/inc/popoon/classes/externalinput.php
PHP | 88 lines | 42 code | 15 blank | 31 comment | 7 complexity | cdcdee1205c8bceec05565ae1eb05a02 MD5 | raw file
Possible License(s): GPL-2.0, BSD-3-Clause, Apache-2.0, LGPL-2.1
- <?php
- // +----------------------------------------------------------------------+
- // | popoon |
- // +----------------------------------------------------------------------+
- // | Copyright (c) 2001-2008 Liip AG |
- // +----------------------------------------------------------------------+
- // | Licensed under the Apache License, Version 2.0 (the "License"); |
- // | you may not use this file except in compliance with the License. |
- // | You may obtain a copy of the License at |
- // | http://www.apache.org/licenses/LICENSE-2.0 |
- // | Unless required by applicable law or agreed to in writing, software |
- // | distributed under the License is distributed on an "AS IS" BASIS, |
- // | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or |
- // | implied. See the License for the specific language governing |
- // | permissions and limitations under the License. |
- // +----------------------------------------------------------------------+
- // | Author: Christian Stocker <christian.stocker@liip.ch> |
- // +----------------------------------------------------------------------+
- //
- // $Id$
- class popoon_classes_externalinput {
-
- // this basic clean should clean html code from
- // lot of possible malicious code for Cross Site Scripting
- // use it whereever you get external input
- static function basicClean($string) {
- if (get_magic_quotes_gpc()) {
- $string = stripslashes($string);
- }
- //if the newer externalinput class exists, use this
- if (method_exists('lx_externalinput_clean','basic')) {
- return lx_externalinput_clean::basic($string);
- }
- $string = str_replace(array("&","<",">"),array("&amp;","&lt;","&gt;"),$string);
- // fix &entitiy\n;
- $string = preg_replace('#(&\#*\w+)[\x00-\x20]+;#u',"$1;",$string);
- $string = preg_replace('#(&\#x*)([0-9A-F]+);*#iu',"$1$2;",$string);
- $string = html_entity_decode($string, ENT_COMPAT, "UTF-8");
-
- // remove any attribute starting with "on" or xmlns
- $string = preg_replace('#(<[^>]+[\x00-\x20\"\'\/])(on|xmlns)[^>]*>#iUu', "$1>", $string);
-
- // remove javascript: and vbscript: protocol
- $string = preg_replace('#([a-z]*)[\x00-\x20\/]*=[\x00-\x20\/]*([\`\'\"]*)[\x00-\x20\/]*j[\x00-\x20]*a[\x00-\x20]*v[\x00-\x20]*a[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iUu', '$1=$2nojavascript...', $string);
- $string = preg_replace('#([a-z]*)[\x00-\x20\/]*=[\x00-\x20\/]*([\`\'\"]*)[\x00-\x20\/]*v[\x00-\x20]*b[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iUu', '$1=$2novbscript...', $string);
- $string = preg_replace('#([a-z]*)[\x00-\x20\/]*=[\x00-\x20\/]*([\`\'\"]*)[\x00-\x20\/]*-moz-binding[\x00-\x20]*:#Uu', '$1=$2nomozbinding...', $string);
- $string = preg_replace('#([a-z]*)[\x00-\x20\/]*=[\x00-\x20\/]*([\`\'\"]*)[\x00-\x20\/]*data[\x00-\x20]*:#Uu', '$1=$2nodata...', $string);
-
- //remove any style attributes, IE allows too much stupid things in them, eg.
- //<span style="width: expression(alert('Ping!'));"></span>
- // and in general you really don't want style declarations in your UGC
- $string = preg_replace('#(<[^>]+[\x00-\x20\"\'\/])style[^>]*>#iUu', "$1>", $string);
-
- //remove namespaced elements (we do not need them...)
- $string = preg_replace('#</*\w+:\w[^>]*>#i',"",$string);
- //remove really unwanted tags
-
- do {
- $oldstring = $string;
- $string = preg_replace('#</*(applet|meta|xml|blink|link|style|script|embed|object|iframe|frame|frameset|ilayer|layer|bgsound|title|base)[^>]*>#i',"",$string);
- } while ($oldstring != $string);
-
- return $string;
- }
-
- static function removeMagicQuotes($data) {
-
- if (get_magic_quotes_gpc()) {
- $newdata = array();
- foreach ($data as $name => $value) {
- $name = stripslashes($name);
- if (is_array($value)) {
- $newdata[$name] = self::removeMagicQuotes($value);
- } else {
- $newdata[$name] = stripslashes($value);
- }
- }
- return $newdata;
- }
- return $data;
-
- }
- }