libraries/sanitizing.lib.php

   1 <?php
   2 /* vim: set expandtab sw=4 ts=4 sts=4: */
   3 /**
   4  *
   5  * @version $Id$
   6  */
   7
   8 /**
   9  * Sanitizes $message, taking into account our special codes
  10  * for formatting.
  11  *
  12  * If you want to include result in element attribute, you should escape it.
  13  *
  14  * Examples:
  15  *
  16  * <p><?php echo PMA_sanitize($foo); ?></p>
  17  *
  18  * <a title="<?php echo PMA_sanitize($foo, true); ?>">bar</a>
  19  *
  20  * @uses    preg_replace()
  21  * @uses    strtr()
  22  * @param   string   the message
  23  * @param   boolean  whether to escape html in result
  24  *
  25  * @return  string   the sanitized message
  26  *
  27  * @access  public
  28  */
  29 function PMA_sanitize($message, $escape = false)
  30 {
  31     $replace_pairs = array(
  32         '<'         => '&lt;',
  33         '>'         => '&gt;',
  34         '[i]'       => '<em>',      // deprecated by em
  35         '[/i]'      => '</em>',     // deprecated by em
  36         '[em]'      => '<em>',
  37         '[/em]'     => '</em>',
  38         '[b]'       => '<strong>',  // deprecated by strong
  39         '[/b]'      => '</strong>', // deprecated by strong
  40         '[strong]'  => '<strong>',
  41         '[/strong]' => '</strong>',
  42         '[tt]'      => '<code>',    // deprecated by CODE or KBD
  43         '[/tt]'     => '</code>',   // deprecated by CODE or KBD
  44         '[code]'    => '<code>',
  45         '[/code]'   => '</code>',
  46         '[kbd]'     => '<kbd>',
  47         '[/kbd]'    => '</kbd>',
  48         '[br]'      => '<br />',
  49         '[/a]'      => '</a>',
  50         '[sup]'      => '<sup>',
  51         '[/sup]'      => '</sup>',
  52     );
  53     $message = strtr($message, $replace_pairs);
  54
  55     $pattern = '/\[a@([^"@]*)@([^]"]*)\]/';
  56
  57     if (preg_match_all($pattern, $message, $founds, PREG_SET_ORDER)) {
  58         $valid_links = array(
  59             'http',  // default http:// links (and https://)
  60             './Do',  // ./Documentation
  61         );
  62
  63         foreach ($founds as $found) {
  64             // only http... and ./Do... allowed
  65             if (! in_array(substr($found[1], 0, 4), $valid_links)) {
  66                 return $message;
  67             }
  68             // a-z and _ allowed in target
  69             if (! empty($found[2]) && preg_match('/[^a-z_]+/i', $found[2])) {
  70                 return $message;
  71             }
  72         }
  73
  74         $message = preg_replace($pattern, '<a href="\1" target="\2">', $message);
  75     }
  76
  77     if ($escape) {
  78         $message = htmlspecialchars($message);
  79     }
  80
  81     return $message;
  82 }
  83 ?>