safe.php
if ($name == 'style') {
// removes insignificant backslahes
$value = str_replace("\\", '', $value);
// removes CSS comments
while (1)
{
$_value = preg_replace("!/\*.*?\*/!s", '', $value);
if ($_value == $value) break;
$value = $_value;
}
// replace all & to &
$value = str_replace('&', '&', $value);
$value = str_replace('&', '&', $value);
foreach ($this->_cssRegexps as $css) {
if (preg_match($css, $value)) {
continue 2;
}
}
foreach ($this->_protoRegexps as $proto) {
if (preg_match($proto, $value)) {
continue 2;
}
}
}
$tempval = preg_replace('/&#(\d+);?/me', "chr('\\1')", $value); //"'
$tempval = preg_replace('/&#x([0-9a-f]+);?/mei', "chr(hexdec('\\1'))", $tempval);
if ((in_array($name, $this->protocolAttributes)) &&
(strpos($tempval, ':') !== false))
{
if ($this->protocolFiltering == 'black') {
foreach ($this->_protoRegexps as $proto) {
if (preg_match($proto, $tempval)) continue 2;
}
} else {
$_tempval = explode(':', $tempval);
$proto = $_tempval[0];
if (!in_array($proto, $this->whiteProtocols)) {
continue;
}
}
}
$value = str_replace("\"", """, $value);
$this->_xhtml .= ' ' . $name . '="' . $value . '"';
}
}
return true;
}
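/**
 * Opening tag handler - called from HTMLSax
 *
 * Decides what happens to an opening tag: it is swallowed (inside a
 * deleted-content region or listed in deleteTags), re-emitted as escaped
 * text (a "tag name" that is really an e-mail address or URL), written as a
 * void element, or written with filtered attributes and pushed on the tag
 * stack for later closing.
 *
 * @param object $parser HTML Parser
 * @param string $name tag name
 * @param array $attrs tag attributes
 * @return boolean always true (HTMLSax callback convention)
 * @access private
 */
function _openHandler(&$parser, $name, $attrs)
{
    $name = strtolower($name);

    // Tags whose whole content must be dropped start a "deleted content"
    // region; nesting is tracked so that the matching close tag ends it.
    if (in_array($name, $this->deleteTagsContent, true)) {
        array_push($this->_dcStack, $name);
        $this->_dcCounter[$name] = isset($this->_dcCounter[$name]) ? $this->_dcCounter[$name] + 1 : 1;
    }
    // Inside a deleted-content region nothing is written at all.
    if (count($this->_dcStack) != 0) {
        return true;
    }
    // Tags that are deleted but keep their content are simply not written.
    if (in_array($name, $this->deleteTags, true)) {
        return true;
    }
    // Anything that is not a plain alphanumeric name is not a tag. HTMLSax
    // reports things like <user@host> or <http://host/> as tags; those are
    // re-emitted as *escaped text* so they stay visible but can never become
    // markup. Writing them back between literal '<' and '>' would let an
    // unvalidated "tag name" through the sanitizer unchanged, so the name is
    // entity-escaped and wrapped in &lt; ... &gt;. Everything else is dropped.
    // (htmlspecialchars returns '' for invalid UTF-8 on PHP >= 5.4, which is
    // the safe direction for a sanitizer.)
    if (!preg_match("/^[a-z0-9]+$/i", $name)) {
        if (preg_match("!(?:\@|://)!i", $name)) {
            $this->_xhtml .= '&lt;' . htmlspecialchars($name, ENT_QUOTES) . '&gt;';
        }
        return true;
    }
    // Void elements are written at once and never pushed on the stack.
    if (in_array($name, $this->singleTags, true)) {
        $this->_xhtml .= '<' . $name;
        $this->_writeAttrs($attrs);
        $this->_xhtml .= ' />';
        return true;
    }
    // TABLES: cannot open table elements when we are not inside a table.
    // NOTE(review): if no <table> was ever opened, _counter['table'] is unset
    // and this check is skipped, so table-only tags pass through - confirm
    // whether that is intended.
    if (isset($this->_counter['table']) && $this->_counter['table'] <= 0
        && in_array($name, $this->tableTags, true)
    ) {
        return true;
    }
    // PARAGRAPHS: an open <p> is closed when a closeParagraph tag opens.
    if (in_array($name, $this->closeParagraph, true) && in_array('p', $this->_stack, true)) {
        $this->_closeHandler($parser, 'p');
    }
    // LISTS: a new <li> on the same list level closes the previous <li>.
    if ($name == 'li' && count($this->_liStack)
        && $this->_listScope == $this->_liStack[count($this->_liStack) - 1]
    ) {
        $this->_closeHandler($parser, 'li');
    }
    // LISTS: track the list nesting level we are on.
    if (in_array($name, $this->listTags, true)) {
        $this->_listScope++;
    }
    if ($name == 'li') {
        array_push($this->_liStack, $this->_listScope);
    }
    $this->_xhtml .= '<' . $name;
    $this->_writeAttrs($attrs);
    $this->_xhtml .= '>';
    array_push($this->_stack, $name);
    $this->_counter[$name] = isset($this->_counter[$name]) ? $this->_counter[$name] + 1 : 1;
    return true;
}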
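/**
 * Closing tag handler - called from HTMLSax
 *
 * Ends a deleted-content region when its opening tag is closed, and
 * otherwise closes the named tag, implicitly closing every tag that is
 * still open above it on the tag stack.
 *
 * @param object $parser HTML parser
 * @param string $name tag name
 * @return boolean always true (HTMLSax callback convention)
 * @access private
 */
function _closeHandler(&$parser, $name)
{
    $name = strtolower($name);

    // Leaving a deleted-content region: pop until the matching open tag,
    // decrementing the counter of every tag unwound on the way.
    if (isset($this->_dcCounter[$name]) && $this->_dcCounter[$name] > 0
        && in_array($name, $this->deleteTagsContent, true)
    ) {
        // Bounded by the stack size: the original `while ($name != array_pop())`
        // form never terminates if the name is not on the stack, because
        // array_pop() on an empty array returns null and 'x' != null holds.
        while (count($this->_dcStack) > 0) {
            $tag = array_pop($this->_dcStack);
            if ($tag === $name) {
                break;
            }
            $this->_dcCounter[$tag]--;
        }
        $this->_dcCounter[$name]--;
    }
    // Still inside a deleted-content region: nothing is written.
    if (count($this->_dcStack) != 0) {
        return true;
    }
    // Close the tag; tags still open above it are closed first (same
    // empty-stack guard as above).
    if (isset($this->_counter[$name]) && $this->_counter[$name] > 0) {
        while (count($this->_stack) > 0) {
            $tag = array_pop($this->_stack);
            if ($tag === $name) {
                break;
            }
            $this->_closeTag($tag);
        }
        $this->_closeTag($name);
    }
    return true;
}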
/**
 * Closes tag
 *
 * Writes the end tag (unless the tag is in noClose), decrements the open
 * counter for the tag and updates the list bookkeeping.
 *
 * @param string $tag tag name
 * @return boolean always true
 * @access private
 */
function _closeTag($tag)
{
    $needsEndTag = !in_array($tag, $this->noClose);
    if ($needsEndTag) {
        $this->_xhtml .= "</{$tag}>";
    }
    $this->_counter[$tag]--;
    // Leaving a list element lowers the list nesting level.
    if (in_array($tag, $this->listTags)) {
        $this->_listScope--;
    }
    // Leaving an <li> drops its recorded list level.
    if ($tag == 'li') {
        array_pop($this->_liStack);
    }
    return true;
}
/**
 * Character data handler - called from HTMLSax
 *
 * Appends text as-is unless a deleted-content region is open. No escaping
 * happens here: stray '<' characters are neutralised by parse() before
 * the SAX parser runs.
 *
 * @param object $parser HTML parser
 * @param string $data textual data
 * @return boolean always true
 * @access private
 */
function _dataHandler(&$parser, $data)
{
    $suppressed = count($this->_dcStack) > 0;
    if (!$suppressed) {
        $this->_xhtml .= $data;
    }
    return true;
}
/**
 * Escape handler - called from HTMLSax
 *
 * Deliberately writes nothing: whatever HTMLSax reports through this
 * callback (comments and similar escape data) is discarded from the output.
 *
 * @param object $parser HTML parser
 * @param string $data comments or other type of data
 * @return boolean always true
 * @access private
 */
function _escapeHandler(&$parser, $data)
{
    // Intentionally a no-op; the data is dropped.
    return true;
}
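/**
 * Returns the XHTML document
 *
 * Closes every tag still open on the tag stack, then returns the output
 * accumulated so far.
 *
 * @return string Processed (X)HTML document
 * @access public
 */
function getXHTML ()
{
    // Count-based loop rather than `while ($tag = array_pop(...))`: a tag
    // named "0" passes the ^[a-z0-9]+$ name check but is a falsy string,
    // so a truthiness loop would stop at it and leave the tags beneath it
    // unclosed.
    while (count($this->_stack) > 0) {
        $this->_closeTag(array_pop($this->_stack));
    }
    return $this->_xhtml;
}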
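/**
 * Clears current document data
 *
 * Resets the output buffer and all parser bookkeeping so the object can be
 * reused for another document.
 *
 * @return boolean always true
 * @access public
 */
function clear()
{
    $this->_xhtml = '';
    // Also drop state left behind by a previous parse(): getXHTML() drains
    // _stack, but a stray entry in _dcStack (e.g. an unclosed tag from
    // deleteTagsContent) is never removed and would silence every handler
    // for the next document. The values mirror the empty state the handlers
    // start from (_listScope assumed to start at 0 - TODO confirm against
    // the constructor, which is outside this listing).
    $this->_stack = array();
    $this->_counter = array();
    $this->_dcStack = array();
    $this->_dcCounter = array();
    $this->_liStack = array();
    $this->_listScope = 0;
    return true;
}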
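/**
 * Main parsing fuction
 *
 * Pre-processes the document (neutralises '<' that cannot start a tag,
 * strips NUL bytes, defuses the overlong UTF-8 '<' and repacks UTF-7),
 * runs it through XML_HTMLSax3 with this object's handlers and returns
 * the filtered result.
 *
 * @param string $doc HTML document for processing
 * @return string Processed (X)HTML document
 * @access public
 */
function parse($doc)
{
    // Save all '<' symbols that cannot start a tag (not followed by a
    // letter, '/', '!', '?' or '%') as the entity so the SAX parser never
    // treats them as markup. The rendered listing showed a bare '<' as the
    // replacement (elsewhere in this file '&' and '"' appear where entities
    // belong, i.e. the page decoded them); replacing '<' with '<' is a no-op
    // and defeats the purpose stated in this comment.
    $doc = preg_replace("/<(?=[^a-zA-Z\/\!\?\%])/", '&lt;', $doc);
    // Web documents shouldn't contain the \x00 symbol
    $doc = str_replace("\x00", '', $doc);
    // Opera6 bug workaround: \xC0\xBC is the overlong UTF-8 encoding of '<',
    // which Opera 6 rendered as a real '<'. It is turned into the entity so
    // it can only ever be text.
    $doc = str_replace("\xC0\xBC", '&lt;', $doc);
    // UTF-7 encoding ASCII decode
    $doc = $this->repackUTF7($doc);
    // Instantiate the parser ('=& new' is a parse error on PHP 7+ and was
    // never needed for objects on PHP 5).
    $parser = new XML_HTMLSax3();
    // Set up the parser
    $parser->set_object($this);
    $parser->set_element_handler('_openHandler', '_closeHandler');
    $parser->set_data_handler('_dataHandler');
    $parser->set_escape_handler('_escapeHandler');
    $parser->parse($doc);
    return $this->getXHTML();
}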
/**
 * UTF-7 decoding fuction
 *
 * Finds every '+<base64>-' run and hands it to repackUTF7Callback(), which
 * turns the ASCII part back into plain ASCII so it cannot hide markup.
 *
 * @param string $str HTML document for recode ASCII part of UTF-7 back to ASCII
 * @return string Decoded document
 * @access private
 */
function repackUTF7($str)
{
    // NOTE(review): the character class omits '+', which RFC 2152 modified
    // base64 also allows, so a run such as '+ab+cd-' is only matched from
    // the inner '+'; confirm this is intended before widening the class.
    $callback = array($this, 'repackUTF7Callback');
    return preg_replace_callback('!\+([0-9a-zA-Z/]+)\-!', $callback, $str);
}
/**
 * Additional UTF-7 decoding fuction
 *
 * Decodes one '+<base64>-' run into UTF-16BE, re-encodes the first run of
 * non-ASCII code units via repackUTF7Back() and strips the NUL high byte
 * from the ASCII code units, leaving them as plain ASCII.
 *
 * @param array $str preg match: [1] is the base64 payload of the run
 * @return string Recoded string
 * @access private
 */
function repackUTF7Callback($str)
{
    // Non-strict decode: characters outside the base64 alphabet are ignored.
    $units = base64_decode($str[1]);
    // Group 1: leading code units with a NUL high byte (ASCII); group 2: the
    // first run of units with a non-NUL high byte. Note '.' does not match
    // "\n" here (no 's' modifier), so a unit whose low byte is \n stops a run.
    $repacked = preg_replace_callback(
        '/^((?:\x00.)*)((?:[^\x00].)+)/',
        array($this, 'repackUTF7Back'),
        $units
    );
    // Drop the NUL high byte of every remaining ASCII code unit.
    return preg_replace('/\x00(.)/', '$1', $repacked);
}
/**
 * Additional UTF-7 encoding fuction
 *
 * Rebuilds a UTF-7 run: the ASCII prefix (match group 1) is kept as-is and
 * the non-ASCII code units (match group 2) are base64-encoded, with
 * padding removed, between '+' and '-'.
 *
 * @param array $str preg match: [1] ASCII prefix, [2] non-ASCII code units
 * @return string Recoded string
 * @access private
 */
function repackUTF7Back($str)
{
    $asciiPrefix = $str[1];
    $encoded = rtrim(base64_encode($str[2]), '=');
    return $asciiPrefix . '+' . $encoded . '-';
}
}
/*
* Local variables:
* tab-width: 4
* c-basic-offset: 4
* c-hanging-comment-ender-p: nil
* End:
*/
?>