<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>File Source for input_filter.php</title>
<link rel="stylesheet" href="../media/style.css">
</head>
<body>
<table width="100%" border="0" cellpadding="0" cellspacing="0">
<tr valign="top">
<td>
<table cellpadding="10" cellspacing="0" width="100%" border="0"><tr><td valign="top">
<h1 align="center">Source for file input_filter.php</h1>
<p>Documentation is available at <a href="../PHPonTrax/_vendor_trax_input_filter_php.html">input_filter.php</a></p>
<div class="php">
<div class="listing"><pre><ol><li><a name="a1"></a><span class="src-php"><?php</span></li>
<li><a name="a2"></a><span class="src-doc">/**</span></li>
<li><a name="a3"></a><span class="src-doc"> * File containing the InputFilter class</span></li>
<li><a name="a4"></a><span class="src-doc"> *</span></li>
<li><a name="a5"></a><span class="src-doc"> * (PHP 5)</span></li>
<li><a name="a6"></a><span class="src-doc"> *</span></li>
<li><a name="a7"></a><span class="src-doc"> * </span><span class="src-doc-coretag">@package</span><span class="src-doc"> PHPonTrax</span></li>
<li><a name="a8"></a><span class="src-doc"> * </span><span class="src-doc-coretag">@version</span><span class="src-doc"> $Id$</span></li>
<li><a name="a9"></a><span class="src-doc"> * </span><span class="src-doc-coretag">@author</span><span class="src-doc"> Daniel Morris</span></li>
<li><a name="a10"></a><span class="src-doc"> * contributors: Gianpaolo Racca, Ghislain Picard, Marco Wandschneider,</span></li>
<li><a name="a11"></a><span class="src-doc"> * Chris Tobin and Andrew Eddie.</span></li>
<li><a name="a12"></a><span class="src-doc"> * </span><span class="src-doc-coretag">@copyright</span><span class="src-doc"> Daniel Morris <hide@address.com></span></li>
<li><a name="a13"></a><span class="src-doc"> * </span><span class="src-doc-coretag">@license</span><span class="src-doc"> http://opensource.org/licenses/gpl-license.php GNU Public License</span></li>
<li><a name="a14"></a><span class="src-doc"> */</span></li>
<li><a name="a15"></a> </li>
<li><a name="a16"></a><span class="src-doc">/**</span></li>
<li><a name="a17"></a><span class="src-doc"> * Filter user input to remove potential security threats</span></li>
<li><a name="a18"></a><span class="src-doc"> *</span></li>
<li><a name="a19"></a><span class="src-doc"> * InputFilter has three public methods that are useful in protecting</span></li>
<li><a name="a20"></a><span class="src-doc"> * a web site from potential security threats from user input.</span></li>
<li><a name="a21"></a><span class="src-doc"> * <ul></span></li>
<li><a name="a22"></a><span class="src-doc"> * <li></span><span class="src-doc-inlinetag">{@link safeSQL()}</span><span class="src-doc"> protects SQL from the user.</li></span></li>
<li><a name="a23"></a><span class="src-doc"> * <li></span><span class="src-doc-inlinetag">{@link process()}</span><span class="src-doc"> protects HTML tags and attributes from the</span></li>
<li><a name="a24"></a><span class="src-doc"> * user.</li></span></li>
<li><a name="a25"></a><span class="src-doc"> * <li></span><span class="src-doc-inlinetag">{@link process_all()}</span><span class="src-doc"> applies </span><span class="src-doc-inlinetag">{@link process()}</span><span class="src-doc"> to all</span></li>
<li><a name="a26"></a><span class="src-doc"> * possible sources of user input</li></span></li>
<li><a name="a27"></a><span class="src-doc"> * </ul></span></li>
<li><a name="a28"></a><span class="src-doc"> * For usage instructions see</span></li>
<li><a name="a29"></a><span class="src-doc"> * </span><span class="src-doc-inlinetag">{@tutorial PHPonTrax/InputFilter.cls the class tutorial}</span><span class="src-doc">.</span></li>
<li><a name="a30"></a><span class="src-doc"> * </span><span class="src-doc-coretag">@todo</span><span class="src-doc"> Check FIXMEs</span></li>
<li><a name="a31"></a><span class="src-doc"> */</span></li>
<li><a name="a32"></a><span class="src-key">class </span><a href="../PHPonTrax/InputFilter.html">InputFilter</a> <span class="src-sym">{</span></li>
<li><a name="a33"></a> </li>
<li><a name="a34"></a> <span class="src-doc">/**</span></li>
<li><a name="a35"></a><span class="src-doc"> * User-provided list of tags to either accept or reject</span></li>
<li><a name="a36"></a><span class="src-doc"> *</span></li>
<li><a name="a37"></a><span class="src-doc"> * Whether the tags in this list are accepted or rejected is</span></li>
<li><a name="a38"></a><span class="src-doc"> * determined by the value of </span><span class="src-doc-inlinetag">{@link $tagsMethod}</span><span class="src-doc">.</span></li>
<li><a name="a39"></a><span class="src-doc"> * <b>FIXME:</b> static declaration must be after visibility declaration</span></li>
<li><a name="a40"></a><span class="src-doc"> * </span><span class="src-doc-coretag">@var </span><span class="src-doc-type">string[] </span></li>
<li><a name="a41"></a><span class="src-doc"> */</span></li>
<li><a name="a42"></a> <span class="src-key">static </span><span class="src-key">protected </span><a href="../PHPonTrax/InputFilter.html#var$tagsArray">$tagsArray</a> = <span class="src-key">array</span><span class="src-sym">(</span><span class="src-sym">)</span><span class="src-sym">; </span><span class="src-comm">// default = empty array</span></li>
<li><a name="a43"></a> </li>
<li><a name="a43"></a> </li>
<li><a name="a44"></a> <span class="src-doc">/**</span></li>
<li><a name="a45"></a><span class="src-doc"> * User-provided list of attributes to either accept or reject</span></li>
<li><a name="a46"></a><span class="src-doc"> *</span></li>
<li><a name="a47"></a><span class="src-doc"> * Whether the attributes in this list are accepted or rejected is</span></li>
<li><a name="a48"></a><span class="src-doc"> * determined by the value of </span><span class="src-doc-inlinetag">{@link $attrMethod}</span><span class="src-doc">.</span></li>
<li><a name="a49"></a><span class="src-doc"> * <b>FIXME:</b> static declaration must be after visibility declaration</span></li>
<li><a name="a50"></a><span class="src-doc"> * </span><span class="src-doc-coretag">@var </span><span class="src-doc-type">string[] </span></li>
<li><a name="a51"></a><span class="src-doc"> */</span></li>
<li><a name="a52"></a> <span class="src-key">static </span><span class="src-key">protected </span><a href="../PHPonTrax/InputFilter.html#var$attrArray">$attrArray</a> = <span class="src-key">array</span><span class="src-sym">(</span><span class="src-sym">)</span><span class="src-sym">; </span><span class="src-comm">// default = empty array</span></li>
<li><a name="a53"></a> </li>
<li><a name="a53"></a> </li>
<li><a name="a54"></a> <span class="src-doc">/**</span></li>
<li><a name="a55"></a><span class="src-doc"> * How to apply user-provided tags list</span></li>
<li><a name="a56"></a><span class="src-doc"> *</span></li>
<li><a name="a57"></a><span class="src-doc"> * Which method to use when applying the list of tags provided by</span></li>
<li><a name="a58"></a><span class="src-doc"> * the user and stored in </span><span class="src-doc-inlinetag">{@link $tagsArray}</span><span class="src-doc">.</span></li>
<li><a name="a59"></a><span class="src-doc"> * </span><span class="src-doc-coretag">@var </span><span class="src-doc-type">boolean </span><span class="src-doc">Tested by </span><span class="src-doc-inlinetag">{@link filterTags()}</span><span class="src-doc"> to see whether the</span></li>
<li><a name="a60"></a><span class="src-doc"> * user-provided list of tags in </span><span class="src-doc-inlinetag">{@link $tagsArray}</span></li>
<li><a name="a61"></a><span class="src-doc"> * describes those tags which are forbidden, or</span></li>
<li><a name="a62"></a><span class="src-doc"> * those tags which are permitted. Default false.</span></li>
<li><a name="a63"></a><span class="src-doc"> * <ul></span></li>
<li><a name="a64"></a><span class="src-doc"> * <li>true => Remove those tags which are in</span></li>
<li><a name="a65"></a><span class="src-doc"> * </span><span class="src-doc-inlinetag">{@link $tagsArray}</span><span class="src-doc">.</li></span></li>
<li><a name="a66"></a><span class="src-doc"> * <li>false => Allow only those tags which are listed in</span></li>
<li><a name="a67"></a><span class="src-doc"> * </span><span class="src-doc-inlinetag">{@link $tagsArray}</span><span class="src-doc">.</li></span></li>
<li><a name="a68"></a><span class="src-doc"> * </ul></span></li>
<li><a name="a69"></a><span class="src-doc"> * <b>FIXME:</b> static declaration must be after visibility declaration</span></li>
<li><a name="a70"></a><span class="src-doc"> */</span></li>
<li><a name="a71"></a> <span class="src-key">static </span><span class="src-key">protected </span><a href="../PHPonTrax/InputFilter.html#var$tagsMethod">$tagsMethod</a> = <span class="src-num">0</span><span class="src-sym">; </span><span class="src-comm">// default = 0</span></li>
<li><a name="a72"></a> </li>
<li><a name="a72"></a> </li>
<li><a name="a73"></a> <span class="src-doc">/**</span></li>
<li><a name="a74"></a><span class="src-doc"> * How to apply user-provided attribute list</span></li>
<li><a name="a75"></a><span class="src-doc"> *</span></li>
<li><a name="a76"></a><span class="src-doc"> * Which method to use when applying the list of attributes</span></li>
<li><a name="a77"></a><span class="src-doc"> * provided by the user and stored in </span><span class="src-doc-inlinetag">{@link $attrArray}</span><span class="src-doc">.</span></li>
<li><a name="a78"></a><span class="src-doc"> * </span><span class="src-doc-coretag">@var </span><span class="src-doc-type">boolean </span><span class="src-doc">Tested by </span><span class="src-doc-inlinetag">{@link filterAttr()}</span><span class="src-doc"> to see whether the</span></li>
<li><a name="a79"></a><span class="src-doc"> * user-provided list of attributes in </span><span class="src-doc-inlinetag">{@link $attrArray}</span></li>
<li><a name="a80"></a><span class="src-doc"> * describes those attributes which are forbidden, or</span></li>
<li><a name="a81"></a><span class="src-doc"> * those attributes which are permitted. Default false.</span></li>
<li><a name="a82"></a><span class="src-doc"> * <ul></span></li>
<li><a name="a83"></a><span class="src-doc"> * <li>true => Remove those attributes which are in</span></li>
<li><a name="a84"></a><span class="src-doc"> * </span><span class="src-doc-inlinetag">{@link $attrArray}</span><span class="src-doc">.</li></span></li>
<li><a name="a85"></a><span class="src-doc"> * <li>false => Allow only those attributes which are listed in</span></li>
<li><a name="a86"></a><span class="src-doc"> * </span><span class="src-doc-inlinetag">{@link $attrArray}</span><span class="src-doc">.</li></span></li>
<li><a name="a87"></a><span class="src-doc"> * </ul></span></li>
<li><a name="a88"></a><span class="src-doc"> * <b>FIXME:</b> static declaration must be after visibility declaration</span></li>
<li><a name="a89"></a><span class="src-doc"> */</span></li>
<li><a name="a90"></a> <span class="src-key">static </span><span class="src-key">protected </span><a href="../PHPonTrax/InputFilter.html#var$attrMethod">$attrMethod</a> = <span class="src-num">0</span><span class="src-sym">; </span><span class="src-comm">// default = 0</span></li>
<li><a name="a91"></a> </li>
<li><a name="a92"></a> </li>
<li><a name="a91"></a> </li>
<li><a name="a92"></a> </li>
<li><a name="a93"></a> <span class="src-doc">/**</span></li>
<li><a name="a94"></a><span class="src-doc"> * Whether to remove blacklisted tags and attributes</span></li>
<li><a name="a95"></a><span class="src-doc"> *</span></li>
<li><a name="a96"></a><span class="src-doc"> * </span><span class="src-doc-coretag">@var </span><span class="src-doc-type">boolean </span><span class="src-doc">Tested by </span><span class="src-doc-inlinetag">{@link filterAttr()}</span><span class="src-doc"> and</span></li>
<li><a name="a97"></a><span class="src-doc"> * </span><span class="src-doc-inlinetag">{@link filterTags()}</span><span class="src-doc"> to see whether to remove</span></li>
<li><a name="a98"></a><span class="src-doc"> * blacklisted tags and attributes. Default true.</span></li>
<li><a name="a99"></a><span class="src-doc"> * <ul></span></li>
<li><a name="a100"></a><span class="src-doc"> * <li>true => Remove tags in </span><span class="src-doc-inlinetag">{@link $tagBlacklist}</span><span class="src-doc"> and</span></li>
<li><a name="a101"></a><span class="src-doc"> * attributes in </span><span class="src-doc-inlinetag">{@link $attrBlacklist}</span><span class="src-doc">, in</span></li>
<li><a name="a102"></a><span class="src-doc"> * addition to all other potentially suspect tags</span></li>
<li><a name="a103"></a><span class="src-doc"> * and attributes.</li></span></li>
<li><a name="a104"></a><span class="src-doc"> * <li>false => Remove potentially suspect tags and attributes</span></li>
<li><a name="a105"></a><span class="src-doc"> * without consulting </span><span class="src-doc-inlinetag">{@link $tagBlacklist}</span><span class="src-doc"> or</span></li>
<li><a name="a106"></a><span class="src-doc"> * </span><span class="src-doc-inlinetag">{@link $attrBlacklist}</span><span class="src-doc">.</li></span></li>
<li><a name="a107"></a><span class="src-doc"> * </ul></span></li>
<li><a name="a108"></a><span class="src-doc"> * <b>FIXME:</b> static declaration must be after visibility declaration</span></li>
<li><a name="a109"></a><span class="src-doc"> */</span></li>
<li><a name="a110"></a> <span class="src-key">static </span><span class="src-key">protected </span><a href="../PHPonTrax/InputFilter.html#var$xssAuto">$xssAuto</a> = <span class="src-num">1</span><span class="src-sym">; </span><span class="src-comm">// default = 1</span></li>
<li><a name="a111"></a> </li>
<li><a name="a111"></a> </li>
<li><a name="a112"></a> <span class="src-doc">/**</span></li>
<li><a name="a113"></a><span class="src-doc"> * List of tags to be removed</span></li>
<li><a name="a114"></a><span class="src-doc"> *</span></li>
<li><a name="a115"></a><span class="src-doc"> * If </span><span class="src-doc-inlinetag">{@link $xssAuto}</span><span class="src-doc"> is true, remove the tags in this list.</span></li>
<li><a name="a116"></a><span class="src-doc"> * </span><span class="src-doc-coretag">@var </span><span class="src-doc-type">string[] </span></li>
<li><a name="a117"></a><span class="src-doc"> * </span><span class="src-doc"><b>FIXME:</b> static declaration must be after visibility declaration</span></li>
<li><a name="a118"></a><span class="src-doc"> */</span></li>
<li><a name="a119"></a> <span class="src-key">static </span><span class="src-key">protected </span><a href="../PHPonTrax/InputFilter.html#var$tagBlacklist">$tagBlacklist</a> =</li>
<li><a name="a120"></a> <span class="src-key">array</span><span class="src-sym">(</span><span class="src-str">'applet'</span><span class="src-sym">, </span><span class="src-str">'body'</span><span class="src-sym">, </span><span class="src-str">'bgsound'</span><span class="src-sym">, </span><span class="src-str">'base'</span><span class="src-sym">, </span><span class="src-str">'basefont'</span><span class="src-sym">, </span><span class="src-str">'embed'</span><span class="src-sym">,</span></li>
<li><a name="a121"></a> <span class="src-str">'frame'</span><span class="src-sym">, </span><span class="src-str">'frameset'</span><span class="src-sym">, </span><span class="src-str">'head'</span><span class="src-sym">, </span><span class="src-str">'html'</span><span class="src-sym">, </span><span class="src-str">'id'</span><span class="src-sym">, </span><span class="src-str">'iframe'</span><span class="src-sym">,</span></li>
<li><a name="a122"></a> <span class="src-str">'ilayer'</span><span class="src-sym">, </span><span class="src-str">'layer'</span><span class="src-sym">, </span><span class="src-str">'link'</span><span class="src-sym">, </span><span class="src-str">'meta'</span><span class="src-sym">, </span><span class="src-str">'name'</span><span class="src-sym">, </span><span class="src-str">'object'</span><span class="src-sym">,</span></li>
<li><a name="a123"></a> <span class="src-str">'script'</span><span class="src-sym">, </span><span class="src-str">'style'</span><span class="src-sym">, </span><span class="src-str">'title'</span><span class="src-sym">, </span><span class="src-str">'xml'</span><span class="src-sym">)</span><span class="src-sym">;</span></li>
<li><a name="a124"></a> </li>
<li><a name="a125"></a> <span class="src-doc">/**</span></li>
<li><a name="a126"></a><span class="src-doc"> * List of attributes to be removed</span></li>
<li><a name="a127"></a><span class="src-doc"> *</span></li>
<li><a name="a128"></a><span class="src-doc"> * If </span><span class="src-doc-inlinetag">{@link $xssAuto}</span><span class="src-doc"> is true, remove the attributes in this list.</span></li>
<li><a name="a129"></a><span class="src-doc"> * </span><span class="src-doc-coretag">@var </span><span class="src-doc-type">string[] </span></li>
<li><a name="a130"></a><span class="src-doc"> * </span><span class="src-doc"><b>FIXME:</b> static declaration must be after visibility declaration</span></li>
<li><a name="a131"></a><span class="src-doc"> */</span></li>
<li><a name="a132"></a> <span class="src-key">static </span><span class="src-key">protected </span><a href="../PHPonTrax/InputFilter.html#var$attrBlacklist">$attrBlacklist</a> =</li>
<li><a name="a133"></a> <span class="src-key">array</span><span class="src-sym">(</span><span class="src-str">'action'</span><span class="src-sym">, </span><span class="src-str">'background'</span><span class="src-sym">, </span><span class="src-str">'codebase'</span><span class="src-sym">, </span><span class="src-str">'dynsrc'</span><span class="src-sym">, </span><span class="src-str">'lowsrc'</span><span class="src-sym">)</span><span class="src-sym">; </span></li>
<li><a name="a134"></a> </li>
<li><a name="a135"></a> <span class="src-doc">/** </span></li>
<li><a name="a136"></a><span class="src-doc"> * Constructor for InputFilter class.</span></li>
<li><a name="a137"></a><span class="src-doc"> *</span></li>
<li><a name="a138"></a><span class="src-doc"> * </span><span class="src-doc-coretag">@param </span><span class="src-doc-type">string[] </span><span class="src-doc-var">$tagsArray </span><span class="src-doc"> User-provided list of tags to</span></li>
<li><a name="a139"></a><span class="src-doc"> * either accept or reject. Default: none</span></li>
<li><a name="a140"></a><span class="src-doc"> * </span><span class="src-doc-coretag">@param </span><span class="src-doc-type">string[] </span><span class="src-doc-var">$attrArray </span><span class="src-doc"> User-provided list of attributes to</span></li>
<li><a name="a141"></a><span class="src-doc"> * either accept or reject. Default: none</span></li>
<li><a name="a142"></a><span class="src-doc"> * </span><span class="src-doc-coretag">@param </span><span class="src-doc-type">boolean </span><span class="src-doc-var">$tagsMethod </span><span class="src-doc">How to apply the list of tags in $tagsArray:</span></li>
<li><a name="a143"></a><span class="src-doc"> * <ul></span></li>
<li><a name="a144"></a><span class="src-doc"> * <li>true => Remove those tags which are listed in</span></li>
<li><a name="a145"></a><span class="src-doc"> * $tagsArray.</li></span></li>
<li><a name="a146"></a><span class="src-doc"> * <li>false => Allow only those tags which are listed in</span></li>
<li><a name="a147"></a><span class="src-doc"> * $tagsArray.</li></span></li>
<li><a name="a148"></a><span class="src-doc"> * </ul></span></li>
<li><a name="a149"></a><span class="src-doc"> * Default: false</span></li>
<li><a name="a150"></a><span class="src-doc"> * </span><span class="src-doc-coretag">@param </span><span class="src-doc-type">boolean </span><span class="src-doc-var">$attrMethod </span><span class="src-doc">How to apply the list of attributes in $attrArray:</span></li>
<li><a name="a151"></a><span class="src-doc"> * <ul></span></li>
<li><a name="a152"></a><span class="src-doc"> * <li>true => Remove those attributes which are listed in</span></li>
<li><a name="a153"></a><span class="src-doc"> * $attrArray.</li></span></li>
<li><a name="a154"></a><span class="src-doc"> * <li>false => Allow only those attributes which are listed in</span></li>
<li><a name="a155"></a><span class="src-doc"> * $attrArray.</li></span></li>
<li><a name="a156"></a><span class="src-doc"> * </ul></span></li>
<li><a name="a157"></a><span class="src-doc"> * Default: false</span></li>
<li><a name="a158"></a><span class="src-doc"> * </span><span class="src-doc-coretag">@param </span><span class="src-doc-type">boolean </span><span class="src-doc-var">$xssAuto </span><span class="src-doc">Behavior of </span><span class="src-doc-inlinetag">{@link filterTags()}</span><span class="src-doc">:</span></li>
<li><a name="a159"></a><span class="src-doc"> * <ul></span></li>
<li><a name="a160"></a><span class="src-doc"> * <li>true => Remove tags in </span><span class="src-doc-inlinetag">{@link $tagBlacklist}</span><span class="src-doc"> and</span></li>
<li><a name="a161"></a><span class="src-doc"> * attributes in </span><span class="src-doc-inlinetag">{@link $attrBlacklist}</span><span class="src-doc">, in</span></li>
<li><a name="a162"></a><span class="src-doc"> * addition to all other potentially suspect tags</span></li>
<li><a name="a163"></a><span class="src-doc"> * and attributes.</li></span></li>
<li><a name="a164"></a><span class="src-doc"> * <li>false => Remove potentially suspect tags and attributes</span></li>
<li><a name="a165"></a><span class="src-doc"> * without consulting </span><span class="src-doc-inlinetag">{@link $tagBlacklist}</span><span class="src-doc"> or</span></li>
<li><a name="a166"></a><span class="src-doc"> * </span><span class="src-doc-inlinetag">{@link $attrBlacklist}</span><span class="src-doc">.</li></span></li>
<li><a name="a167"></a><span class="src-doc"> * </ul></span></li>
<li><a name="a168"></a><span class="src-doc"> * Default: true</span></li>
<li><a name="a169"></a><span class="src-doc"> * </span><span class="src-doc-coretag">@uses</span><span class="src-doc"> $attrArray</span></li>
<li><a name="a170"></a><span class="src-doc"> * </span><span class="src-doc-coretag">@uses</span><span class="src-doc"> $attrMethod</span></li>
<li><a name="a171"></a><span class="src-doc"> * </span><span class="src-doc-coretag">@uses</span><span class="src-doc"> $tagsArray</span></li>
<li><a name="a172"></a><span class="src-doc"> * </span><span class="src-doc-coretag">@uses</span><span class="src-doc"> $tagsMethod</span></li>
<li><a name="a173"></a><span class="src-doc"> */</span></li>
<li><a name="a174"></a> <span class="src-key">public </span><span class="src-key">function </span><a href="../PHPonTrax/InputFilter.html#method__construct">__construct</a><span class="src-sym">(</span><span class="src-var">$tagsArray </span>= <span class="src-key">array</span><span class="src-sym">(</span><span class="src-sym">)</span><span class="src-sym">, </span><span class="src-var">$attrArray </span>= <span class="src-key">array</span><span class="src-sym">(</span><span class="src-sym">)</span><span class="src-sym">,</span></li>
<li><a name="a175"></a> <span class="src-var">$tagsMethod </span>= <span class="src-num">0</span><span class="src-sym">, </span><span class="src-var">$attrMethod </span>= <span class="src-num">0</span><span class="src-sym">,</span></li>
<li><a name="a176"></a> <span class="src-var">$xssAuto </span>= <span class="src-num">1</span><span class="src-sym">) </span><span class="src-sym">{ </span></li>
<li><a name="a177"></a> <span class="src-comm">// make sure user defined arrays are in lowercase</span></li>
<li><a name="a178"></a> <span class="src-key">for </span><span class="src-sym">(</span><span class="src-var">$i </span>= <span class="src-num">0</span><span class="src-sym">; </span><span class="src-var">$i </span>< <a href="http://www.php.net/count">count</a><span class="src-sym">(</span><span class="src-var">$tagsArray</span><span class="src-sym">)</span><span class="src-sym">; </span><span class="src-var">$i</span>++<span class="src-sym">) </span><span class="src-var">$tagsArray</span><span class="src-sym">[</span><span class="src-var">$i</span><span class="src-sym">] </span>= <a href="http://www.php.net/strtolower">strtolower</a><span class="src-sym">(</span><span class="src-var">$tagsArray</span><span class="src-sym">[</span><span class="src-var">$i</span><span class="src-sym">]</span><span class="src-sym">)</span><span class="src-sym">;</span></li>
<li><a name="a179"></a> <span class="src-key">for </span><span class="src-sym">(</span><span class="src-var">$i </span>= <span class="src-num">0</span><span class="src-sym">; </span><span class="src-var">$i </span>< <a href="http://www.php.net/count">count</a><span class="src-sym">(</span><span class="src-var">$attrArray</span><span class="src-sym">)</span><span class="src-sym">; </span><span class="src-var">$i</span>++<span class="src-sym">) </span><span class="src-var">$attrArray</span><span class="src-sym">[</span><span class="src-var">$i</span><span class="src-sym">] </span>= <a href="http://www.php.net/strtolower">strtolower</a><span class="src-sym">(</span><span class="src-var">$attrArray</span><span class="src-sym">[</span><span class="src-var">$i</span><span class="src-sym">]</span><span class="src-sym">)</span><span class="src-sym">;</span></li>
<li><a name="a180"></a> <span class="src-comm">// assign to member vars</span></li>
<li><a name="a181"></a> <span class="src-id">self</span><span class="src-sym">::</span><span class="src-var">$tagsArray </span>= (array) <span class="src-var">$tagsArray</span><span class="src-sym">;</span></li>
<li><a name="a182"></a> <span class="src-id">self</span><span class="src-sym">::</span><span class="src-var">$attrArray </span>= (array) <span class="src-var">$attrArray</span><span class="src-sym">;</span></li>
<li><a name="a183"></a> <span class="src-id">self</span><span class="src-sym">::</span><span class="src-var">$tagsMethod </span>= <span class="src-var">$tagsMethod</span><span class="src-sym">;</span></li>
<li><a name="a184"></a> <span class="src-id">self</span><span class="src-sym">::</span><span class="src-var">$attrMethod </span>= <span class="src-var">$attrMethod</span><span class="src-sym">;</span></li>
<li><a name="a185"></a> <span class="src-id">self</span><span class="src-sym">::</span><span class="src-var">$xssAuto </span>= <span class="src-var">$xssAuto</span><span class="src-sym">;</span></li>
<li><a name="a186"></a> <span class="src-sym">}</span></li>
<li><a name="a187"></a> </li>
<li><a name="a188"></a> <span class="src-doc">/**</span></li>
<li><a name="a189"></a><span class="src-doc"> * Remove forbidden tags and attributes from user input</span></li>
<li><a name="a190"></a><span class="src-doc"> *</span></li>
<li><a name="a191"></a><span class="src-doc"> * Construct an InputFilter object. Then apply the</span></li>
<li><a name="a192"></a><span class="src-doc"> * </span><span class="src-doc-inlinetag">{@link process()}</span><span class="src-doc"> method to each of the user input arrays</span></li>
<li><a name="a193"></a><span class="src-doc"> * </span><span class="src-doc-inlinetag">{@link http://www.php.net/reserved.variables#reserved.variables.post $_POST}</span><span class="src-doc">,</span></li>
<li><a name="a194"></a><span class="src-doc"> * </span><span class="src-doc-inlinetag">{@link http://www.php.net/reserved.variables#reserved.variables.get $_GET}</span><span class="src-doc"> and</span></li>
<li><a name="a195"></a><span class="src-doc"> * </span><span class="src-doc-inlinetag">{@link http://www.php.net/reserved.variables#reserved.variables.request $_REQUEST}</span><span class="src-doc">.</span></li>
<li><a name="a196"></a><span class="src-doc"> * <b>FIXME:</b> isn't it partly redundant to do this to $_REQUEST?</span></li>
<li><a name="a197"></a><span class="src-doc"> * Shouldn't we do it to $_COOKIE instead?</span></li>
<li><a name="a198"></a><span class="src-doc"> * </span><span class="src-doc-coretag">@param </span><span class="src-doc-type">string[] </span><span class="src-doc-var">$tagsArray </span><span class="src-doc"> User-provided list of tags to</span></li>
<li><a name="a199"></a><span class="src-doc"> * either accept or reject. Default: none</span></li>
<li><a name="a200"></a><span class="src-doc"> * </span><span class="src-doc-coretag">@param </span><span class="src-doc-type">string[] </span><span class="src-doc-var">$attrArray </span><span class="src-doc"> User-provided list of attributes to</span></li>
<li><a name="a201"></a><span class="src-doc"> * either accept or reject. Default: none</span></li>
<li><a name="a202"></a><span class="src-doc"> * </span><span class="src-doc-coretag">@param </span><span class="src-doc-type">boolean </span><span class="src-doc-var">$tagsMethod </span><span class="src-doc">How to apply the list of tags in $tagsArray:</span></li>
<li><a name="a203"></a><span class="src-doc"> * <ul></span></li>
<li><a name="a204"></a><span class="src-doc"> * <li>true => Remove those tags which are listed in</span></li>
<li><a name="a205"></a><span class="src-doc"> * $tagsArray.</li></span></li>
<li><a name="a206"></a><span class="src-doc"> * <li>false => Allow only those tags which are listed in</span></li>
<li><a name="a207"></a><span class="src-doc"> * $tagsArray.</li></span></li>
<li><a name="a208"></a><span class="src-doc"> * </ul></span></li>
<li><a name="a209"></a><span class="src-doc"> * Default: false</span></li>
<li><a name="a210"></a><span class="src-doc"> * </span><span class="src-doc-coretag">@param </span><span class="src-doc-type">boolean </span><span class="src-doc-var">$attrMethod </span><span class="src-doc">How to apply the list of attributes in $attrArray:</span></li>
<li><a name="a211"></a><span class="src-doc"> * <ul></span></li>
<li><a name="a212"></a><span class="src-doc"> * <li>true => Remove those attributes which are listed in</span></li>
<li><a name="a213"></a><span class="src-doc"> * $attrArray.</li></span></li>
<li><a name="a214"></a><span class="src-doc"> * <li>false => Allow only those attributes which are listed in</span></li>
<li><a name="a215"></a><span class="src-doc"> * $attrArray.</li></span></li>
<li><a name="a216"></a><span class="src-doc"> * </ul></span></li>
<li><a name="a217"></a><span class="src-doc"> * Default: false</span></li>
<li><a name="a218"></a><span class="src-doc"> * </span><span class="src-doc-coretag">@param </span><span class="src-doc-type">boolean </span><span class="src-doc-var">$xssAuto </span><span class="src-doc">Behavior of </span><span class="src-doc-inlinetag">{@link filterTags()}</span><span class="src-doc">:</span></li>
<li><a name="a219"></a><span class="src-doc"> * &lt;ul&gt;</span></li>
<li><a name="a220"></a><span class="src-doc"> * &lt;li&gt;true => Remove tags in </span><span class="src-doc-inlinetag">{@link $tagBlacklist}</span><span class="src-doc"> and</span></li>
<li><a name="a221"></a><span class="src-doc"> * attributes in </span><span class="src-doc-inlinetag">{@link $attrBlacklist}</span><span class="src-doc">, in</span></li>
<li><a name="a222"></a><span class="src-doc"> * addition to all other potentially suspect tags</span></li>
<li><a name="a223"></a><span class="src-doc"> * and attributes.&lt;/li&gt;</span></li>
<li><a name="a224"></a><span class="src-doc"> * &lt;li&gt;false => Remove potentially suspect tags and attributes</span></li>
<li><a name="a225"></a><span class="src-doc"> * without consulting </span><span class="src-doc-inlinetag">{@link $tagBlacklist}</span><span class="src-doc"> or</span></li>
<li><a name="a226"></a><span class="src-doc"> * </span><span class="src-doc-inlinetag">{@link $attrBlacklist}</span><span class="src-doc">.&lt;/li&gt;</span></li>
<li><a name="a227"></a><span class="src-doc"> * &lt;/ul&gt;</span></li>
<li><a name="a228"></a><span class="src-doc"> * Default: true</span></li>
<li><a name="a229"></a><span class="src-doc"> * </span><span class="src-doc-coretag">@author</span><span class="src-doc"> John Peterson</span></li>
<li><a name="a230"></a><span class="src-doc"> * </span><span class="src-doc-coretag">@uses</span><span class="src-doc"> __construct()</span></li>
<li><a name="a231"></a><span class="src-doc"> * </span><span class="src-doc-coretag">@uses</span><span class="src-doc"> process()</span></li>
<li><a name="a232"></a><span class="src-doc"> * </span><span class="src-doc-coretag">@todo</span><span class="src-doc"> Check out FIXMEs</span></li>
<li><a name="a233"></a><span class="src-doc"> */</span></li>
<!-- NOTE(review): process_all() first calls self::__construct() with the same five
     arguments (presumably to store the tag/attribute configuration; __construct() is
     outside this listing), then overwrites $_POST, $_GET and $_REQUEST in place with
     the result of process(). The three superglobals are filtered independently by the
     three explicit statements below; nothing else is touched (e.g. $_COOKIE).
     The defaults are the integers 0, 0 and 1 while the docblock documents booleans
     (false, false, true); they are only ever used as truthy/falsy values.
     This is a blacklist-style sanitiser (see the $tagBlacklist / $xssAuto checks in
     filterTags()); sanitising at the request boundary does not substitute for
     context-specific output encoding where the values are later rendered. -->
<li><a name="a234"></a> <span class="src-key">public </span><span class="src-key">function </span><a href="../PHPonTrax/InputFilter.html#methodprocess_all">process_all</a><span class="src-sym">(</span><span class="src-var">$tagsArray </span>= <span class="src-key">array</span><span class="src-sym">(</span><span class="src-sym">)</span><span class="src-sym">, </span><span class="src-var">$attrArray </span>= <span class="src-key">array</span><span class="src-sym">(</span><span class="src-sym">)</span><span class="src-sym">,</span></li>
<li><a name="a235"></a> <span class="src-var">$tagsMethod </span>= <span class="src-num">0</span><span class="src-sym">, </span><span class="src-var">$attrMethod </span>= <span class="src-num">0</span><span class="src-sym">,</span></li>
<li><a name="a236"></a> <span class="src-var">$xssAuto </span>= <span class="src-num">1</span><span class="src-sym">) </span><span class="src-sym">{</span></li>
<li><a name="a237"></a> <span class="src-id">self</span><span class="src-sym">::</span><span class="src-id">__construct</span><span class="src-sym">(</span><span class="src-var">$tagsArray</span><span class="src-sym">, </span><span class="src-var">$attrArray</span><span class="src-sym">, </span><span class="src-var">$tagsMethod</span><span class="src-sym">,</span></li>
<li><a name="a238"></a> <span class="src-var">$attrMethod</span><span class="src-sym">, </span><span class="src-var">$xssAuto</span><span class="src-sym">)</span><span class="src-sym">;</span></li>
<!-- Each superglobal is only processed when non-empty; process() returns a filtered
     copy, and the assignment replaces the global for the rest of the request. -->
<li><a name="a239"></a> <span class="src-key">if</span><span class="src-sym">(</span><a href="http://www.php.net/count">count</a><span class="src-sym">(</span><span class="src-var">$_POST</span><span class="src-sym">)) </span><span class="src-sym">{</span></li>
<li><a name="a240"></a> <span class="src-var">$_POST </span>= <span class="src-id">self</span><span class="src-sym">::</span><span class="src-id">process</span><span class="src-sym">(</span><span class="src-var">$_POST</span><span class="src-sym">)</span><span class="src-sym">;</span></li>
<li><a name="a241"></a> <span class="src-sym">}</span></li>
<li><a name="a242"></a> <span class="src-key">if</span><span class="src-sym">(</span><a href="http://www.php.net/count">count</a><span class="src-sym">(</span><span class="src-var">$_GET</span><span class="src-sym">)) </span><span class="src-sym">{</span></li>
<li><a name="a243"></a> <span class="src-var">$_GET </span>= <span class="src-id">self</span><span class="src-sym">::</span><span class="src-id">process</span><span class="src-sym">(</span><span class="src-var">$_GET</span><span class="src-sym">)</span><span class="src-sym">;</span></li>
<li><a name="a244"></a> <span class="src-sym">}</span></li>
<li><a name="a245"></a> <span class="src-key">if</span><span class="src-sym">(</span><a href="http://www.php.net/count">count</a><span class="src-sym">(</span><span class="src-var">$_REQUEST</span><span class="src-sym">)) </span><span class="src-sym">{</span></li>
<li><a name="a246"></a> <span class="src-var">$_REQUEST </span>= <span class="src-id">self</span><span class="src-sym">::</span><span class="src-id">process</span><span class="src-sym">(</span><span class="src-var">$_REQUEST</span><span class="src-sym">)</span><span class="src-sym">;</span></li>
<li><a name="a247"></a> <span class="src-sym">}</span></li>
<li><a name="a248"></a> <span class="src-sym">}</span></li>
<li><a name="a249"></a> </li>
<li><a name="a250"></a> <span class="src-doc">/** </span></li>
<li><a name="a251"></a><span class="src-doc"> * Remove forbidden tags and attributes from array of strings</span></li>
<li><a name="a252"></a><span class="src-doc"> *</span></li>
<li><a name="a253"></a><span class="src-doc"> * Accept a string or array of strings. For each string in the</span></li>
<li><a name="a254"></a><span class="src-doc"> * source, remove the forbidden tags and attributes from the string.</span></li>
<li><a name="a255"></a><span class="src-doc"> * </span><span class="src-doc-coretag">@param </span><span class="src-doc-type">mixed </span><span class="src-doc-var">$source </span><span class="src-doc">- input string/array-of-string to be 'cleaned'</span></li>
<li><a name="a256"></a><span class="src-doc"> * </span><span class="src-doc-coretag">@return </span><span class="src-doc-type">mixed </span><span class="src-doc">'cleaned' version of input parameter</span></li>
<li><a name="a257"></a><span class="src-doc"> * </span><span class="src-doc-coretag">@uses</span><span class="src-doc"> decode()</span></li>
<li><a name="a258"></a><span class="src-doc"> * </span><span class="src-doc-coretag">@uses</span><span class="src-doc"> remove()</span></li>
<li><a name="a259"></a><span class="src-doc"> */</span></li>
<!-- NOTE(review): process() walks an array recursively (nested arrays are handled by
     the recursive self::process() call) and passes every string value through
     decode() and then remove(). Only values are filtered: array keys are kept as given,
     and elements that are neither array nor string (ints, null, objects) are returned
     untouched. A top-level argument that is neither array nor string is returned as
     given by the final else. decode() is not in this listing; presumably it reverses
     entity/URL encoding before the tag filter runs so that encoded tags are seen. -->
<li><a name="a260"></a> <span class="src-key">public </span><span class="src-key">function </span><a href="../PHPonTrax/InputFilter.html#methodprocess">process</a><span class="src-sym">(</span><span class="src-var">$source</span><span class="src-sym">) </span><span class="src-sym">{</span></li>
<li><a name="a261"></a> <span class="src-comm">// clean all elements in this array</span></li>
<li><a name="a262"></a> <span class="src-key">if </span><span class="src-sym">(</span><a href="http://www.php.net/is_array">is_array</a><span class="src-sym">(</span><span class="src-var">$source</span><span class="src-sym">)) </span><span class="src-sym">{</span></li>
<li><a name="a263"></a> <span class="src-key">foreach</span><span class="src-sym">(</span><span class="src-var">$source </span><span class="src-key">as </span><span class="src-var">$key </span>=> <span class="src-var">$value</span><span class="src-sym">) </span><span class="src-sym">{</span></li>
<li><a name="a264"></a> <span class="src-comm">// for arrays in arrays</span></li>
<li><a name="a265"></a> <span class="src-key">if </span><span class="src-sym">(</span><a href="http://www.php.net/is_array">is_array</a><span class="src-sym">(</span><span class="src-var">$value</span><span class="src-sym">)) </span><span class="src-var">$source</span><span class="src-sym">[</span><span class="src-var">$key</span><span class="src-sym">] </span>= <span class="src-id">self</span><span class="src-sym">::</span><span class="src-id">process</span><span class="src-sym">(</span><span class="src-var">$value</span><span class="src-sym">)</span><span class="src-sym">;</span></li>
<li><a name="a266"></a> <span class="src-comm">// filter element for XSS and other 'bad' code etc.</span></li>
<li><a name="a267"></a> <span class="src-key">if </span><span class="src-sym">(</span><a href="http://www.php.net/is_string">is_string</a><span class="src-sym">(</span><span class="src-var">$value</span><span class="src-sym">)) </span><span class="src-var">$source</span><span class="src-sym">[</span><span class="src-var">$key</span><span class="src-sym">] </span>= <span class="src-id">self</span><span class="src-sym">::</span><span class="src-id">remove</span><span class="src-sym">(</span><span class="src-id">self</span><span class="src-sym">::</span><span class="src-id">decode</span><span class="src-sym">(</span><span class="src-var">$value</span><span class="src-sym">))</span><span class="src-sym">;</span></li>
<li><a name="a268"></a> <span class="src-sym">}</span></li>
<li><a name="a269"></a> <span class="src-key">return </span><span class="src-var">$source</span><span class="src-sym">;</span></li>
<li><a name="a270"></a> <span class="src-comm">// clean this string</span></li>
<li><a name="a271"></a> <span class="src-sym">} </span><span class="src-key">else </span><span class="src-key">if </span><span class="src-sym">(</span><a href="http://www.php.net/is_string">is_string</a><span class="src-sym">(</span><span class="src-var">$source</span><span class="src-sym">)) </span><span class="src-sym">{</span></li>
<li><a name="a272"></a> <span class="src-comm">// filter source for XSS and other 'bad' code etc.</span></li>
<li><a name="a273"></a> <span class="src-key">return </span><span class="src-id">self</span><span class="src-sym">::</span><span class="src-id">remove</span><span class="src-sym">(</span><span class="src-id">self</span><span class="src-sym">::</span><span class="src-id">decode</span><span class="src-sym">(</span><span class="src-var">$source</span><span class="src-sym">))</span><span class="src-sym">;</span></li>
<li><a name="a274"></a> <span class="src-comm">// return parameter as given</span></li>
<li><a name="a275"></a> <span class="src-sym">} </span><span class="src-key">else </span><span class="src-key">return </span><span class="src-var">$source</span><span class="src-sym">; </span></li>
<li><a name="a276"></a> <span class="src-sym">}</span></li>
<li><a name="a277"></a> </li>
<li><a name="a278"></a> <span class="src-doc">/** </span></li>
<li><a name="a279"></a><span class="src-doc"> * Remove forbidden tags and attributes from a string iteratively</span></li>
<li><a name="a280"></a><span class="src-doc"> *</span></li>
<li><a name="a281"></a><span class="src-doc"> * Call </span><span class="src-doc-inlinetag">{@link filterTags()}</span><span class="src-doc"> repeatedly until no change in the</span></li>
<li><a name="a282"></a><span class="src-doc"> * input is produced.</span></li>
<li><a name="a283"></a><span class="src-doc"> * </span><span class="src-doc-coretag">@param </span><span class="src-doc-type">string </span><span class="src-doc-var">$source </span><span class="src-doc">Input string to be 'cleaned'</span></li>
<li><a name="a284"></a><span class="src-doc"> * </span><span class="src-doc-coretag">@return </span><span class="src-doc-type">string </span><span class="src-doc">'cleaned' version of $source</span></li>
<li><a name="a285"></a><span class="src-doc"> * </span><span class="src-doc-coretag">@uses</span><span class="src-doc"> filterTags()</span></li>
<li><a name="a286"></a><span class="src-doc"> */</span></li>
<!-- NOTE(review): remove() re-runs filterTags() until a pass leaves the string
     unchanged, i.e. until a fixed point is reached. This is the "nested-tag protection"
     named in the comment below: removing one tag can expose content that only becomes
     a tag once its neighbours are gone, so a single pass is not enough. Each iteration
     calls filterTags() twice (once in the while condition and again in the body);
     storing the result in a local and comparing that would halve the filtering work.
     $loopCounter is incremented but never read (hence the FIXME); the loop is not
     bounded by it and appears to terminate only because filterTags() removes text on
     every changing pass (filterTags() continues past this listing; confirm it never
     grows its input). The comparison uses loose !=; !== would sidestep PHP's
     numeric-string comparison, although for tag stripping the difference is unlikely
     to matter in practice. -->
<li><a name="a287"></a> <span class="src-key">protected </span><span class="src-key">function </span><a href="../PHPonTrax/InputFilter.html#methodremove">remove</a><span class="src-sym">(</span><span class="src-var">$source</span><span class="src-sym">) </span><span class="src-sym">{</span></li>
<li><a name="a288"></a> <span class="src-comm">// FIXME: what do we use $loopCounter for?</span></li>
<li><a name="a289"></a> <span class="src-var">$loopCounter</span>=<span class="src-num">0</span><span class="src-sym">;</span></li>
<li><a name="a290"></a> <span class="src-comm">// provides nested-tag protection</span></li>
<li><a name="a291"></a> <span class="src-key">while</span><span class="src-sym">(</span><span class="src-var">$source </span>!= <span class="src-id">self</span><span class="src-sym">::</span><span class="src-id">filterTags</span><span class="src-sym">(</span><span class="src-var">$source</span><span class="src-sym">)) </span><span class="src-sym">{</span></li>
<li><a name="a292"></a> <span class="src-var">$source </span>= <span class="src-id">self</span><span class="src-sym">::</span><span class="src-id">filterTags</span><span class="src-sym">(</span><span class="src-var">$source</span><span class="src-sym">)</span><span class="src-sym">;</span></li>
<li><a name="a293"></a> <span class="src-var">$loopCounter</span>++<span class="src-sym">;</span></li>
<li><a name="a294"></a> <span class="src-sym">}</span></li>
<li><a name="a295"></a> <span class="src-key">return </span><span class="src-var">$source</span><span class="src-sym">;</span></li>
<li><a name="a296"></a> <span class="src-sym">} </span></li>
<li><a name="a297"></a> </li>
<li><a name="a298"></a> <span class="src-doc">/** </span></li>
<li><a name="a299"></a><span class="src-doc"> * Remove forbidden tags and attributes from a string</span></li>
<li><a name="a300"></a><span class="src-doc"> *</span></li>
<li><a name="a301"></a><span class="src-doc"> * Inspect the input for tags "&lt;tagname ...&gt;" and check the tag</span></li>
<li><a name="a302"></a><span class="src-doc"> * name against a list of forbidden tag names. Delete all tags</span></li>
<li><a name="a303"></a><span class="src-doc"> * with forbidden names. If </span><span class="src-doc-inlinetag">{@link $xssAuto}</span><span class="src-doc"> is true, delete all</span></li>
<li><a name="a304"></a><span class="src-doc"> * tags in </span><span class="src-doc-inlinetag">{@link $tagBlacklist}</span><span class="src-doc">. If there is a user-defined tag</span></li>
<li><a name="a305"></a><span class="src-doc"> * list in </span><span class="src-doc-inlinetag">{@link $tagsArray}</span><span class="src-doc">, process according to the value of</span></li>
<li><a name="a306"></a><span class="src-doc"> * </span><span class="src-doc-inlinetag">{@link $tagsMethod}</span><span class="src-doc">.</span></li>
<li><a name="a307"></a><span class="src-doc"> *</span></li>
<li><a name="a308"></a><span class="src-doc"> * If the tag name is OK, then call </span><span class="src-doc-inlinetag">{@link filterAttr()}</span><span class="src-doc"> to check</span></li>
<li><a name="a309"></a><span class="src-doc"> * all attributes of the tag and delete forbidden attributes.</span></li>
<li><a name="a310"></a><span class="src-doc"> * </span><span class="src-doc-coretag">@param </span><span class="src-doc-type">string </span><span class="src-doc-var">$source </span><span class="src-doc">Input string to be 'cleaned'</span></li>
<li><a name="a311"></a><span class="src-doc"> * </span><span class="src-doc-coretag">@return </span><span class="src-doc-type">string </span><span class="src-doc">Cleaned version of input parameter</span></li>
<li><a name="a312"></a><span class="src-doc"> * </span><span class="src-doc-coretag">@uses</span><span class="src-doc"> filterAttr()</span></li>
<li><a name="a313"></a><span class="src-doc"> * </span><span class="src-doc-coretag">@uses</span><span class="src-doc"> $tagBlacklist</span></li>
<li><a name="a314"></a><span class="src-doc"> * </span><span class="src-doc-coretag">@uses</span><span class="src-doc"> $tagsArray</span></li>
<li><a name="a315"></a><span class="src-doc"> * </span><span class="src-doc-coretag">@uses</span><span class="src-doc"> $tagsMethod</span></li>
<li><a name="a316"></a><span class="src-doc"> * </span><span class="src-doc-coretag">@uses</span><span class="src-doc"> $xssAuto</span></li>
<li><a name="a317"></a><span class="src-doc"> */</span></li>
<li><a name="a318"></a> <span class="src-key">protected </span><span class="src-key">function </span><a href="../PHPonTrax/InputFilter.html#methodfilterTags">filterTags</a><span class="src-sym">(</span><span class="src-var">$source</span><span class="src-sym">) </span><span class="src-sym">{</span></li>
<li><a name="a319"></a> <span class="src-comm">// filter pass setup</span></li>
<li><a name="a320"></a> <span class="src-var">$preTag </span>= <span class="src-id">NULL</span><span class="src-sym">;</span></li>
<li><a name="a321"></a> <span class="src-var">$postTag </span>= <span class="src-var">$source</span><span class="src-sym">;</span></li>
<li><a name="a322"></a> <span class="src-comm">// find initial tag's position</span></li>
<li><a name="a323"></a> <span class="src-var">$tagOpen_start </span>= <a href="http://www.php.net/strpos">strpos</a><span class="src-sym">(</span><span class="src-var">$source</span><span class="src-sym">, </span><span class="src-str">'<'</span><span class="src-sym">)</span><span class="src-sym">;</span></li>
<li><a name="a324"></a> <span class="src-comm">// interate through string until no tags left</span></li>
<li><a name="a325"></a> <span class="src-key">while</span><span class="src-sym">(</span><span class="src-var">$tagOpen_start </span>!== <span class="src-id">FALSE</span><span class="src-sym">) </span><span class="src-sym">{</span></li>
<li><a name="a326"></a> <span class="src-comm">// process tag interatively</span></li>
<li><a name="a327"></a> <span class="src-var">$preTag </span>.= <a href="http://www.php.net/substr">substr</a><span class="src-sym">(</span><span class="src-var">$postTag</span><span class="src-sym">, </span><span class="src-num">0</span><span class="src-sym">, </span><span class="src-var">$tagOpen_start</span><span class="src-sym">)</span><span class="src-sym">;</span></li>
<li><a name="a328"></a> <span class="src-var">$postTag </span>= <a href="http://www.php.net/substr">substr</a><span class="src-sym">(</span><span class="src-var">$postTag</span><span class="src-sym">, </span><span class="src-var">$tagOpen_start</span><span class="src-sym">)</span><span class="src-sym">;</span></li>
<li><a name="a329"></a> <span class="src-var">$fromTagOpen </span>= <a href="http://www.php.net/substr">substr</a><span class="src-sym">(</span><span class="src-var">$postTag</span><span class="src-sym">, </span><span class="src-num">1</span><span class="src-sym">)</span><span class="src-sym">;</span></li>
<li><a name="a330"></a> <span class="src-comm">// end of tag</span></li>
<li><a name="a331"></a> <span class="src-var">$tagOpen_end </span>= <a href="http://www.php.net/strpos">strpos</a><span class="src-sym">(</span><span class="src-var">$fromTagOpen</span><span class="src-sym">, </span><span class="src-str">'>'</span><span class="src-sym">)</span><span class="src-sym">;</span></li>
<li><a name="a332"></a> <span class="src-key">if </span><span class="src-sym">(</span><span class="src-var">$tagOpen_end </span>=== <span class="src-id">false</span><span class="src-sym">) </span><span class="src-key">break</span><span class="src-sym">;</span></li>
<li><a name="a333"></a> <span class="src-comm">// next start of tag (for nested tag assessment)</span></li>
<li><a name="a334"></a> <span class="src-var">$tagOpen_nested </span>= <a href="http://www.php.net/strpos">strpos</a><span class="src-sym">(</span><span class="src-var">$fromTagOpen</span><span class="src-sym">, </span><span class="src-str">'<'</span><span class="src-sym">)</span><span class="src-sym">;</span></li>
<li><a name="a335"></a> <span class="src-key">if </span><span class="src-sym">((</span><span class="src-var">$tagOpen_nested </span>!== <span class="src-id">false</span><span class="src-sym">) </span>&& <span class="src-sym">(</span><span class="src-var">$tagOpen_nested </span>< <span class="src-var">$tagOpen_end</span><span class="src-sym">)) </span><span class="src-sym">{</span></li>
<li><a name="a336"></a> <span class="src-var">$preTag </span>.= <a href="http://www.php.net/substr">substr</a><span class="src-sym">(</span><span class="src-var">$postTag</span><span class="src-sym">, </span><span class="src-num">0</span><span class="src-sym">, </span><span class="src-sym">(</span><span class="src-var">$tagOpen_nested</span>+<span class="src-num">1</span><span class="src-sym">))</span><span class="src-sym">;</span></li>
<li><a name="a337"></a> <span class="src-var">$postTag </span>= <a href="http://www.php.net/substr">substr</a><span class="src-sym">(</span><span class="src-var">$postTag</span><span class="src-sym">, </span><span class="src-sym">(</span><span class="src-var">$tagOpen_nested</span>+<span class="src-num">1</span><span class="src-sym">))</span><span class="src-sym">;</span></li>
<li><a name="a338"></a> <span class="src-var">$tagOpen_start </span>= <a href="http://www.php.net/strpos">strpos</a><span class="src-sym">(</span><span class="src-var">$postTag</span><span class="src-sym">, </span><span class="src-str">'<'</span><span class="src-sym">)</span><span class="src-sym">;</span></li>
<li><a name="a339"></a> <span class="src-key">continue</span><span class="src-sym">;</span></li>
<li><a name="a340"></a> <span class="src-sym">} </span></li>
<li><a name="a341"></a> <span class="src-var">$tagOpen_nested </span>= <span class="src-sym">(</span><a href="http://www.php.net/strpos">strpos</a><span class="src-sym">(</span><span class="src-var">$fromTagOpen</span><span class="src-sym">, </span><span class="src-str">'<'</span><span class="src-sym">) </span>+ <span class="src-var">$tagOpen_start </span>+ <span class="src-num">1</span><span class="src-sym">)</span><span class="src-sym">;</span></li>
<li><a name="a342"></a> <span class="src-var">$currentTag </span>= <a href="http://www.php.net/substr">substr</a><span class="src-sym">(</span><span class="src-var">$fromTagOpen</span><span class="src-sym">, </span><span class="src-num">0</span><span class="src-sym">, </span><span class="src-var">$tagOpen_end</span><span class="src-sym">)</span><span class="src-sym">;</span></li>
<li><a name="a343"></a> <span class="src-var">$tagLength </span>= <a href="http://www.php.net/strlen">strlen</a><span class="src-sym">(</span><span class="src-var">$currentTag</span><span class="src-sym">)</span><span class="src-sym">;</span></li>
<li><a name="a344"></a> <span class="src-key">if </span><span class="src-sym">(</span><span class="src-sym">!</span><span class="src-var">$tagOpen_end</span><span class="src-sym">) </span><span class="src-sym">{</span></li>
<li><a name="a345"></a> <span class="src-var">$preTag </span>.= <span class="src-var">$postTag</span><span class="src-sym">;</span></li>
<li><a name="a346"></a> <span class="src-var">$tagOpen_start </span>= <a href="http://www.php.net/strpos">strpos</a><span class="src-sym">(</span><span class="src-var">$postTag</span><span class="src-sym">, </span><span class="src-str">'<'</span><span class="src-sym">)</span><span class="src-sym">; </span></li>
<li><a name="a347"></a> <span class="src-sym">}</span></li>
<li><a name="a348"></a> <span class="src-comm">// iterate through tag finding attribute pairs - setup</span></li>
<li><a name="a349"></a> <span class="src-var">$tagLeft </span>= <span class="src-var">$currentTag</span><span class="src-sym">;</span></li>
<li><a name="a350"></a> <span class="src-var">$attrSet </span>= <span class="src-key">array</span><span class="src-sym">(</span><span class="src-sym">)</span><span class="src-sym">;</span></li>
<li><a name="a351"></a> <span class="src-var">$currentSpace </span>= <a href="http://www.php.net/strpos">strpos</a><span class="src-sym">(</span><span class="src-var">$tagLeft</span><span class="src-sym">, </span><span class="src-str">' '</span><span class="src-sym">)</span><span class="src-sym">;</span></li>
<li><a name="a352"></a> <span class="src-comm">// is end tag</span></li>
<li><a name="a353"></a> <span class="src-key">if </span><span class="src-sym">(</span><a href="http://www.php.net/substr">substr</a><span class="src-sym">(</span><span class="src-var">$currentTag</span><span class="src-sym">, </span><span class="src-num">0</span><span class="src-sym">, </span><span class="src-num">1</span><span class="src-sym">) </span>== <span class="src-str">"/"</span><span class="src-sym">) </span><span class="src-sym">{</span></li>
<li><a name="a354"></a> <span class="src-var">$isCloseTag </span>= <span class="src-id">TRUE</span><span class="src-sym">;</span></li>
<li><a name="a355"></a> list<span class="src-sym">(</span><span class="src-var">$tagName</span><span class="src-sym">) </span>= <a href="http://www.php.net/explode">explode</a><span class="src-sym">(</span><span class="src-str">' '</span><span class="src-sym">, </span><span class="src-var">$currentTag</span><span class="src-sym">)</span><span class="src-sym">;</span></li>
<li><a name="a356"></a> <span class="src-var">$tagName </span>= <a href="http://www.php.net/substr">substr</a><span class="src-sym">(</span><span class="src-var">$tagName</span><span class="src-sym">, </span><span class="src-num">1</span><span class="src-sym">)</span><span class="src-sym">;</span></li>
<li><a name="a357"></a> <span class="src-comm">// is start tag</span></li>
<li><a name="a358"></a> <span class="src-sym">} </span><span class="src-key">else </span><span class="src-sym">{</span></li>
<li><a name="a359"></a> <span class="src-var">$isCloseTag </span>= <span class="src-id">FALSE</span><span class="src-sym">;</span></li>
<li><a name="a360"></a> list<span class="src-sym">(</span><span class="src-var">$tagName</span><span class="src-sym">) </span>= <a href="http://www.php.net/explode">explode</a><span class="src-sym">(</span><span class="src-str">' '</span><span class="src-sym">, </span><span class="src-var">$currentTag</span><span class="src-sym">)</span><span class="src-sym">;</span></li>
<li><a name="a361"></a> <span class="src-sym">} </span></li>
<li><a name="a362"></a> <span class="src-comm">// excludes all "non-regular" tagnames OR no tagname OR remove if xssauto is on and tag is blacklisted</span></li>
<li><a name="a363"></a> <span class="src-key">if </span><span class="src-sym">((</span><span class="src-sym">!</span><a href="http://www.php.net/preg_match">preg_match</a><span class="src-sym">(</span><span class="src-str">"</span><span class="src-str">/^<span class="src-sym">[</span><span class="src-id">a</span>-<span class="src-id">z</span><span class="src-sym">]</span><span class="src-sym">[</span><span class="src-id">a</span>-<span class="src-id">z0</span>-9<span class="src-sym">]</span>*$/<span class="src-id">i</span></span><span class="src-str">"</span><span class="src-sym">,</span><span class="src-var">$tagName</span><span class="src-sym">)) </span>|| <span class="src-sym">(</span><span class="src-sym">!</span><span class="src-var">$tagName</span><span class="src-sym">) </span>|| <span class="src-sym">((</span><a href="http://www.php.net/in_array">in_array</a><span class="src-sym">(</span><a href="http://www.php.net/strtolower">strtolower</a><span class="src-sym">(</span><span class="src-var">$tagName</span><span class="src-sym">)</span><span class="src-sym">, </span><span class="src-id">self</span><span class="src-sym">::</span><span class="src-var">$tagBlacklist</span><span class="src-sym">)) </span>&& <span class="src-sym">(</span><span class="src-id">self</span><span class="src-sym">::</span><span class="src-var">$xssAuto</span><span class="src-sym">))) </span><span class="src-sym">{</span></li>
<li><a name="a364"></a> <span class="src-var">$postTag </span>= <span class="src-id">substr</span><span class="src-sym">(</span><span class="src-var">$postTag</span><span class="src-sym">, </span><span class="src-sym">(</span><span class="src-var">$tagLength </span>+ <span class="src-num">2</span><span class="src-sym">))</span><span class="src-sym">;</span></li>
<li><a name="a365"></a> <span class="src-var">$tagOpen_start </span>= <a href="http://www.php.net/strpos">strpos</a><span class="src-sym">(</span><span class="src-var">$postTag</span><span class="src-sym">, </span><span class="src-str">'<'</span><span class="src-sym">)</span><span class="src-sym">;</span></li>
<li><a name="a366"></a> <span class="src-comm">// don't append this tag</span></li>
<li><a name="a367"></a> <span class="src-key">continue</span><span class="src-sym">;</span></li>
<li><a name="a368"></a> <span class="src-sym">}</span></li>
<li><a name="a369"></a> <span class="src-comm">// this while is needed to support attribute values with spaces in!</span></li>
<li><a name="a370"></a> <span class="src-key">while </span><span class="src-sym">(</span><span class="src-var">$currentSpace </span>!== <span class="src-id">FALSE</span><span class="src-sym">) </span><span class="src-sym">{</span></li>
<li><a name="a371"></a> <span class="src-var">$fromSpace </span>= <a href="http://www.php.net/substr">substr</a><span class="src-sym">(</span><span class="src-var">$tagLeft</span><span class="src-sym">, </span><span class="src-sym">(</span><span class="src-var">$currentSpace</span>+<span class="src-num">1</span><span class="src-sym">))</span><span class="src-sym">;</span></li>
<li><a name="a372"></a> <span class="src-var">$nextSpace </span>= <a href="http://www.php.net/strpos">strpos</a><span class="src-sym">(</span><span class="src-var">$fromSpace</span><span class="src-sym">, </span><span class="src-str">' '</span><span class="src-sym">)</span><span class="src-sym">;</span></li>
<li><a name="a373"></a> <span class="src-var">$openQuotes </span>= <a href="http://www.php.net/strpos">strpos</a><span class="src-sym">(</span><span class="src-var">$fromSpace</span><span class="src-sym">, </span><span class="src-str">'"'</span><span class="src-sym">)</span><span class="src-sym">;</span></li>
<li><a name="a374"></a> <span class="src-var">$closeQuotes </span>= <a href="http://www.php.net/strpos">strpos</a><span class="src-sym">(</span><a href="http://www.php.net/substr">substr</a><span class="src-sym">(</span><span class="src-var">$fromSpace</span><span class="src-sym">, </span><span class="src-sym">(</span><span class="src-var">$openQuotes</span>+<span class="src-num">1</span><span class="src-sym">))</span><span class="src-sym">, </span><span class="src-str">'"'</span><span class="src-sym">) </span>+ <span class="src-var">$openQuotes </span>+ <span class="src-num">1</span><span class="src-sym">;</span></li>
<li><a name="a375"></a> <span class="src-comm">// another equals exists</span></li>
<li><a name="a376"></a> <span class="src-key">if </span><span class="src-sym">(</span><a href="http://www.php.net/strpos">strpos</a><span class="src-sym">(</span><span class="src-var">$fromSpace</span><span class="src-sym">, </span><span class="src-str">'='</span><span class="src-sym">) </span>!== <span class="src-id">FALSE</span><span class="src-sym">) </span><span class="src-sym">{</span></li>
<li><a name="a377"></a> <span class="src-comm">// opening and closing quotes exists</span></li>
<li><a name="a378"></a> <span class="src-key">if </span><span class="src-sym">((</span><span class="src-var">$openQuotes </span>!== <span class="src-id">FALSE</span><span class="src-sym">) </span>&& <span class="src-sym">(</span><a href="http://www.php.net/strpos">strpos</a><span class="src-sym">(</span><a href="http://www.php.net/substr">substr</a><span class="src-sym">(</span><span class="src-var">$fromSpace</span><span class="src-sym">, </span><span class="src-sym">(</span><span class="src-var">$openQuotes</span>+<span class="src-num">1</span><span class="src-sym">))</span><span class="src-sym">, </span><span class="src-str">'"'</span><span class="src-sym">) </span>!== <span class="src-id">FALSE</span><span class="src-sym">))</span></li>
<li><a name="a379"></a> <span class="src-var">$attr </span>= <a href="http://www.php.net/substr">substr</a><span class="src-sym">(</span><span class="src-var">$fromSpace</span><span class="src-sym">, </span><span class="src-num">0</span><span class="src-sym">, </span><span class="src-sym">(</span><span class="src-var">$closeQuotes</span>+<span class="src-num">1</span><span class="src-sym">))</span><span class="src-sym">;</span></li>
<li><a name="a380"></a> <span class="src-comm">// one or neither exist</span></li>
<li><a name="a381"></a> <span class="src-key">else </span><span class="src-var">$attr </span>= <a href="http://www.php.net/substr">substr</a><span class="src-sym">(</span><span class="src-var">$fromSpace</span><span class="src-sym">, </span><span class="src-num">0</span><span class="src-sym">, </span><span class="src-var">$nextSpace</span><span class="src-sym">)</span><span class="src-sym">;</span></li>
<li><a name="a382"></a> <span class="src-comm">// no more equals exist</span></li>
<li><a name="a383"></a> <span class="src-sym">} </span><span class="src-key">else </span><span class="src-var">$attr </span>= <a href="http://www.php.net/substr">substr</a><span class="src-sym">(</span><span class="src-var">$fromSpace</span><span class="src-sym">, </span><span class="src-num">0</span><span class="src-sym">, </span><span class="src-var">$nextSpace</span><span class="src-sym">)</span><span class="src-sym">;</span></li>
<li><a name="a384"></a> <span class="src-comm">// last attr pair</span></li>
<li><a name="a385"></a> <span class="src-key">if </span><span class="src-sym">(</span><span class="src-sym">!</span><span class="src-var">$attr</span><span class="src-sym">) </span><span class="src-var">$attr </span>= <span class="src-var">$fromSpace</span><span class="src-sym">;</span></li>
<li><a name="a386"></a> <span class="src-comm">// add to attribute pairs array</span></li>
<li><a name="a387"></a> <span class="src-var">$attrSet</span><span class="src-sym">[</span><span class="src-sym">] </span>= <span class="src-var">$attr</span><span class="src-sym">;</span></li>
<li><a name="a388"></a> <span class="src-comm">// next inc</span></li>
<li><a name="a389"></a> <span class="src-var">$tagLeft </span>= <a href="http://www.php.net/substr">substr</a><span class="src-sym">(</span><span class="src-var">$fromSpace</span><span class="src-sym">, </span><a href="http://www.php.net/strlen">strlen</a><span class="src-sym">(</span><span class="src-var">$attr</span><span class="src-sym">))</span><span class="src-sym">;</span></li>
<li><a name="a390"></a> <span class="src-var">$currentSpace </span>= <a href="http://www.php.net/strpos">strpos</a><span class="src-sym">(</span><span class="src-var">$tagLeft</span><span class="src-sym">, </span><span class="src-str">' '</span><span class="src-sym">)</span><span class="src-sym">;</span></li>
<li><a name="a391"></a> <span class="src-sym">}</span></li>
<li><a name="a392"></a> <span class="src-comm">// appears in array specified by user</span></li>
<li><a name="a393"></a> <span class="src-var">$tagFound </span>= <a href="http://www.php.net/in_array">in_array</a><span class="src-sym">(</span><a href="http://www.php.net/strtolower">strtolower</a><span class="src-sym">(</span><span class="src-var">$tagName</span><span class="src-sym">)</span><span class="src-sym">, </span><span class="src-id">self</span><span class="src-sym">::</span><span class="src-var">$tagsArray</span><span class="src-sym">)</span><span class="src-sym">;</span></li>
<li><a name="a394"></a> <span class="src-comm">// remove this tag on condition</span></li>
<li><a name="a395"></a> <span class="src-key">if </span><span class="src-sym">((</span><span class="src-sym">!</span><span class="src-var">$tagFound </span>&& <span class="src-id">self</span><span class="src-sym">::</span><span class="src-var">$tagsMethod</span><span class="src-sym">) </span>|| <span class="src-sym">(</span><span class="src-var">$tagFound </span>&& <span class="src-sym">!</span><span class="src-id">self</span><span class="src-sym">::</span><span class="src-var">$tagsMethod</span><span class="src-sym">)) </span><span class="src-sym">{</span></li>
<li><a name="a396"></a> <span class="src-comm">// reconstruct tag with allowed attributes</span></li>
<li><a name="a397"></a> <span class="src-key">if </span><span class="src-sym">(</span><span class="src-sym">!</span><span class="src-var">$isCloseTag</span><span class="src-sym">) </span><span class="src-sym">{</span></li>
<li><a name="a398"></a> <span class="src-var">$attrSet </span>= <span class="src-id">self</span><span class="src-sym">::</span><span class="src-id">filterAttr</span><span class="src-sym">(</span><span class="src-var">$attrSet</span><span class="src-sym">)</span><span class="src-sym">;</span></li>
<li><a name="a399"></a> <span class="src-var">$preTag </span>.= <span class="src-str">'<' </span>. <span class="src-var">$tagName</span><span class="src-sym">;</span></li>
<li><a name="a400"></a> <span class="src-key">for </span><span class="src-sym">(</span><span class="src-var">$i </span>= <span class="src-num">0</span><span class="src-sym">; </span><span class="src-var">$i </span>< <a href="http://www.php.net/count">count</a><span class="src-sym">(</span><span class="src-var">$attrSet</span><span class="src-sym">)</span><span class="src-sym">; </span><span class="src-var">$i</span>++<span class="src-sym">)</span></li>
<li><a name="a401"></a> <span class="src-var">$preTag </span>.= <span class="src-str">' ' </span>. <span class="src-var">$attrSet</span><span class="src-sym">[</span><span class="src-var">$i</span><span class="src-sym">]</span><span class="src-sym">;</span></li>
<li><a name="a402"></a> <span class="src-comm">// reformat single tags to XHTML</span></li>
<li><a name="a403"></a> <span class="src-key">if </span><span class="src-sym">(</span><a href="http://www.php.net/strpos">strpos</a><span class="src-sym">(</span><span class="src-var">$fromTagOpen</span><span class="src-sym">, </span><span class="src-str">"</" </span>. <span class="src-var">$tagName</span><span class="src-sym">)) </span><span class="src-var">$preTag </span>.= <span class="src-str">'>'</span><span class="src-sym">;</span></li>
<li><a name="a404"></a> <span class="src-key">else </span><span class="src-var">$preTag </span>.= <span class="src-str">' />'</span><span class="src-sym">;</span></li>
<li><a name="a405"></a> <span class="src-comm">// just the tagname</span></li>
<li><a name="a406"></a> <span class="src-sym">} </span><span class="src-key">else </span><span class="src-var">$preTag </span>.= <span class="src-str">'</' </span>. <span class="src-var">$tagName </span>. <span class="src-str">'>'</span><span class="src-sym">;</span></li>
<li><a name="a407"></a> <span class="src-sym">}</span></li>
<li><a name="a408"></a> <span class="src-comm">// find next tag's start</span></li>
<li><a name="a409"></a> <span class="src-var">$postTag </span>= <a href="http://www.php.net/substr">substr</a><span class="src-sym">(</span><span class="src-var">$postTag</span><span class="src-sym">, </span><span class="src-sym">(</span><span class="src-var">$tagLength </span>+ <span class="src-num">2</span><span class="src-sym">))</span><span class="src-sym">;</span></li>
<li><a name="a410"></a> <span class="src-var">$tagOpen_start </span>= <a href="http://www.php.net/strpos">strpos</a><span class="src-sym">(</span><span class="src-var">$postTag</span><span class="src-sym">, </span><span class="src-str">'<'</span><span class="src-sym">)</span><span class="src-sym">; </span></li>
<li><a name="a411"></a> <span class="src-sym">}</span></li>
<li><a name="a412"></a> <span class="src-comm">// append any code after end of tags</span></li>
<li><a name="a413"></a> <span class="src-var">$preTag </span>.= <span class="src-var">$postTag</span><span class="src-sym">;</span></li>
<li><a name="a414"></a> <span class="src-key">return </span><span class="src-var">$preTag</span><span class="src-sym">;</span></li>
<li><a name="a415"></a> <span class="src-sym">}</span></li>
<li><a name="a416"></a> </li>
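/**
 * Internal method to strip a tag of certain attributes
 *
 * Remove potentially dangerous attributes from a set of
 * "attr=value" strings. An attribute is dropped when:
 * <ul>
 * <li>Its name is empty or contains any non-alphabetic
 * character (upper and lower case letters are both accepted;
 * every name comparison below is made on the lower-cased name,
 * so "ONCLICK" and "onclick" are treated alike)</li>
 * <li>{@link $xssAuto} is true and its name is in
 * {@link $attrBlacklist} or begins with "on"</li>
 * <li>Its value contains any of the strings 'javascript:',
 * 'behaviour:', 'vbscript:', 'mocha:', 'livescript:' (compared
 * after "&#" sequences, whitespace, double quotes and backslashes
 * have been stripped from the value)</li>
 * <li>Its name is 'style' and its value contains 'expression'</li>
 * <li>It is rejected by the user-provided list in
 * {@link $attrArray}: when {@link $attrMethod} is true the list is
 * a blacklist, when false it is a whitelist.</li>
 * </ul>
 * Surviving attributes are re-emitted as name="value"; a
 * valueless attribute becomes name="name" (XHTML form). Only the
 * first '=' separates name from value, so a value containing '='
 * (for example a URL query string) is kept whole.
 * @param string[] $attrSet Array of strings "attr=value" parsed
 * from a tag.
 * @return string[] Input with potentially dangerous attributes
 * removed
 * @uses $attrArray
 * @uses $attrBlacklist
 * @uses $attrMethod
 * @uses $xssAuto
 */
protected function filterAttr($attrSet) {
    $newSet = array();
    // value substrings that make an attribute a script vector whatever its name
    $badSchemes = array('javascript:', 'behaviour:', 'vbscript:', 'mocha:', 'livescript:');
    // process attributes
    foreach ((array) $attrSet as $attr) {
        // skip blank spaces in tag
        if (!$attr) continue;
        // split into attr name and value on the FIRST '=' only
        $attrSubSet = explode('=', trim($attr), 2);
        // anything after a space in the name part is discarded
        list($attrName) = explode(' ', $attrSubSet[0]);
        // a missing value is treated as an empty one (valueless attribute)
        $attrValue = isset($attrSubSet[1]) ? $attrSubSet[1] : '';
        $lowerName = strtolower($attrName);
        // removes all "non-regular" attr names: letters only, nothing else.
        // preg_match replaces eregi (removed in PHP 7); \z rather than $ so a
        // trailing newline in the name cannot slip through
        if ($attrName === '' || !preg_match('/^[a-z]*\z/i', $attrName)) continue;
        // blacklisted names and event handlers ("on...") when auto XSS
        // filtering is on; the prefix test uses the lower-cased name so that
        // a mixed-case handler name does not bypass it
        if (self::$xssAuto
            && (in_array($lowerName, self::$attrBlacklist) || substr($lowerName, 0, 2) == 'on')) {
            continue;
        }
        // xss attr value filtering
        if ($attrValue) {
            // strips unicode, hex, etc
            $attrValue = str_replace('&#', '', $attrValue);
            // strip all whitespace (newlines included) within attr value
            $attrValue = preg_replace('/\s+/', '', $attrValue);
            // strip double quotes
            $attrValue = str_replace('"', '', $attrValue);
            // convert single quotes from either side to doubles (single quotes
            // shouldn't be used to pad attr value)
            $len = strlen($attrValue);
            if ($len >= 2 && $attrValue[0] == "'" && $attrValue[$len - 1] == "'") {
                $attrValue = substr($attrValue, 1, $len - 2);
            }
            // strip slashes
            $attrValue = stripslashes($attrValue);
        }
        $lowerValue = strtolower($attrValue);
        // auto strip style="...expression..." (CSS expression())
        if ($lowerName == 'style' && strpos($lowerValue, 'expression') !== false) continue;
        // auto strip attr's with "javascript:" and the other script schemes
        foreach ($badSchemes as $scheme) {
            if (strpos($lowerValue, $scheme) !== false) continue 2;
        }
        // if matches user defined array
        $attrFound = in_array($lowerName, self::$attrArray);
        // keep this attr on condition: found in a whitelist, or absent from a
        // blacklist; i.e. drop it when "found" equals the blacklist flag
        if ($attrFound === (bool) self::$attrMethod) continue;
        // attr has value
        if ($attrValue) $newSet[] = $attrName . '="' . $attrValue . '"';
        // attr has decimal zero as value
        else if ($attrValue == "0") $newSet[] = $attrName . '="0"';
        // reformat single attributes to XHTML
        else $newSet[] = $attrName . '="' . $attrName . '"';
    }
    return $newSet;
}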
<li><a name="a495"></a> </li>
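/**
 * Convert HTML entities to characters
 *
 * Convert input string containing HTML entities to the
 * corresponding character (&amp; => &). ISO 8859-1 character
 * set is assumed: numeric entities are reduced to a single byte
 * with chr(), so no multi-byte sequences are produced.
 *
 * The numeric-entity passes use preg_replace_callback() rather than
 * preg_replace() with the /e modifier: /e evaluated the replacement
 * string as PHP code and was removed in PHP 7. The closures used as
 * callbacks require PHP 5.3 or later.
 * @param string $source Character string containing HTML entities
 * @return string Input string, with entities converted to characters
 * @uses chr()
 * @uses html_entity_decode()
 * @uses preg_replace_callback()
 */
protected function decode($source) {
    // named entities (and whatever numeric entities this PHP build handles)
    $source = html_entity_decode($source, ENT_QUOTES, "ISO-8859-1");
    // convert any remaining decimal &#DDD; to character DDD
    $source = preg_replace_callback('/&#(\d+);/',
        function ($m) { return chr((int) $m[1]); }, $source);
    // convert any remaining hex &#xXXX; to character XXX
    $source = preg_replace_callback('/&#x([a-f0-9]+);/i',
        function ($m) { return chr(hexdec($m[1])); }, $source);
    return $source;
}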
<li><a name="a517"></a> </li>
<li><a name="a518"></a> <span class="src-doc">/** </span></li>
<li><a name="a519"></a><span class="src-doc"> * Remove HTML entities and magic quotes, insert SQL special</span></li>
<li><a name="a520"></a><span class="src-doc"> * character escapes</span></li>
<li><a name="a521"></a><span class="src-doc"> *</span></li>
<li><a name="a522"></a><span class="src-doc"> * If the input is a string or an array of strings, then each</span></li>
<li><a name="a523"></a><span class="src-doc"> * string is edited to convert any HTML entities to the</span></li>
<li><a name="a524"></a><span class="src-doc"> * corresponding character and remove slashes inserted by</span></li>
<li><a name="a525"></a><span class="src-doc"> * </span><span class="src-doc-inlinetag">{@link http://www.php.net/manual/en/security.magicquotes.php magic quotes}</span><span class="src-doc">,</span></li>
<li><a name="a526"></a><span class="src-doc"> * then the result has SQL special characters</span></li>
<li><a name="a527"></a><span class="src-doc"> * escaped.</span></li>
<li><a name="a528"></a><span class="src-doc"> * </span><span class="src-doc-coretag">@param </span><span class="src-doc-type">mixed </span><span class="src-doc-var">$source </span><span class="src-doc">Input to be 'cleaned'</span></li>
<li><a name="a529"></a><span class="src-doc"> * </span><span class="src-doc-coretag">@param </span><span class="src-doc-type">resource </span><span class="src-doc-var">$connection </span><span class="src-doc"> An open MySQL connection</span></li>
<li><a name="a530"></a><span class="src-doc"> * </span><span class="src-doc-coretag">@return </span><span class="src-doc-type">mixed </span><span class="src-doc">$source with HTML entities and GPC magic quotes</span></li>
<li><a name="a531"></a><span class="src-doc"> * removed from, and SQL special character escapes</span></li>
<li><a name="a532"></a><span class="src-doc"> * inserted in, the string or array of strings.</span></li>
<li><a name="a533"></a><span class="src-doc"> * </span><span class="src-doc-coretag">@uses</span><span class="src-doc"> decode()</span></li>
<li><a name="a534"></a><span class="src-doc"> * </span><span class="src-doc-coretag">@uses</span><span class="src-doc"> quoteSmart()</span></li>
<li><a name="a535"></a><span class="src-doc"> */</span></li>
<li><a name="a536"></a> <span class="src-key">public </span><span class="src-key">function </span><a href="../PHPonTrax/InputFilter.html#methodsafeSQL">safeSQL</a><span class="src-sym">(</span><span class="src-var">$source</span><span class="src-sym">, </span><span class="src-sym">&</span><span class="src-var">$connection</span><span class="src-sym">) </span><span class="src-sym">{</span></li>
<!-- Review note: $connection is received by reference but is only forwarded to quoteSmart(); nothing in this method assigns to it. The value is escaped here, at input time, so the result is only safe when it is later interpolated as a quoted SQL string literal on the connection the escaping was computed for; bound parameters (prepared statements) avoid that coupling altogether. -->
<li><a name="a537"></a> <span class="src-comm">// clean all elements in this array</span></li>
<li><a name="a538"></a> <span class="src-key">if </span><span class="src-sym">(</span><a href="http://www.php.net/is_array">is_array</a><span class="src-sym">(</span><span class="src-var">$source</span><span class="src-sym">)) </span><span class="src-sym">{</span></li>
<li><a name="a539"></a> <span class="src-key">foreach</span><span class="src-sym">(</span><span class="src-var">$source </span><span class="src-key">as </span><span class="src-var">$key </span>=> <span class="src-var">$value</span><span class="src-sym">)</span></li>
<li><a name="a540"></a> <span class="src-comm">// filter element for SQL injection</span></li>
<!-- Review note: the foreach above has no braces, so its body is exactly the one-line if below; the return that follows runs once, after the loop. Only string elements are filtered: integers, nulls and nested arrays are copied back unchanged, so callers must not treat a nested structure as cleaned. -->
<li><a name="a541"></a> <span class="src-key">if </span><span class="src-sym">(</span><a href="http://www.php.net/is_string">is_string</a><span class="src-sym">(</span><span class="src-var">$value</span><span class="src-sym">)) </span><span class="src-var">$source</span><span class="src-sym">[</span><span class="src-var">$key</span><span class="src-sym">] </span>= <span class="src-id">self</span><span class="src-sym">::</span><span class="src-id">quoteSmart</span><span class="src-sym">(</span><span class="src-id">self</span><span class="src-sym">::</span><span class="src-id">decode</span><span class="src-sym">(</span><span class="src-var">$value</span><span class="src-sym">)</span><span class="src-sym">, </span><span class="src-var">$connection</span><span class="src-sym">)</span><span class="src-sym">;</span></li>
<li><a name="a542"></a> <span class="src-key">return </span><span class="src-var">$source</span><span class="src-sym">;</span></li>
<li><a name="a543"></a> <span class="src-comm">// clean this string</span></li>
<li><a name="a544"></a> <span class="src-sym">} </span><span class="src-key">else </span><span class="src-key">if </span><span class="src-sym">(</span><a href="http://www.php.net/is_string">is_string</a><span class="src-sym">(</span><span class="src-var">$source</span><span class="src-sym">)) </span><span class="src-sym">{</span></li>
<li><a name="a545"></a> <span class="src-comm">// filter source for SQL injection</span></li>
<!-- Review note: the is_string($source) test on the next line repeats the else-if condition and is always true at this point. -->
<li><a name="a546"></a> <span class="src-key">if </span><span class="src-sym">(</span><a href="http://www.php.net/is_string">is_string</a><span class="src-sym">(</span><span class="src-var">$source</span><span class="src-sym">)) </span><span class="src-key">return </span><span class="src-id">self</span><span class="src-sym">::</span><span class="src-id">quoteSmart</span><span class="src-sym">(</span><span class="src-id">self</span><span class="src-sym">::</span><span class="src-id">decode</span><span class="src-sym">(</span><span class="src-var">$source</span><span class="src-sym">)</span><span class="src-sym">, </span><span class="src-var">$connection</span><span class="src-sym">)</span><span class="src-sym">;</span></li>
<li><a name="a547"></a> <span class="src-comm">// return parameter as given</span></li>
<!-- Review note: values of any other type (int, float, bool, null, object) are returned exactly as given, with no decoding or escaping. -->
<li><a name="a548"></a> <span class="src-sym">} </span><span class="src-key">else </span><span class="src-key">return </span><span class="src-var">$source</span><span class="src-sym">; </span></li>
<li><a name="a549"></a> <span class="src-sym">}</span></li>
<li><a name="a550"></a> </li>
<li><a name="a551"></a> <span class="src-doc">/** </span></li>
<li><a name="a552"></a><span class="src-doc"> * Remove GPC magic quotes from input string &amp; escape SQL special</span></li>
<li><a name="a553"></a><span class="src-doc"> * characters</span></li>
<li><a name="a554"></a><span class="src-doc"> *</span></li>
<li><a name="a555"></a><span class="src-doc"> * The input is a string that came from a GET or POST HTTP</span></li>
<li><a name="a556"></a><span class="src-doc"> * operation, or a cookie. If GPC magic quotes are currently in</span></li>
<li><a name="a557"></a><span class="src-doc"> * effect, the resulting slashes are stripped. Then any SQL</span></li>
<li><a name="a558"></a><span class="src-doc"> * special characters in the string are escaped, taking into</span></li>
<li><a name="a559"></a><span class="src-doc"> * account the character set in use on $connection.</span></li>
<li><a name="a560"></a><span class="src-doc"> * </span><span class="src-doc-coretag">@author</span><span class="src-doc"> Chris Tobin, Daniel Morris</span></li>
<li><a name="a561"></a><span class="src-doc"> * </span><span class="src-doc-coretag">@param </span><span class="src-doc-type">string </span><span class="src-doc-var">$source </span><span class="src-doc">Input string to be converted</span></li>
<li><a name="a562"></a><span class="src-doc"> * </span><span class="src-doc-coretag">@param </span><span class="src-doc-type">resource </span><span class="src-doc-var">$connection </span><span class="src-doc">An open MySQL connection</span></li>
<li><a name="a563"></a><span class="src-doc"> * </span><span class="src-doc-coretag">@return </span><span class="src-doc-type">string </span><span class="src-doc">Input string with any GPC magic quotes stripped</span></li>
<li><a name="a564"></a><span class="src-doc"> * and SQL special characters escaped</span></li>
<li><a name="a565"></a><span class="src-doc"> * </span><span class="src-doc-coretag">@uses</span><span class="src-doc"> escapeString()</span></li>
<li><a name="a566"></a><span class="src-doc"> * </span><span class="src-doc-coretag">@uses</span><span class="src-doc"> get_magic_quotes_gpc()</span></li>
<li><a name="a567"></a><span class="src-doc"> * </span><span class="src-doc-coretag">@uses</span><span class="src-doc"> stripslashes()</span></li>
<li><a name="a568"></a><span class="src-doc"> */</span></li>
<li><a name="a569"></a> <span class="src-key">protected </span><span class="src-key">function </span><a href="../PHPonTrax/InputFilter.html#methodquoteSmart">quoteSmart</a><span class="src-sym">(</span><span class="src-var">$source</span><span class="src-sym">, </span><span class="src-sym">&</span><span class="src-var">$connection</span><span class="src-sym">) </span><span class="src-sym">{</span></li>
<!-- Review note: get_magic_quotes_gpc() reports a php.ini setting, not the origin of $source. When magic quotes are on, stripslashes() runs on any string passed here, so a value that did not come from GET/POST/cookie (the origin the docblock assumes) loses its literal backslashes. get_magic_quotes_gpc() was deprecated in PHP 7.4 and removed in PHP 8.0. -->
<li><a name="a570"></a> <span class="src-comm">// strip slashes</span></li>
<li><a name="a571"></a> <span class="src-key">if </span><span class="src-sym">(</span><a href="http://www.php.net/get_magic_quotes_gpc">get_magic_quotes_gpc</a><span class="src-sym">(</span><span class="src-sym">)) </span><span class="src-var">$source </span>= <a href="http://www.php.net/stripslashes">stripslashes</a><span class="src-sym">(</span><span class="src-var">$source</span><span class="src-sym">)</span><span class="src-sym">;</span></li>
<!-- Review note: the "quote both numeric and text" comment below is inaccurate. escapeString() only backslash-escapes special characters; it does not add surrounding quotes, so the caller must still place the returned value inside SQL string quotes. $connection is by reference but is only forwarded, never assigned. -->
<li><a name="a572"></a> <span class="src-comm">// quote both numeric and text</span></li>
<li><a name="a573"></a> <span class="src-var">$source </span>= <span class="src-id">self</span><span class="src-sym">::</span><span class="src-id">escapeString</span><span class="src-sym">(</span><span class="src-var">$source</span><span class="src-sym">, </span><span class="src-var">$connection</span><span class="src-sym">)</span><span class="src-sym">;</span></li>
<li><a name="a574"></a> <span class="src-key">return </span><span class="src-var">$source</span><span class="src-sym">;</span></li>
<li><a name="a575"></a> <span class="src-sym">}</span></li>
<li><a name="a576"></a> </li>
<li><a name="a577"></a> <span class="src-doc">/** </span></li>
<li><a name="a578"></a><span class="src-doc"> * Escape SQL special characters in string</span></li>
<li><a name="a579"></a><span class="src-doc"> *</span></li>
<li><a name="a580"></a><span class="src-doc"> * Escape SQL special characters in the input string, taking into</span></li>
<li><a name="a581"></a><span class="src-doc"> * account the character set of the connection.</span></li>
<li><a name="a582"></a><span class="src-doc"> *</span></li>
<li><a name="a583"></a><span class="src-doc"> * <b>FIXME:</b> since we require PHP 5 can't we remove the use</span></li>
<li><a name="a584"></a><span class="src-doc"> * of mysql_escape_string()?</span></li>
<li><a name="a585"></a><span class="src-doc"> *</span></li>
<li><a name="a586"></a><span class="src-doc"> * <b>FIXME:</b> Shouldn't we pass the connection to</span></li>
<li><a name="a587"></a><span class="src-doc"> * mysql_real_escape_string()?</span></li>
<li><a name="a588"></a><span class="src-doc"> *</span></li>
<li><a name="a589"></a><span class="src-doc"> * <b>FIXME:</b> Is this really RDBMS independent?</span></li>
<li><a name="a590"></a><span class="src-doc"> * </span><span class="src-doc-coretag">@todo</span><span class="src-doc"> Check FIXMEs</span></li>
<li><a name="a591"></a><span class="src-doc"> * </span><span class="src-doc-coretag">@author</span><span class="src-doc"> Chris Tobin, Daniel Morris</span></li>
<li><a name="a592"></a><span class="src-doc"> * </span><span class="src-doc-coretag">@param </span><span class="src-doc-type">string </span><span class="src-doc-var">$string </span><span class="src-doc"> String to be protected</span></li>
<li><a name="a593"></a><span class="src-doc"> * </span><span class="src-doc-coretag">@param </span><span class="src-doc-type">resource </span><span class="src-doc-var">$connection </span><span class="src-doc">- An open MySQL connection</span></li>
<li><a name="a594"></a><span class="src-doc"> * </span><span class="src-doc-coretag">@return </span><span class="src-doc-type">string </span><span class="src-doc">Value of $string with characters special in</span></li>
<li><a name="a595"></a><span class="src-doc"> * SQL escaped by '\'s</span></li>
<li><a name="a596"></a><span class="src-doc"> * </span><span class="src-doc-coretag">@uses</span><span class="src-doc"> mysql_escape_string()</span></li>
<li><a name="a597"></a><span class="src-doc"> * </span><span class="src-doc-coretag">@uses</span><span class="src-doc"> mysql_real_escape_string()</span></li>
<li><a name="a598"></a><span class="src-doc"> * </span><span class="src-doc-coretag">@uses</span><span class="src-doc"> phpversion()</span></li>
<li><a name="a599"></a><span class="src-doc"> * </span><span class="src-doc-coretag">@uses</span><span class="src-doc"> version_compare()</span></li>
<li><a name="a600"></a><span class="src-doc"> */ </span></li>
<li><a name="a601"></a> <span class="src-key">protected </span><span class="src-key">function </span><a href="../PHPonTrax/InputFilter.html#methodescapeString">escapeString</a><span class="src-sym">(</span><span class="src-var">$string</span><span class="src-sym">, </span><span class="src-sym">&</span><span class="src-var">$connection</span><span class="src-sym">) </span><span class="src-sym">{</span></li>
<!-- Review note: "depreciated" on the next line means deprecated. The phpversion() < 4.3.0 branch is dead code for the PHP 5 target stated in the file header, and mysql_escape_string() does not take the connection character set into account at all. -->
<li><a name="a602"></a> <span class="src-comm">// depreciated function</span></li>
<li><a name="a603"></a> <span class="src-key">if </span><span class="src-sym">(</span><a href="http://www.php.net/version_compare">version_compare</a><span class="src-sym">(</span><a href="http://www.php.net/phpversion">phpversion</a><span class="src-sym">(</span><span class="src-sym">)</span><span class="src-sym">,</span><span class="src-str">"4.3.0"</span><span class="src-sym">, </span><span class="src-str">"<"</span><span class="src-sym">))</span></li>
<li><a name="a604"></a> <span class="src-key">return </span><a href="http://www.php.net/mysql_escape_string">mysql_escape_string</a><span class="src-sym">(</span><span class="src-var">$string</span><span class="src-sym">)</span><span class="src-sym">;</span></li>
<li><a name="a605"></a> <span class="src-comm">// current function</span></li>
<li><a name="a606"></a> <span class="src-key">else</span></li>
<!-- Review note: mysql_real_escape_string() is called without $connection, so PHP escapes using the most recently opened mysql link, whose character set may not be the one $connection uses; the second FIXME in the docblock already points at this. Passing the parameter, mysql_real_escape_string($string, $connection), makes the escaping match that connection's charset. $connection is declared by reference here but is never read or assigned. ext/mysql itself was removed in PHP 7; mysqli_real_escape_string($connection, $string) or, preferably, prepared statements with bound parameters are the replacements. -->
<li><a name="a607"></a> <span class="src-key">return </span><a href="http://www.php.net/mysql_real_escape_string">mysql_real_escape_string</a><span class="src-sym">(</span><span class="src-var">$string</span><span class="src-sym">)</span><span class="src-sym">;</span></li>
<li><a name="a608"></a> <span class="src-sym">}</span></li>
<li><a name="a609"></a><span class="src-sym">}</span></li>
<li><a name="a610"></a> </li>
<li><a name="a611"></a><span class="src-comm">// -- set Emacs parameters --</span></li>
<li><a name="a612"></a><span class="src-comm">// Local variables:</span></li>
<li><a name="a613"></a><span class="src-comm">// tab-width: 4</span></li>
<li><a name="a614"></a><span class="src-comm">// c-basic-offset: 4</span></li>
<li><a name="a615"></a><span class="src-comm">// c-hanging-comment-ender-p: nil</span></li>
<li><a name="a616"></a><span class="src-comm">// indent-tabs-mode: nil</span></li>
<li><a name="a617"></a><span class="src-comm">// End:</span></li>
<li><a name="a618"></a><span class="src-php">?></span></li>
</ol></pre></div>
</div>
<div class="credit">
<hr />
Documentation generated on Thu, 04 May 2006 19:47:49 -0600 by <a href="http://www.phpdoc.org">phpDocumentor 1.3.0RC4</a>
</div>
</td></tr></table>
</td>
</tr>
</table>
</body>
</html>