PageRenderTime 46ms CodeModel.GetById 17ms RepoModel.GetById 1ms app.codeStats 0ms

/phpmyadmin/libraries/sanitizing.lib.php

https://bitbucket.org/kylestlb/cse360site
PHP | 89 lines | 53 code | 7 blank | 29 comment | 9 complexity | 8e1cf32dbd91485424edba4914c4de51 MD5 | raw file
Possible License(s): GPL-2.0, LGPL-2.1, LGPL-3.0
  1. <?php
  2. /* vim: set expandtab sw=4 ts=4 sts=4: */
  3. /**
  4. * This is in a separate script because it's called from a number of scripts
  5. *
  6. * @package phpMyAdmin
  7. */
  8. /**
  9. * Sanitizes $message, taking into account our special codes
  10. * for formatting.
  11. *
  12. * If you want to include result in element attribute, you should escape it.
  13. *
  14. * Examples:
  15. *
  16. * <p><?php echo PMA_sanitize($foo); ?></p>
  17. *
  18. * <a title="<?php echo PMA_sanitize($foo, true); ?>">bar</a>
  19. *
  20. * @uses preg_replace()
  21. * @uses strtr()
  22. * @param string the message
  23. * @param boolean whether to escape html in result
  24. *
  25. * @return string the sanitized message
  26. *
  27. * @access public
  28. */
  29. function PMA_sanitize($message, $escape = false, $safe = false)
  30. {
  31. if (!$safe) {
  32. $message = strtr($message, array('<' => '&lt;', '>' => '&gt;'));
  33. }
  34. $replace_pairs = array(
  35. '[i]' => '<em>', // deprecated by em
  36. '[/i]' => '</em>', // deprecated by em
  37. '[em]' => '<em>',
  38. '[/em]' => '</em>',
  39. '[b]' => '<strong>', // deprecated by strong
  40. '[/b]' => '</strong>', // deprecated by strong
  41. '[strong]' => '<strong>',
  42. '[/strong]' => '</strong>',
  43. '[tt]' => '<code>', // deprecated by CODE or KBD
  44. '[/tt]' => '</code>', // deprecated by CODE or KBD
  45. '[code]' => '<code>',
  46. '[/code]' => '</code>',
  47. '[kbd]' => '<kbd>',
  48. '[/kbd]' => '</kbd>',
  49. '[br]' => '<br />',
  50. '[/a]' => '</a>',
  51. '[sup]' => '<sup>',
  52. '[/sup]' => '</sup>',
  53. );
  54. $message = strtr($message, $replace_pairs);
  55. $pattern = '/\[a@([^"@]*)@([^]"]*)\]/';
  56. if (preg_match_all($pattern, $message, $founds, PREG_SET_ORDER)) {
  57. $valid_links = array(
  58. 'http', // default http:// links (and https://)
  59. './Do', // ./Documentation
  60. );
  61. foreach ($founds as $found) {
  62. // only http... and ./Do... allowed
  63. if (! in_array(substr($found[1], 0, 4), $valid_links)) {
  64. return $message;
  65. }
  66. // a-z and _ allowed in target
  67. if (! empty($found[2]) && preg_match('/[^a-z_]+/i', $found[2])) {
  68. return $message;
  69. }
  70. }
  71. if (substr($found[1], 0, 4) == 'http') {
  72. $message = preg_replace($pattern, '<a href="' . PMA_linkURL($found[1]) . '" target="\2">', $message);
  73. } else {
  74. $message = preg_replace($pattern, '<a href="\1" target="\2">', $message);
  75. }
  76. }
  77. if ($escape) {
  78. $message = htmlspecialchars($message);
  79. }
  80. return $message;
  81. }
  82. ?>