libraries/sanitizing.lib.php

   1 <?php
   2 /* vim: set expandtab sw=4 ts=4 sts=4: */
   3 /**
   4  * This is in a separate script because it's called from a number of scripts
   5  *
   6  * @package phpMyAdmin
   7  */
   8
   9 /**
  10  * Sanitizes $message, taking into account our special codes
  11  * for formatting.
  12  *
  13  * If you want to include result in element attribute, you should escape it.
  14  *
  15  * Examples:
  16  *
  17  * <p><?php echo PMA_sanitize($foo); ?></p>
  18  *
  19  * <a title="<?php echo PMA_sanitize($foo, true); ?>">bar</a>
  20  *
  21  * @uses    preg_replace()
  22  * @uses    strtr()
  23  * @param   string   the message
  24  * @param   boolean  whether to escape html in result
  25  *
  26  * @return  string   the sanitized message
  27  *
  28  * @access  public
  29  */
  30 function PMA_sanitize($message, $escape = false, $safe = false)
  31 {
  32     if (!$safe) {
  33         $message = strtr($message, array('<' => '&lt;', '>' => '&gt;'));
  34     }
  35     $replace_pairs = array(
  36         '[i]'       => '<em>',      // deprecated by em
  37         '[/i]'      => '</em>',     // deprecated by em
  38         '[em]'      => '<em>',
  39         '[/em]'     => '</em>',
  40         '[b]'       => '<strong>',  // deprecated by strong
  41         '[/b]'      => '</strong>', // deprecated by strong
  42         '[strong]'  => '<strong>',
  43         '[/strong]' => '</strong>',
  44         '[tt]'      => '<code>',    // deprecated by CODE or KBD
  45         '[/tt]'     => '</code>',   // deprecated by CODE or KBD
  46         '[code]'    => '<code>',
  47         '[/code]'   => '</code>',
  48         '[kbd]'     => '<kbd>',
  49         '[/kbd]'    => '</kbd>',
  50         '[br]'      => '<br />',
  51         '[/a]'      => '</a>',
  52         '[sup]'      => '<sup>',
  53         '[/sup]'      => '</sup>',
  54     );
  55     $message = strtr($message, $replace_pairs);
  56
  57     $pattern = '/\[a@([^"@]*)@([^]"]*)\]/';
  58
  59     if (preg_match_all($pattern, $message, $founds, PREG_SET_ORDER)) {
  60         $valid_links = array(
  61             'http',  // default http:// links (and https://)
  62             './Do',  // ./Documentation
  63         );
  64
  65         foreach ($founds as $found) {
  66             // only http... and ./Do... allowed
  67             if (! in_array(substr($found[1], 0, 4), $valid_links)) {
  68                 return $message;
  69             }
  70             // a-z and _ allowed in target
  71             if (! empty($found[2]) && preg_match('/[^a-z_]+/i', $found[2])) {
  72                 return $message;
  73             }
  74         }
  75
  76         if (substr($found[1], 0, 4) == 'http') {
  77             $message = preg_replace($pattern, '<a href="' . PMA_linkURL($found[1]) . '" target="\2">', $message);
  78         } else {
  79             $message = preg_replace($pattern, '<a href="\1" target="\2">', $message);
  80         }
  81     }
  82
  83     if ($escape) {
  84         $message = htmlspecialchars($message);
  85     }
  86
  87     return $message;
  88 }
  89
  90
  91 /**
  92  * Sanitize a filename by removing anything besides A-Za-z0-9_.-
  93  *
  94  * Intended usecase:
  95  *    When using a filename in a Content-Disposition header the value should not contain ; or "
  96  *
  97  * @param   string  The filename
  98  *
  99  * @return  string  the sanitized filename
 100  *
 101  */
 102 function PMA_sanitize_filename($filename) {
 103     $filename = preg_replace('/[^A-Za-z0-9_.-]/', '_', $filename);
 104     return $filename;
 105 }
 106
 107 ?>