PageRenderTime 39ms CodeModel.GetById 11ms RepoModel.GetById 0ms app.codeStats 0ms

/core/libraries/inputfilter.php

https://github.com/joostina/joostina
PHP | 268 lines | 221 code | 26 blank | 21 comment | 67 complexity | 01d181f1c95d08f53fc547f12298c4c9 MD5 | raw file
Possible License(s): AGPL-1.0, GPL-3.0, LGPL-2.1 
    

  1. <?php defined('_JOOS_CORE') or exit;
    2. 

  2. 

  3. /**
    4. 

  4.  * Библиотека обеспечения безопасности при работе со входящими данными
    5. 

  5.  *
    6. 

  6.  * @version    1.0
    7. 

  7.  * @package    Core\Libraries
    8. 

  8.  * @subpackage Inputfilter
    9. 

  9.  * @category   Libraries
    10. 

  10.  * @author     Joostina Team <info@joostina.ru>
    11. 

  11.  * @copyright  (C) 2007-2012 Joostina Team
    12. 

  12.  * @license    MIT License http://www.opensource.org/licenses/mit-license.php
    13. 

  13.  * Информация об авторах и лицензиях стороннего кода в составе Joostina CMS: docs/copyrights
    14. 

  14.  *
    15. 

  15.  * */
    16. 

  16. class joosInputFilter
    17. 

  17. {
    18. 

  18.     /**
    19. 

  19.      * @var joosInputFilter
    20. 

  20.      */
    21. 

  21.     private static $instance;
    22. 

  22.     protected $tagsArray;
    23. 

  23.     protected $attrArray;
    24. 

  24.     protected $tagsMethod;
    25. 

  25.     protected $attrMethod;
    26. 

  26.     protected $xssAuto;
    27. 

  27.     protected $tagBlacklist = array('applet', 'body', 'bgsound', 'base', 'basefont', 'embed', 'frame', 'frameset', 'head', 'html', 'id', 'iframe', 'ilayer', 'layer', 'link', 'meta', 'name', 'object', 'script', 'style', 'title', 'xml');
    28. 

  28.     protected $attrBlacklist = array('action', 'background', 'codebase', 'dynsrc', 'lowsrc');
    29. 

  29. 

  30.     private function __construct($tagsArray = array(), $attrArray = array(), $tagsMethod = 0, $attrMethod = 0, $xssAuto = 1)
    31. 

  31.     {
    32. 

  32.         $tagsArray = array_map('strtolower', (array) $tagsArray);
    33. 

  33.         $attrArray = array_map('strtolower', (array) $attrArray);
    34. 

  34.         $this->tagsArray = (array) $tagsArray;
    35. 

  35.         $this->attrArray = (array) $attrArray;
    36. 

  36.         $this->tagsMethod = $tagsMethod;
    37. 

  37.         $this->attrMethod = $attrMethod;
    38. 

  38.         $this->xssAuto = $xssAuto;
    39. 

  39.     }
    40. 

  40. 

  41.     public static function instance($tagsArray = array(), $attrArray = array(), $tagsMethod = 0, $attrMethod = 0, $xssAuto = 1)
    42. 

  42.     {
    43. 

  43.         !JDEBUG ? : joosDebug::inc('joosInputFilter::instance');
    44. 

  44. 

  45.         if (self::$instance === null) {
    46. 

  46.             self::$instance = new self($tagsArray, $attrArray, $tagsMethod, $attrMethod, $xssAuto);
    47. 

  47.         }
    48. 

  48. 

  49.         return self::$instance;
    50. 

  50.     }
    51. 

  51. 

  52.     private function __clone()
    53. 

  53.     {
    54. 

  54.     }
    55. 

  55. 

  56.     public function process($source)
    57. 

  57.     {
    58. 

  58.         if (is_array($source)) {
    59. 

  59.             foreach ($source as $key => $value) {
    60. 

  60.                 if (is_string($value)) {
    61. 

  61.                     $source[$key] = $this->remove($this->decode($value));
    62. 

  62.                 }
    63. 

  63.             }
    64. 

  64. 

  65.             return $source;
    66. 

  66.         } else {
    67. 

  67.             if (is_string($source) && !empty($source)) {
    68. 

  68.                 return $this->remove($this->decode($source));
    69. 

  69.             } else {
    70. 

  70.                 return $source;
    71. 

  71.             }
    72. 

  72.         }
    73. 

  73.     }
    74. 

  74. 

  75.     protected function remove($source)
    76. 

  76.     {
    77. 

  77.         //$loopCounter = 0;
    78. 

  78.         while ($source != $this->filterTags($source)) {
    79. 

  79.             $source = $this->filterTags($source);
    80. 

  80.             //$loopCounter++;
    81. 

  81.         }
    82. 

  82. 

  83.         return $source;
    84. 

  84.     }
    85. 

  85. 

  86.     protected function filterTags($source)
    87. 

  87.     {
    88. 

  88.         $preTag = null;
    89. 

  89.         $postTag = $source;
    90. 

  90.         $tagOpen_start = strpos($source, '<');
    91. 

  91.         while ($tagOpen_start !== false) {
    92. 

  92.             $preTag .= substr($postTag, 0, $tagOpen_start);
    93. 

  93.             $postTag = substr($postTag, $tagOpen_start);
    94. 

  94.             $fromTagOpen = substr($postTag, 1);
    95. 

  95.             $tagOpen_end = strpos($fromTagOpen, '>');
    96. 

  96.             if ($tagOpen_end === false) {
    97. 

  97.                 $postTag = substr($postTag, $tagOpen_start + 1);
    98. 

  98.                 $tagOpen_start = strpos($postTag, '<');
    99. 

  99.                 continue;
    100. 

  100.             }
    101. 

  101.             $tagOpen_nested = strpos($fromTagOpen, '<');
    102. 

  102.             //$tagOpen_nested_end = strpos(substr($postTag,$tagOpen_end),'>');
    103. 

  103.             if (($tagOpen_nested !== false) && ($tagOpen_nested < $tagOpen_end)) {
    104. 

  104.                 $preTag .= substr($postTag, 0, ($tagOpen_nested + 1));
    105. 

  105.                 $postTag = substr($postTag, ($tagOpen_nested + 1));
    106. 

  106.                 $tagOpen_start = strpos($postTag, '<');
    107. 

  107.                 continue;
    108. 

  108.             }
    109. 

  109.             //$tagOpen_nested = (strpos($fromTagOpen, '<') + $tagOpen_start + 1);
    110. 

  110.             $currentTag = substr($fromTagOpen, 0, $tagOpen_end);
    111. 

  111.             $tagLength = strlen($currentTag);
    112. 

  112.             $tagLeft = $currentTag;
    113. 

  113.             $attrSet = array();
    114. 

  114.             $currentSpace = strpos($tagLeft, ' ');
    115. 

  115.             if (substr($currentTag, 0, 1) == "/") {
    116. 

  116.                 $isCloseTag = true;
    117. 

  117.                 list($tagName) = explode(' ', $currentTag);
    118. 

  118.                 $tagName = substr($tagName, 1);
    119. 

  119.             } else {
    120. 

  120.                 $isCloseTag = false;
    121. 

  121.                 list($tagName) = explode(' ', $currentTag);
    122. 

  122.             }
    123. 

  123.             if ((!preg_match("/^[a-z][a-z0-9]*$/iu", $tagName)) || (!$tagName) || ((in_array(strtolower($tagName), $this->tagBlacklist)) && ($this->xssAuto))) {
    124. 

  124.                 $postTag = substr($postTag, ($tagLength + 2));
    125. 

  125.                 $tagOpen_start = strpos($postTag, '<');
    126. 

  126.                 continue;
    127. 

  127.             }
    128. 

  128.             while ($currentSpace !== false) {
    129. 

  129.                 $fromSpace = substr($tagLeft, ($currentSpace + 1));
    130. 

  130.                 $nextSpace = strpos($fromSpace, ' ');
    131. 

  131.                 $openQuotes = strpos($fromSpace, '"');
    132. 

  132.                 $closeQuotes = strpos(substr($fromSpace, ($openQuotes + 1)), '"') + $openQuotes + 1;
    133. 

  133.                 if (strpos($fromSpace, '=') !== false) {
    134. 

  134.                     if (($openQuotes !== false) && (strpos(substr($fromSpace, ($openQuotes + 1)), '"') !== false)) {
    135. 

  135.                         $attr = substr($fromSpace, 0, ($closeQuotes + 1));
    136. 

  136.                     } else {
    137. 

  137.                         $attr = substr($fromSpace, 0, $nextSpace);
    138. 

  138.                     }
    139. 

  139.                 } else {
    140. 

  140.                     $attr = substr($fromSpace, 0, $nextSpace);
    141. 

  141.                 }
    142. 

  142.                 if (!$attr) {
    143. 

  143.                     $attr = $fromSpace;
    144. 

  144.                 }
    145. 

  145.                 $attrSet[] = $attr;
    146. 

  146.                 $tagLeft = substr($fromSpace, strlen($attr));
    147. 

  147.                 $currentSpace = strpos($tagLeft, ' ');
    148. 

  148.             }
    149. 

  149.             $tagFound = in_array(strtolower($tagName), $this->tagsArray);
    150. 

  150.             if ((!$tagFound && $this->tagsMethod) || ($tagFound && !$this->tagsMethod)) {
    151. 

  151.                 if (!$isCloseTag) {
    152. 

  152.                     $attrSet = $this->filterAttr($attrSet);
    153. 

  153.                     $preTag .= '<' . $tagName;
    154. 

  154.                     for ($i = 0; $i < count($attrSet); $i++) {
    155. 

  155.                         $preTag .= ' ' . $attrSet[$i];
    156. 

  156.                     }
    157. 

  157.                     if (strpos($fromTagOpen, "</" . $tagName)) {
    158. 

  158.                         $preTag .= '>';
    159. 

  159.                     } else {
    160. 

  160.                         $preTag .= ' />';
    161. 

  161.                     }
    162. 

  162.                 } else {
    163. 

  163.                     $preTag .= '</' . $tagName . '>';
    164. 

  164.                 }
    165. 

  165.             }
    166. 

  166.             $postTag = substr($postTag, ($tagLength + 2));
    167. 

  167.             $tagOpen_start = strpos($postTag, '<');
    168. 

  168.         }
    169. 

  169.         if ($postTag != '<') {
    170. 

  170.             $preTag .= $postTag;
    171. 

  171.         }
    172. 

  172. 

  173.         return $preTag;
    174. 

  174.     }
    175. 

  175. 

  176.     protected function filterAttr($attrSet)
    177. 

  177.     {
    178. 

  178.         $newSet = array();
    179. 

  179.         for ($i = 0; $i < count($attrSet); $i++) {
    180. 

  180.             if (!$attrSet[$i]) {
    181. 

  181.                 continue;
    182. 

  182.             }
    183. 

  183.             $attrSubSet = explode('=', trim($attrSet[$i]), 2);
    184. 

  184.             list($attrSubSet[0]) = explode(' ', $attrSubSet[0]);
    185. 

  185.             // TODO eregi - зло
    186. 

  186.             if ((!eregi("^[a-z]*$", $attrSubSet[0])) || (($this->xssAuto) && ((in_array(strtolower($attrSubSet[0]), $this->attrBlacklist)) || (substr(strtolower($attrSubSet[0]), 0, 2) == 'on')))) {
    187. 

  187.                 continue;
    188. 

  188.             }
    189. 

  189.             if ($attrSubSet[1]) {
    190. 

  190.                 $attrSubSet[1] = str_replace('&#', '', $attrSubSet[1]);
    191. 

  191.                 $attrSubSet[1] = preg_replace('/\s+/', '', $attrSubSet[1]);
    192. 

  192.                 $attrSubSet[1] = str_replace('"', '', $attrSubSet[1]);
    193. 

  193.                 if ((substr($attrSubSet[1], 0, 1) == "'") && (substr($attrSubSet[1], (strlen($attrSubSet[1]) - 1), 1) == "'")) {
    194. 

  194.                     $attrSubSet[1] = substr($attrSubSet[1], 1, (strlen($attrSubSet[1]) - 2));
    195. 

  195.                 }
    196. 

  196.                 $attrSubSet[1] = stripslashes($attrSubSet[1]);
    197. 

  197.             }
    198. 

  198.             if (self::badAttributeValue($attrSubSet)) {
    199. 

  199.                 continue;
    200. 

  200.             }
    201. 

  201.             $attrFound = in_array(strtolower($attrSubSet[0]), $this->attrArray);
    202. 

  202.             if ((!$attrFound && $this->attrMethod) || ($attrFound && !$this->attrMethod)) {
    203. 

  203.                 if ($attrSubSet[1]) {
    204. 

  204.                     $newSet[] = $attrSubSet[0] . '="' . $attrSubSet[1] . '"';
    205. 

  205.                 } elseif ($attrSubSet[1] == "0") {
    206. 

  206.                     $newSet[] = $attrSubSet[0] . '="0"';
    207. 

  207.                 } else {
    208. 

  208.                     $newSet[] = $attrSubSet[0] . '="' . $attrSubSet[0] . '"';
    209. 

  209.                 }
    210. 

  210.             }
    211. 

  211.         }
    212. 

  212. 

  213.         return $newSet;
    214. 

  214.     }
    215. 

  215. 

  216.     public function badAttributeValue($attrSubSet)
    217. 

  217.     {
    218. 

  218.         $attrSubSet[0] = strtolower($attrSubSet[0]);
    219. 

  219.         $attrSubSet[1] = strtolower($attrSubSet[1]);
    220. 

  220. 

  221.         return (((strpos($attrSubSet[1], 'expression') !== false) && ($attrSubSet[0]) == 'style') || (strpos($attrSubSet[1], 'javascript:') !== false) || (strpos($attrSubSet[1], 'behaviour:') !== false) || (strpos($attrSubSet[1], 'vbscript:') !== false) || (strpos($attrSubSet[1], 'mocha:') !== false) || (strpos($attrSubSet[1], 'livescript:') !== false));
    222. 

  222.     }
    223. 

  223. 

  224.     protected function decode($source)
    225. 

  225.     {
    226. 

  226.         $source = html_entity_decode($source, ENT_QUOTES, "UTF-8");
    227. 

  227.         $source = preg_replace('/&#(\d+);/me', "chr(\\1)", $source);
    228. 

  228.         $source = preg_replace('/&#x([a-f0-9]+);/mei', "chr(0x\\1)", $source);
    229. 

  229. 

  230.         return $source;
    231. 

  231.     }
    232. 

  232. 

  233.     public function safeSQL($source)
    234. 

  234.     {
    235. 

  235.         if (is_array($source)) {
    236. 

  236.             foreach ($source as $key => $value) {
    237. 

  237.                 if (is_string($value)) {
    238. 

  238.                     $source[$key] = $this->quoteSmart($this->decode($value));
    239. 

  239.                 }
    240. 

  240.             }
    241. 

  241. 

  242.             return $source;
    243. 

  243.         } elseif (is_string($source)) {
    244. 

  244.             if (is_string($source)) {
    245. 

  245.                 return $this->quoteSmart($this->decode($source));
    246. 

  246.             }
    247. 

  247.         } else {
    248. 

  248.             return $source;
    249. 

  249.         }
    250. 

  250. 

  251.         return 'error';
    252. 

  252.     }
    253. 

  253. 

  254.     protected function quoteSmart($source)
    255. 

  255.     {
    256. 

  256.         $source = $this->escapeString($source);
    257. 

  257. 

  258.         return $source;
    259. 

  259.     }
    260. 

  260. 

  261.     protected function escapeString($string)
    262. 

  262.     {
    263. 

  263.         $string = mysql_real_escape_string($string);
    264. 

  264. 

  265.         return $string;
    266. 

  266.     }
    267. 

  267. 

  268. }
    269. 

  269.