2 /* vim: set expandtab sw=4 ts=4 sts=4: */
4 * This is in a separate script because it's called from a number of scripts
11 * Sanitizes $message, taking into account our special codes
14 * If you want to include result in element attribute, you should escape it.
18 * <p><?php echo PMA_sanitize($foo); ?></p>
20 * <a title="<?php echo PMA_sanitize($foo, true); ?>">bar</a>
22 * @uses preg_replace()
24 * @param string the message
25 * @param boolean whether to escape html in result
27 * @return string the sanitized message
31 function PMA_sanitize($message, $escape = false)
33 $replace_pairs = array(
36 '[i]' => '<em>', // deprecated by em
37 '[/i]' => '</em>', // deprecated by em
40 '[b]' => '<strong>', // deprecated by strong
41 '[/b]' => '</strong>', // deprecated by strong
42 '[strong]' => '<strong>',
43 '[/strong]' => '</strong>',
44 '[tt]' => '<code>', // deprecated by CODE or KBD
45 '[/tt]' => '</code>', // deprecated by CODE or KBD
47 '[/code]' => '</code>',
55 $message = strtr($message, $replace_pairs);
57 $pattern = '/\[a@([^"@]*)@([^]"]*)\]/';
59 if (preg_match_all($pattern, $message, $founds, PREG_SET_ORDER
)) {
61 'http', // default http:// links (and https://)
62 './Do', // ./Documentation
65 foreach ($founds as $found) {
66 // only http... and ./Do... allowed
67 if (! in_array(substr($found[1], 0, 4), $valid_links)) {
70 // a-z and _ allowed in target
71 if (! empty($found[2]) && preg_match('/[^a-z_]+/i', $found[2])) {
76 $message = preg_replace($pattern, '<a href="\1" target="\2">', $message);
80 $message = htmlspecialchars($message);