libraries/sanitizing.lib.php

   1 <?php
   2 /* vim: set expandtab sw=4 ts=4 sts=4: */
   3 /**
   4  *
   5  * @version $Id$
   6  * This is in a separate script because it's called from a number of scripts
   7  */
   8
   9 /**
  10  * Sanitizes $message, taking into account our special codes
  11  * for formatting
  12  *
  13  * @uses    preg_replace()
  14  * @uses    strtr()
  15  * @param   string   the message
  16  *
  17  * @return  string   the sanitized message
  18  *
  19  * @access  public
  20  */
  21 function PMA_sanitize($message)
  22 {
  23     $replace_pairs = array(
  24         '<'         => '&lt;',
  25         '>'         => '&gt;',
  26         '[i]'       => '<em>',      // deprecated by em
  27         '[/i]'      => '</em>',     // deprecated by em
  28         '[em]'      => '<em>',
  29         '[/em]'     => '</em>',
  30         '[b]'       => '<strong>',  // deprecated by strong
  31         '[/b]'      => '</strong>', // deprecated by strong
  32         '[strong]'  => '<strong>',
  33         '[/strong]' => '</strong>',
  34         '[tt]'      => '<code>',    // deprecated by CODE or KBD
  35         '[/tt]'     => '</code>',   // deprecated by CODE or KBD
  36         '[code]'    => '<code>',
  37         '[/code]'   => '</code>',
  38         '[kbd]'     => '<kbd>',
  39         '[/kbd]'    => '</kbd>',
  40         '[br]'      => '<br />',
  41         '[/a]'      => '</a>',
  42         '[sup]'      => '<sup>',
  43         '[/sup]'      => '</sup>',
  44     );
  45     $message = strtr($message, $replace_pairs);
  46
  47     $pattern = '/\[a@([^"@]*)@([^]"]*)\]/';
  48
  49     if (preg_match_all($pattern, $message, $founds, PREG_SET_ORDER)) {
  50         $valid_links = array(
  51             'http',  // default http:// links (and https://)
  52             './Do',  // ./Documentation
  53         );
  54
  55         foreach ($founds as $found) {
  56             // only http... and ./Do... allowed
  57             if (! in_array(substr($found[1], 0, 4), $valid_links)) {
  58                 return $message;
  59             }
  60             // a-z and _ allowed in target
  61             if (! empty($found[2]) && preg_match('/[^a-z_]+/i', $found[2])) {
  62                 return $message;
  63             }
  64         }
  65
  66         $message = preg_replace($pattern, '<a href="\1" target="\2">', $message);
  67     }
  68
  69     return $message;
  70 }
  71 ?>