
Diff of /moodle/lib/kses.php


revision 1.3.2.3, Sat Mar 1 22:13:14 2008 WST revision 1.9, Mon Nov 2 00:48:45 2009 WST

By skodak:

MDL-20700 coding style cleanup - cvs keywords removed, closing php tag removed, trailing whitespace cleanup

# Line 1  Line 1 
1  <?php  <?php
2    /**
3  # kses 0.2.2 - HTML/XHTML filter that only allows some elements and attributes   * kses 0.2.2 - HTML/XHTML filter that only allows some elements and attributes
4  # Copyright (C) 2002, 2003, 2005  Ulf Harnhammar   * Copyright (C) 2002, 2003, 2005  Ulf Harnhammar
5  #   *
6  # This program is free software and open source software; you can redistribute   * This program is free software and open source software; you can redistribute
7  # it and/or modify it under the terms of the GNU General Public License as   * it and/or modify it under the terms of the GNU General Public License as
8  # published by the Free Software Foundation; either version 2 of the License,   * published by the Free Software Foundation; either version 3 of the License,
9  # or (at your option) any later version.   * or (at your option) any later version.
10  #   *
11  # This program is distributed in the hope that it will be useful, but WITHOUT   * This program is distributed in the hope that it will be useful, but WITHOUT
12  # ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or   * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13  # FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for   * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
14  # more details.   * more details.
15  #   *
16  # You should have received a copy of the GNU General Public License along   * You should have received a copy of the GNU General Public License along
17  # with this program; if not, write to the Free Software Foundation, Inc.,   * with this program; if not, write to the Free Software Foundation, Inc.,
18  # 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA  or visit   * 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA  or visit
19  # http://www.gnu.org/licenses/gpl.html   * http://www.gnu.org/licenses/gpl.html
20  #   *
21  # *** CONTACT INFORMATION ***   * *** CONTACT INFORMATION ***
22  #   *
23  # E-mail:      metaur at users dot sourceforge dot net   * E-mail:      metaur at users dot sourceforge dot net
24  # Web page:    http://sourceforge.net/projects/kses   * Web page:    http://sourceforge.net/projects/kses
25  # Paper mail:  Ulf Harnhammar   * Paper mail:  Ulf Harnhammar
26  #              Ymergatan 17 C   *              Ymergatan 17 C
27  #              753 25  Uppsala   *              753 25  Uppsala
28  #              SWEDEN   *              SWEDEN
29  #   *
30  # [kses strips evil scripts!]   * [kses strips evil scripts!]
31     *
32     * @package   moodlecore
33     * @copyright Ulf Harnhammar  {@link http://sourceforge.net/projects/kses}
34     * @license   http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
35     */
36    
37    /**
38     * This function makes sure that only the allowed HTML element names, attribute
39     * names and attribute values plus only sane HTML entities will occur in
40     * $string. You have to remove any slashes from PHP's magic quotes before you
41     * call this function.
42     *
43     * @param string $string
44     * @param string $allowed_html
45     * @param array $allowed_protocols
46     * @return string
47     */
48  function kses($string, $allowed_html, $allowed_protocols =  function kses($string, $allowed_html, $allowed_protocols =
49                 array('http', 'https', 'ftp', 'news', 'nntp', 'telnet',                 array('http', 'https', 'ftp', 'news', 'nntp', 'telnet',
50                       'gopher', 'mailto'))                       'gopher', 'mailto'))
# Line 49  Line 64 
64  } # function kses  } # function kses
65    
66    
67    /**
68     * You add any kses hooks here
69     *
70     * @param string $string
71     * @return string
72     */
73  function kses_hook($string)  function kses_hook($string)
74  ###############################################################################  ###############################################################################
75  # You add any kses hooks here.  # You add any kses hooks here.
# Line 57  Line 78 
78    return $string;    return $string;
79  } # function kses_hook  } # function kses_hook
80    
81    /**
82     * This function returns kses' version number.
83     *
84     * @return string
85     */
86  function kses_version()  function kses_version()
87  ###############################################################################  ###############################################################################
88  # This function returns kses' version number.  # This function returns kses' version number.
# Line 67  Line 92 
92  } # function kses_version  } # function kses_version
93    
94    
95    /**
96     * This function searches for HTML tags, no matter how malformed. It also
97     * matches stray ">" characters.
98     *
99     * @param string $string
100     * @param string $allowed_html
101     * @param array $allowed_protocols
102     * @return string
103     */
104  function kses_split($string, $allowed_html, $allowed_protocols)  function kses_split($string, $allowed_html, $allowed_protocols)
105  ###############################################################################  ###############################################################################
106  # This function searches for HTML tags, no matter how malformed. It also  # This function searches for HTML tags, no matter how malformed. It also
# Line 82  Line 116 
116                        $string);                        $string);
117  } # function kses_split  } # function kses_split
118    
119    /**
120     * This function does a lot of work. It rejects some very malformed things
121     * like <:::>. It returns an empty string, if the element isn't allowed (look
122     * ma, no strip_tags()!). Otherwise it splits the tag into an element and an
123     * attribute list.
124     *
125     * @param string $string
126     * @param string $allowed_html
127     * @param array $allowed_protocols
128     * @return string
129     */
130  function kses_split2($string, $allowed_html, $allowed_protocols)  function kses_split2($string, $allowed_html, $allowed_protocols)
131  ###############################################################################  ###############################################################################
132  # This function does a lot of work. It rejects some very malformed things  # This function does a lot of work. It rejects some very malformed things
# Line 117  Line 161 
161                     $allowed_protocols);                     $allowed_protocols);
162  } # function kses_split2  } # function kses_split2
163    
164    /**
165     * This function removes all attributes, if none are allowed for this element.
166     * If some are allowed it calls kses_hair() to split them further, and then it
167     * builds up new HTML code from the data that kses_hair() returns. It also
168     * removes "<" and ">" characters, if there are any left. One more thing it
169     * does is to check if the tag has a closing XHTML slash, and if it does,
170     * it puts one in the returned code as well.
171     *
172     * @param string $element
173     * @param string $attr
174     * @param string $allowed_html
175     * @param array $allowed_protocols
176     * @return string
177     */
178  function kses_attr($element, $attr, $allowed_html, $allowed_protocols)  function kses_attr($element, $attr, $allowed_html, $allowed_protocols)
179  ###############################################################################  ###############################################################################
180  # This function removes all attributes, if none are allowed for this element.  # This function removes all attributes, if none are allowed for this element.
# Line 182  Line 239 
239    return "<$element$attr2$xhtml_slash>";    return "<$element$attr2$xhtml_slash>";
240  } # function kses_attr  } # function kses_attr
241    
242    /**
243     * This function does a lot of work. It parses an attribute list into an array
244     * with attribute data, and tries to do the right thing even if it gets weird
245     * input. It will add quotes around attribute values that don't have any quotes
246     * or apostrophes around them, to make it easier to produce HTML code that will
247     * conform to W3C's HTML specification. It will also remove bad URL protocols
248     * from attribute values.
249     *
250     * @param string $attr
251     * @param array $allowed_protocols
252     * @return array
253     */
254  function kses_hair($attr, $allowed_protocols)  function kses_hair($attr, $allowed_protocols)
255  ###############################################################################  ###############################################################################
256  # This function does a lot of work. It parses an attribute list into an array  # This function does a lot of work. It parses an attribute list into an array
# Line 307  Line 375 
375    return $attrarr;    return $attrarr;
376  } # function kses_hair  } # function kses_hair
377    
378    /**
379     * This function performs different checks for attribute values. The currently
380     * implemented checks are "maxlen", "minlen", "maxval", "minval" and "valueless"
381     * with even more checks to come soon.
382     *
383     * @param string $value
384     * @param string $vless
385     * @param string $checkname
386     * @param string $checkvalue
387     * @return bool
388     */
389  function kses_check_attr_val($value, $vless, $checkname, $checkvalue)  function kses_check_attr_val($value, $vless, $checkname, $checkvalue)
390  ###############################################################################  ###############################################################################
391  # This function performs different checks for attribute values. The currently  # This function performs different checks for attribute values. The currently
# Line 373  Line 451 
451    return $ok;    return $ok;
452  } # function kses_check_attr_val  } # function kses_check_attr_val
453    
454    /**
455     * This function removes all non-allowed protocols from the beginning of
456     * $string. It ignores whitespace and the case of the letters, and it does
457     * understand HTML entities. It does its work in a while loop, so it won't be
458     * fooled by a string like "javascript:javascript:alert(57)".
459     *
460     * @param string $string
461     * @param array $$allowed_protocols
462     * @return string
463     */
464  function kses_bad_protocol($string, $allowed_protocols)  function kses_bad_protocol($string, $allowed_protocols)
465  ###############################################################################  ###############################################################################
466  # This function removes all non-allowed protocols from the beginning of  # This function removes all non-allowed protocols from the beginning of
# Line 383  Line 470 
470  ###############################################################################  ###############################################################################
471  {  {
472    $string = kses_no_null($string);    $string = kses_no_null($string);
473    $string = preg_replace('/\xad+/', '', $string); # deals with Opera "feature"    $string = preg_replace('/([^\xc3-\xcf])\xad+/', '\\1', $string); # deals with Opera "feature" -- moodle utf8 fix
474    $string2 = $string.'a';    $string2 = $string.'a';
475    
476    while ($string != $string2)    while ($string != $string2)
# Line 395  Line 482 
482    return $string;    return $string;
483  } # function kses_bad_protocol  } # function kses_bad_protocol
484    
485    /**
486     * This function removes any NULL characters in $string.
487     *
488     * @param string $string
489     * @return string
490     */
491  function kses_no_null($string)  function kses_no_null($string)
492  ###############################################################################  ###############################################################################
493  # This function removes any NULL characters in $string.  # This function removes any NULL characters in $string.
# Line 408  Line 500 
500  } # function kses_no_null  } # function kses_no_null
501    
502    
503    /**
504     * This function changes the character sequence  \"  to just  "
505     * It leaves all other slashes alone. It's really weird, but the quoting from
506     * preg_replace(//e) seems to require this.
507     *
508     * @param string $string
509     * @return string
510     */
511  function kses_stripslashes($string)  function kses_stripslashes($string)
512  ###############################################################################  ###############################################################################
513  # This function changes the character sequence  \"  to just  "  # This function changes the character sequence  \"  to just  "
# Line 419  Line 519 
519  } # function kses_stripslashes  } # function kses_stripslashes
520    
521    
522    /**
523     * This function goes through an array, and changes the keys to all lower case.
524     *
525     * @param array $inarray
526     * @return array
527     */
528  function kses_array_lc($inarray)  function kses_array_lc($inarray)
529  ###############################################################################  ###############################################################################
530  # This function goes through an array, and changes the keys to all lower case.  # This function goes through an array, and changes the keys to all lower case.
# Line 441  Line 547 
547    return $outarray;    return $outarray;
548  } # function kses_array_lc  } # function kses_array_lc
549    
550    /**
551     * This function removes the HTML JavaScript entities found in early versions of
552     * Netscape 4.
553     *
554     * @param string $string
555     */
556  function kses_js_entities($string)  function kses_js_entities($string)
557  ###############################################################################  ###############################################################################
558  # This function removes the HTML JavaScript entities found in early versions of  # This function removes the HTML JavaScript entities found in early versions of
# Line 451  Line 562 
562    return preg_replace('%&\s*\{[^}]*(\}\s*;?|$)%', '', $string);    return preg_replace('%&\s*\{[^}]*(\}\s*;?|$)%', '', $string);
563  } # function kses_js_entities  } # function kses_js_entities
564    
565    /**
566     * This function deals with parsing errors in kses_hair(). The general plan is
567     * to remove everything to and including some whitespace, but it deals with
568     * quotes and apostrophes as well.
569     *
570     * @param string $string
571     * @return string
572     */
573  function kses_html_error($string)  function kses_html_error($string)
574  ###############################################################################  ###############################################################################
575  # This function deals with parsing errors in kses_hair(). The general plan is  # This function deals with parsing errors in kses_hair(). The general plan is
# Line 462  Line 580 
580    return preg_replace('/^("[^"]*("|$)|\'[^\']*(\'|$)|\S)*\s*/', '', $string);    return preg_replace('/^("[^"]*("|$)|\'[^\']*(\'|$)|\S)*\s*/', '', $string);
581  } # function kses_html_error  } # function kses_html_error
582    
583    /**
584     * This function searches for URL protocols at the beginning of $string, while
585     * handling whitespace and HTML entities.
586     *
587     * @param string $string
588     * @param string $allowed_protocols
589     * @return string
590     */
591  function kses_bad_protocol_once($string, $allowed_protocols)  function kses_bad_protocol_once($string, $allowed_protocols)
592  ###############################################################################  ###############################################################################
593  # This function searches for URL protocols at the beginning of $string, while  # This function searches for URL protocols at the beginning of $string, while
# Line 477  Line 602 
602    return $string;    return $string;
603  } # function kses_bad_protocol_once  } # function kses_bad_protocol_once
604    
605    /**
606     * This function processes URL protocols, checks to see if they're in the white-
607     * list or not, and returns different data depending on the answer.
608     *
609     * @param string $string
610     * @param string $allowed_protocols
611     * @return string
612     */
613  function kses_bad_protocol_once2($string, $allowed_protocols)  function kses_bad_protocol_once2($string, $allowed_protocols)
614  ###############################################################################  ###############################################################################
615  # This function processes URL protocols, checks to see if they're in the white-  # This function processes URL protocols, checks to see if they're in the white-
# Line 505  Line 637 
637      return '';      return '';
638  } # function kses_bad_protocol_once2  } # function kses_bad_protocol_once2
639    
640    /**
641     * This function normalizes HTML entities. It will convert "AT&T" to the correct
642     * "AT&amp;T", "&#00058;" to "&#58;", "&#XYZZY;" to "&amp;#XYZZY;" and so on.
643     *
644     * @param string $string
645     * @return string
646     */
647  function kses_normalize_entities($string)  function kses_normalize_entities($string)
648  ###############################################################################  ###############################################################################
649  # This function normalizes HTML entities. It will convert "AT&T" to the correct  # This function normalizes HTML entities. It will convert "AT&T" to the correct
# Line 528  Line 666 
666    return $string;    return $string;
667  } # function kses_normalize_entities  } # function kses_normalize_entities
668    
669    /**
670     * This function helps kses_normalize_entities() to only accept 16 bit values
671     * and nothing more for &#number; entities.
672     *
673     * @param int $i
674     * @return string
675     */
676  function kses_normalize_entities2($i)  function kses_normalize_entities2($i)
677  ###############################################################################  ###############################################################################
678  # This function helps kses_normalize_entities() to only accept 16 bit values  # This function helps kses_normalize_entities() to only accept 16 bit values
# Line 538  Line 682 
682    return (($i > 65535) ? "&amp;#$i;" : "&#$i;");    return (($i > 65535) ? "&amp;#$i;" : "&#$i;");
683  } # function kses_normalize_entities2  } # function kses_normalize_entities2
684    
685    /**
686     * This function decodes numeric HTML entities (&#65; and &#x41;). It doesn't
687     * do anything with other entities like &auml;, but we don't need them in the
688     * URL protocol whitelisting system anyway.
689     *
690     * @param string $string
691     * @return string
692     */
693  function kses_decode_entities($string)  function kses_decode_entities($string)
694  ###############################################################################  ###############################################################################
695  # This function decodes numeric HTML entities (&#65; and &#x41;). It doesn't  # This function decodes numeric HTML entities (&#65; and &#x41;). It doesn't
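Review bot: The UTF-8 guard at new line 473 in kses_bad_protocol() only protects an 0xAD byte that follows a lead byte in \xc3-\xcf, but 0xAD is also a valid continuation byte after \xd0-\xdf leads and after any 0x80-0xbf continuation byte inside a 3- or 4-byte sequence, so input such as Cyrillic "Э" (\xd0\xad) or U+00AD itself (\xc2\xad) has its second byte stripped and a bare lead byte is written into the attribute value, while an 0xAD at position 0 is conversely never stripped because the pattern requires a preceding byte. A sanitizer emitting truncated multibyte sequences is worth avoiding even though the protocol allow-list (not visible in this hunk) would presumably still reject a mangled `javascript` token. A lookbehind removes only stray Latin-1 soft hyphens plus the real UTF-8 one without capturing a prefix: `$string = preg_replace('/(\xc2\xad)+|(?<![\x80-\xff])\xad+/', '', $string); # drop U+00AD (C2 AD) and stray Latin-1 0xAD, keep 0xAD continuation bytes`. While here, the docblock at new line 461 reads `@param array $$allowed_protocols` with a doubled `$`. The while-loop body of kses_bad_protocol() lies outside the visible hunk, so whether kses_bad_protocol_once2() carries a matching fix cannot be checked from this page.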
