includes/functions.php
changeset 15 ad5986a53197
parent 14 ce6053bb48d8
child 16 64e0d3d4cf14
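--- a/includes/functions.php
+++ b/includes/functions.php
@@ -1441,10 +1441,16 @@
       }
     }
     
   }
   
+  // Vulnerability from ha.ckers.org/xss.html:
+  // <script src="http://foo.com/xss.js"
+  // <
+  // The rule is so specific because everything else will have been filtered by now
+  $html = preg_replace('/<(script|iframe)(.+?)src=([^>]*)</i', '&lt;\\1\\2src=\\3&lt;', $html);
+  
   return $html;
   
 }
 
 function htmlalternatives($string)
@@ -1832,18 +1838,12 @@
  */
 
 function sanitize_page_id($page_id)
 {
   
-  // First, replace spaces with underscores  
-  $page_id = str_replace(' ', '_', $page_id);
-  
-  preg_match_all('/\.[A-Fa-f0-9][A-Fa-f0-9]/', $page_id, $matches);
-  
-  foreach ( $matches[0] as $id => $char )
-  {
-    $char = substr($char, 1);
-    $char = strtolower($char);
-    $char = intval(hexdec($char));
-    $char = chr($char);
-    $page_id = str_replace($matches[0][$id], $char, $page_id);
-  }
+  // Remove character escapes
+  $page_id = dirtify_page_id($page_id);
   
   $pid_clean = preg_replace('/[\w\/:;\(\)@\[\]_-]/', 'X', $page_id);
   $pid_dirty = enano_str_split($pid_clean, 1);
   
   foreach ( $pid_dirty as $id => $char )
@@ -1885,10 +1880,35 @@
   
   return $page_id_cleaned;
 }
 
 /**
+ * Removes character escapes in a page ID string
+ * @param string Page ID string to dirty up
+ * @return string
+ */
+
+function dirtify_page_id($page_id)
+{
+  // First, replace spaces with underscores  
+  $page_id = str_replace(' ', '_', $page_id);
+  
+  preg_match_all('/\.[A-Fa-f0-9][A-Fa-f0-9]/', $page_id, $matches);
+  
+  foreach ( $matches[0] as $id => $char )
+  {
+    $char = substr($char, 1);
+    $char = strtolower($char);
+    $char = intval(hexdec($char));
+    $char = chr($char);
+    $page_id = str_replace($matches[0][$id], $char, $page_id);
+  }
+  
+  return $page_id;
+}
+
+/**
  * Inserts commas into a number to make it more human-readable. Floating point-safe.
  * @param int The number to process
  * @return string Input number with commas added
  */
 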
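Review bot: The decode loop in the new dirtify_page_id (new side 1895–1904) calls `str_replace` globally for each escape collected up front, so once `.2e` has been decoded to a literal `.`, that dot plus the two characters after it can be decoded again by a later iteration whenever the same two hex digits also appeared as a real escape elsewhere in the string; for a constructed input `.2e41 .41` the loop yields `A_A` where a positional decode yields `.41_A`. Since sanitize_page_id now delegates to this function, any such mis-decode feeds straight into the cleaned page ID, so it is worth doing the decode in a single left-to-right pass with `preg_replace_callback` (shown below), which also makes the `strtolower`/`intval` wrappers unnecessary because `hexdec` of two hex digits is already an int in 0–255. The same over-decoding existed in the old sanitize_page_id loop that this commit removes, so the rewrite below replaces both.

```php
function dirtify_page_id($page_id)
{
  // First, replace spaces with underscores
  $page_id = str_replace(' ', '_', $page_id);
  
  // Decode every .XX escape in one left-to-right pass so a decoded character
  // can never be re-read as the start of a second escape
  return preg_replace_callback('/\.([A-Fa-f0-9]{2})/', 'dirtify_page_id_decode_char', $page_id);
}

// Callback for dirtify_page_id(): maps the two captured hex digits to the byte they encode
function dirtify_page_id_decode_char($match)
{
  return chr(hexdec($match[1]));
}
```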