Gitiles
Code Review Sign In
www.giggi.me / code-igniter-v3-giggi / 8816aaab7ac21d4e3ccd1eedd86462bc94aff2c1 / . / system / libraries / Input.php
blob: 9a73ab9b981da96fd6bea7501a7d696d7f8c494e [file] [log] [blame]
Derek Allarda72b60d2007-01-31 23:56:11 +0000[diff] [blame]1<?php if (!defined('BASEPATH')) exit('No direct script access allowed');
2/**
Derek Allardd2df9bc2007-04-15 17:41:17 +0000[diff] [blame]3 * CodeIgniter
Derek Allarda72b60d2007-01-31 23:56:11 +0000[diff] [blame]4 *
5 * An open source application development framework for PHP 4.3.2 or newer
6 *
7 * @package CodeIgniter
8 * @author Rick Ellis
Derek Allardd2df9bc2007-04-15 17:41:17 +0000[diff] [blame]9 * @copyright Copyright (c) 2006, EllisLab, Inc.
Derek Allarda72b60d2007-01-31 23:56:11 +0000[diff] [blame]10 * @license http://www.codeignitor.com/user_guide/license.html
11 * @link http://www.codeigniter.com
12 * @since Version 1.0
13 * @filesource
14 */
15
16// ------------------------------------------------------------------------
17
18/**
19 * Input Class
20 *
21 * Pre-processes global input data for security
22 *
23 * @package CodeIgniter
24 * @subpackage Libraries
25 * @category Input
26 * @author Rick Ellis
27 * @link http://www.codeigniter.com/user_guide/libraries/input.html
28 */
29class CI_Input {
30 var $use_xss_clean = FALSE;
31 var $ip_address = FALSE;
32 var $user_agent = FALSE;
33 var $allow_get_array = FALSE;
34
35 /**
36 * Constructor
37 *
38 * Sets whether to globally enable the XSS processing
39 * and whether to allow the $_GET array
40 *
41 * @access public
42 */
43 function CI_Input()
44 {
45 log_message('debug', "Input Class Initialized");
46
47 $CFG =& load_class('Config');
48 $this->use_xss_clean = ($CFG->item('global_xss_filtering') === TRUE) ? TRUE : FALSE;
49 $this->allow_get_array = ($CFG->item('enable_query_strings') === TRUE) ? TRUE : FALSE;
50 $this->_sanitize_globals();
51 }
52
53 // --------------------------------------------------------------------
54
55 /**
56 * Sanitize Globals
57 *
58 * This function does the following:
59 *
60 * Unsets $_GET data (if query strings are not enabled)
61 *
62 * Unsets all globals if register_globals is enabled
63 *
64 * Standardizes newline characters to \n
65 *
66 * @access private
67 * @return void
68 */
69 function _sanitize_globals()
70 {
paulburdick8816aaa2007-06-27 23:07:36 +0000[diff] [blame^]71 // Would kind of be "wrong" to unset any of these GLOBALS.
72 $protected = array('_SERVER', '_GET', '_POST', '_FILES', '_REQUEST', '_SESSION', '_ENV', 'GLOBALS', 'HTTP_RAW_POST_DATA');
73
Rick Ellisbb2041d2007-06-09 00:16:13 +0000[diff] [blame]74 // Unset globals for securiy.
75 // This is effectively the same as register_globals = off
Derek Allarda72b60d2007-01-31 23:56:11 +0000[diff] [blame]76 foreach (array($_GET, $_POST, $_COOKIE) as $global)
77 {
78 if ( ! is_array($global))
79 {
paulburdick8816aaa2007-06-27 23:07:36 +0000[diff] [blame^]80 if ( ! in_array($global, $protected))
81 {
82 global $global;
83 $$global = NULL;
84 }
Derek Allarda72b60d2007-01-31 23:56:11 +0000[diff] [blame]85 }
86 else
87 {
88 foreach ($global as $key => $val)
89 {
paulburdick8816aaa2007-06-27 23:07:36 +0000[diff] [blame^]90 if ( ! in_array($key, $protected))
91 {
92 global $$key;
93 $$key = NULL;
94 }
Derek Allarda72b60d2007-01-31 23:56:11 +0000[diff] [blame]95 }
96 }
97 }
98
99 // Is $_GET data allowed? If not we'll set the $_GET to an empty array
100 if ($this->allow_get_array == FALSE)
101 {
102 $_GET = array();
103 }
Rick Ellis112569d2007-02-26 19:19:08 +0000[diff] [blame]104 else
105 {
106 if (is_array($_GET) AND count($_GET) > 0)
107 {
108 foreach($_GET as $key => $val)
109 {
110 $_GET[$this->_clean_input_keys($key)] = $this->_clean_input_data($val);
111 }
112 }
113 }
Derek Allarda72b60d2007-01-31 23:56:11 +0000[diff] [blame]114
115 // Clean $_POST Data
116 if (is_array($_POST) AND count($_POST) > 0)
117 {
118 foreach($_POST as $key => $val)
119 {
120 $_POST[$this->_clean_input_keys($key)] = $this->_clean_input_data($val);
121 }
122 }
123
124 // Clean $_COOKIE Data
125 if (is_array($_COOKIE) AND count($_COOKIE) > 0)
126 {
127 foreach($_COOKIE as $key => $val)
128 {
129 $_COOKIE[$this->_clean_input_keys($key)] = $this->_clean_input_data($val);
130 }
131 }
132
133 log_message('debug', "Global POST and COOKIE data sanitized");
134 }
135
136 // --------------------------------------------------------------------
137
138 /**
139 * Clean Input Data
140 *
141 * This is a helper function. It escapes data and
142 * standardizes newline characters to \n
143 *
144 * @access private
145 * @param string
146 * @return string
147 */
148 function _clean_input_data($str)
149 {
150 if (is_array($str))
151 {
152 $new_array = array();
153 foreach ($str as $key => $val)
154 {
155 $new_array[$this->_clean_input_keys($key)] = $this->_clean_input_data($val);
156 }
157 return $new_array;
158 }
159
Rick Ellisbb2041d2007-06-09 00:16:13 +0000[diff] [blame]160 // We strip slashes if magic quotes is on to keep things consistent
161 if (get_magic_quotes_gpc())
162 {
163 $str = stripslashes($str);
164 }
165
166 // Should we filter the input data?
Derek Allarda72b60d2007-01-31 23:56:11 +0000[diff] [blame]167 if ($this->use_xss_clean === TRUE)
168 {
169 $str = $this->xss_clean($str);
170 }
171
172 // Standardize newlines
173 return preg_replace("/\015\012|\015|\012/", "\n", $str);
174 }
175
176 // --------------------------------------------------------------------
177
178 /**
179 * Clean Keys
180 *
181 * This is a helper function. To prevent malicious users
182 * from trying to exploit keys we make sure that keys are
183 * only named with alpha-numeric text and a few other items.
184 *
185 * @access private
186 * @param string
187 * @return string
188 */
189 function _clean_input_keys($str)
190 {
191 if ( ! preg_match("/^[a-z0-9:_\/-]+$/i", $str))
192 {
193 exit('Disallowed Key Characters.');
194 }
Rick Ellisbb2041d2007-06-09 00:16:13 +0000[diff] [blame]195
Derek Allarda72b60d2007-01-31 23:56:11 +0000[diff] [blame]196 return $str;
197 }
Rick Ellis112569d2007-02-26 19:19:08 +0000[diff] [blame]198
199 // --------------------------------------------------------------------
200
201 /**
202 * Fetch an item from the GET array
203 *
204 * @access public
205 * @param string
206 * @param bool
207 * @return string
208 */
Derek Allard87d1eeb2007-03-01 13:20:43 +0000[diff] [blame]209 function get($index = '', $xss_clean = FALSE)
Rick Ellis112569d2007-02-26 19:19:08 +0000[diff] [blame]210 {
211 if ( ! isset($_GET[$index]))
212 {
213 return FALSE;
214 }
215
216 if ($xss_clean === TRUE)
217 {
218 if (is_array($_GET[$index]))
219 {
220 foreach($_GET[$index] as $key => $val)
221 {
222 $_GET[$index][$key] = $this->xss_clean($val);
223 }
224 }
225 else
226 {
227 return $this->xss_clean($_GET[$index]);
228 }
229 }
230
231 return $_GET[$index];
232 }
Derek Allarda72b60d2007-01-31 23:56:11 +0000[diff] [blame]233
234 // --------------------------------------------------------------------
235
236 /**
237 * Fetch an item from the POST array
238 *
239 * @access public
240 * @param string
241 * @param bool
242 * @return string
243 */
244 function post($index = '', $xss_clean = FALSE)
245 {
246 if ( ! isset($_POST[$index]))
247 {
248 return FALSE;
249 }
250
251 if ($xss_clean === TRUE)
252 {
253 if (is_array($_POST[$index]))
254 {
255 foreach($_POST[$index] as $key => $val)
256 {
257 $_POST[$index][$key] = $this->xss_clean($val);
258 }
259 }
260 else
261 {
262 return $this->xss_clean($_POST[$index]);
263 }
264 }
265
266 return $_POST[$index];
267 }
268
269 // --------------------------------------------------------------------
270
271 /**
272 * Fetch an item from the COOKIE array
273 *
274 * @access public
275 * @param string
276 * @param bool
277 * @return string
278 */
279 function cookie($index = '', $xss_clean = FALSE)
280 {
281 if ( ! isset($_COOKIE[$index]))
282 {
283 return FALSE;
284 }
285
286 if ($xss_clean === TRUE)
287 {
288 if (is_array($_COOKIE[$index]))
289 {
290 $cookie = array();
291 foreach($_COOKIE[$index] as $key => $val)
292 {
293 $cookie[$key] = $this->xss_clean($val);
294 }
295
296 return $cookie;
297 }
298 else
299 {
300 return $this->xss_clean($_COOKIE[$index]);
301 }
302 }
303 else
304 {
305 return $_COOKIE[$index];
306 }
307 }
308
309 // --------------------------------------------------------------------
310
311 /**
312 * Fetch an item from the SERVER array
313 *
314 * @access public
315 * @param string
316 * @param bool
317 * @return string
318 */
319 function server($index = '', $xss_clean = FALSE)
320 {
321 if ( ! isset($_SERVER[$index]))
322 {
323 return FALSE;
324 }
325
326 if ($xss_clean === TRUE)
327 {
328 return $this->xss_clean($_SERVER[$index]);
329 }
330
331 return $_SERVER[$index];
332 }
333
334 // --------------------------------------------------------------------
335
336 /**
337 * Fetch the IP Address
338 *
339 * @access public
340 * @return string
341 */
342 function ip_address()
343 {
344 if ($this->ip_address !== FALSE)
345 {
346 return $this->ip_address;
347 }
348
349 if ($this->server('REMOTE_ADDR') AND $this->server('HTTP_CLIENT_IP'))
350 {
351 $this->ip_address = $_SERVER['HTTP_CLIENT_IP'];
352 }
353 elseif ($this->server('REMOTE_ADDR'))
354 {
355 $this->ip_address = $_SERVER['REMOTE_ADDR'];
356 }
357 elseif ($this->server('HTTP_CLIENT_IP'))
358 {
359 $this->ip_address = $_SERVER['HTTP_CLIENT_IP'];
360 }
361 elseif ($this->server('HTTP_X_FORWARDED_FOR'))
362 {
363 $this->ip_address = $_SERVER['HTTP_X_FORWARDED_FOR'];
364 }
365
366 if ($this->ip_address === FALSE)
367 {
368 $this->ip_address = '0.0.0.0';
369 return $this->ip_address;
370 }
371
372 if (strstr($this->ip_address, ','))
373 {
374 $x = explode(',', $this->ip_address);
375 $this->ip_address = end($x);
376 }
377
378 if ( ! $this->valid_ip($this->ip_address))
379 {
380 $this->ip_address = '0.0.0.0';
381 }
382
383 return $this->ip_address;
384 }
385
386 // --------------------------------------------------------------------
387
388 /**
389 * Validate IP Address
390 *
Rick Ellise666afc2007-06-11 05:03:11 +0000[diff] [blame]391 * Updated version suggested by Geert De Deckere
392 *
Derek Allarda72b60d2007-01-31 23:56:11 +0000[diff] [blame]393 * @access public
394 * @param string
395 * @return string
396 */
397 function valid_ip($ip)
398 {
Rick Ellise666afc2007-06-11 05:03:11 +0000[diff] [blame]399 $ip_segments = explode('.', $ip);
400
401 // Always 4 segments needed
402 if (count($ip_segments) != 4)
Rick Ellis112569d2007-02-26 19:19:08 +0000[diff] [blame]403 {
404 return FALSE;
405 }
Rick Ellis65e8f0e2007-06-12 03:53:21 +0000[diff] [blame]406 // IP can not start with 0
Rick Ellis39213142007-06-12 03:53:12 +0000[diff] [blame]407 if (substr($ip_segments[0], 0, 1) == '0')
Rick Ellis112569d2007-02-26 19:19:08 +0000[diff] [blame]408 {
Rick Ellise666afc2007-06-11 05:03:11 +0000[diff] [blame]409 return FALSE;
410 }
411 // Check each segment
412 foreach ($ip_segments as $segment)
413 {
414 // IP segments must be digits and can not be
415 // longer than 3 digits or greater then 255
Rick Ellisba648932007-06-12 03:39:38 +0000[diff] [blame]416 if (preg_match("/[^0-9]/", $segment) OR $segment > 255 OR strlen($segment) > 3)
Rick Ellis112569d2007-02-26 19:19:08 +0000[diff] [blame]417 {
Rick Ellise666afc2007-06-11 05:03:11 +0000[diff] [blame]418 return FALSE;
Rick Ellis112569d2007-02-26 19:19:08 +0000[diff] [blame]419 }
420 }
421
422 return TRUE;
Derek Allarda72b60d2007-01-31 23:56:11 +0000[diff] [blame]423 }
424
425 // --------------------------------------------------------------------
426
427 /**
428 * User Agent
429 *
430 * @access public
431 * @return string
432 */
433 function user_agent()
434 {
435 if ($this->user_agent !== FALSE)
436 {
437 return $this->user_agent;
438 }
439
440 $this->user_agent = ( ! isset($_SERVER['HTTP_USER_AGENT'])) ? FALSE : $_SERVER['HTTP_USER_AGENT'];
441
442 return $this->user_agent;
443 }
444
445 // --------------------------------------------------------------------
446
447 /**
448 * XSS Clean
449 *
450 * Sanitizes data so that Cross Site Scripting Hacks can be
451 * prevented.  This function does a fair amount of work but
452 * it is extremely thorough, designed to prevent even the
453 * most obscure XSS attempts.  Nothing is ever 100% foolproof,
454 * of course, but I haven't been able to get anything passed
455 * the filter.
456 *
457 * Note: This function should only be used to deal with data
458 * upon submission.  It's not something that should
459 * be used for general runtime processing.
460 *
461 * This function was based in part on some code and ideas I
462 * got from Bitflux: http://blog.bitflux.ch/wiki/XSS_Prevention
463 *
464 * To help develop this script I used this great list of
465 * vulnerabilities along with a few other hacks I've
466 * harvested from examining vulnerabilities in other programs:
467 * http://ha.ckers.org/xss.html
468 *
469 * @access public
470 * @param string
471 * @return string
472 */
473 function xss_clean($str, $charset = 'ISO-8859-1')
474 {
475 /*
476 * Remove Null Characters
477 *
478 * This prevents sandwiching null characters
479 * between ascii characters, like Java\0script.
480 *
481 */
482 $str = preg_replace('/\0+/', '', $str);
483 $str = preg_replace('/(\\\\0)+/', '', $str);
484
485 /*
486 * Validate standard character entities
487 *
488 * Add a semicolon if missing. We do this to enable
489 * the conversion of entities to ASCII later.
490 *
491 */
492 $str = preg_replace('#(&\#*\w+)[\x00-\x20]+;#u',"\\1;",$str);
493
494 /*
495 * Validate UTF16 two byte encoding (x00)
496 *
497 * Just as above, adds a semicolon if missing.
498 *
499 */
500 $str = preg_replace('#(&\#x*)([0-9A-F]+);*#iu',"\\1\\2;",$str);
501
502 /*
503 * URL Decode
504 *
505 * Just in case stuff like this is submitted:
506 *
507 * <a href="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">Google</a>
508 *
509 * Note: Normally urldecode() would be easier but it removes plus signs
510 *
511 */
Derek Jones01f72ca2007-05-04 18:19:17 +0000[diff] [blame]512 $str = preg_replace("/(%20)+/", '9u3iovBnRThju941s89rKozm', $str);
Derek Allarda72b60d2007-01-31 23:56:11 +0000[diff] [blame]513 $str = preg_replace("/%u0([a-z0-9]{3})/i", "&#x\\1;", $str);
Derek Jones01f72ca2007-05-04 18:19:17 +0000[diff] [blame]514 $str = preg_replace("/%([a-z0-9]{2})/i", "&#x\\1;", $str);
515 $str = str_replace('9u3iovBnRThju941s89rKozm', "%20", $str);
Derek Allarda72b60d2007-01-31 23:56:11 +0000[diff] [blame]516
517 /*
518 * Convert character entities to ASCII
519 *
520 * This permits our tests below to work reliably.
521 * We only convert entities that are within tags since
522 * these are the ones that will pose security problems.
523 *
524 */
525 if (preg_match_all("/<(.+?)>/si", $str, $matches))
526 {
527 for ($i = 0; $i < count($matches['0']); $i++)
528 {
529 $str = str_replace($matches['1'][$i],
530 $this->_html_entity_decode($matches['1'][$i], $charset),
531 $str);
532 }
533 }
534
535 /*
536 * Not Allowed Under Any Conditions
537 */
538 $bad = array(
539 'document.cookie' => '[removed]',
paulburdick033ef022007-06-26 21:52:52 +0000[diff] [blame]540 '.parentNode' => '[removed]',
541 '.innerHTML' => '[removed]',
Derek Allarda72b60d2007-01-31 23:56:11 +0000[diff] [blame]542 'document.write' => '[removed]',
543 'window.location' => '[removed]',
544 "javascript\s*:" => '[removed]',
paulburdick033ef022007-06-26 21:52:52 +0000[diff] [blame]545 "expression\s*\(" => '[removed]', // CSS and IE
Derek Allarda72b60d2007-01-31 23:56:11 +0000[diff] [blame]546 "Redirect\s+302" => '[removed]',
547 '<!--' => '&lt;!--',
548 '-->' => '--&gt;'
549 );
550
551 foreach ($bad as $key => $val)
552 {
553 $str = preg_replace("#".$key."#i", $val, $str);
554 }
555
556 /*
557 * Convert all tabs to spaces
558 *
559 * This prevents strings like this: ja vascript
560 * Note: we deal with spaces between characters later.
561 *
562 */
563 $str = preg_replace("#\t+#", " ", $str);
564
565 /*
566 * Makes PHP tags safe
567 *
568 * Note: XML tags are inadvertently replaced too:
569 *
570 * <?xml
571 *
572 * But it doesn't seem to pose a problem.
573 *
574 */
575 $str = str_replace(array('<?php', '<?PHP', '<?', '?>'), array('&lt;?php', '&lt;?PHP', '&lt;?', '?&gt;'), $str);
576
577 /*
578 * Compact any exploded words
579 *
580 * This corrects words like: j a v a s c r i p t
581 * These words are compacted back to their correct state.
582 *
583 */
paulburdickb614d392007-06-26 21:58:56 +0000[diff] [blame]584 $words = array('javascript', 'expression', 'vbscript', 'script', 'applet', 'alert', 'document', 'write', 'cookie', 'window');
Derek Allarda72b60d2007-01-31 23:56:11 +0000[diff] [blame]585 foreach ($words as $word)
586 {
587 $temp = '';
588 for ($i = 0; $i < strlen($word); $i++)
589 {
590 $temp .= substr($word, $i, 1)."\s*";
591 }
592
Derek Jones01f72ca2007-05-04 18:19:17 +0000[diff] [blame]593 // We only want to do this when it is followed by a non-word character
594 // That way valid stuff like "dealer to" does not become "dealerto"
595 $str = preg_replace('#('.substr($temp, 0, -3).')(\W)#ise', "preg_replace('/\s+/s', '', '\\1').'\\2'", $str);
Derek Allarda72b60d2007-01-31 23:56:11 +0000[diff] [blame]596 }
597
598 /*
599 * Remove disallowed Javascript in links or img tags
paulburdick391eb032007-06-27 22:58:24 +0000[diff] [blame]600 */
601 do
602 {
603 $original = $str;
604
605 $str = preg_replace_callback("#<a.*?</a>#si", array($this, '_js_link_removal'), $str);
606 $str = preg_replace_callback("#<img.*?>#si", array($this, '_js_img_removal'), $str);
607 $str = preg_replace("#</*(script|xss).*?\>#si", "", $str);
608 }
609 while($original != $str);
610
611 unset($original);
Derek Allarda72b60d2007-01-31 23:56:11 +0000[diff] [blame]612
613 /*
614 * Remove JavaScript Event Handlers
615 *
616 * Note: This code is a little blunt. It removes
617 * the event handler and anything up to the closing >,
618 * but it's unlikely to be a problem.
619 *
620 */
Derek Jones01f72ca2007-05-04 18:19:17 +0000[diff] [blame]621 $event_handlers = array('onblur','onchange','onclick','onfocus','onload','onmouseover','onmouseup','onmousedown','onselect','onsubmit','onunload','onkeypress','onkeydown','onkeyup','onresize', 'xmlns');
622 $str = preg_replace("#<([^>]+)(".implode('|', $event_handlers).")([^>]*)>#iU", "&lt;\\1\\2\\3&gt;", $str);
Derek Allarda72b60d2007-01-31 23:56:11 +0000[diff] [blame]623
624 /*
625 * Sanitize naughty HTML elements
626 *
627 * If a tag containing any of the words in the list
628 * below is found, the tag gets converted to entities.
629 *
630 * So this: <blink>
631 * Becomes: &lt;blink&gt;
632 *
633 */
634 $str = preg_replace('#<(/*\s*)(alert|applet|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|layer|link|meta|object|plaintext|style|script|textarea|title|xml|xss)([^>]*)>#is', "&lt;\\1\\2\\3&gt;", $str);
635
636 /*
637 * Sanitize naughty scripting elements
638 *
639 * Similar to above, only instead of looking for
640 * tags it looks for PHP and JavaScript commands
641 * that are disallowed. Rather than removing the
642 * code, it simply converts the parenthesis to entities
643 * rendering the code un-executable.
644 *
645 * For example: eval('some code')
646 * Becomes: eval&#40;'some code'&#41;
647 *
648 */
paulburdick033ef022007-06-26 21:52:52 +0000[diff] [blame]649 $str = preg_replace('#(alert|cmd|passthru|eval|exec|expression|system|fopen|fsockopen|file|file_get_contents|readfile|unlink)(\s*)\((.*?)\)#si', "\\1\\2&#40;\\3&#41;", $str);
Derek Allarda72b60d2007-01-31 23:56:11 +0000[diff] [blame]650
651 /*
652 * Final clean up
653 *
654 * This adds a bit of extra precaution in case
655 * something got through the above filters
656 *
657 */
658 $bad = array(
659 'document.cookie' => '[removed]',
paulburdick033ef022007-06-26 21:52:52 +0000[diff] [blame]660 '.parentNode' => '[removed]',
661 '.innerHTML' => '[removed]',
Derek Allarda72b60d2007-01-31 23:56:11 +0000[diff] [blame]662 'document.write' => '[removed]',
663 'window.location' => '[removed]',
664 "javascript\s*:" => '[removed]',
paulburdick033ef022007-06-26 21:52:52 +0000[diff] [blame]665 "expression\s*\(" => '[removed]', // CSS and IE
Derek Allarda72b60d2007-01-31 23:56:11 +0000[diff] [blame]666 "Redirect\s+302" => '[removed]',
667 '<!--' => '&lt;!--',
668 '-->' => '--&gt;'
669 );
670
671 foreach ($bad as $key => $val)
672 {
673 $str = preg_replace("#".$key."#i", $val, $str);
674 }
675
676
677 log_message('debug', "XSS Filtering completed");
678 return $str;
679 }
680
681 // --------------------------------------------------------------------
Derek Jones01f72ca2007-05-04 18:19:17 +0000[diff] [blame]682
683 /**
684 * JS Link Removal
685 *
686 * Callback function for xss_clean() to sanitize links
687 * This limits the PCRE backtracks, making it more performance friendly
688 * and prevents PREG_BACKTRACK_LIMIT_ERROR from being triggered in
689 * PHP 5.2+ on link-heavy strings
690 *
691 * @access private
692 * @param array
693 * @return string
694 */
695 function _js_link_removal($match)
696 {
697 return preg_replace("#<a.+?href=.*?(alert\(|alert&\#40;|javascript\:|window\.|document\.|\.cookie|<script|<xss).*?\>.*?</a>#si", "", $match[0]);
698 }
699
700 /**
701 * JS Image Removal
702 *
703 * Callback function for xss_clean() to sanitize image tags
704 * This limits the PCRE backtracks, making it more performance friendly
705 * and prevents PREG_BACKTRACK_LIMIT_ERROR from being triggered in
706 * PHP 5.2+ on image tag heavy strings
707 *
708 * @access private
709 * @param array
710 * @return string
711 */
712 function _js_img_removal($match)
713 {
714 return preg_replace("#<img.+?src=.*?(alert\(|alert&\#40;|javascript\:|window\.|document\.|\.cookie|<script|<xss).*?\>#si", "", $match[0]);
715 }
Derek Allarda72b60d2007-01-31 23:56:11 +0000[diff] [blame]716
Derek Jones01f72ca2007-05-04 18:19:17 +0000[diff] [blame]717 // --------------------------------------------------------------------
718
Derek Allarda72b60d2007-01-31 23:56:11 +0000[diff] [blame]719 /**
720 * HTML Entities Decode
721 *
722 * This function is a replacement for html_entity_decode()
723 *
724 * In some versions of PHP the native function does not work
725 * when UTF-8 is the specified character set, so this gives us
726 * a work-around. More info here:
727 * http://bugs.php.net/bug.php?id=25670
728 *
729 * @access private
730 * @param string
731 * @param string
732 * @return string
733 */
734 /* -------------------------------------------------
735 /* Replacement for html_entity_decode()
736 /* -------------------------------------------------*/
737
738 /*
739 NOTE: html_entity_decode() has a bug in some PHP versions when UTF-8 is the
740 character set, and the PHP developers said they were not back porting the
741 fix to versions other than PHP 5.x.
742 */
743 function _html_entity_decode($str, $charset='ISO-8859-1')
744 {
745 if (stristr($str, '&') === FALSE) return $str;
746
747 // The reason we are not using html_entity_decode() by itself is because
748 // while it is not technically correct to leave out the semicolon
749 // at the end of an entity most browsers will still interpret the entity
750 // correctly. html_entity_decode() does not convert entities without
751 // semicolons, so we are left with our own little solution here. Bummer.
752
753 if (function_exists('html_entity_decode') && (strtolower($charset) != 'utf-8' OR version_compare(phpversion(), '5.0.0', '>=')))
754 {
755 $str = html_entity_decode($str, ENT_COMPAT, $charset);
756 $str = preg_replace('~&#x([0-9a-f]{2,5})~ei', 'chr(hexdec("\\1"))', $str);
757 return preg_replace('~&#([0-9]{2,4})~e', 'chr(\\1)', $str);
758 }
759
760 // Numeric Entities
761 $str = preg_replace('~&#x([0-9a-f]{2,5});{0,1}~ei', 'chr(hexdec("\\1"))', $str);
762 $str = preg_replace('~&#([0-9]{2,4});{0,1}~e', 'chr(\\1)', $str);
763
764 // Literal Entities - Slightly slow so we do another check
765 if (stristr($str, '&') === FALSE)
766 {
767 $str = strtr($str, array_flip(get_html_translation_table(HTML_ENTITIES)));
768 }
769
770 return $str;
771 }
772
773}
774// END Input class
adminb0dd10f2006-08-25 17:25:49 +0000[diff] [blame]775?>