 'cleaned' version of input parameter
-	  */
-	function process($source) {
-		// clean all elements in this array
-		if (is_array($source)) {
-			foreach($source as $key => $value)
-				// filter element for XSS and other 'bad' code etc.
-				if (is_string($value)) $source[$key] = $this->remove($this->decode($value));
-			return $source;
-		// clean this string
-		} else if (is_string($source)) {
-			// filter source for XSS and other 'bad' code etc.
-			return $this->remove($this->decode($source));
-		// return parameter as given
-		} else return $source;	
-	}
-
-	/** 
-	  * Internal method to iteratively remove all unwanted tags and attributes
-	  * @access protected
-	  * @param String $source - input string to be 'cleaned'
-	  * @return String $source - 'cleaned' version of input parameter
-	  */
-	function remove($source) {
-		$loopCounter=0;
-		// provides nested-tag protection
-		while($source != $this->filterTags($source)) {
-			$source = $this->filterTags($source);
-			$loopCounter++;
-		}
-		return $source;
-	}	
-	
-	/** 
-	  * Internal method to strip a string of certain tags
-	  * @access protected
-	  * @param String $source - input string to be 'cleaned'
-	  * @return String $source - 'cleaned' version of input parameter
-	  */
-	function filterTags($source) {
-		// filter pass setup
-		$preTag = NULL;
-		$postTag = $source;
-		// find initial tag's position
-		$tagOpen_start = strpos($source, '<');
-		// interate through string until no tags left
-		while($tagOpen_start !== FALSE) {
-			// process tag interatively
-			$preTag .= substr($postTag, 0, $tagOpen_start);
-			$postTag = substr($postTag, $tagOpen_start);
-			$fromTagOpen = substr($postTag, 1);
-			// end of tag
-			$tagOpen_end = strpos($fromTagOpen, '>');
-			if ($tagOpen_end === false) break;
-			// next start of tag (for nested tag assessment)
-			$tagOpen_nested = strpos($fromTagOpen, '<');
-			if (($tagOpen_nested !== false) && ($tagOpen_nested < $tagOpen_end)) {
-				$preTag .= substr($postTag, 0, ($tagOpen_nested+1));
-				$postTag = substr($postTag, ($tagOpen_nested+1));
-				$tagOpen_start = strpos($postTag, '<');
-				continue;
-			} 
-			$tagOpen_nested = (strpos($fromTagOpen, '<') + $tagOpen_start + 1);
-			$currentTag = substr($fromTagOpen, 0, $tagOpen_end);
-			$tagLength = strlen($currentTag);
-			if (!$tagOpen_end) {
-				$preTag .= $postTag;
-				$tagOpen_start = strpos($postTag, '<');			
-			}
-			// iterate through tag finding attribute pairs - setup
-			$tagLeft = $currentTag;
-			$attrSet = array();
-			$currentSpace = strpos($tagLeft, ' ');
-			// is end tag
-			if (substr($currentTag, 0, 1) == "/") {
-				$isCloseTag = TRUE;
-				list($tagName) = explode(' ', $currentTag);
-				$tagName = substr($tagName, 1);
-			// is start tag
-			} else {
-				$isCloseTag = FALSE;
-				list($tagName) = explode(' ', $currentTag);
-			}		
-			// excludes all "non-regular" tagnames OR no tagname OR remove if xssauto is on and tag is blacklisted
-			if ((!preg_match("/^[a-z][a-z0-9]*$/i",$tagName)) || (!$tagName) || ((in_array(strtolower($tagName), $this->tagBlacklist)) && ($this->xssAuto))) { 				
-				$postTag = substr($postTag, ($tagLength + 2));
-				$tagOpen_start = strpos($postTag, '<');
-				// don't append this tag
-				continue;
-			}
-			// this while is needed to support attribute values with spaces in!
-			while ($currentSpace !== FALSE) {
-				$fromSpace = substr($tagLeft, ($currentSpace+1));
-				$nextSpace = strpos($fromSpace, ' ');
-				$openQuotes = strpos($fromSpace, '"');
-				$closeQuotes = strpos(substr($fromSpace, ($openQuotes+1)), '"') + $openQuotes + 1;
-				// another equals exists
-				if (strpos($fromSpace, '=') !== FALSE) {
-					// opening and closing quotes exists
-					if (($openQuotes !== FALSE) && (strpos(substr($fromSpace, ($openQuotes+1)), '"') !== FALSE))
-						$attr = substr($fromSpace, 0, ($closeQuotes+1));
-					// one or neither exist
-					else $attr = substr($fromSpace, 0, $nextSpace);
-				// no more equals exist
-				} else $attr = substr($fromSpace, 0, $nextSpace);
-				// last attr pair
-				if (!$attr) $attr = $fromSpace;
-				// add to attribute pairs array
-				$attrSet[] = $attr;
-				// next inc
-				$tagLeft = substr($fromSpace, strlen($attr));
-				$currentSpace = strpos($tagLeft, ' ');
-			}
-			// appears in array specified by user
-			$tagFound = in_array(strtolower($tagName), $this->tagsArray);			
-			// remove this tag on condition
-			if ((!$tagFound && $this->tagsMethod) || ($tagFound && !$this->tagsMethod)) {
-				// reconstruct tag with allowed attributes
-				if (!$isCloseTag) {
-					$attrSet = $this->filterAttr($attrSet);
-					$preTag .= '<' . $tagName;
-					for ($i = 0; $i < count($attrSet); $i++)
-						$preTag .= ' ' . $attrSet[$i];
-					// reformat single tags to XHTML
-					if (strpos($fromTagOpen, "</" . $tagName)) $preTag .= '>';
-					else $preTag .= ' />';
-				// just the tagname
-			    } else $preTag .= '</' . $tagName . '>';
-			}
-			// find next tag's start
-			$postTag = substr($postTag, ($tagLength + 2));
-			$tagOpen_start = strpos($postTag, '<');			
-		}
-		// append any code after end of tags
-		$preTag .= $postTag;
-		return $preTag;
-	}
-
-	/** 
-	  * Internal method to strip a tag of certain attributes
-	  * @access protected
-	  * @param Array $attrSet
-	  * @return Array $newSet
-	  */
-	function filterAttr($attrSet) {	
-		$newSet = array();
-		// process attributes
-		for ($i = 0; $i <count($attrSet); $i++) {
-			// skip blank spaces in tag
-			if (!$attrSet[$i]) continue;
-			// split into attr name and value
-			$attrSubSet = explode('=', trim($attrSet[$i]));
-			list($attrSubSet[0]) = explode(' ', $attrSubSet[0]);
-			// removes all "non-regular" attr names AND also attr blacklisted
-			if ((!eregi("^[a-z]*$",$attrSubSet[0])) || (($this->xssAuto) && ((in_array(strtolower($attrSubSet[0]), $this->attrBlacklist)) || (substr($attrSubSet[0], 0, 2) == 'on')))) 
-				continue;
-			// xss attr value filtering
-			if ($attrSubSet[1]) {
-				// strips unicode, hex, etc
-				$attrSubSet[1] = str_replace('&#', '', $attrSubSet[1]);
-				// strip normal newline within attr value
-				$attrSubSet[1] = preg_replace('/\s+/', '', $attrSubSet[1]);
-				// strip double quotes
-				$attrSubSet[1] = str_replace('"', '', $attrSubSet[1]);
-				// [requested feature] convert single quotes from either side to doubles (Single quotes shouldn't be used to pad attr value)
-				if ((substr($attrSubSet[1], 0, 1) == "'") && (substr($attrSubSet[1], (strlen($attrSubSet[1]) - 1), 1) == "'"))
-					$attrSubSet[1] = substr($attrSubSet[1], 1, (strlen($attrSubSet[1]) - 2));
-				// strip slashes
-				$attrSubSet[1] = stripslashes($attrSubSet[1]);
-			}
-			// auto strip attr's with "javascript:
-			if (	((strpos(strtolower($attrSubSet[1]), 'expression') !== false) &&	(strtolower($attrSubSet[0]) == 'style')) ||
-					(strpos(strtolower($attrSubSet[1]), 'javascript:') !== false) ||
-					(strpos(strtolower($attrSubSet[1]), 'behaviour:') !== false) ||
-					(strpos(strtolower($attrSubSet[1]), 'vbscript:') !== false) ||
-					(strpos(strtolower($attrSubSet[1]), 'mocha:') !== false) ||
-					(strpos(strtolower($attrSubSet[1]), 'livescript:') !== false) 
-			) continue;
-
-			// if matches user defined array
-			$attrFound = in_array(strtolower($attrSubSet[0]), $this->attrArray);
-			// keep this attr on condition
-			if ((!$attrFound && $this->attrMethod) || ($attrFound && !$this->attrMethod)) {
-				// attr has value
-				if ($attrSubSet[1]) $newSet[] = $attrSubSet[0] . '="' . $attrSubSet[1] . '"';
-				// attr has decimal zero as value
-				else if ($attrSubSet[1] == "0") $newSet[] = $attrSubSet[0] . '="0"';
-				// reformat single attributes to XHTML
-				else $newSet[] = $attrSubSet[0] . '="' . $attrSubSet[0] . '"';
-			}	
-		}
-		return $newSet;
-	}
-	
-	/** 
-	  * Try to convert to plaintext
-	  * @access protected
-	  * @param String $source
-	  * @return String $source
-	  */
-	function decode($source) {
-		// url decode
-//		$source = html_entity_decode($source, ENT_QUOTES, "ISO-8859-1");
-		$source = html_entity_decode($source, ENT_QUOTES, "UTF-8");
-		// convert decimal
-		$source = preg_replace('/&#(\d+);/me',"chr(\\1)", $source);				// decimal notation
-		// convert hex
-		$source = preg_replace('/&#x([a-f0-9]+);/mei',"chr(0x\\1)", $source);	// hex notation
-		return $source;
-	}
-
-	/** 
-	  * Method to be called by another php script. Processes for SQL injection
-	  * @access public
-	  * @param Mixed $source - input string/array-of-string to be 'cleaned'
-	  * @param Buffer $connection - An open MySQL connection
-	  * @return String $source - 'cleaned' version of input parameter
-	  */
-	function safeSQL($source, &$connection) {
-		// clean all elements in this array
-		if (is_array($source)) {
-			foreach($source as $key => $value)
-				// filter element for SQL injection
-				if (is_string($value)) $source[$key] = $this->quoteSmart($this->decode($value), $connection);
-			return $source;
-		// clean this string
-		} else if (is_string($source)) {
-			// filter source for SQL injection
-			if (is_string($source)) return $this->quoteSmart($this->decode($source), $connection);
-		// return parameter as given
-		} else return $source;	
-	}
-
-	/** 
-	  * @author Chris Tobin
-	  * @author Daniel Morris
-	  * @access protected
-	  * @param String $source
-	  * @param Resource $connection - An open MySQL connection
-	  * @return String $source
-	  */
-	function quoteSmart($source, &$connection) {
-		// strip slashes
-		if (get_magic_quotes_gpc()) $source = stripslashes($source);
-		// quote both numeric and text
-		$source = $this->escapeString($source, $connection);
-		return $source;
-	}
-	
-	/** 
-	  * @author Chris Tobin
-	  * @author Daniel Morris
-	  * @access protected
-	  * @param String $source
-	  * @param Resource $connection - An open MySQL connection
-	  * @return String $source
-	  */	
-	function escapeString($string, &$connection) {
-		// depreciated function
-		if (version_compare(phpversion(),"4.3.0", "<")) mysql_escape_string($string);
-		// current function
-		else mysql_real_escape_string($string);
-		return $string;
-	}
-}
-
-?>
\ No newline at end of file