From e737d69a773115be9767d03c5d81c0c758609b1a Mon Sep 17 00:00:00 2001
From: OpenXE <>
Date: Tue, 7 Nov 2023 09:44:44 +0100
Subject: [PATCH] bugfix stringcleaner array vs. object
---
phpwf/plugins/class.stringcleaner.php | 898 +++++++++++++-------------
1 file changed, 450 insertions(+), 448 deletions(-)
diff --git a/phpwf/plugins/class.stringcleaner.php b/phpwf/plugins/class.stringcleaner.php
index e4d20639..bb4672ae 100644
--- a/phpwf/plugins/class.stringcleaner.php
+++ b/phpwf/plugins/class.stringcleaner.php
@@ -1,451 +1,453 @@
-app = $app;
- if(class_exists('HTMLPurifier_Config')) {
- $this->htmlpuriferconfig = HTMLPurifier_Config::createDefault();
- $this->htmlpuriferconfig->set('Core.Encoding', 'UTF-8');
- $this->htmlpuriferconfig->set('Attr.AllowedFrameTargets', ['_blank']); // Allow hyperlinks with target="_blank"
- //$this->htmlpuriferconfig->set('HTML.AllowedElements', 'h1,h2,h3,h4,h5,h6,p,a,strong,em,ol,ul,li,img,param,div,br,form,label,fieldset,input,textarea,select,option');
- $this->htmlpurifer = new HTMLPurifier($this->htmlpuriferconfig);
- }
- $this->elements = array('nohtml'=> array('ust_befreit','abweichendelieferadresse','bestellungsart','bearbeiter','datum','lieferdatum','name','anrede','partner','packstation_inhaber','packstation_station','packstation_ident','packstation_plz','packstation_ort','partnerid','kennen','ihrebestellnummer'
- ,'abteilung','unterabteilung','ansprechpartner','adresszusatz','strasse','land','bundesstaat','plz','ort','versandart','internet','transaktionsnummer','vertrieb','zahlungsweise'
- ,'lieferabteilung','lieferunterabteilung','lieferansprechpartner','lieferadresszusatz','lieferstrasse','lieferland','lieferbundesstaat','lieferplz','lieferort'
- ,'bank_inhaber','bank_institut','bank_blz','bank_konto'
- ,'email','telefon','telefax','ustid','partner','projekt','herstellernummer','ean','nummer','name_de','name_ean'),
- 'nojs' => array('anabregstext','anabregstext_en','uebersicht_de','uebersicht_en','kurztext_de','kurztext_en','internebemerkung','internebezeichnung','freitext'));
-
- $this->rulechecks = array('digit'=>'/^[0-9]+$/'
- ,'alpha'=>'/^[a-zA-Z]+$/'
- ,'alphadigit'=>'/^[0-9a-zA-Z]+$/'
- ,'username'=>'/^[0-9a-zA-Z\.\-]+$/'
- ,'space'=>'/^[\x20]+$/'
- ,'module'=>'/^[0-9a-zA-Z\_]$/'
- ,'password'=>'/^[^\s\n]{1}[^\n]{5}.*$/'
- ,'email'=>'/^[^@\s\x00-\x20]+@[^@\s\x00-\x20\.]+\.[^@\s\x00-\x20\.]+[^@\s\x00-\x20]*$/'
- );
-
- $this->ruleregexps = array(
- 'digit'=>'/[^0-9]/'
- ,'username'=>'/[^0-9a-zA-Z\.\-]/'
- ,'alpha'=>'/[^a-zA-Z]/'
- ,'alphadigits'=>'/[^0-9a-zA-Z]/'
- ,'module'=>'/[^0-9a-zA-Z\_]/'
- ,'moduleminus'=>'/[^0-9a-zA-Z\_\-]/'
- ,'alphadigitsspecial'=>'/[^0-9a-zA-Z\_\.\(\)]/'
- ,'base64'=>'/[^0-9a-zA-Z\=\+\-\_\/]/'
- );
- }
-
- function SyntaxByElement($key, $default = '')
- {
- foreach($this->elements as $type => $arr) {
- if(in_array($key, $arr)) {
- return $type;
- }
- }
- return $default;
- }
-
- function CleanSQLReturn($value, $columnname, $default = '')
- {
- if($value == '' || is_numeric($value))
- {
- return $value;
- }
- if(in_array($columnname, array('nummer','name','kundennummer','bezeichnung','bezeichnunglieferant','lieferantennummer','mitarbeiternummer','name_de','name_en',
- 'kurzbezeichnung','abkuerzung',
- 'strasse','plz','ort','land','ansprechpartner','abteilung','unterabteilung',
- 'liefername','lieferstrasse','lieferplz','lieferort','lieferland','lieferansprechpartner','lieferabteilung','lieferunterabteilung'))){
- return strip_tags($value);
- }
- if($default == 'xss_clean')
- {
- return $this->xss_clean($value, false);
- }
- if($this->htmlpurifer)
- {
- return $this->htmlpurifer->purify($value);
- }
- return $value;
- }
-
- function RuleCheck($string, $rule = null, &$found = false)
- {
- if(isset($this->rulechecks[$rule]))
- {
- $found = true;
- return preg_match_all($this->rulechecks[$rule], $string, $dummy);
- }
- switch($rule)
- {
- case 'datum':
- $found = true;
-
- if(preg_match_all('/([0-9]+)\.([0-9]+)\.$/', $string, $matches))
- {
- $string = $matches[1][0].'.'.$matches[2][0].'.'.date('Y');
- }
-
- try {
- if($x = new DateTime($string)) {
- return $x->format('Y') > 0;
- }
- }
- catch (Exception $e) {
- return false;
- }
- return false;
- break;
- }
- }
-
- function CheckSQLHtml($sql)
- {
- $start = 0;
- $len = strlen($sql);
- $lvl = 0;
- $col = 0;
- $ret = array(0);
- $instring = false;
- for($i = $start; $i < $len; $i++)
- {
- $char = $sql[$i];
- switch($char)
- {
- case "'":
- if($instring)
- {
- if($sql[$i-1] != '\\')
- {
- $instring = false;
- }
- }else{
- if($sql[$i-1] != '\\'){
- $instring = true;
- }
- }
- break;
- case "(":
- if($instring)
- {
-
- }else{
- $lvl++;
- }
- break;
- case ")":
- if($instring)
- {
-
- }else{
- $lvl--;
- }
- break;
- case "<":
- if($instring)
- {
- if(preg_match('/<[a-zA-Z]/',$char.$sql[$i+1]))
- {
- if($ret[$col] != 2)
- {
- $ret[$col] = 1;
- }
- }
- }
- break;
- case ',':
- if($instring)
- {
-
- }else{
- if($lvl == 0)
- {
- $col++;
- $ret[$col] = 0;
- }
- }
- break;
- case 'o':
- case 'O':
- if($instring)
- {
- if($i < $len -4)
- {
- if(strtolower(substr($sql, $i, 2)) == 'on')
- {
- if(preg_match('/^on[a-z]+(\s*)=/', substr($sql, $i)))
- {
- $ret[$col] = 2;
- }
- }
- }
- }
- break;
- case 'F':
- case 'f':
- if($instring)
- {
-
- }else{
- if($lvl == 0)
- {
- if($i < $len - 4)
- {
- if(strtolower(substr($sql, $i, 4)) == 'from')
- {
- break 2;
- }
- }
- }
- }
- break;
- }
- }
- $where = strripos($sql, 'where');
- $restsql = substr($sql, $i, $where - $i);
- if(preg_match('/<[a-zA-Z]/', $restsql))
- {
- if(preg_match('/on[a-z]+(\s*)=/',$restsql))
- {
- if($ret)
- {
- foreach($ret as $k => $v)
- {
- $ret[$k] = 2;
- }
- }
- }else{
- if($ret)
- {
- foreach($ret as $k => $v)
- {
- if($v != 2)
- {
- $ret[$k] = 1;
- }
- }
- }
- }
- }
- return $ret;
- }
-
- public function CleanString($string, $rule = null, &$found = false)
- {
- if(is_null($rule))
- {
- $rule = 'nothml';
- }
- switch($rule)
- {
- case 'email':
- if($this->RuleCheck($string, $rule))
- {
- return $string;
- }
- return '';
- break;
- case 'nohtml':
- $found = true;
- if($string == '' || is_numeric($string))
- {
- return $string;
- }
- if(strpos($string,'<') === false)
- {
- return $string;
- }
- return strip_tags($string);
- break;
- case 'datum':
- $found = true;
- $string_ = $string;
- if(preg_match_all('/([0-9]+)\.([0-9]+)\.$/', $string, $matches))
- {
- $string_ = $matches[1][0].'.'.$matches[2][0].'.'.date('Y');
- }
- try
- {
- if($x = new DateTime($string_))
- {
- if($x->format('Y') <= 0)
- {
- return '';
- }
- return $string;
- }
- } catch (Exception $e) {
- return '';
- }
- return '';
- break;
- case 'xss_clean':
- $found = true;
- if($string == '' || is_numeric($string))
- {
- return $string;
- }
- if(strpos($string,'<') === false){
- return $string;
- }
- return $this->xss_clean($string, false);
- break;
- case 'nojs':
- $found = true;
- if($string == '' || is_numeric($string))return $string;
- if(strpos($string,'<') === false)return $string;
- if($this->htmlpurifer)
- {
- return $this->htmlpurifer->purify($string);
- }
- return $this->xss_clean($string);
- break;
- case 'id':
- $found = true;
- if((String)$string === '')
- {
- return $string;
- }
- return (int)$string;
- break;
- case 'doppelid':
- $found = true;
- if((String)$string === '')
- {
- return $string;
- }
- $stringa = explode('-', $string, 2);
- if(count($stringa) == 1)return (int)$stringa[0];
- return ($stringa[0]===''?'':(int)$stringa[0]).'-'.(int)$stringa[1];
- break;
- case 'module':
- $found = true;
- return preg_replace ($this->ruleregexps[$rule], '' , $string);
- break;
- default:
- if(isset($this->ruleregexps[$rule]))
- {
- $found = true;
- return preg_replace ($this->ruleregexps[$rule], '' , $string);
- }
- break;
- }
- return $string;
- }
-
- public function xss_clean($data, $usepurify = true)
- {
- if($usepurify && !empty($this->htmlpurifer))
- {
- return $this->htmlpurifer->purify($data);
- }
- // Fix &entity\n;
- $data = str_replace(array('&','<','>'), array('&','<','>'), $data);
- $data = preg_replace('/(*\w+)[\x00-\x20]+;/u', '$1;', $data);
- $data = preg_replace('/(*[0-9A-F]+);*/iu', '$1;', $data);
- $data = html_entity_decode($data, ENT_COMPAT, 'UTF-8');
- return $data;
- // Remove any attribute starting with "on" or xmlns
- $data = preg_replace('#(<[^>]+?[\x00-\x20"\'])(?:on|xmlns)[^>]*+>#iu', '$1>', $data);
-
- // Remove javascript: and vbscript: protocols
- $data = preg_replace('#([a-z]*)[\x00-\x20]*=[\x00-\x20]*([`\'"]*)[\x00-\x20]*j[\x00-\x20]*a[\x00-\x20]*v[\x00-\x20]*a[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2nojavascript...', $data);
- $data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*v[\x00-\x20]*b[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2novbscript...', $data);
- $data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*-moz-binding[\x00-\x20]*:#u', '$1=$2nomozbinding...', $data);
-
- // Only works in IE:
- $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?expression[\x00-\x20]*\([^>]*+>#i', '$1>', $data);
- $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?behaviour[\x00-\x20]*\([^>]*+>#i', '$1>', $data);
- $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:*[^>]*+>#iu', '$1>', $data);
-
- // Remove namespaced elements (we do not need them)
- $data = preg_replace('#*\w+:\w[^>]*+>#i', '', $data);
-
- do
- {
- // Remove really unwanted tags
- $old_data = $data;
- $data = preg_replace('#*(?:applet|b(?:ase|gsound|link)|embed|frame(?:set)?|i(?:frame|layer)|l(?:ayer|ink)|meta|object|s(?:cript|tyle)|title|xml)[^>]*+>#i', '', $data);
- }
- while ($old_data !== $data);
-
- return $data;
- }
-
- function XMLArray_clean(&$xml, $lvl = 0)
- {
- if(is_string($xml))
- {
-
- }elseif(is_array($xml))
- {
- if(count($xml) > 0)
- {
- foreach($xml as $k => $v)
- {
- if(is_string($v))
- {
- $xml[$k] = $this->CleanString($v, $this->SyntaxByElement($k,'nojs'));
- }
- if($lvl < 10)
- {
- $this->XMLArray_clean($v, $lvl + 1);
- }
- }
- }
- }elseif(is_object($xml))
- {
- if(count($xml) > 0)
- {
- foreach($xml as $k => $v)
- {
- if(count($v) > 0)
- {
- if($lvl < 10)
- {
- $this->XMLArray_clean($v, $lvl + 1);
- }
- }elseif((String)$v != '')
- {
- if(isset($xml->$k))
- {
- //$xml->$k = $this->CleanString($v, $this->SyntaxByElement($k,'nojs'));
- }
- }
- }
- }
- }
- return $xml;
- }
- }
+app = $app;
+ if(class_exists('HTMLPurifier_Config')) {
+ $this->htmlpuriferconfig = HTMLPurifier_Config::createDefault();
+ $this->htmlpuriferconfig->set('Core.Encoding', 'UTF-8');
+ $this->htmlpuriferconfig->set('Attr.AllowedFrameTargets', ['_blank']); // Allow hyperlinks with target="_blank"
+ //$this->htmlpuriferconfig->set('HTML.AllowedElements', 'h1,h2,h3,h4,h5,h6,p,a,strong,em,ol,ul,li,img,param,div,br,form,label,fieldset,input,textarea,select,option');
+ $this->htmlpurifer = new HTMLPurifier($this->htmlpuriferconfig);
+ }
+ $this->elements = array('nohtml'=> array('ust_befreit','abweichendelieferadresse','bestellungsart','bearbeiter','datum','lieferdatum','name','anrede','partner','packstation_inhaber','packstation_station','packstation_ident','packstation_plz','packstation_ort','partnerid','kennen','ihrebestellnummer'
+ ,'abteilung','unterabteilung','ansprechpartner','adresszusatz','strasse','land','bundesstaat','plz','ort','versandart','internet','transaktionsnummer','vertrieb','zahlungsweise'
+ ,'lieferabteilung','lieferunterabteilung','lieferansprechpartner','lieferadresszusatz','lieferstrasse','lieferland','lieferbundesstaat','lieferplz','lieferort'
+ ,'bank_inhaber','bank_institut','bank_blz','bank_konto'
+ ,'email','telefon','telefax','ustid','partner','projekt','herstellernummer','ean','nummer','name_de','name_ean'),
+ 'nojs' => array('anabregstext','anabregstext_en','uebersicht_de','uebersicht_en','kurztext_de','kurztext_en','internebemerkung','internebezeichnung','freitext'));
+
+ $this->rulechecks = array('digit'=>'/^[0-9]+$/'
+ ,'alpha'=>'/^[a-zA-Z]+$/'
+ ,'alphadigit'=>'/^[0-9a-zA-Z]+$/'
+ ,'username'=>'/^[0-9a-zA-Z\.\-]+$/'
+ ,'space'=>'/^[\x20]+$/'
+ ,'module'=>'/^[0-9a-zA-Z\_]$/'
+ ,'password'=>'/^[^\s\n]{1}[^\n]{5}.*$/'
+ ,'email'=>'/^[^@\s\x00-\x20]+@[^@\s\x00-\x20\.]+\.[^@\s\x00-\x20\.]+[^@\s\x00-\x20]*$/'
+ );
+
+ $this->ruleregexps = array(
+ 'digit'=>'/[^0-9]/'
+ ,'username'=>'/[^0-9a-zA-Z\.\-]/'
+ ,'alpha'=>'/[^a-zA-Z]/'
+ ,'alphadigits'=>'/[^0-9a-zA-Z]/'
+ ,'module'=>'/[^0-9a-zA-Z\_]/'
+ ,'moduleminus'=>'/[^0-9a-zA-Z\_\-]/'
+ ,'alphadigitsspecial'=>'/[^0-9a-zA-Z\_\.\(\)]/'
+ ,'base64'=>'/[^0-9a-zA-Z\=\+\-\_\/]/'
+ );
+ }
+
+ function SyntaxByElement($key, $default = '')
+ {
+ foreach($this->elements as $type => $arr) {
+ if(in_array($key, $arr)) {
+ return $type;
+ }
+ }
+ return $default;
+ }
+
+ function CleanSQLReturn($value, $columnname, $default = '')
+ {
+ if($value == '' || is_numeric($value))
+ {
+ return $value;
+ }
+ if(in_array($columnname, array('nummer','name','kundennummer','bezeichnung','bezeichnunglieferant','lieferantennummer','mitarbeiternummer','name_de','name_en',
+ 'kurzbezeichnung','abkuerzung',
+ 'strasse','plz','ort','land','ansprechpartner','abteilung','unterabteilung',
+ 'liefername','lieferstrasse','lieferplz','lieferort','lieferland','lieferansprechpartner','lieferabteilung','lieferunterabteilung'))){
+ return strip_tags($value);
+ }
+ if($default == 'xss_clean')
+ {
+ return $this->xss_clean($value, false);
+ }
+ if($this->htmlpurifer)
+ {
+ return $this->htmlpurifer->purify($value);
+ }
+ return $value;
+ }
+
+ function RuleCheck($string, $rule = null, &$found = false)
+ {
+ if(isset($this->rulechecks[$rule]))
+ {
+ $found = true;
+ return preg_match_all($this->rulechecks[$rule], $string, $dummy);
+ }
+ switch($rule)
+ {
+ case 'datum':
+ $found = true;
+
+ if(preg_match_all('/([0-9]+)\.([0-9]+)\.$/', $string, $matches))
+ {
+ $string = $matches[1][0].'.'.$matches[2][0].'.'.date('Y');
+ }
+
+ try {
+ if($x = new DateTime($string)) {
+ return $x->format('Y') > 0;
+ }
+ }
+ catch (Exception $e) {
+ return false;
+ }
+ return false;
+ break;
+ }
+ }
+
+ function CheckSQLHtml($sql)
+ {
+ $start = 0;
+ $len = strlen($sql);
+ $lvl = 0;
+ $col = 0;
+ $ret = array(0);
+ $instring = false;
+ for($i = $start; $i < $len; $i++)
+ {
+ $char = $sql[$i];
+ switch($char)
+ {
+ case "'":
+ if($instring)
+ {
+ if($sql[$i-1] != '\\')
+ {
+ $instring = false;
+ }
+ }else{
+ if($sql[$i-1] != '\\'){
+ $instring = true;
+ }
+ }
+ break;
+ case "(":
+ if($instring)
+ {
+
+ }else{
+ $lvl++;
+ }
+ break;
+ case ")":
+ if($instring)
+ {
+
+ }else{
+ $lvl--;
+ }
+ break;
+ case "<":
+ if($instring)
+ {
+ if(preg_match('/<[a-zA-Z]/',$char.$sql[$i+1]))
+ {
+ if($ret[$col] != 2)
+ {
+ $ret[$col] = 1;
+ }
+ }
+ }
+ break;
+ case ',':
+ if($instring)
+ {
+
+ }else{
+ if($lvl == 0)
+ {
+ $col++;
+ $ret[$col] = 0;
+ }
+ }
+ break;
+ case 'o':
+ case 'O':
+ if($instring)
+ {
+ if($i < $len -4)
+ {
+ if(strtolower(substr($sql, $i, 2)) == 'on')
+ {
+ if(preg_match('/^on[a-z]+(\s*)=/', substr($sql, $i)))
+ {
+ $ret[$col] = 2;
+ }
+ }
+ }
+ }
+ break;
+ case 'F':
+ case 'f':
+ if($instring)
+ {
+
+ }else{
+ if($lvl == 0)
+ {
+ if($i < $len - 4)
+ {
+ if(strtolower(substr($sql, $i, 4)) == 'from')
+ {
+ break 2;
+ }
+ }
+ }
+ }
+ break;
+ }
+ }
+ $where = strripos($sql, 'where');
+ $restsql = substr($sql, $i, $where - $i);
+ if(preg_match('/<[a-zA-Z]/', $restsql))
+ {
+ if(preg_match('/on[a-z]+(\s*)=/',$restsql))
+ {
+ if($ret)
+ {
+ foreach($ret as $k => $v)
+ {
+ $ret[$k] = 2;
+ }
+ }
+ }else{
+ if($ret)
+ {
+ foreach($ret as $k => $v)
+ {
+ if($v != 2)
+ {
+ $ret[$k] = 1;
+ }
+ }
+ }
+ }
+ }
+ return $ret;
+ }
+
+ public function CleanString($string, $rule = null, &$found = false)
+ {
+ if(is_null($rule))
+ {
+ $rule = 'nothml';
+ }
+ switch($rule)
+ {
+ case 'email':
+ if($this->RuleCheck($string, $rule))
+ {
+ return $string;
+ }
+ return '';
+ break;
+ case 'nohtml':
+ $found = true;
+ if($string == '' || is_numeric($string))
+ {
+ return $string;
+ }
+ if(strpos($string,'<') === false)
+ {
+ return $string;
+ }
+ return strip_tags($string);
+ break;
+ case 'datum':
+ $found = true;
+ $string_ = $string;
+ if(preg_match_all('/([0-9]+)\.([0-9]+)\.$/', $string, $matches))
+ {
+ $string_ = $matches[1][0].'.'.$matches[2][0].'.'.date('Y');
+ }
+ try
+ {
+ if($x = new DateTime($string_))
+ {
+ if($x->format('Y') <= 0)
+ {
+ return '';
+ }
+ return $string;
+ }
+ } catch (Exception $e) {
+ return '';
+ }
+ return '';
+ break;
+ case 'xss_clean':
+ $found = true;
+ if($string == '' || is_numeric($string))
+ {
+ return $string;
+ }
+ if(strpos($string,'<') === false){
+ return $string;
+ }
+ return $this->xss_clean($string, false);
+ break;
+ case 'nojs':
+ $found = true;
+ if($string == '' || is_numeric($string))return $string;
+ if(strpos($string,'<') === false)return $string;
+ if($this->htmlpurifer)
+ {
+ return $this->htmlpurifer->purify($string);
+ }
+ return $this->xss_clean($string);
+ break;
+ case 'id':
+ $found = true;
+ if((String)$string === '')
+ {
+ return $string;
+ }
+ return (int)$string;
+ break;
+ case 'doppelid':
+ $found = true;
+ if((String)$string === '')
+ {
+ return $string;
+ }
+ $stringa = explode('-', $string, 2);
+ if(count($stringa) == 1)return (int)$stringa[0];
+ return ($stringa[0]===''?'':(int)$stringa[0]).'-'.(int)$stringa[1];
+ break;
+ case 'module':
+ $found = true;
+ return preg_replace ($this->ruleregexps[$rule], '' , $string);
+ break;
+ default:
+ if(isset($this->ruleregexps[$rule]))
+ {
+ $found = true;
+ return preg_replace ($this->ruleregexps[$rule], '' , $string);
+ }
+ break;
+ }
+ return $string;
+ }
+
+ public function xss_clean($data, $usepurify = true)
+ {
+ if($usepurify && !empty($this->htmlpurifer))
+ {
+ return $this->htmlpurifer->purify($data);
+ }
+ // Fix &entity\n;
+ $data = str_replace(array('&','<','>'), array('&','<','>'), $data);
+ $data = preg_replace('/(*\w+)[\x00-\x20]+;/u', '$1;', $data);
+ $data = preg_replace('/(*[0-9A-F]+);*/iu', '$1;', $data);
+ $data = html_entity_decode($data, ENT_COMPAT, 'UTF-8');
+ return $data;
+ // Remove any attribute starting with "on" or xmlns
+ $data = preg_replace('#(<[^>]+?[\x00-\x20"\'])(?:on|xmlns)[^>]*+>#iu', '$1>', $data);
+
+ // Remove javascript: and vbscript: protocols
+ $data = preg_replace('#([a-z]*)[\x00-\x20]*=[\x00-\x20]*([`\'"]*)[\x00-\x20]*j[\x00-\x20]*a[\x00-\x20]*v[\x00-\x20]*a[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2nojavascript...', $data);
+ $data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*v[\x00-\x20]*b[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2novbscript...', $data);
+ $data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*-moz-binding[\x00-\x20]*:#u', '$1=$2nomozbinding...', $data);
+
+ // Only works in IE:
+ $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?expression[\x00-\x20]*\([^>]*+>#i', '$1>', $data);
+ $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?behaviour[\x00-\x20]*\([^>]*+>#i', '$1>', $data);
+ $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:*[^>]*+>#iu', '$1>', $data);
+
+ // Remove namespaced elements (we do not need them)
+ $data = preg_replace('#*\w+:\w[^>]*+>#i', '', $data);
+
+ do
+ {
+ // Remove really unwanted tags
+ $old_data = $data;
+ $data = preg_replace('#*(?:applet|b(?:ase|gsound|link)|embed|frame(?:set)?|i(?:frame|layer)|l(?:ayer|ink)|meta|object|s(?:cript|tyle)|title|xml)[^>]*+>#i', '', $data);
+ }
+ while ($old_data !== $data);
+
+ return $data;
+ }
+
+ function XMLArray_clean(&$xml, $lvl = 0)
+ {
+ if(is_string($xml))
+ {
+
+ }elseif(is_array($xml))
+ {
+ if(count($xml) > 0)
+ {
+ foreach($xml as $k => $v)
+ {
+ if(is_string($v))
+ {
+ $xml[$k] = $this->CleanString($v, $this->SyntaxByElement($k,'nojs'));
+ }
+ if($lvl < 10)
+ {
+ $this->XMLArray_clean($v, $lvl + 1);
+ }
+ }
+ }
+ }elseif(is_object($xml))
+ {
+ $xml = (array) $xml;
+ if(count($xml) > 0)
+ {
+ foreach($xml as $k => $v)
+ {
+ $v = (array) $v;
+ if(count($v) > 0)
+ {
+ if($lvl < 10)
+ {
+ $this->XMLArray_clean($v, $lvl + 1);
+ }
+ }elseif((String)$v != '')
+ {
+ if(isset($xml->$k))
+ {
+ //$xml->$k = $this->CleanString($v, $this->SyntaxByElement($k,'nojs'));
+ }
+ }
+ }
+ }
+ }
+ return $xml;
+ }
+ }