search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Fix checkRpItemsPosition
[ryzomcore.git] / web / public_php / webtt / cake / libs / sanitize.php
blob3878ac512f84d49b059bf23c7b2a66c67c533b9a
1 <?php
2 /**
3 * Washes strings from unwanted noise.
4 *
5 * Helpful methods to make unsafe strings usable.
6 *
7 * PHP versions 4 and 5
8 *
9 * CakePHP(tm) : Rapid Development Framework (http://cakephp.org)
10 * Copyright 2005-2010, Cake Software Foundation, Inc. (http://cakefoundation.org)
11 *
12 * Licensed under The MIT License
13 * Redistributions of files must retain the above copyright notice.
14 *
15 * @copyright Copyright 2005-2010, Cake Software Foundation, Inc. (http://cakefoundation.org)
16 * @link http://cakephp.org CakePHP(tm) Project
17 * @package cake
18 * @subpackage cake.cake.libs
19 * @since CakePHP(tm) v 0.10.0.1076
20 * @license MIT License (http://www.opensource.org/licenses/mit-license.php)
21 */
22
23 /**
24 * Data Sanitization.
25 *
26 * Removal of alpahnumeric characters, SQL-safe slash-added strings, HTML-friendly strings,
27 * and all of the above on arrays.
28 *
29 * @package cake
30 * @subpackage cake.cake.libs
31 */
32 class Sanitize {
33
34 /**
35 * Removes any non-alphanumeric characters.
36 *
37 * @param string $string String to sanitize
38 * @param array $allowed An array of additional characters that are not to be removed.
39 * @return string Sanitized string
40 * @access public
41 * @static
42 */
43 function paranoid($string, $allowed = array()) {
44 $allow = null;
45 if (!empty($allowed)) {
46 foreach ($allowed as $value) {
47 $allow .= "\\$value";
48 }
49 }
50
51 if (is_array($string)) {
52 $cleaned = array();
53 foreach ($string as $key => $clean) {
54 $cleaned[$key] = preg_replace("/[^{$allow}a-zA-Z0-9]/", '', $clean);
55 }
56 } else {
57 $cleaned = preg_replace("/[^{$allow}a-zA-Z0-9]/", '', $string);
58 }
59 return $cleaned;
60 }
61
62 /**
63 * Makes a string SQL-safe.
64 *
65 * @param string $string String to sanitize
66 * @param string $connection Database connection being used
67 * @return string SQL safe string
68 * @access public
69 * @static
70 */
71 function escape($string, $connection = 'default') {
72 $db =& ConnectionManager::getDataSource($connection);
73 if (is_numeric($string) || $string === null || is_bool($string)) {
74 return $string;
75 }
76 $string = substr($db->value($string), 1);
77 $string = substr($string, 0, -1);
78 return $string;
79 }
80
81 /**
82 * Returns given string safe for display as HTML. Renders entities.
83 *
84 * strip_tags() does not validating HTML syntax or structure, so it might strip whole passages
85 * with broken HTML.
86 *
87 * ### Options:
88 *
89 * - remove (boolean) if true strips all HTML tags before encoding
90 * - charset (string) the charset used to encode the string
91 * - quotes (int) see http://php.net/manual/en/function.htmlentities.php
92 *
93 * @param string $string String from where to strip tags
94 * @param array $options Array of options to use.
95 * @return string Sanitized string
96 * @access public
97 * @static
98 */
99 function html($string, $options = array()) {
100 static $defaultCharset = false;
101 if ($defaultCharset === false) {
102 $defaultCharset = Configure::read('App.encoding');
103 if ($defaultCharset === null) {
104 $defaultCharset = 'UTF-8';
105 }
106 }
107 $default = array(
108 'remove' => false,
109 'charset' => $defaultCharset,
110 'quotes' => ENT_QUOTES
111 );
112
113 $options = array_merge($default, $options);
114
115 if ($options['remove']) {
116 $string = strip_tags($string);
117 }
118
119 return htmlentities($string, $options['quotes'], $options['charset']);
120 }
121
122 /**
123 * Strips extra whitespace from output
124 *
125 * @param string $str String to sanitize
126 * @return string whitespace sanitized string
127 * @access public
128 * @static
129 */
130 function stripWhitespace($str) {
131 $r = preg_replace('/[\n\r\t]+/', '', $str);
132 return preg_replace('/\s{2,}/', ' ', $r);
133 }
134
135 /**
136 * Strips image tags from output
137 *
138 * @param string $str String to sanitize
139 * @return string Sting with images stripped.
140 * @access public
141 * @static
142 */
143 function stripImages($str) {
144 $str = preg_replace('/(<a[^>]*>)(<img[^>]+alt=")([^"]*)("[^>]*>)(<\/a>)/i', '$1$3$5<br />', $str);
145 $str = preg_replace('/(<img[^>]+alt=")([^"]*)("[^>]*>)/i', '$2<br />', $str);
146 $str = preg_replace('/<img[^>]*>/i', '', $str);
147 return $str;
148 }
149
150 /**
151 * Strips scripts and stylesheets from output
152 *
153 * @param string $str String to sanitize
154 * @return string String with <script>, <style>, <link> elements removed.
155 * @access public
156 * @static
157 */
158 function stripScripts($str) {
159 return preg_replace('/(<link[^>]+rel="[^"]*stylesheet"[^>]*>|<img[^>]*>|style="[^"]*")|<script[^>]*>.*?<\/script>|<style[^>]*>.*?<\/style>|<!--.*?-->/is', '', $str);
160 }
161
162 /**
163 * Strips extra whitespace, images, scripts and stylesheets from output
164 *
165 * @param string $str String to sanitize
166 * @return string sanitized string
167 * @access public
168 */
169 function stripAll($str) {
170 $str = Sanitize::stripWhitespace($str);
171 $str = Sanitize::stripImages($str);
172 $str = Sanitize::stripScripts($str);
173 return $str;
174 }
175
176 /**
177 * Strips the specified tags from output. First parameter is string from
178 * where to remove tags. All subsequent parameters are tags.
179 *
180 * Ex.`$clean = Sanitize::stripTags($dirty, 'b', 'p', 'div');`
181 *
182 * Will remove all `<b>`, `<p>`, and `<div>` tags from the $dirty string.
183 *
184 * @param string $str String to sanitize
185 * @param string $tag Tag to remove (add more parameters as needed)
186 * @return string sanitized String
187 * @access public
188 * @static
189 */
190 function stripTags() {
191 $params = params(func_get_args());
192 $str = $params[0];
193
194 for ($i = 1, $count = count($params); $i < $count; $i++) {
195 $str = preg_replace('/<' . $params[$i] . '\b[^>]*>/i', '', $str);
196 $str = preg_replace('/<\/' . $params[$i] . '[^>]*>/i', '', $str);
197 }
198 return $str;
199 }
200
201 /**
202 * Sanitizes given array or value for safe input. Use the options to specify
203 * the connection to use, and what filters should be applied (with a boolean
204 * value). Valid filters:
205 *
206 * - odd_spaces - removes any non space whitespace characters
207 * - encode - Encode any html entities. Encode must be true for the `remove_html` to work.
208 * - dollar - Escape `$` with `\$`
209 * - carriage - Remove `\r`
210 * - unicode -
211 * - escape - Should the string be SQL escaped.
212 * - backslash -
213 * - remove_html - Strip HTML with strip_tags. `encode` must be true for this option to work.
214 *
215 * @param mixed $data Data to sanitize
216 * @param mixed $options If string, DB connection being used, otherwise set of options
217 * @return mixed Sanitized data
218 * @access public
219 * @static
220 */
221 function clean($data, $options = array()) {
222 if (empty($data)) {
223 return $data;
224 }
225
226 if (is_string($options)) {
227 $options = array('connection' => $options);
228 } else if (!is_array($options)) {
229 $options = array();
230 }
231
232 $options = array_merge(array(
233 'connection' => 'default',
234 'odd_spaces' => true,
235 'remove_html' => false,
236 'encode' => true,
237 'dollar' => true,
238 'carriage' => true,
239 'unicode' => true,
240 'escape' => true,
241 'backslash' => true
242 ), $options);
243
244 if (is_array($data)) {
245 foreach ($data as $key => $val) {
246 $data[$key] = Sanitize::clean($val, $options);
247 }
248 return $data;
249 } else {
250 if ($options['odd_spaces']) {
251 $data = str_replace(chr(0xCA), '', str_replace(' ', ' ', $data));
252 }
253 if ($options['encode']) {
254 $data = Sanitize::html($data, array('remove' => $options['remove_html']));
255 }
256 if ($options['dollar']) {
257 $data = str_replace("\\\$", "$", $data);
258 }
259 if ($options['carriage']) {
260 $data = str_replace("\r", "", $data);
261 }
262
263 $data = str_replace("'", "'", str_replace("!", "!", $data));
264
265 if ($options['unicode']) {
266 $data = preg_replace("/&amp;#([0-9]+);/s", "&#\\1;", $data);
267 }
268 if ($options['escape']) {
269 $data = Sanitize::escape($data, $options['connection']);
270 }
271 if ($options['backslash']) {
272 $data = preg_replace("/\\\(?!&amp;#|\?#)/", "\\", $data);
273 }
274 return $data;
275 }
276 }
277
278 /**
279 * Formats column data from definition in DBO's $columns array
280 *
281 * @param Model $model The model containing the data to be formatted
282 * @access public
283 * @static
284 */
285 function formatColumns(&$model) {
286 foreach ($model->data as $name => $values) {
287 if ($name == $model->alias) {
288 $curModel =& $model;
289 } elseif (isset($model->{$name}) && is_object($model->{$name}) && is_subclass_of($model->{$name}, 'Model')) {
290 $curModel =& $model->{$name};
291 } else {
292 $curModel = null;
293 }
294
295 if ($curModel != null) {
296 foreach ($values as $column => $data) {
297 $colType = $curModel->getColumnType($column);
298
299 if ($colType != null) {
300 $db =& ConnectionManager::getDataSource($curModel->useDbConfig);
301 $colData = $db->columns[$colType];
302
303 if (isset($colData['limit']) && strlen(strval($data)) > $colData['limit']) {
304 $data = substr(strval($data), 0, $colData['limit']);
305 }
306
307 if (isset($colData['formatter']) || isset($colData['format'])) {
308
309 switch (strtolower($colData['formatter'])) {
310 case 'date':
311 $data = date($colData['format'], strtotime($data));
312 break;
313 case 'sprintf':
314 $data = sprintf($colData['format'], $data);
315 break;
316 case 'intval':
317 $data = intval($data);
318 break;
319 case 'floatval':
320 $data = floatval($data);
321 break;
322 }
323 }
324 $model->data[$name][$column]=$data;
325 /*
326 switch ($colType) {
327 case 'integer':
328 case 'int':
329 return $data;
330 break;
331 case 'string':
332 case 'text':
333 case 'binary':
334 case 'date':
335 case 'time':
336 case 'datetime':
337 case 'timestamp':
338 case 'date':
339 return "'" . $data . "'";
340 break;
341 }
342 */
343 }
344 }
345 }
346 }
347 }
348 }