libraries/sanitizing.lib.php

   1 <?php
   2 /* vim: set expandtab sw=4 ts=4 sts=4: */
   3 /**
   4  * This is in a separate script because it's called from a number of scripts
   5  *
   6  * @package PhpMyAdmin
   7  */
   8
   9 /**
  10  * Checks whether given link is valid
  11  *
  12  * @param string $url URL to check
  13  * @return boolean True if string can be used as link
  14  */
  15 function PMA_checkLink($url)
  16 {
  17     $valid_starts = array(
  18         'http://',
  19         'https://',
  20         './url.php?url=http%3A%2F%2F',
  21         './url.php?url=https%3A%2F%2F',
  22     );
  23     if (defined('PMA_SETUP')) {
  24         $valid_starts[] = '../Documentation.html';
  25         $valid_starts[] = '?page=form&';
  26     } else {
  27         $valid_starts[] = './Documentation.html';
  28     }
  29     foreach ($valid_starts as $val) {
  30         if (substr($url, 0, strlen($val)) == $val) {
  31             return true;
  32         }
  33     }
  34     return false;
  35 }
  36
  37 /**
  38  * Callback function for replacing [a@link@target] links in bb code.
  39  *
  40  * @param array $found Array of preg matches
  41  * @return string Replaced string
  42  */
  43 function PMA_replaceBBLink($found)
  44 {
  45     /* Check for valid link */
  46     if (! PMA_checkLink($found[1])) {
  47         return $found[0];
  48     }
  49     /* a-z and _ allowed in target */
  50     if (! empty($found[3]) && preg_match('/[^a-z_]+/i', $found[3])) {
  51         return $found[0];
  52     }
  53
  54     /* Construct target */
  55     $target = '';
  56     if (! empty($found[3])) {
  57         $target = ' target="' . $found[3] . '"';
  58     }
  59
  60     /* Construct url */
  61     if (substr($found[1], 0, 4) == 'http') {
  62         $url = PMA_linkURL($found[1]);
  63     } else {
  64         $url = $found[1];
  65     }
  66
  67     return '<a href="' . $url . '"' . $target . '>';
  68 }
  69
  70 /**
  71  * Sanitizes $message, taking into account our special codes
  72  * for formatting.
  73  *
  74  * If you want to include result in element attribute, you should escape it.
  75  *
  76  * Examples:
  77  *
  78  * <p><?php echo PMA_sanitize($foo); ?></p>
  79  *
  80  * <a title="<?php echo PMA_sanitize($foo, true); ?>">bar</a>
  81  *
  82  * @param string  $message the message
  83  * @param boolean $escape  whether to escape html in result
  84  * @param boolean $safe    whether string is safe (can keep < and > chars)
  85  * @return  string   the sanitized message
  86  */
  87 function PMA_sanitize($message, $escape = false, $safe = false)
  88 {
  89     if (!$safe) {
  90         $message = strtr($message, array('<' => '&lt;', '>' => '&gt;'));
  91     }
  92     /* Interpret bb code */
  93     $replace_pairs = array(
  94         '[i]'       => '<em>',      // deprecated by em
  95         '[/i]'      => '</em>',     // deprecated by em
  96         '[em]'      => '<em>',
  97         '[/em]'     => '</em>',
  98         '[b]'       => '<strong>',  // deprecated by strong
  99         '[/b]'      => '</strong>', // deprecated by strong
 100         '[strong]'  => '<strong>',
 101         '[/strong]' => '</strong>',
 102         '[tt]'      => '<code>',    // deprecated by CODE or KBD
 103         '[/tt]'     => '</code>',   // deprecated by CODE or KBD
 104         '[code]'    => '<code>',
 105         '[/code]'   => '</code>',
 106         '[kbd]'     => '<kbd>',
 107         '[/kbd]'    => '</kbd>',
 108         '[br]'      => '<br />',
 109         '[/a]'      => '</a>',
 110         '[sup]'      => '<sup>',
 111         '[/sup]'      => '</sup>',
 112     );
 113     /* Adjust links for setup, which lives in subfolder */
 114     if (defined('PMA_SETUP')) {
 115         $replace_pairs['[a@Documentation.html'] = '[a@../Documentation.html';
 116     } else {
 117         $replace_pairs['[a@Documentation.html'] = '[a@./Documentation.html';
 118     }
 119     $message = strtr($message, $replace_pairs);
 120
 121     /* Match links in bb code ([a@url@target], where @target is options) */
 122     $pattern = '/\[a@([^]"@]*)(@([^]"]*))?\]/';
 123
 124     /* Find and replace all links */
 125     $message = preg_replace_callback($pattern, 'PMA_replaceBBLink', $message);
 126
 127     /* Possibly escape result */
 128     if ($escape) {
 129         $message = htmlspecialchars($message);
 130     }
 131
 132     return $message;
 133 }
 134
 135
 136 /**
 137  * Sanitize a filename by removing anything besides A-Za-z0-9_.-
 138  *
 139  * Intended usecase:
 140  *    When using a filename in a Content-Disposition header the value should not contain ; or "
 141  *
 142  * @param   string  The filename
 143  *
 144  * @return  string  the sanitized filename
 145  *
 146  */
 147 function PMA_sanitize_filename($filename) {
 148     $filename = preg_replace('/[^A-Za-z0-9_.-]/', '_', $filename);
 149     return $filename;
 150 }
 151
 152 ?>