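<?php
/**
 * The MIME_Viewer_html class renders out HTML text with an effort to
 * remove potentially malicious code.
 *
 * $Horde: framework/MIME/MIME/Viewer/html.php,v 1.14.4.20 2006/06/07 13:34:16 jan Exp $
 *
 * Copyright 1999-2006 Anil Madhavapeddy <anil@recoil.org>
 * Copyright 1999-2006 Jon Parise <jon@horde.org>
 * Copyright 2002-2006 Michael Slusarz <slusarz@horde.org>
 *
 * See the enclosed file COPYING for license information (GPL). If you
 * did not receive this file, see http://www.fsf.org/copyleft/gpl.html.
 *
 * @author  Anil Madhavapeddy <anil@recoil.org>
 * @author  Jon Parise <jon@horde.org>
 * @author  Michael Slusarz <slusarz@horde.org>
 * @since   Horde 3.0
 * @package Horde_MIME_Viewer
 */
class MIME_Viewer_html extends MIME_Viewer {

    /**
     * Render out the currently set contents.
     *
     * The raw part contents are handed to _cleanHTML(), so what comes back
     * has been through the 'xss' text filter, had its href attributes
     * rewritten, and carries a phishing warning when the heuristics fire.
     *
     * @param array $params  Any parameters the viewer may need (unused here).
     *
     * @return string  The rendered text.
     */
    function render($params = null)
    {
        return $this->_cleanHTML($this->mime_part->getContents());
    }

    /**
     * Filters active content, dereferences external links, detects phishing,
     * etc.
     *
     * The steps run in a fixed order: <base> handling first so relative
     * paths are absolute before filtering, then the 'xss' filter, then the
     * phishing heuristics on the filtered markup, then href rewriting, and
     * finally the warning is inserted so the filter cannot strip it.
     *
     * @access private
     *
     * @param string $data  The HTML data.
     *
     * @return string  The cleaned HTML data.
     */
    function _cleanHTML($data)
    {
        global $browser;

        $phish_warn = false;
        $base = '';

        require_once 'Horde/MIME/Contents.php';
        $attachment = MIME_Contents::viewAsAttachment();

        /* Deal with <base> tags in the HTML, since they will screw up our own
         * relative paths. Accept a double-quoted, single-quoted or bare href
         * value; the closing delimiter must match the opening one. */
        if (preg_match('/<base href=(["\']?)([^"\'> ]*)\1 ?\/?>/i', $data, $matches)) {
            $base = $matches[2];
            if (substr($base, -1, 1) != '/') {
                $base .= '/';
            }

            /* Recursively call _cleanHTML() to prevent clever fiends from
             * sneaking nasty things into the page via $base. The value has no
             * <base> tag of its own, so the recursion is a single level. */
            $base = $this->_cleanHTML($base);
        }

        /* Attempt to fix paths that were relying on a <base> tag. Only
         * scheme-less values are rewritten (the ':' exclusion in each
         * pattern), so absolute URLs are left untouched. */
        if (!empty($base)) {
            $pattern = array('|src=(["\'])([^:"\']+)\1|i',
                             '|src=([^: >"\']+)|i',
                             '|href= *(["\'])([^:"\']+)\1|i',
                             '|href=([^: >"\']+)|i');
            $replace = array('src=\1' . $base . '\2\1',
                             'src=' . $base . '\1',
                             'href=\1' . $base . '\2\1',
                             'href=' . $base . '\1');
            $data = preg_replace($pattern, $replace, $data);
        }

        require_once 'Horde/Text/Filter.php';
        /* Styles survive only when viewing as an attachment in a browser
         * other than Mozilla 4 or MSIE; inline rendering always strips them. */
        $strip_styles = !$attachment ||
            ($browser->isBrowser('mozilla') &&
             $browser->getMajor() == 4) ||
            $browser->isBrowser('msie');
        $data = Text_Filter::filter($data, 'xss',
                                    array('body_only' => !$attachment,
                                          'strip_styles' => $strip_styles));

        /* Check for phishing exploits. */
        if (preg_match('/href\s*=\s*["\']?\s*(http|https|ftp):\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/i', $data)) {
            /* Check 1: Check for IP address links. */
            $phish_warn = true;
        } elseif (preg_match_all('/href\s*=\s*["\']?\s*(?:http|https|ftp):\/\/([^\s"\'>]+)["\']?[^>]*>\s*(?:(?:http|https|ftp):\/\/)?(.*?)<\/a/is', $data, $m)) {
            /* $m[1] = Link; $m[2] = Target
             * Check 2: Check for links that point to a different host than
             * the target url; if target looks like a domain name, check it
             * against the link. */
            $links = count($m[0]);
            for ($i = 0; $i < $links; $i++) {
                $m[1][$i] = strtolower(urldecode($m[1][$i]));
                $m[2][$i] = strtolower(preg_replace('/^(http|https|ftp):\/\//', '', strip_tags($m[2][$i])));
                if (preg_match('/^[-._\da-z]+\.[a-z]{2,}/i', $m[2][$i]) &&
                    strpos($m[1][$i], $m[2][$i]) !== 0 &&
                    strpos($m[2][$i], $m[1][$i]) !== 0) {
                    /* Don't consider the link a phishing link if the domain
                     * is the same on both links (e.g. adtracking.example.com
                     * & www.example.com). */
                    preg_match('/\.?([^\.\/]+\.[^\.\/]+)\//', $m[1][$i], $host1);
                    preg_match('/\.?([^\.\/]+\.[^\.\/]+)(\/.*)?$/', $m[2][$i], $host2);
                    if (!(count($host1) && count($host2)) ||
                        strcasecmp($host1[1], $host2[1]) !== 0) {
                        $phish_warn = true;
                    }
                }
            }
        }

        /* Try to derefer all external references. The callback is a real
         * method instead of a create_function() string, which the engine
         * compiles with eval() on every call. Note that '[^\1]' inside a
         * character class is a literal chr(1) exclusion, not a backreference;
         * the lazy quantifier together with the trailing '(?(1)\1|)' is what
         * stops the match at the closing quote. */
        $data = preg_replace_callback('/href\s*=\s*(["\'])?((?(1)[^\1]*?|[^\s>]+))(?(1)\1|)/i',
                                      array($this, '_derefHref'),
                                      $data);

        /* Prepend phishing warning. */
        if ($phish_warn) {
            require_once 'Horde/MIME/Contents.php';
            $contents = new MIME_Contents(new MIME_Part());
            $phish_warning = sprintf(_("%s: This message may not be from whom it claims to be. Beware of following any links in it or of providing the sender with any personal information."), _("Warning"));
            if ($contents->viewAsAttachment()) {
                $phish_warning = '<span style="background-color:#ffd0af;color:black">' . String::convertCharset($phish_warning, NLS::getCharset(), $this->mime_part->getCharset()) . '</span><br />';
            }
            $phish_warning = $contents->formatStatusMsg($phish_warning, null, true, 'mimeStatusWarning');
            if (stristr($data, '<body') === false) {
                $data = $phish_warning . $data;
            } else {
                /* Insert right after the opening <body> tag so the warning
                 * is the first thing rendered. */
                $data = preg_replace('/(.*<body.*?>)(.*)/i', '$1' . $phish_warning . '$2', $data);
            }
        }

        return $data;
    }

    /**
     * preg_replace_callback() helper for _cleanHTML(): rebuilds a single
     * href attribute. In-document fragment links (value starting with '#')
     * are kept as they are; every other value is passed through
     * Horde::externalUrl().
     *
     * @access private
     *
     * @param array $m  The regex matches; $m[2] holds the href value without
     *                  its surrounding quotes.
     *
     * @return string  The rewritten, double-quoted href attribute.
     */
    function _derefHref($m)
    {
        $url = $m[2];
        if (strlen($url) && $url[0] == '#') {
            return 'href="' . $url . '"';
        }
        return 'href="' . Horde::externalUrl($url) . '"';
    }

    /**
     * Return the content-type of the rendered text.
     *
     * When viewing as an attachment the part's own type (with parameters)
     * is returned; otherwise text/html in the current NLS charset.
     *
     * @return string  The MIME Content-Type.
     */
    function getType()
    {
        require_once 'Horde/MIME/Contents.php';
        return MIME_Contents::viewAsAttachment() ? $this->mime_part->getType(true) : 'text/html; charset=' . NLS::getCharset();
    }

}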