<?php
/**
 * Washes strings from unwanted noise.
 *
 * Helpful methods to make unsafe strings usable.
 *
 * This is CakePHP's sanitize class updated to PHP5 syntax for Vork
 *
 * CakePHP(tm) : Rapid Development Framework (http://cakephp.org)
 * Copyright 2005-2010, Cake Software Foundation, Inc. (http://cakefoundation.org)
 *
 * Licensed under The MIT License
 * Redistributions of files must retain the above copyright notice.
 *
 * @copyright Copyright 2005-2010, Cake Software Foundation, Inc. (http://cakefoundation.org)
 * @link http://cakephp.org CakePHP(tm) Project
 * @package cake
 * @subpackage cake.cake.libs
 * @since CakePHP(tm) v 0.10.0.1076
 * @license MIT License (http://www.opensource.org/licenses/mit-license.php)
 */
/**
 * Data Sanitization.
 *
 * Removal of non-alphanumeric characters, SQL-safe slash-added strings, HTML-friendly strings,
 * and all of the above on arrays.
 *
 * @package cake
 * @subpackage cake.cake.libs
 */
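class sanitizeComponent {
    /**
     * Removes any non-alphanumeric characters.
     *
     * Everything outside [a-zA-Z0-9] is dropped, except the characters listed in
     * $allowed. Each allowed entry is passed through preg_quote() so that regex
     * metacharacters (']', '^', '\', '-', '/') cannot break the character class
     * or turn into an unintended escape such as "\b". Arrays are cleaned element
     * by element (recursively) with keys preserved.
     *
     * @param string|array $string String (or array of strings) to sanitize
     * @param array|string $allowed Additional characters that are not to be removed.
     * @return string|array Sanitized string, or array of sanitized strings
     */
    public static function paranoid($string, $allowed = array()) {
        $allow = '';
        foreach ((array) $allowed as $extra) {
            $allow .= preg_quote((string) $extra, '/');
        }
        $pattern = "/[^{$allow}a-zA-Z0-9]/";

        if (is_array($string)) {
            $cleaned = array();
            foreach ($string as $key => $item) {
                $cleaned[$key] = self::paranoid($item, $allowed);
            }
            return $cleaned;
        }
        return preg_replace($pattern, '', $string);
    }

    /**
     * Makes a string SQL-safe.
     *
     * Numeric, null and boolean values are returned unchanged. Otherwise the
     * value is handed to the configured connection's cleanString() (config::$db).
     * When no usable connection is available, or cleanString() throws, the method
     * falls back to backslash-escaping '\' and "'".
     *
     * NOTE(review): the fallback is a plain byte substitution and is not
     * charset-aware; it is no substitute for parameterised queries (prepared
     * statements), which should be used for any SQL built from untrusted input.
     *
     * @param mixed $string String to sanitize
     * @return mixed SQL safe string (numeric/null/bool input is returned as-is)
     */
    public static function escape($string) {
        if (is_numeric($string) || $string === null || is_bool($string)) {
            return $string;
        }

        // A missing class or an unset connection raises Error (not Exception) on
        // PHP 7+, which a catch (Exception) would not see; guard explicitly.
        $connection = (class_exists('config') && isset(config::$db)) ? config::$db : null;
        if (is_object($connection) && method_exists($connection, 'cleanString')) {
            try {
                return $connection->cleanString($string);
            } catch (Exception $e) {
                // Driver-level failure: fall through to the manual escaping below.
            }
        }

        return str_replace(
            array('\\', "'"),
            array('\\\\', "\\'"),
            $string
        );
    }

    /**
     * Returns given string safe for display as HTML. Renders entities.
     *
     * strip_tags() does not validate HTML syntax or structure, so it might strip
     * whole passages with broken HTML.
     *
     * ### Options:
     *
     * - remove (boolean) if true strips all HTML tags before encoding
     * - charset (string) the charset used to encode the string
     * - quotes (int) see http://php.net/manual/en/function.htmlentities.php
     *
     * @param string $string String from where to strip tags
     * @param array $options Array of options to use.
     * @return string Sanitized string
     */
    public static function html($string, $options = array()) {
        $default = array(
            'remove' => false,
            'charset' => 'UTF-8',
            'quotes' => ENT_QUOTES
        );
        $options = array_merge($default, (array) $options);

        // strip_tags()/htmlentities() deprecate null input since PHP 8.1; treat it as ''.
        $string = $string ?? '';

        if ($options['remove']) {
            $string = strip_tags($string);
        }

        // ENT_SUBSTITUTE replaces invalid code unit sequences with U+FFFD instead of
        // returning an empty string, which would silently discard the whole value.
        return htmlentities($string, $options['quotes'] | ENT_SUBSTITUTE, $options['charset']);
    }

    /**
     * Strips extra whitespace from output
     *
     * Line breaks and tabs are removed outright (not turned into spaces); any
     * remaining run of two or more whitespace characters collapses to one space.
     *
     * @param string $str String to sanitize
     * @return string whitespace sanitized string
     */
    public static function stripWhitespace($str) {
        $withoutBreaks = preg_replace('/[\n\r\t]+/', '', $str);
        return preg_replace('/\s{2,}/', ' ', $withoutBreaks);
    }

    /**
     * Strips image tags from output
     *
     * An <img> wrapped in a link, or a bare <img> with an alt attribute, is
     * replaced by its alt text followed by <br />; any other <img> is removed.
     * Regex-based: this is a cosmetic cleanup, not a defence for untrusted markup
     * (use html() to encode untrusted content).
     *
     * @param string $str String to sanitize
     * @return string String with images stripped.
     */
    public static function stripImages($str) {
        $str = preg_replace('/(<a[^>]*>)(<img[^>]+alt=")([^"]*)("[^>]*>)(<\/a>)/i', '$1$3$5<br />', $str);
        $str = preg_replace('/(<img[^>]+alt=")([^"]*)("[^>]*>)/i', '$2<br />', $str);
        $str = preg_replace('/<img[^>]*>/i', '', $str);
        return $str;
    }

    /**
     * Strips scripts and stylesheets from output
     *
     * Also removes <img> elements, double-quoted style="" attributes and HTML
     * comments. Regex-based and limited to the attribute forms in the pattern
     * (e.g. event-handler attributes and single-quoted attributes are left in
     * place), so it is not an XSS boundary for untrusted markup; encode such
     * content with html() instead.
     *
     * @param string $str String to sanitize
     * @return string String with <script>, <style>, <link> elements removed.
     */
    public static function stripScripts($str) {
        return preg_replace('/(<link[^>]+rel="[^"]*stylesheet"[^>]*>' .
            '|<img[^>]*>|style="[^"]*")' .
            '|<script[^>]*>.*?<\/script>' .
            '|<style[^>]*>.*?<\/style>|<!--.*?-->/is', '', $str);
    }

    /**
     * Strips extra whitespace, images, scripts and stylesheets from output
     *
     * The upstream copy called these through the CakePHP class name `Sanitize`,
     * which does not exist in this component and produced a fatal error.
     *
     * @param string $str String to sanitize
     * @return string sanitized string
     */
    public static function stripAll($str) {
        $str = self::stripWhitespace($str);
        $str = self::stripImages($str);
        $str = self::stripScripts($str);
        return $str;
    }

    /**
     * Strips the specified tags from output. First parameter is string from
     * where to remove tags. All subsequent parameters are tags.
     *
     * Ex.`$clean = sanitizeComponent::stripTags($dirty, 'b', 'p', 'div');`
     *
     * Will remove all `<b>`, `<p>`, and `<div>` tags from the $dirty string.
     * Tag names are preg_quote()d so a name containing regex metacharacters
     * cannot alter (or break) the pattern.
     *
     * @param string $str String to sanitize
     * @param string ...$tags Tags to remove
     * @return string sanitized String
     */
    public static function stripTags($str = '', ...$tags) {
        foreach ($tags as $tag) {
            $quoted = preg_quote((string) $tag, '/');
            $str = preg_replace('/<' . $quoted . '\b[^>]*>/i', '', $str);
            $str = preg_replace('/<\/' . $quoted . '[^>]*>/i', '', $str);
        }
        return $str;
    }

    /**
     * Sanitizes given array or value for safe input. Use the options to specify
     * what filters should be applied (with a boolean value). Valid filters:
     *
     * - odd_spaces - normalises non-breaking spaces and removes the 0xCA byte
     * - encode - Encode any html entities. Encode must be true for the `remove_html` to work.
     * - dollar - Unescape `\$` to `$`
     * - carriage - Remove `\r`
     * - unicode - restore numeric entities double-encoded by `encode` (`&amp;#N;` -> `&#N;`)
     * - escape - Should the string be SQL escaped.
     * - backslash - retained from upstream; see the inline note
     * - remove_html - Strip HTML with strip_tags. `encode` must be true for this option to work.
     *
     * NOTE(review): this mixes output encoding (HTML) with SQL escaping at input
     * time. Encoding belongs at the output boundary and SQL should be
     * parameterised; treat this pipeline as legacy behaviour.
     *
     * @param mixed $data Data to sanitize
     * @param mixed $options Set of options (non-array values are ignored)
     * @return mixed Sanitized data
     */
    public static function clean($data, $options = array()) {
        if (empty($data)) {
            return $data;
        }

        if (!is_array($options)) {
            $options = array();
        }

        $options = array_merge(array(
            'connection' => null,
            'odd_spaces' => true,
            'remove_html' => false,
            'encode' => true,
            'dollar' => true,
            'carriage' => true,
            'unicode' => true,
            'escape' => true,
            'backslash' => true
        ), $options);

        if (is_array($data)) {
            foreach ($data as $key => $val) {
                $data[$key] = self::clean($val, $options);
            }
            return $data;
        }

        if ($options['odd_spaces']) {
            // NOTE(review): upstream CakePHP searched for a literal non-breaking
            // space here; this copy rendered it as a plain space (a no-op). Replace
            // the UTF-8 form (C2 A0) before the single byte A0 so no stray lead byte
            // is left behind, then drop the Mac Roman NBSP byte 0xCA as upstream did
            // (that byte is also a valid UTF-8 lead byte; kept for compatibility).
            $data = str_replace(array("\xC2\xA0", "\xA0"), ' ', $data);
            $data = str_replace(chr(0xCA), '', $data);
        }
        if ($options['encode']) {
            $data = self::html($data, array('remove' => $options['remove_html']));
        }
        if ($options['dollar']) {
            // "\$" -> "$"
            $data = str_replace("\\\$", "$", $data);
        }
        if ($options['carriage']) {
            $data = str_replace("\r", "", $data);
        }

        // Encode two characters htmlentities() leaves alone. NOTE(review): this copy
        // had the replacement strings entity-decoded to "!" and "'" (a no-op); the
        // literals below follow upstream CakePHP.
        $data = str_replace("'", "&#39;", str_replace("!", "&#33;", $data));

        if ($options['unicode']) {
            // Numeric entities typed by the user were double-encoded by the encode
            // step; restore "&amp;#N;" to "&#N;" so they render as the character.
            // NOTE(review): the page copy showed "&#" here (entity-decoded, a no-op).
            $data = preg_replace("/&amp;#([0-9]+);/s", "&#\\1;", $data);
        }
        if ($options['escape']) {
            $data = self::escape($data);
        }
        if ($options['backslash']) {
            // Retained from upstream: a backslash not followed by "&#" or "?#" is
            // replaced by a backslash, i.e. effectively a no-op.
            $data = preg_replace("/\\\(?!&#|\?#)/", "\\", $data);
        }
        return $data;
    }
}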