app = $app; if(class_exists('HTMLPurifier_Config')) { $this->htmlpuriferconfig = HTMLPurifier_Config::createDefault(); $this->htmlpuriferconfig->set('Core.Encoding', 'UTF-8'); $this->htmlpuriferconfig->set('Attr.AllowedFrameTargets', ['_blank']); // Allow hyperlinks with target="_blank" //$this->htmlpuriferconfig->set('HTML.AllowedElements', 'h1,h2,h3,h4,h5,h6,p,a,strong,em,ol,ul,li,img,param,div,br,form,label,fieldset,input,textarea,select,option'); $this->htmlpurifer = new HTMLPurifier($this->htmlpuriferconfig); } $this->elements = array('nohtml'=> array('ust_befreit','abweichendelieferadresse','bestellungsart','bearbeiter','datum','lieferdatum','name','anrede','partner','packstation_inhaber','packstation_station','packstation_ident','packstation_plz','packstation_ort','partnerid','kennen','ihrebestellnummer' ,'abteilung','unterabteilung','ansprechpartner','adresszusatz','strasse','land','bundesstaat','plz','ort','versandart','internet','transaktionsnummer','vertrieb','zahlungsweise' ,'lieferabteilung','lieferunterabteilung','lieferansprechpartner','lieferadresszusatz','lieferstrasse','lieferland','lieferbundesstaat','lieferplz','lieferort' ,'bank_inhaber','bank_institut','bank_blz','bank_konto' ,'email','telefon','telefax','ustid','partner','projekt','herstellernummer','ean','nummer','name_de','name_ean'), 'nojs' => array('anabregstext','anabregstext_en','uebersicht_de','uebersicht_en','kurztext_de','kurztext_en','internebemerkung','internebezeichnung','freitext')); $this->rulechecks = array('digit'=>'/^[0-9]+$/' ,'alpha'=>'/^[a-zA-Z]+$/' ,'alphadigit'=>'/^[0-9a-zA-Z]+$/' ,'username'=>'/^[0-9a-zA-Z\.\-]+$/' ,'space'=>'/^[\x20]+$/' ,'module'=>'/^[0-9a-zA-Z\_]$/' ,'password'=>'/^[^\s\n]{1}[^\n]{5}.*$/' ,'email'=>'/^[^@\s\x00-\x20]+@[^@\s\x00-\x20\.]+\.[^@\s\x00-\x20\.]+[^@\s\x00-\x20]*$/' ); $this->ruleregexps = array( 'digit'=>'/[^0-9]/' ,'username'=>'/[^0-9a-zA-Z\.\-]/' ,'alpha'=>'/[^a-zA-Z]/' ,'alphadigits'=>'/[^0-9a-zA-Z]/' ,'module'=>'/[^0-9a-zA-Z\_]/' ,'moduleminus'=>'/[^0-9a-zA-Z\_\-]/' ,'alphadigitsspecial'=>'/[^0-9a-zA-Z\_\.\(\)]/' ,'base64'=>'/[^0-9a-zA-Z\=\+\-\_\/]/' ); } function SyntaxByElement($key, $default = '') { foreach($this->elements as $type => $arr) { if(in_array($key, $arr)) { return $type; } } return $default; } function CleanSQLReturn($value, $columnname, $default = '') { if($value == '' || is_numeric($value)) { return $value; } if(in_array($columnname, array('nummer','name','kundennummer','bezeichnung','bezeichnunglieferant','lieferantennummer','mitarbeiternummer','name_de','name_en', 'kurzbezeichnung','abkuerzung', 'strasse','plz','ort','land','ansprechpartner','abteilung','unterabteilung', 'liefername','lieferstrasse','lieferplz','lieferort','lieferland','lieferansprechpartner','lieferabteilung','lieferunterabteilung'))){ return strip_tags($value); } if($default == 'xss_clean') { return $this->xss_clean($value, false); } if($this->htmlpurifer) { return $this->htmlpurifer->purify($value); } return $value; } function RuleCheck($string, $rule = null, &$found = false) { if(isset($this->rulechecks[$rule])) { $found = true; return preg_match_all($this->rulechecks[$rule], $string, $dummy); } switch($rule) { case 'datum': $found = true; if(preg_match_all('/([0-9]+)\.([0-9]+)\.$/', $string, $matches)) { $string = $matches[1][0].'.'.$matches[2][0].'.'.date('Y'); } try { if($x = new DateTime($string)) { return $x->format('Y') > 0; } } catch (Exception $e) { return false; } return false; break; } } function CheckSQLHtml($sql) { $start = 0; $len = strlen($sql); $lvl = 0; $col = 0; $ret = array(0); $instring = false; for($i = $start; $i < $len; $i++) { $char = $sql[$i]; switch($char) { case "'": if($instring) { if($sql[$i-1] != '\\') { $instring = false; } }else{ if($sql[$i-1] != '\\'){ $instring = true; } } break; case "(": if($instring) { }else{ $lvl++; } break; case ")": if($instring) { }else{ $lvl--; } break; case "<": if($instring) { if(preg_match('/<[a-zA-Z]/',$char.$sql[$i+1])) { if($ret[$col] != 2) { $ret[$col] = 1; } } } break; case ',': if($instring) { }else{ if($lvl == 0) { $col++; $ret[$col] = 0; } } break; case 'o': case 'O': if($instring) { if($i < $len -4) { if(strtolower(substr($sql, $i, 2)) == 'on') { if(preg_match('/^on[a-z]+(\s*)=/', substr($sql, $i))) { $ret[$col] = 2; } } } } break; case 'F': case 'f': if($instring) { }else{ if($lvl == 0) { if($i < $len - 4) { if(strtolower(substr($sql, $i, 4)) == 'from') { break 2; } } } } break; } } $where = strripos($sql, 'where'); $restsql = substr($sql, $i, $where - $i); if(preg_match('/<[a-zA-Z]/', $restsql)) { if(preg_match('/on[a-z]+(\s*)=/',$restsql)) { if($ret) { foreach($ret as $k => $v) { $ret[$k] = 2; } } }else{ if($ret) { foreach($ret as $k => $v) { if($v != 2) { $ret[$k] = 1; } } } } } return $ret; } public function CleanString($string, $rule = null, &$found = false) { if(is_null($rule)) { $rule = 'nothml'; } switch($rule) { case 'email': if($this->RuleCheck($string, $rule)) { return $string; } return ''; break; case 'nohtml': $found = true; if($string == '' || is_numeric($string)) { return $string; } if(strpos($string,'<') === false) { return $string; } return strip_tags($string); break; case 'datum': $found = true; $string_ = $string; if(preg_match_all('/([0-9]+)\.([0-9]+)\.$/', $string, $matches)) { $string_ = $matches[1][0].'.'.$matches[2][0].'.'.date('Y'); } try { if($x = new DateTime($string_)) { if($x->format('Y') <= 0) { return ''; } return $string; } } catch (Exception $e) { return ''; } return ''; break; case 'xss_clean': $found = true; if($string == '' || is_numeric($string)) { return $string; } if(strpos($string,'<') === false){ return $string; } return $this->xss_clean($string, false); break; case 'nojs': $found = true; if($string == '' || is_numeric($string))return $string; if(strpos($string,'<') === false)return $string; if($this->htmlpurifer) { return $this->htmlpurifer->purify($string); } return $this->xss_clean($string); break; case 'id': $found = true; if((String)$string === '') { return $string; } return (int)$string; break; case 'doppelid': $found = true; if((String)$string === '') { return $string; } $stringa = explode('-', $string, 2); if(count($stringa) == 1)return (int)$stringa[0]; return ($stringa[0]===''?'':(int)$stringa[0]).'-'.(int)$stringa[1]; break; case 'module': $found = true; return preg_replace ($this->ruleregexps[$rule], '' , $string); break; default: if(isset($this->ruleregexps[$rule])) { $found = true; return preg_replace ($this->ruleregexps[$rule], '' , $string); } break; } return $string; } public function xss_clean($data, $usepurify = true) { if($usepurify && !empty($this->htmlpurifer)) { return $this->htmlpurifer->purify($data); } // Fix &entity\n; $data = str_replace(array('&','<','>'), array('&amp;','&lt;','&gt;'), $data); $data = preg_replace('/(&#*\w+)[\x00-\x20]+;/u', '$1;', $data); $data = preg_replace('/(&#x*[0-9A-F]+);*/iu', '$1;', $data); $data = html_entity_decode($data, ENT_COMPAT, 'UTF-8'); return $data; // Remove any attribute starting with "on" or xmlns $data = preg_replace('#(<[^>]+?[\x00-\x20"\'])(?:on|xmlns)[^>]*+>#iu', '$1>', $data); // Remove javascript: and vbscript: protocols $data = preg_replace('#([a-z]*)[\x00-\x20]*=[\x00-\x20]*([`\'"]*)[\x00-\x20]*j[\x00-\x20]*a[\x00-\x20]*v[\x00-\x20]*a[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2nojavascript...', $data); $data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*v[\x00-\x20]*b[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2novbscript...', $data); $data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*-moz-binding[\x00-\x20]*:#u', '$1=$2nomozbinding...', $data); // Only works in IE: $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?expression[\x00-\x20]*\([^>]*+>#i', '$1>', $data); $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?behaviour[\x00-\x20]*\([^>]*+>#i', '$1>', $data); $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:*[^>]*+>#iu', '$1>', $data); // Remove namespaced elements (we do not need them) $data = preg_replace('#]*+>#i', '', $data); do { // Remove really unwanted tags $old_data = $data; $data = preg_replace('#]*+>#i', '', $data); } while ($old_data !== $data); return $data; } function XMLArray_clean(&$xml, $lvl = 0) { if(is_string($xml)) { }elseif(is_array($xml)) { if(count($xml) > 0) { foreach($xml as $k => $v) { if(is_string($v)) { $xml[$k] = $this->CleanString($v, $this->SyntaxByElement($k,'nojs')); } if($lvl < 10) { $this->XMLArray_clean($v, $lvl + 1); } } } }elseif(is_object($xml)) { $xml = (array) $xml; if(count($xml) > 0) { foreach($xml as $k => $v) { $v = (array) $v; if(count($v) > 0) { if($lvl < 10) { $this->XMLArray_clean($v, $lvl + 1); } }elseif((String)$v != '') { if(isset($xml->$k)) { //$xml->$k = $this->CleanString($v, $this->SyntaxByElement($k,'nojs')); } } } } } return $xml; } }