phpmyadmin/libraries/sanitizing.lib.php

   1 <?php
   2 /* vim: set expandtab sw=4 ts=4 sts=4: */
   3 /**
   4  * This is in a separate script because it's called from a number of scripts
   5  *
   6  * @package PhpMyAdmin
   7  */
   8 if (! defined('PHPMYADMIN')) {
   9     exit;
  10 }
  11
  12 /**
  13  * Checks whether given link is valid
  14  *
  15  * @param string $url URL to check
  16  *
  17  * @return boolean True if string can be used as link
  18  */
  19 function PMA_checkLink($url)
  20 {
  21     $valid_starts = array(
  22         'http://',
  23         'https://',
  24         './url.php?url=http%3A%2F%2F',
  25         './url.php?url=https%3A%2F%2F',
  26         './doc/html/',
  27     );
  28     if (defined('PMA_SETUP')) {
  29         $valid_starts[] = '?page=form&';
  30         $valid_starts[] = '?page=servers&';
  31     }
  32     foreach ($valid_starts as $val) {
  33         if (/*overload*/mb_substr($url, 0, /*overload*/mb_strlen($val)) == $val) {
  34             return true;
  35         }
  36     }
  37     return false;
  38 }
  39
  40 /**
  41  * Callback function for replacing [a@link@target] links in bb code.
  42  *
  43  * @param array $found Array of preg matches
  44  *
  45  * @return string Replaced string
  46  */
  47 function PMA_replaceBBLink($found)
  48 {
  49     /* Check for valid link */
  50     if (! PMA_checkLink($found[1])) {
  51         return $found[0];
  52     }
  53     /* a-z and _ allowed in target */
  54     if (! empty($found[3]) && preg_match('/[^a-z_]+/i', $found[3])) {
  55         return $found[0];
  56     }
  57
  58     /* Construct target */
  59     $target = '';
  60     if (! empty($found[3])) {
  61         $target = ' target="' . $found[3] . '"';
  62     }
  63
  64     /* Construct url */
  65     if (substr($found[1], 0, 4) == 'http') {
  66         $url = PMA_linkURL($found[1]);
  67     } else {
  68         $url = $found[1];
  69     }
  70
  71     return '<a href="' . $url . '"' . $target . '>';
  72 }
  73
  74 /**
  75  * Callback function for replacing [doc@anchor] links in bb code.
  76  *
  77  * @param array $found Array of preg matches
  78  *
  79  * @return string Replaced string
  80  */
  81 function PMA_replaceDocLink($found)
  82 {
  83     $anchor = $found[1];
  84     if (strncmp('faq', $anchor, 3) == 0) {
  85         $page = 'faq';
  86     } else if (strncmp('cfg', $anchor, 3) == 0) {
  87         $page = 'cfg';
  88     } else {
  89         /* Guess */
  90         $page = 'setup';
  91     }
  92     $link = PMA_Util::getDocuLink($page, $anchor);
  93     return '<a href="' . $link . '" target="documentation">';
  94 }
  95
  96 /**
  97  * Sanitizes $message, taking into account our special codes
  98  * for formatting.
  99  *
 100  * If you want to include result in element attribute, you should escape it.
 101  *
 102  * Examples:
 103  *
 104  * <p><?php echo PMA_sanitize($foo); ?></p>
 105  *
 106  * <a title="<?php echo PMA_sanitize($foo, true); ?>">bar</a>
 107  *
 108  * @param string  $message the message
 109  * @param boolean $escape  whether to escape html in result
 110  * @param boolean $safe    whether string is safe (can keep < and > chars)
 111  *
 112  * @return string   the sanitized message
 113  */
 114 function PMA_sanitize($message, $escape = false, $safe = false)
 115 {
 116     if (!$safe) {
 117         $message = strtr($message, array('<' => '&lt;', '>' => '&gt;'));
 118     }
 119
 120     /* Interpret bb code */
 121     $replace_pairs = array(
 122         '[em]'      => '<em>',
 123         '[/em]'     => '</em>',
 124         '[strong]'  => '<strong>',
 125         '[/strong]' => '</strong>',
 126         '[code]'    => '<code>',
 127         '[/code]'   => '</code>',
 128         '[kbd]'     => '<kbd>',
 129         '[/kbd]'    => '</kbd>',
 130         '[br]'      => '<br />',
 131         '[/a]'      => '</a>',
 132         '[/doc]'      => '</a>',
 133         '[sup]'     => '<sup>',
 134         '[/sup]'    => '</sup>',
 135          // used in common.inc.php:
 136         '[conferr]' => '<iframe src="show_config_errors.php" />',
 137     );
 138
 139     $message = strtr($message, $replace_pairs);
 140
 141     /* Match links in bb code ([a@url@target], where @target is options) */
 142     $pattern = '/\[a@([^]"@]*)(@([^]"]*))?\]/';
 143
 144     /* Find and replace all links */
 145     $message = preg_replace_callback($pattern, 'PMA_replaceBBLink', $message);
 146
 147     /* Replace documentation links */
 148     $message = preg_replace_callback(
 149         '/\[doc@([a-zA-Z0-9_-]+)\]/',
 150         'PMA_replaceDocLink',
 151         $message
 152     );
 153
 154     /* Possibly escape result */
 155     if ($escape) {
 156         $message = htmlspecialchars($message);
 157     }
 158
 159     return $message;
 160 }
 161
 162
 163 /**
 164  * Sanitize a filename by removing anything besides legit characters
 165  *
 166  * Intended usecase:
 167  *    When using a filename in a Content-Disposition header
 168  *    the value should not contain ; or "
 169  *
 170  *    When exporting, avoiding generation of an unexpected double-extension file
 171  *
 172  * @param string  $filename    The filename
 173  * @param boolean $replaceDots Whether to also replace dots
 174  *
 175  * @return string  the sanitized filename
 176  *
 177  */
 178 function PMA_sanitizeFilename($filename, $replaceDots = false)
 179 {
 180     $pattern = '/[^A-Za-z0-9_';
 181     // if we don't have to replace dots
 182     if (! $replaceDots) {
 183         // then add the dot to the list of legit characters
 184         $pattern .= '.';
 185     }
 186     $pattern .= '-]/';
 187     $filename = preg_replace($pattern, '_', $filename);
 188     return $filename;
 189 }
 190