PageRenderTime 77ms CodeModel.GetById 28ms RepoModel.GetById 0ms app.codeStats 0ms

/inc/popoon/classes/externalinput.php

https://github.com/chregu/fluxcms
PHP | 88 lines | 42 code | 15 blank | 31 comment | 7 complexity | cdcdee1205c8bceec05565ae1eb05a02 MD5 | raw file
Possible License(s): GPL-2.0, BSD-3-Clause, Apache-2.0, LGPL-2.1 
    

  1. <?php
    2. 

  2. 

  3. // +----------------------------------------------------------------------+
    4. 

  4. // | popoon                                                               |
    5. 

  5. // +----------------------------------------------------------------------+
    6. 

  6. // | Copyright (c) 2001-2008 Liip AG                                      |
    7. 

  7. // +----------------------------------------------------------------------+
    8. 

  8. // | Licensed under the Apache License, Version 2.0 (the "License");      |
    9. 

  9. // | you may not use this file except in compliance with the License.     |
    10. 

  10. // | You may obtain a copy of the License at                              |
    11. 

  11. // | http://www.apache.org/licenses/LICENSE-2.0                           |
    12. 

  12. // | Unless required by applicable law or agreed to in writing, software  |
    13. 

  13. // | distributed under the License is distributed on an "AS IS" BASIS,    |
    14. 

  14. // | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or      |
    15. 

  15. // | implied. See the License for the specific language governing         |
    16. 

  16. // | permissions and limitations under the License.                       |
    17. 

  17. // +----------------------------------------------------------------------+
    18. 

  18. // | Author: Christian Stocker <christian.stocker@liip.ch>                |
    19. 

  19. // +----------------------------------------------------------------------+
    20. 

  20. //
    21. 

  21. // $Id$
    22. 

  22. 

  23. class popoon_classes_externalinput {
    24. 

  24.     
    25. 

  25.     // this basic clean should clean html code from
    26. 

  26.     // lot of possible malicious code for Cross Site Scripting
    27. 

  27.     // use it whereever you get external input    
    28. 

  28. 

  29.     static function basicClean($string) {
    30. 

  30.         if (get_magic_quotes_gpc()) {
    31. 

  31.             $string = stripslashes($string);
    32. 

  32.         }
    33. 

  33.         //if the newer externalinput class exists, use this
    34. 

  34.         if (method_exists('lx_externalinput_clean','basic')) {
    35. 

  35. 

  36.            return lx_externalinput_clean::basic($string);
    37. 

  37.         }
    38. 

  38.         $string = str_replace(array("&amp;","&lt;","&gt;"),array("&amp;amp;","&amp;lt;","&amp;gt;"),$string);
    39. 

  39.         // fix &entitiy\n;
    40. 

  40.         $string = preg_replace('#(&\#*\w+)[\x00-\x20]+;#u',"$1;",$string);
    41. 

  41.         $string = preg_replace('#(&\#x*)([0-9A-F]+);*#iu',"$1$2;",$string);
    42. 

  42.         $string = html_entity_decode($string, ENT_COMPAT, "UTF-8");
    43. 

  43.         
    44. 

  44.         // remove any attribute starting with "on" or xmlns
    45. 

  45.         $string = preg_replace('#(<[^>]+[\x00-\x20\"\'\/])(on|xmlns)[^>]*>#iUu', "$1>", $string);
    46. 

  46.         
    47. 

  47.         // remove javascript: and vbscript: protocol
    48. 

  48.         $string = preg_replace('#([a-z]*)[\x00-\x20\/]*=[\x00-\x20\/]*([\`\'\"]*)[\x00-\x20\/]*j[\x00-\x20]*a[\x00-\x20]*v[\x00-\x20]*a[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iUu', '$1=$2nojavascript...', $string);
    49. 

  49.         $string = preg_replace('#([a-z]*)[\x00-\x20\/]*=[\x00-\x20\/]*([\`\'\"]*)[\x00-\x20\/]*v[\x00-\x20]*b[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iUu', '$1=$2novbscript...', $string);
    50. 

  50.         $string = preg_replace('#([a-z]*)[\x00-\x20\/]*=[\x00-\x20\/]*([\`\'\"]*)[\x00-\x20\/]*-moz-binding[\x00-\x20]*:#Uu', '$1=$2nomozbinding...', $string);
    51. 

  51.         $string = preg_replace('#([a-z]*)[\x00-\x20\/]*=[\x00-\x20\/]*([\`\'\"]*)[\x00-\x20\/]*data[\x00-\x20]*:#Uu', '$1=$2nodata...', $string);
    52. 

  52.         
    53. 

  53.         //remove any style attributes, IE allows too much stupid things in them, eg.
    54. 

  54.         //<span style="width: expression(alert('Ping!'));"></span> 
    55. 

  55.         // and in general you really don't want style declarations in your UGC
    56. 

  56. 

  57.         $string = preg_replace('#(<[^>]+[\x00-\x20\"\'\/])style[^>]*>#iUu', "$1>", $string);
    58. 

  58.         
    59. 

  59.         //remove namespaced elements (we do not need them...)
    60. 

  60.         $string = preg_replace('#</*\w+:\w[^>]*>#i',"",$string);
    61. 

  61.         //remove really unwanted tags
    62. 

  62.         
    63. 

  63.         do {
    64. 

  64.             $oldstring = $string;
    65. 

  65.             $string = preg_replace('#</*(applet|meta|xml|blink|link|style|script|embed|object|iframe|frame|frameset|ilayer|layer|bgsound|title|base)[^>]*>#i',"",$string);
    66. 

  66.         } while ($oldstring != $string);
    67. 

  67.         
    68. 

  68.         return $string;
    69. 

  69.     }
    70. 

  70.     
    71. 

  71.     static function removeMagicQuotes($data) {
    72. 

  72.         
    73. 

  73.         if (get_magic_quotes_gpc()) {
    74. 

  74.             $newdata = array();
    75. 

  75.             foreach ($data as $name => $value) {
    76. 

  76.                 $name = stripslashes($name);
    77. 

  77.                 if (is_array($value)) {
    78. 

  78.                     $newdata[$name] = self::removeMagicQuotes($value);
    79. 

  79.                 } else {
    80. 

  80.                     $newdata[$name] = stripslashes($value);
    81. 

  81.                 }
    82. 

  82.             }
    83. 

  83.             return $newdata;
    84. 

  84.         }
    85. 

  85.         return $data;
    86. 

  86.         
    87. 

  87.     }
    88. 

  88. }   
    89. 

  89.