1 <?php
2 /* vim: set expandtab sw=4 ts=4 sts=4: */
3 /**
4 * This is in a separate script because it's called from a number of scripts
6 * @package PhpMyAdmin
7 */
// Direct-access guard: this library is only meaningful when pulled in by a
// phpMyAdmin entry point, which defines PHPMYADMIN before including it.
// Requesting the file on its own just terminates without output.
defined('PHPMYADMIN') or exit;
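/**
 * Checks whether a link target is acceptable for emission inside an href.
 *
 * Only a fixed list of prefixes is accepted, so scheme-based payloads such
 * as "javascript:" or "data:" never reach the markup. The check is a plain
 * byte-wise prefix match: it is case-sensitive ("HTTP://" is rejected) and
 * says nothing about the rest of the URL, so the caller still has to keep
 * attribute-breaking characters out of the remainder (PMA_sanitize does this
 * through its capture pattern, which excludes '"').
 *
 * When PMA_SETUP is defined, relative links into the setup script's own
 * pages are accepted as well.
 *
 * @param string $url URL to check
 *
 * @return boolean True if string can be used as link
 */
function PMA_checkLink($url)
{
    $valid_starts = array(
        'http://',
        'https://',
        './url.php?url=http%3A%2F%2F',
        './url.php?url=https%3A%2F%2F',
    );
    if (defined('PMA_SETUP')) {
        $valid_starts[] = '?page=form&';
        $valid_starts[] = '?page=servers&';
    }
    foreach ($valid_starts as $prefix) {
        // Strict byte comparison of the first strlen($prefix) bytes; a URL
        // shorter than the prefix can never match. This replaces the loose
        // '==' string comparison, which applies numeric-string rules.
        if (strncmp($url, $prefix, strlen($prefix)) === 0) {
            return true;
        }
    }
    return false;
}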
/**
 * preg_replace_callback hook that turns a [a@url@target] bb-code opening
 * tag into an <a> start tag (the matching [/a] is handled in PMA_sanitize).
 *
 * Security contract:
 *  - the URL must pass PMA_checkLink(), so only the whitelisted prefixes
 *    (http(s) and the internal url.php redirector) are ever emitted;
 *  - the target may only contain ASCII letters and underscores;
 *  - nothing here re-escapes the URL — the attribute stays intact only
 *    because the capture pattern in PMA_sanitize already excludes '"',
 *    ']' and '@' from it.
 * On any rejection the original bb-code text is returned untouched.
 *
 * @param array $found preg matches: [0] whole tag, [1] URL, [3] optional target
 *
 * @return string replacement HTML, or $found[0] when the tag is rejected
 */
function PMA_replaceBBLink($found)
{
    $href = $found[1];
    // Index 3 is absent when no @target was given; empty() tolerates that.
    $hasTarget = ! empty($found[3]);

    // Reject anything that is not an allowed link prefix.
    if (! PMA_checkLink($href)) {
        return $found[0];
    }
    // Reject targets with anything outside a-z/A-Z and '_'.
    if ($hasTarget && preg_match('/[^a-z_]+/i', $found[3])) {
        return $found[0];
    }

    $targetAttr = $hasTarget ? ' target="' . $found[3] . '"' : '';

    // External http(s) links are handed to PMA_linkURL (presumably the
    // url.php redirector — not visible here); anything else already is an
    // internal relative link and is used as-is.
    $isExternal = strncmp($href, 'http', 4) === 0;
    if ($isExternal) {
        $href = PMA_linkURL($href);
    }

    return '<a href="' . $href . '"' . $targetAttr . '>';
}
/**
 * preg_replace_callback hook that turns a [doc@anchor] bb-code opening tag
 * into an <a> start tag pointing at the documentation.
 *
 * The documentation page is chosen from the anchor's first three bytes:
 * "faq..." and "cfg..." map to those pages, everything else falls back to
 * the setup page. The comparison is case-sensitive. The anchor is limited to
 * [a-zA-Z0-9_-] by the pattern in PMA_sanitize, so it cannot carry
 * attribute-breaking characters; building the final URL is delegated to
 * PMA_Util::getDocuLink().
 *
 * @param array $found preg matches: [1] is the anchor
 *
 * @return string replacement HTML
 */
function PMA_replaceDocLink($found)
{
    $anchor = $found[1];
    $knownPages = array('faq', 'cfg');

    // Guess the page from the anchor prefix; unknown prefixes go to setup.
    $prefix = substr($anchor, 0, 3);
    $page = in_array($prefix, $knownPages, true) ? $prefix : 'setup';

    $link = PMA_Util::getDocuLink($page, $anchor);
    return '<a href="' . $link . '" target="documentation">';
}
/**
 * Sanitizes $message and expands phpMyAdmin's bb-code style formatting.
 *
 * The processing order is what gives the result its security properties:
 *  1. unless $safe is set, '<' and '>' are entity-encoded so no raw tag in
 *     the input survives ('&' and quotes are NOT touched at this stage);
 *  2. the fixed bb-code tokens are expanded to their HTML equivalents;
 *  3. [a@url@target] links are expanded via PMA_replaceBBLink — the capture
 *     pattern keeps '"', ']' and '@' out of the URL, and PMA_replaceBBLink
 *     enforces the allowed URL prefixes and the target charset;
 *  4. [doc@anchor] links are expanded via PMA_replaceDocLink, with the
 *     anchor restricted to [a-zA-Z0-9_-];
 *  5. when $escape is set the whole result goes through htmlspecialchars()
 *     so it can be placed inside an attribute value.
 *
 * Because step 1 only encodes angle brackets, the unescaped result is only
 * suitable for element content. For attribute values pass $escape = true and
 * use double quotes: whether htmlspecialchars() also encodes single quotes
 * depends on the PHP version's default flags. $safe = true must only be used
 * for strings the application itself produced; note that [conferr] expands
 * to an iframe and is meant for internal config-error messages only.
 *
 * Examples:
 *
 * <p><?php echo PMA_sanitize($foo); ?></p>
 *
 * <a title="<?php echo PMA_sanitize($foo, true); ?>">bar</a>
 *
 * @param string  $message the message
 * @param boolean $escape  whether to escape html in result
 * @param boolean $safe    whether string is safe (can keep < and > chars)
 *
 * @return string the sanitized message
 */
function PMA_sanitize($message, $escape = false, $safe = false)
{
    // Step 1: neutralise raw tags unless the caller vouches for the input.
    if (! $safe) {
        $message = str_replace(array('<', '>'), array('&lt;', '&gt;'), $message);
    }

    // Step 2: one-to-one bb-code tokens. The paired inline tags are
    // generated from a list; the remaining tokens are listed explicitly.
    $html = array(
        '[br]' => '<br />',
        '[/a]' => '</a>',
        '[/doc]' => '</a>',
        // used in common.inc.php:
        '[conferr]' => '<iframe src="show_config_errors.php" />',
    );
    foreach (array('em', 'strong', 'code', 'kbd', 'sup') as $tag) {
        $html['[' . $tag . ']'] = '<' . $tag . '>';
        $html['[/' . $tag . ']'] = '</' . $tag . '>';
    }
    $message = strtr($message, $html);

    // Step 3: [a@url@target] links (target is optional). The URL capture
    // deliberately excludes ']', '"' and '@'.
    $message = preg_replace_callback(
        '/\[a@([^]"@]*)(@([^]"]*))?\]/',
        'PMA_replaceBBLink',
        $message
    );

    // Step 4: [doc@anchor] documentation links.
    $message = preg_replace_callback(
        '/\[doc@([a-zA-Z0-9_-]+)\]/',
        'PMA_replaceDocLink',
        $message
    );

    // Step 5: optionally escape the whole result for attribute use.
    return $escape ? htmlspecialchars($message) : $message;
}
/**
 * Sanitizes a filename by replacing every byte outside a small whitelist
 * with '_'.
 *
 * The whitelist is ASCII letters, digits, '_' and '-', plus '.' unless
 * $replaceDots is true. Everything else — including path separators, NUL,
 * CR/LF, whitespace, ';' and '"' — is replaced, which is what makes the
 * result usable in a Content-Disposition header and keeps it from naming a
 * different directory. Caveats:
 *  - matching is byte-wise, so each byte of a multi-byte character becomes
 *    its own '_' ("é" → "__");
 *  - with dots allowed, ".." survives (harmless without separators) and a
 *    name like "dump.php.sql" keeps its double extension — pass
 *    $replaceDots = true when exporting if that matters;
 *  - an empty input yields an empty string; the caller must supply a default.
 *
 * @param string  $filename    The filename
 * @param boolean $replaceDots Whether to also replace dots
 *
 * @return string the sanitized filename
 */
function PMA_sanitizeFilename($filename, $replaceDots = false)
{
    // Negated character class: every byte NOT listed is rewritten.
    $forbidden = $replaceDots
        ? '/[^A-Za-z0-9_-]/'
        : '/[^A-Za-z0-9_.-]/';

    return preg_replace($forbidden, '_', $filename);
}