1: <?php
2: /**
3: * TextSanitizer extension
4: *
5: * You may not change or alter any portion of this comment or credits
6: * of supporting developers from this source code or any supporting source code
7: * which is considered copyrighted (c) material of the original comment or credit authors.
8: * This program is distributed in the hope that it will be useful,
9: * but WITHOUT ANY WARRANTY; without even the implied warranty of
10: * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
11: *
12: * @copyright (c) 2000-2016 XOOPS Project (www.xoops.org)
13: * @license GNU GPL 2 (http://www.gnu.org/licenses/gpl-2.0.html)
14: * @package class
15: * @subpackage textsanitizer
16: * @since 2.3.0
17: * @author Taiwen Jiang <phppp@users.sourceforge.net>
18: */
19: defined('XOOPS_ROOT_PATH') || exit('Restricted access');
20:
21: /**
22: * Filter out possible malicious text
23: * kses project at SF could be a good solution to check
24: *
25: * @param string $text text to filter
26: * @param bool $force flag indicating to force filtering
27: * @return string filtered text
28: */
29: class MytsTextfilter extends MyTextSanitizerExtension
30: {
31: /**
32: * @param $ts
33: * @param $text
34: * @param bool $force
35: *
36: * @return mixed
37: */
38: public function load($ts, $text, $force = false)
39: {
40: global $xoopsUser, $xoopsConfig, $xoopsUserIsAdmin;
41: if (empty($force) && $xoopsUserIsAdmin) {
42: return $text;
43: }
44: // Built-in filters for XSS scripts
45: // To be improved
46: $text = $ts->filterXss($text);
47:
48: if (xoops_load('purifier', 'framework')) {
49: $text = XoopsPurifier::purify($text);
50:
51: return $text;
52: }
53:
54: $tags = array();
55: $search = array();
56: $replace = array();
57: $config = parent::loadConfig(__DIR__);
58: if (!empty($config['patterns'])) {
59: foreach ($config['patterns'] as $pattern) {
60: if (empty($pattern['search'])) {
61: continue;
62: }
63: $search[] = $pattern['search'];
64: $replace[] = $pattern['replace'];
65: }
66: }
67: if (!empty($config['tags'])) {
68: $tags = array_map('trim', $config['tags']);
69: }
70:
71: // Set embedded tags
72: $tags[] = 'SCRIPT';
73: $tags[] = 'VBSCRIPT';
74: $tags[] = 'JAVASCRIPT';
75: foreach ($tags as $tag) {
76: $search[] = '/<' . $tag . "[^>]*?>.*?<\/" . $tag . '>/si';
77: $replace[] = ' [!' . strtoupper($tag) . ' FILTERED!] ';
78: }
79: // Set meta refresh tag
80: $search[] = "/<META[^>\/]*HTTP-EQUIV=(['\"])?REFRESH(\\1)[^>\/]*?\/>/si";
81: $replace[] = '';
82: // Sanitizing scripts in IMG tag
83: //$search[]= "/(<IMG[\s]+[^>\/]*SOURCE=)(['\"])?(.*)(\\2)([^>\/]*?\/>)/si";
84: //$replace[]="";
85: // Set iframe tag
86: $search[] = "/<IFRAME[^>\/]*SRC=(['\"])?([^>\/]*)(\\1)[^>\/]*?\/>/si";
87: $replace[] = " [!IFRAME FILTERED! \\2] ";
88: $search[] = "/<IFRAME[^>]*?>([^<]*)<\/IFRAME>/si";
89: $replace[] = " [!IFRAME FILTERED! \\1] ";
90: // action
91: $text = preg_replace($search, $replace, $text);
92:
93: return $text;
94: }
95: }
96: