blob: f9d23ae79a5d4b031ee4082834bacdec30284f68 [file] [log] [blame]
Derek Allarda72b60d2007-01-31 23:56:11 +00001<?php if (!defined('BASEPATH')) exit('No direct script access allowed');
2/**
Derek Allardd2df9bc2007-04-15 17:41:17 +00003 * CodeIgniter
Derek Allarda72b60d2007-01-31 23:56:11 +00004 *
5 * An open source application development framework for PHP 4.3.2 or newer
6 *
7 * @package CodeIgniter
8 * @author Rick Ellis
Derek Allardd2df9bc2007-04-15 17:41:17 +00009 * @copyright Copyright (c) 2006, EllisLab, Inc.
Derek Allarda72b60d2007-01-31 23:56:11 +000010 * @license http://www.codeignitor.com/user_guide/license.html
11 * @link http://www.codeigniter.com
12 * @since Version 1.0
13 * @filesource
14 */
15
16// ------------------------------------------------------------------------
17
18/**
19 * Input Class
20 *
21 * Pre-processes global input data for security
22 *
23 * @package CodeIgniter
24 * @subpackage Libraries
25 * @category Input
26 * @author Rick Ellis
27 * @link http://www.codeigniter.com/user_guide/libraries/input.html
28 */
29class CI_Input {
30 var $use_xss_clean = FALSE;
31 var $ip_address = FALSE;
32 var $user_agent = FALSE;
33 var $allow_get_array = FALSE;
34
35 /**
36 * Constructor
37 *
38 * Sets whether to globally enable the XSS processing
39 * and whether to allow the $_GET array
40 *
41 * @access public
42 */
43 function CI_Input()
44 {
45 log_message('debug', "Input Class Initialized");
46
47 $CFG =& load_class('Config');
48 $this->use_xss_clean = ($CFG->item('global_xss_filtering') === TRUE) ? TRUE : FALSE;
49 $this->allow_get_array = ($CFG->item('enable_query_strings') === TRUE) ? TRUE : FALSE;
50 $this->_sanitize_globals();
51 }
52
53 // --------------------------------------------------------------------
54
55 /**
56 * Sanitize Globals
57 *
58 * This function does the following:
59 *
60 * Unsets $_GET data (if query strings are not enabled)
61 *
62 * Unsets all globals if register_globals is enabled
63 *
64 * Standardizes newline characters to \n
65 *
66 * @access private
67 * @return void
68 */
69 function _sanitize_globals()
70 {
Rick Ellisbb2041d2007-06-09 00:16:13 +000071 // Unset globals for securiy.
72 // This is effectively the same as register_globals = off
Derek Allarda72b60d2007-01-31 23:56:11 +000073 foreach (array($_GET, $_POST, $_COOKIE) as $global)
74 {
75 if ( ! is_array($global))
76 {
77 global $global;
78 $$global = NULL;
79 }
80 else
81 {
82 foreach ($global as $key => $val)
83 {
84 global $$key;
85 $$key = NULL;
86 }
87 }
88 }
89
90 // Is $_GET data allowed? If not we'll set the $_GET to an empty array
91 if ($this->allow_get_array == FALSE)
92 {
93 $_GET = array();
94 }
Rick Ellis112569d2007-02-26 19:19:08 +000095 else
96 {
97 if (is_array($_GET) AND count($_GET) > 0)
98 {
99 foreach($_GET as $key => $val)
100 {
101 $_GET[$this->_clean_input_keys($key)] = $this->_clean_input_data($val);
102 }
103 }
104 }
Derek Allarda72b60d2007-01-31 23:56:11 +0000105
106 // Clean $_POST Data
107 if (is_array($_POST) AND count($_POST) > 0)
108 {
109 foreach($_POST as $key => $val)
110 {
111 $_POST[$this->_clean_input_keys($key)] = $this->_clean_input_data($val);
112 }
113 }
114
115 // Clean $_COOKIE Data
116 if (is_array($_COOKIE) AND count($_COOKIE) > 0)
117 {
118 foreach($_COOKIE as $key => $val)
119 {
120 $_COOKIE[$this->_clean_input_keys($key)] = $this->_clean_input_data($val);
121 }
122 }
123
124 log_message('debug', "Global POST and COOKIE data sanitized");
125 }
126
127 // --------------------------------------------------------------------
128
129 /**
130 * Clean Input Data
131 *
132 * This is a helper function. It escapes data and
133 * standardizes newline characters to \n
134 *
135 * @access private
136 * @param string
137 * @return string
138 */
139 function _clean_input_data($str)
140 {
141 if (is_array($str))
142 {
143 $new_array = array();
144 foreach ($str as $key => $val)
145 {
146 $new_array[$this->_clean_input_keys($key)] = $this->_clean_input_data($val);
147 }
148 return $new_array;
149 }
150
Rick Ellisbb2041d2007-06-09 00:16:13 +0000151 // We strip slashes if magic quotes is on to keep things consistent
152 if (get_magic_quotes_gpc())
153 {
154 $str = stripslashes($str);
155 }
156
157 // Should we filter the input data?
Derek Allarda72b60d2007-01-31 23:56:11 +0000158 if ($this->use_xss_clean === TRUE)
159 {
160 $str = $this->xss_clean($str);
161 }
162
163 // Standardize newlines
164 return preg_replace("/\015\012|\015|\012/", "\n", $str);
165 }
166
167 // --------------------------------------------------------------------
168
169 /**
170 * Clean Keys
171 *
172 * This is a helper function. To prevent malicious users
173 * from trying to exploit keys we make sure that keys are
174 * only named with alpha-numeric text and a few other items.
175 *
176 * @access private
177 * @param string
178 * @return string
179 */
180 function _clean_input_keys($str)
181 {
182 if ( ! preg_match("/^[a-z0-9:_\/-]+$/i", $str))
183 {
184 exit('Disallowed Key Characters.');
185 }
Rick Ellisbb2041d2007-06-09 00:16:13 +0000186
Derek Allarda72b60d2007-01-31 23:56:11 +0000187 return $str;
188 }
Rick Ellis112569d2007-02-26 19:19:08 +0000189
190 // --------------------------------------------------------------------
191
192 /**
193 * Fetch an item from the GET array
194 *
195 * @access public
196 * @param string
197 * @param bool
198 * @return string
199 */
Derek Allard87d1eeb2007-03-01 13:20:43 +0000200 function get($index = '', $xss_clean = FALSE)
Rick Ellis112569d2007-02-26 19:19:08 +0000201 {
202 if ( ! isset($_GET[$index]))
203 {
204 return FALSE;
205 }
206
207 if ($xss_clean === TRUE)
208 {
209 if (is_array($_GET[$index]))
210 {
211 foreach($_GET[$index] as $key => $val)
212 {
213 $_GET[$index][$key] = $this->xss_clean($val);
214 }
215 }
216 else
217 {
218 return $this->xss_clean($_GET[$index]);
219 }
220 }
221
222 return $_GET[$index];
223 }
Derek Allarda72b60d2007-01-31 23:56:11 +0000224
225 // --------------------------------------------------------------------
226
227 /**
228 * Fetch an item from the POST array
229 *
230 * @access public
231 * @param string
232 * @param bool
233 * @return string
234 */
235 function post($index = '', $xss_clean = FALSE)
236 {
237 if ( ! isset($_POST[$index]))
238 {
239 return FALSE;
240 }
241
242 if ($xss_clean === TRUE)
243 {
244 if (is_array($_POST[$index]))
245 {
246 foreach($_POST[$index] as $key => $val)
247 {
248 $_POST[$index][$key] = $this->xss_clean($val);
249 }
250 }
251 else
252 {
253 return $this->xss_clean($_POST[$index]);
254 }
255 }
256
257 return $_POST[$index];
258 }
259
260 // --------------------------------------------------------------------
261
262 /**
263 * Fetch an item from the COOKIE array
264 *
265 * @access public
266 * @param string
267 * @param bool
268 * @return string
269 */
270 function cookie($index = '', $xss_clean = FALSE)
271 {
272 if ( ! isset($_COOKIE[$index]))
273 {
274 return FALSE;
275 }
276
277 if ($xss_clean === TRUE)
278 {
279 if (is_array($_COOKIE[$index]))
280 {
281 $cookie = array();
282 foreach($_COOKIE[$index] as $key => $val)
283 {
284 $cookie[$key] = $this->xss_clean($val);
285 }
286
287 return $cookie;
288 }
289 else
290 {
291 return $this->xss_clean($_COOKIE[$index]);
292 }
293 }
294 else
295 {
296 return $_COOKIE[$index];
297 }
298 }
299
300 // --------------------------------------------------------------------
301
302 /**
303 * Fetch an item from the SERVER array
304 *
305 * @access public
306 * @param string
307 * @param bool
308 * @return string
309 */
310 function server($index = '', $xss_clean = FALSE)
311 {
312 if ( ! isset($_SERVER[$index]))
313 {
314 return FALSE;
315 }
316
317 if ($xss_clean === TRUE)
318 {
319 return $this->xss_clean($_SERVER[$index]);
320 }
321
322 return $_SERVER[$index];
323 }
324
325 // --------------------------------------------------------------------
326
327 /**
328 * Fetch the IP Address
329 *
330 * @access public
331 * @return string
332 */
333 function ip_address()
334 {
335 if ($this->ip_address !== FALSE)
336 {
337 return $this->ip_address;
338 }
339
340 if ($this->server('REMOTE_ADDR') AND $this->server('HTTP_CLIENT_IP'))
341 {
342 $this->ip_address = $_SERVER['HTTP_CLIENT_IP'];
343 }
344 elseif ($this->server('REMOTE_ADDR'))
345 {
346 $this->ip_address = $_SERVER['REMOTE_ADDR'];
347 }
348 elseif ($this->server('HTTP_CLIENT_IP'))
349 {
350 $this->ip_address = $_SERVER['HTTP_CLIENT_IP'];
351 }
352 elseif ($this->server('HTTP_X_FORWARDED_FOR'))
353 {
354 $this->ip_address = $_SERVER['HTTP_X_FORWARDED_FOR'];
355 }
356
357 if ($this->ip_address === FALSE)
358 {
359 $this->ip_address = '0.0.0.0';
360 return $this->ip_address;
361 }
362
363 if (strstr($this->ip_address, ','))
364 {
365 $x = explode(',', $this->ip_address);
366 $this->ip_address = end($x);
367 }
368
369 if ( ! $this->valid_ip($this->ip_address))
370 {
371 $this->ip_address = '0.0.0.0';
372 }
373
374 return $this->ip_address;
375 }
376
377 // --------------------------------------------------------------------
378
379 /**
380 * Validate IP Address
381 *
Rick Ellise666afc2007-06-11 05:03:11 +0000382 * Updated version suggested by Geert De Deckere
383 *
Derek Allarda72b60d2007-01-31 23:56:11 +0000384 * @access public
385 * @param string
386 * @return string
387 */
388 function valid_ip($ip)
389 {
Rick Ellise666afc2007-06-11 05:03:11 +0000390 $ip_segments = explode('.', $ip);
391
392 // Always 4 segments needed
393 if (count($ip_segments) != 4)
Rick Ellis112569d2007-02-26 19:19:08 +0000394 {
395 return FALSE;
396 }
Rick Ellis65e8f0e2007-06-12 03:53:21 +0000397 // IP can not start with 0
Rick Ellis39213142007-06-12 03:53:12 +0000398 if (substr($ip_segments[0], 0, 1) == '0')
Rick Ellis112569d2007-02-26 19:19:08 +0000399 {
Rick Ellise666afc2007-06-11 05:03:11 +0000400 return FALSE;
401 }
402 // Check each segment
403 foreach ($ip_segments as $segment)
404 {
405 // IP segments must be digits and can not be
406 // longer than 3 digits or greater then 255
Rick Ellisba648932007-06-12 03:39:38 +0000407 if (preg_match("/[^0-9]/", $segment) OR $segment > 255 OR strlen($segment) > 3)
Rick Ellis112569d2007-02-26 19:19:08 +0000408 {
Rick Ellise666afc2007-06-11 05:03:11 +0000409 return FALSE;
Rick Ellis112569d2007-02-26 19:19:08 +0000410 }
411 }
412
413 return TRUE;
Derek Allarda72b60d2007-01-31 23:56:11 +0000414 }
415
416 // --------------------------------------------------------------------
417
418 /**
419 * User Agent
420 *
421 * @access public
422 * @return string
423 */
424 function user_agent()
425 {
426 if ($this->user_agent !== FALSE)
427 {
428 return $this->user_agent;
429 }
430
431 $this->user_agent = ( ! isset($_SERVER['HTTP_USER_AGENT'])) ? FALSE : $_SERVER['HTTP_USER_AGENT'];
432
433 return $this->user_agent;
434 }
435
436 // --------------------------------------------------------------------
437
438 /**
439 * XSS Clean
440 *
441 * Sanitizes data so that Cross Site Scripting Hacks can be
442 * prevented.  This function does a fair amount of work but
443 * it is extremely thorough, designed to prevent even the
444 * most obscure XSS attempts.  Nothing is ever 100% foolproof,
445 * of course, but I haven't been able to get anything passed
446 * the filter.
447 *
448 * Note: This function should only be used to deal with data
449 * upon submission.  It's not something that should
450 * be used for general runtime processing.
451 *
452 * This function was based in part on some code and ideas I
453 * got from Bitflux: http://blog.bitflux.ch/wiki/XSS_Prevention
454 *
455 * To help develop this script I used this great list of
456 * vulnerabilities along with a few other hacks I've
457 * harvested from examining vulnerabilities in other programs:
458 * http://ha.ckers.org/xss.html
459 *
460 * @access public
461 * @param string
462 * @return string
463 */
464 function xss_clean($str, $charset = 'ISO-8859-1')
465 {
466 /*
467 * Remove Null Characters
468 *
469 * This prevents sandwiching null characters
470 * between ascii characters, like Java\0script.
471 *
472 */
473 $str = preg_replace('/\0+/', '', $str);
474 $str = preg_replace('/(\\\\0)+/', '', $str);
475
476 /*
477 * Validate standard character entities
478 *
479 * Add a semicolon if missing. We do this to enable
480 * the conversion of entities to ASCII later.
481 *
482 */
483 $str = preg_replace('#(&\#*\w+)[\x00-\x20]+;#u',"\\1;",$str);
484
485 /*
486 * Validate UTF16 two byte encoding (x00)
487 *
488 * Just as above, adds a semicolon if missing.
489 *
490 */
491 $str = preg_replace('#(&\#x*)([0-9A-F]+);*#iu',"\\1\\2;",$str);
492
493 /*
494 * URL Decode
495 *
496 * Just in case stuff like this is submitted:
497 *
498 * <a href="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">Google</a>
499 *
500 * Note: Normally urldecode() would be easier but it removes plus signs
501 *
502 */
Derek Jones01f72ca2007-05-04 18:19:17 +0000503 $str = preg_replace("/(%20)+/", '9u3iovBnRThju941s89rKozm', $str);
Derek Allarda72b60d2007-01-31 23:56:11 +0000504 $str = preg_replace("/%u0([a-z0-9]{3})/i", "&#x\\1;", $str);
Derek Jones01f72ca2007-05-04 18:19:17 +0000505 $str = preg_replace("/%([a-z0-9]{2})/i", "&#x\\1;", $str);
506 $str = str_replace('9u3iovBnRThju941s89rKozm', "%20", $str);
Derek Allarda72b60d2007-01-31 23:56:11 +0000507
508 /*
509 * Convert character entities to ASCII
510 *
511 * This permits our tests below to work reliably.
512 * We only convert entities that are within tags since
513 * these are the ones that will pose security problems.
514 *
515 */
516 if (preg_match_all("/<(.+?)>/si", $str, $matches))
517 {
518 for ($i = 0; $i < count($matches['0']); $i++)
519 {
520 $str = str_replace($matches['1'][$i],
521 $this->_html_entity_decode($matches['1'][$i], $charset),
522 $str);
523 }
524 }
525
526 /*
527 * Not Allowed Under Any Conditions
528 */
529 $bad = array(
530 'document.cookie' => '[removed]',
paulburdick033ef022007-06-26 21:52:52 +0000531 '.parentNode' => '[removed]',
532 '.innerHTML' => '[removed]',
Derek Allarda72b60d2007-01-31 23:56:11 +0000533 'document.write' => '[removed]',
534 'window.location' => '[removed]',
535 "javascript\s*:" => '[removed]',
paulburdick033ef022007-06-26 21:52:52 +0000536 "expression\s*\(" => '[removed]', // CSS and IE
Derek Allarda72b60d2007-01-31 23:56:11 +0000537 "Redirect\s+302" => '[removed]',
538 '<!--' => '&lt;!--',
539 '-->' => '--&gt;'
540 );
541
542 foreach ($bad as $key => $val)
543 {
544 $str = preg_replace("#".$key."#i", $val, $str);
545 }
546
547 /*
548 * Convert all tabs to spaces
549 *
550 * This prevents strings like this: ja vascript
551 * Note: we deal with spaces between characters later.
552 *
553 */
554 $str = preg_replace("#\t+#", " ", $str);
555
556 /*
557 * Makes PHP tags safe
558 *
559 * Note: XML tags are inadvertently replaced too:
560 *
561 * <?xml
562 *
563 * But it doesn't seem to pose a problem.
564 *
565 */
566 $str = str_replace(array('<?php', '<?PHP', '<?', '?>'), array('&lt;?php', '&lt;?PHP', '&lt;?', '?&gt;'), $str);
567
568 /*
569 * Compact any exploded words
570 *
571 * This corrects words like: j a v a s c r i p t
572 * These words are compacted back to their correct state.
573 *
574 */
paulburdickb614d392007-06-26 21:58:56 +0000575 $words = array('javascript', 'expression', 'vbscript', 'script', 'applet', 'alert', 'document', 'write', 'cookie', 'window');
Derek Allarda72b60d2007-01-31 23:56:11 +0000576 foreach ($words as $word)
577 {
578 $temp = '';
579 for ($i = 0; $i < strlen($word); $i++)
580 {
581 $temp .= substr($word, $i, 1)."\s*";
582 }
583
Derek Jones01f72ca2007-05-04 18:19:17 +0000584 // We only want to do this when it is followed by a non-word character
585 // That way valid stuff like "dealer to" does not become "dealerto"
586 $str = preg_replace('#('.substr($temp, 0, -3).')(\W)#ise', "preg_replace('/\s+/s', '', '\\1').'\\2'", $str);
Derek Allarda72b60d2007-01-31 23:56:11 +0000587 }
588
589 /*
590 * Remove disallowed Javascript in links or img tags
paulburdick391eb032007-06-27 22:58:24 +0000591 */
592 do
593 {
594 $original = $str;
595
596 $str = preg_replace_callback("#<a.*?</a>#si", array($this, '_js_link_removal'), $str);
597 $str = preg_replace_callback("#<img.*?>#si", array($this, '_js_img_removal'), $str);
598 $str = preg_replace("#</*(script|xss).*?\>#si", "", $str);
599 }
600 while($original != $str);
601
602 unset($original);
Derek Allarda72b60d2007-01-31 23:56:11 +0000603
604 /*
605 * Remove JavaScript Event Handlers
606 *
607 * Note: This code is a little blunt. It removes
608 * the event handler and anything up to the closing >,
609 * but it's unlikely to be a problem.
610 *
611 */
Derek Jones01f72ca2007-05-04 18:19:17 +0000612 $event_handlers = array('onblur','onchange','onclick','onfocus','onload','onmouseover','onmouseup','onmousedown','onselect','onsubmit','onunload','onkeypress','onkeydown','onkeyup','onresize', 'xmlns');
613 $str = preg_replace("#<([^>]+)(".implode('|', $event_handlers).")([^>]*)>#iU", "&lt;\\1\\2\\3&gt;", $str);
Derek Allarda72b60d2007-01-31 23:56:11 +0000614
615 /*
616 * Sanitize naughty HTML elements
617 *
618 * If a tag containing any of the words in the list
619 * below is found, the tag gets converted to entities.
620 *
621 * So this: <blink>
622 * Becomes: &lt;blink&gt;
623 *
624 */
625 $str = preg_replace('#<(/*\s*)(alert|applet|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|layer|link|meta|object|plaintext|style|script|textarea|title|xml|xss)([^>]*)>#is', "&lt;\\1\\2\\3&gt;", $str);
626
627 /*
628 * Sanitize naughty scripting elements
629 *
630 * Similar to above, only instead of looking for
631 * tags it looks for PHP and JavaScript commands
632 * that are disallowed. Rather than removing the
633 * code, it simply converts the parenthesis to entities
634 * rendering the code un-executable.
635 *
636 * For example: eval('some code')
637 * Becomes: eval&#40;'some code'&#41;
638 *
639 */
paulburdick033ef022007-06-26 21:52:52 +0000640 $str = preg_replace('#(alert|cmd|passthru|eval|exec|expression|system|fopen|fsockopen|file|file_get_contents|readfile|unlink)(\s*)\((.*?)\)#si', "\\1\\2&#40;\\3&#41;", $str);
Derek Allarda72b60d2007-01-31 23:56:11 +0000641
642 /*
643 * Final clean up
644 *
645 * This adds a bit of extra precaution in case
646 * something got through the above filters
647 *
648 */
649 $bad = array(
650 'document.cookie' => '[removed]',
paulburdick033ef022007-06-26 21:52:52 +0000651 '.parentNode' => '[removed]',
652 '.innerHTML' => '[removed]',
Derek Allarda72b60d2007-01-31 23:56:11 +0000653 'document.write' => '[removed]',
654 'window.location' => '[removed]',
655 "javascript\s*:" => '[removed]',
paulburdick033ef022007-06-26 21:52:52 +0000656 "expression\s*\(" => '[removed]', // CSS and IE
Derek Allarda72b60d2007-01-31 23:56:11 +0000657 "Redirect\s+302" => '[removed]',
658 '<!--' => '&lt;!--',
659 '-->' => '--&gt;'
660 );
661
662 foreach ($bad as $key => $val)
663 {
664 $str = preg_replace("#".$key."#i", $val, $str);
665 }
666
667
668 log_message('debug', "XSS Filtering completed");
669 return $str;
670 }
671
672 // --------------------------------------------------------------------
Derek Jones01f72ca2007-05-04 18:19:17 +0000673
674 /**
675 * JS Link Removal
676 *
677 * Callback function for xss_clean() to sanitize links
678 * This limits the PCRE backtracks, making it more performance friendly
679 * and prevents PREG_BACKTRACK_LIMIT_ERROR from being triggered in
680 * PHP 5.2+ on link-heavy strings
681 *
682 * @access private
683 * @param array
684 * @return string
685 */
686 function _js_link_removal($match)
687 {
688 return preg_replace("#<a.+?href=.*?(alert\(|alert&\#40;|javascript\:|window\.|document\.|\.cookie|<script|<xss).*?\>.*?</a>#si", "", $match[0]);
689 }
690
691 /**
692 * JS Image Removal
693 *
694 * Callback function for xss_clean() to sanitize image tags
695 * This limits the PCRE backtracks, making it more performance friendly
696 * and prevents PREG_BACKTRACK_LIMIT_ERROR from being triggered in
697 * PHP 5.2+ on image tag heavy strings
698 *
699 * @access private
700 * @param array
701 * @return string
702 */
703 function _js_img_removal($match)
704 {
705 return preg_replace("#<img.+?src=.*?(alert\(|alert&\#40;|javascript\:|window\.|document\.|\.cookie|<script|<xss).*?\>#si", "", $match[0]);
706 }
Derek Allarda72b60d2007-01-31 23:56:11 +0000707
Derek Jones01f72ca2007-05-04 18:19:17 +0000708 // --------------------------------------------------------------------
709
Derek Allarda72b60d2007-01-31 23:56:11 +0000710 /**
711 * HTML Entities Decode
712 *
713 * This function is a replacement for html_entity_decode()
714 *
715 * In some versions of PHP the native function does not work
716 * when UTF-8 is the specified character set, so this gives us
717 * a work-around. More info here:
718 * http://bugs.php.net/bug.php?id=25670
719 *
720 * @access private
721 * @param string
722 * @param string
723 * @return string
724 */
725 /* -------------------------------------------------
726 /* Replacement for html_entity_decode()
727 /* -------------------------------------------------*/
728
729 /*
730 NOTE: html_entity_decode() has a bug in some PHP versions when UTF-8 is the
731 character set, and the PHP developers said they were not back porting the
732 fix to versions other than PHP 5.x.
733 */
734 function _html_entity_decode($str, $charset='ISO-8859-1')
735 {
736 if (stristr($str, '&') === FALSE) return $str;
737
738 // The reason we are not using html_entity_decode() by itself is because
739 // while it is not technically correct to leave out the semicolon
740 // at the end of an entity most browsers will still interpret the entity
741 // correctly. html_entity_decode() does not convert entities without
742 // semicolons, so we are left with our own little solution here. Bummer.
743
744 if (function_exists('html_entity_decode') && (strtolower($charset) != 'utf-8' OR version_compare(phpversion(), '5.0.0', '>=')))
745 {
746 $str = html_entity_decode($str, ENT_COMPAT, $charset);
747 $str = preg_replace('~&#x([0-9a-f]{2,5})~ei', 'chr(hexdec("\\1"))', $str);
748 return preg_replace('~&#([0-9]{2,4})~e', 'chr(\\1)', $str);
749 }
750
751 // Numeric Entities
752 $str = preg_replace('~&#x([0-9a-f]{2,5});{0,1}~ei', 'chr(hexdec("\\1"))', $str);
753 $str = preg_replace('~&#([0-9]{2,4});{0,1}~e', 'chr(\\1)', $str);
754
755 // Literal Entities - Slightly slow so we do another check
756 if (stristr($str, '&') === FALSE)
757 {
758 $str = strtr($str, array_flip(get_html_translation_table(HTML_ENTITIES)));
759 }
760
761 return $str;
762 }
763
764}
765// END Input class
adminb0dd10f2006-08-25 17:25:49 +0000766?>