| [ Index ] |
|
Code source de GeekLog 1.4.1 |
1 <?php 2 3 /* Reminder: always indent with 4 spaces (no tabs). */ 4 // +---------------------------------------------------------------------------+ 5 // | Geeklog 1.4 | 6 // +---------------------------------------------------------------------------+ 7 // | sanitize.class.php | 8 // | | 9 // | Geeklog data filtering or sanitizing class library. | 10 // +---------------------------------------------------------------------------+ 11 // | Copyright (C) 2002-2006 by the following authors: | 12 // | | 13 // | Authors: Tony Bibbs - tony AT tonybibbs DOT com | 14 // | Dirk Haun - dirk AT haun-online DOT de | 15 // | Blaine Lang - blaine AT portalparts DOT com | 16 // +---------------------------------------------------------------------------+ 17 // | | 18 // | This program is free software; you can redistribute it and/or | 19 // | modify it under the terms of the GNU General Public License | 20 // | as published by the Free Software Foundation; either version 2 | 21 // | of the License, or (at your option) any later version. | 22 // | | 23 // | This program is distributed in the hope that it will be useful, | 24 // | but WITHOUT ANY WARRANTY; without even the implied warranty of | 25 // | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | 26 // | GNU General Public License for more details. | 27 // | | 28 // | You should have received a copy of the GNU General Public License | 29 // | along with this program; if not, write to the Free Software Foundation, | 30 // | Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. | 31 // | | 32 // +---------------------------------------------------------------------------+ 33 // 34 35 /* Class derived from original procedural code in Geeklog 1.3.x lib-common.php 36 * Jan 2005: Blaine Lang 37 */ 38 39 if (strpos ($_SERVER['PHP_SELF'], 'sanitize.class.php') !== false) { 40 die ('This file can not be used on its own.'); 41 } 42 43 /** 44 * Include the base kses class if not already loaded 45 */ 46 require_once($_CONF['path_system'] . 'classes/kses.class.php'); 47 48 class sanitize extends kses { 49 50 var $string = ''; 51 var $_parmissions = ''; 52 var $_isnumeric = false; 53 var $_logging = false; 54 var $_setglobal = false; 55 var $_censordata = false; 56 57 /* Filter or sanitize single parm */ 58 function filterparm ($parm) { 59 60 $p = $this->Parse( $parm ); 61 62 if( $this->_isnumeric ) 63 { 64 // Note: PHP's is_numeric() accepts values like 4e4 as numeric 65 if( !is_numeric( $p ) || ( preg_match( '/^([0-9]+)$/', $p ) == 0 )) 66 { 67 $p = 0; 68 } 69 } 70 else 71 { 72 $p = preg_replace( '/\/\*.*/', '', $p ); 73 $pa = explode( "'", $p ); 74 $pa = explode( '"', $pa[0] ); 75 $pa = explode( '`', $pa[0] ); 76 $pa = explode( ';', $pa[0] ); 77 $pa = explode( '\\', $pa[0] ); 78 $p = $pa[0]; 79 } 80 81 if( $this->logging ) 82 { 83 if( strcmp( $p, $parm ) != 0 ) 84 { 85 COM_errorLog( "Filter applied: >> $parm << filtered to $p [IP {$_SERVER['REMOTE_ADDR']}]", 1); 86 } 87 } 88 89 return $p; 90 91 } 92 93 /* Prepare data for SQL insert and apply filtering 94 * Supports passing a single parm or array of parms 95 */ 96 function prepareForDB($data) { 97 if (is_array($data)) { 98 # loop through array and apply the filters 99 foreach($data as $var) { 100 $return_data[] = addslashes($this->filterHTML($var)); 101 } 102 return $return_data; 103 } 104 else 105 { 106 $data = $this->filterHTML($data); 107 $data = addslashes($data); 108 return $data; 109 } 110 } 111 112 function filterHTML ($message) { 113 global $_CONF; 114 115 // strip_tags() gets confused by HTML comments ... 116 $message = preg_replace( '/<!--.+?-->/', '', $message ); 117 118 if( isset( $_CONF['allowed_protocols'] ) && is_array( $_CONF['allowed_protocols'] ) && ( sizeof( $_CONF['allowed_protocols'] ) > 0 )) 119 { 120 $this->Protocols( $_CONF['allowed_protocols'] ); 121 } 122 else 123 { 124 $this->Protocols( array( 'http:', 'https:', 'ftp:' )); 125 } 126 127 if( empty( $this->permissions) || !SEC_hasRights( $this->permissions ) || 128 empty( $_CONF['admin_html'] )) 129 { 130 $html = $_CONF['user_html']; 131 } 132 else 133 { 134 $html = array_merge_recursive( $_CONF['user_html'], 135 $_CONF['admin_html'] ); 136 } 137 138 foreach( $html as $tag => $attr ) 139 { 140 $this->AddHTML( $tag, $attr ); 141 } 142 143 $message = $this->Parse( $message ); 144 $message = $this->formatCode($message); 145 $message = $this->censor($message); 146 return $message; 147 148 } 149 150 151 /* Apply filtering to a single parm or array of parms 152 * Parms may be in either $_POST or $_GET input parms array 153 * If type (GET or POST) is not set then POST is checked first 154 * Optionally Parms can be made global 155 */ 156 function sanitizeParms($vars,$type='') { 157 $return_data = array(); 158 159 #setup common reference to SuperGlobals depending which array is needed 160 if ($type == "GET" OR $type == "POST") { 161 if ($type =="GET") { $SG_Array =& $_GET; } 162 if ($type =="POST") { $SG_Array =& $_POST; } 163 164 # loop through SuperGlobal data array and grab out data for allowed fields if found 165 foreach($vars as $key) { 166 if (array_key_exists($key,$SG_Array)) { $return_data[$key]=$SG_Array[$key]; } 167 } 168 169 } 170 else 171 { 172 foreach ($vars as $key) { 173 if (array_key_exists($key, $_POST)) { 174 $return_data[$key] = $_POST[$key]; 175 } 176 elseif (array_key_exists($key, $_GET)) 177 { 178 $return_data[$key] = $_GET[$key]; 179 } 180 } 181 } 182 183 # loop through $vars array and apply the filter 184 foreach($vars as $value) { 185 $return_data[$value] = $this->filterparm($return_data[$value]); 186 } 187 188 // Optionally set $GLOBALS or return the array 189 if ($this->_setglobal) { 190 # loop through final data and define all the variables using the $GLOBALS array 191 foreach ($return_data as $key=>$value) { 192 $GLOBALS[$key]=$value; 193 } 194 } 195 else 196 { 197 return $return_data; 198 } 199 200 } 201 202 203 function formatCode($message) { 204 205 // Get rid of any newline characters 206 $message = preg_replace( "/\n/", '', $message ); 207 208 // Replace any $ with $ (HTML equiv) 209 $message = str_replace( '$', '$', $message ); 210 211 // handle [code] ... [/code] 212 do 213 { 214 $start_pos = MBYTE_substr( MBYTE_strtolower( $message ), '[code]' ); 215 if( $start_pos !== false ) 216 { 217 $end_pos = MBYTE_substr( MBYTE_strtolower( $message ), '[/code]' ); 218 if( $end_pos !== false ) 219 { 220 $encoded = $this->_handleCode( MBYTE_substr( $message, $start_pos + 6, 221 $end_pos - ( $start_pos + 6 ))); 222 $encoded = '<pre><code>' . $encoded . '</code></pre>'; 223 $message = MBYTE_substr( $message, 0, $start_pos ) . $encoded 224 . MBYTE_substr( $message, $end_pos + 7 ); 225 } 226 else // missing [/code] 227 { 228 // Treat the rest of the text as code (so as not to lose any 229 // special characters). However, the calling entity should 230 // better be checking for missing [/code] before calling this 231 // function ... 232 $encoded = $this->_handleCode( MBYTE_substr( $message, $start_pos + 6 )); 233 $encoded = '<pre><code>' . $encoded . '</code></pre>'; 234 $message = MBYTE_substr( $message, 0, $start_pos ) . $encoded; 235 } 236 } 237 } 238 while( $start_pos !== false ); 239 240 return $message; 241 242 } 243 244 /** 245 * Handles the part within a [code] ... [/code] section, i.e. escapes all 246 * special characters. 247 * 248 * @param string $str the code section to encode 249 * @return string $str with the special characters encoded 250 * 251 */ 252 function _handleCode( $str ) 253 { 254 $search = array( '&', '\\', '<', '>', '[', ']' ); 255 $replace = array( '&', '\', '<', '>', '[', ']' ); 256 257 $str = str_replace( $search, $replace, $str ); 258 259 return( $str ); 260 } 261 262 263 /** 264 * This censors inappropriate content 265 * 266 * This will replace 'bad words' with something more appropriate 267 * 268 * @param string $message String to check 269 * @return string Edited $Message 270 * 271 */ 272 273 function censor ($message) 274 { 275 global $_CONF; 276 277 $editedMessage = $message; 278 279 if( $this->_censordata ) 280 { 281 if( is_array( $_CONF['censorlist'] )) 282 { 283 $replacement = $_CONF['censorreplace']; 284 285 switch( $_CONF['censormode']) 286 { 287 case 1: # Exact match 288 $regExPrefix = '(\s*)'; 289 $regExSuffix = '(\W*)'; 290 break; 291 292 case 2: # Word beginning 293 $regExPrefix = '(\s*)'; 294 $regExSuffix = '(\w*)'; 295 break; 296 297 case 3: # Word fragment 298 $regExPrefix = '(\w*)'; 299 $regExSuffix = '(\w*)'; 300 break; 301 } 302 303 for( $i = 0; $i < count( $_CONF['censorlist']); $i++ ) 304 { 305 $editedMessage = MBYTE_eregi_replace( $regExPrefix . $_CONF['censorlist'][$i] . $regExSuffix, "\\1$replacement\\2", $editedMessage ); 306 } 307 } 308 } 309 310 return $editedMessage; 311 } 312 313 314 function setPermissions($permissions) { 315 $this->permissions = $permissions; 316 } 317 318 function setLogging($state=false) { 319 $this->logging = $state; 320 } 321 322 } 323 324 ?>
titre
Description
Corps
titre
Description
Corps
titre
Description
Corps
titre
Corps
| Généré le : Wed Nov 21 12:27:40 2007 | par Balluche grâce à PHPXref 0.7 |
|
|