return true;
}
elseif(is_string($protocol_data))
{
$this->allowed_protocols = array();
$this->AddProtocol($protocol_data);
return true;
}
else
{
trigger_error("kses5::SetProtocols() did not receive a string or an array.", E_USER_WARNING);
return false;
}
}
/**
 * Returns the protocol white list as currently configured.
 *
 * The result is the raw internal array (PHP arrays are copied on return,
 * so modifying it does not affect the instance). Use SetProtocols() or
 * AddProtocol() to change the white list.
 *
 * @access public
 * @return array Indexed array of allowed protocol names.
 * @since PHP5 OOP 1.0.2
 */
public function DumpProtocols()
{
    $protocols = $this->allowed_protocols;

    return $protocols;
}
/**
 * Returns the (X)HTML element/attribute white list as currently configured.
 *
 * The array is keyed by lower-cased element name; each value is the
 * attribute list stored for that element by AddHTML(). The caller gets a
 * copy, so changing it does not affect filtering.
 *
 * @access public
 * @return array The list of allowed elements and their attributes.
 * @since PHP5 OOP 1.0.2
 */
public function DumpElements()
{
    $elements = $this->allowed_html;

    return $elements;
}
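/**
 * Registers an (X)HTML element, with its permitted attributes, in the
 * element white list used when stripping 'evil scripts'.
 *
 * The tag name and every attribute name are trimmed/lower-cased before
 * being stored, so lookups during filtering are case-insensitive.
 * $attribs must be keyed by attribute name (a plain list would register
 * its numeric indices as attribute names). Each value is the check list
 * for that attribute: an array of check name => check value (nested keys
 * are lower-cased as well), or a non-array value, which stripAttributes()
 * treats as "no checks" - the attribute is then appended without any
 * value validation. Registering a tag that already exists replaces its
 * attribute list.
 *
 * @access public
 * @param string $tag     (X)HTML tag that will be allowed after stripping text.
 * @param array  $attribs Associative array of allowed attributes -
 *                        key => attribute name, value => attribute checks.
 * @return bool true when the element was stored; false (plus an
 *              E_USER_WARNING) when $tag is not a non-empty string or
 *              $attribs is not an array.
 * @since PHP4 OOP 0.0.1
 */
public function AddHTML($tag = "", $attribs = array())
{
    if (!is_string($tag)) {
        trigger_error("kses5::AddHTML() requires the tag to be a string", E_USER_WARNING);
        return false;
    }

    $tag = strtolower(trim($tag));
    if ($tag === "") {
        trigger_error("kses5::AddHTML() tried to add an empty/NULL tag", E_USER_WARNING);
        return false;
    }

    if (!is_array($attribs)) {
        trigger_error("kses5::AddHTML() requires an array (even an empty one) of attributes for '$tag'", E_USER_WARNING);
        return false;
    }

    $new_attribs = array();
    foreach ($attribs as $name => $checks) {
        # Lower-case nested check names too; a non-array value is stored unchanged
        # (the previous code tested count($attribs) here instead of the nested array).
        if (is_array($checks)) {
            $lowered = array();
            foreach ($checks as $check_name => $check_value) {
                $lowered[strtolower($check_name)] = $check_value;
            }
            $checks = $lowered;
        }
        $new_attribs[strtolower($name)] = $checks;
    }

    $this->allowed_html[$tag] = $new_attribs;

    return true;
}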
/**
 * Strips NUL characters from $string.
 *
 * Two forms are removed, in this order: runs of raw NUL bytes (chr(0)),
 * and runs of the two-character textual sequence backslash followed by
 * '0'. Nothing else (in particular not chr(173)) is touched.
 *
 * @access private
 * @param string $string Text to clean.
 * @return string The text with both forms of NUL removed.
 * @since PHP4 OOP 0.0.1
 */
private function removeNulls($string)
{
    $null_patterns = array(
        '/\0+/',        # raw NUL bytes
        '/(\\\\0)+/',   # the literal sequence "\0"
    );

    # preg_replace() applies the patterns in array order, i.e. raw NULs first.
    return preg_replace($null_patterns, '', $string);
}
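/**
 * Normalizes HTML entities
 *
 * Named entities (&name; with name matching [A-Za-z][A-Za-z0-9]{0,19})
 * are re-emitted, decimal numeric entities (&#digits;, at most five
 * digits once leading zeros are dropped) are passed through
 * normalizeEntities16bit(), and hex entities (&#x...;, two or four hex
 * digits once leading zeros are dropped) are rewritten without the
 * leading zeros. Text the patterns do not match is left as it is.
 *
 * NOTE(review): as this listing reads, the first step replaces '&' with
 * '&' and the patterns below match a bare '&', which makes the
 * disarm/re-arm steps no-ops. This looks like a rendering artefact of the
 * listing (an "&amp;" collapsed to "&"); verify the literals against the
 * repository copy before relying on this method.
 *
 * @access private
 * @param string $string
 * @return string String with normalized entities
 * @see normalizeEntities16bit()
 * @since PHP4 OOP 0.0.1
 */
private function normalizeEntities($string)
{
    # Disarm all entities by converting & to &
    $string = str_replace('&', '&', $string);

    # TODO: Change back (Keep?) the allowed entities in our entity white list
    # Keeps entities that start with [A-Za-z]
    $string = preg_replace(
        '/&([A-Za-z][A-Za-z0-9]{0,19});/',
        '&\\1;',
        $string
    );

    # Change numeric entities to valid 16 bit values.
    # preg_replace_callback() replaces the former /e (eval) modifier, which was
    # deprecated in PHP 5.5 and removed in PHP 7.0 (where it returns NULL with a
    # warning). The closure relies on $this being bound, i.e. PHP >= 5.4.
    $string = preg_replace_callback(
        '/&#0*([0-9]{1,5});/',
        function ($matches) {
            return $this->normalizeEntities16bit($matches[1]);
        },
        $string
    );

    # Change &XHHHHHHH (Hex digits) to 16 bit hex values
    $string = preg_replace(
        '/&#([Xx])0*(([0-9A-Fa-f]{2}){1,2});/',
        '&#\\1\\2;',
        $string
    );

    return $string;
}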
/**
 * Helper method used by normalizeEntities()
 *
 * Called for every decimal numeric entity (&#0*NNNNN;) that
 * normalizeEntities() finds; $i is the digit string with leading zeros
 * already dropped. The documented intent is to re-emit values that fit
 * in 16 bits (below 65536) as a numeric entity and to leave anything
 * larger disarmed so it does not reach the output as an entity.
 *
 * NOTE(review): as this listing reads, both branches of the ternary build
 * the identical text "&#$i;", so the 65535 cap has no effect and
 * over-range values are re-emitted as entities. This looks like a
 * rendering artefact of the listing (an "&amp;" collapsed to "&" in the
 * first branch); confirm against the repository copy, because the cap is
 * what keeps out-of-range numeric entities out of the filtered output.
 *
 * @access private
 * @param string $i Decimal digits of the entity, leading zeros removed.
 * @return string Normalized numeric entity
 * @see normalizeEntities()
 * @since PHP4 OOP 0.0.1
 */
private function normalizeEntities16bit($i)
{
    # Both branches currently yield the same text - see the NOTE above.
    return (($i > 65535) ? "&#$i;" : "&#$i;");
}
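/**
 * Allows for additional user defined modifications to text.
 *
 * Extension point for text going through Parse(). This base implementation
 * returns the input unchanged; subclasses override it to apply their own
 * transformations.
 *
 * Declared protected rather than private: a private method cannot be
 * overridden by a subclass (calls from this class would keep resolving to
 * this implementation), which contradicts the documented purpose of
 * letting users extend the class. Widening the visibility does not affect
 * existing callers.
 *
 * @access protected
 * @param string $string String to perform additional modifications on.
 * @return string User modified string.
 * @see Parse()
 * @since PHP5 OOP 1.0.0
 */
protected function filterKsesTextHook($string)
{
    return $string;
}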
/**
 * Backwards-compatible alias for filterKsesTextHook().
 *
 * Delegates straight to filterKsesTextHook() and hands back its result.
 * The method is private, so it is only reachable from inside this class.
 *
 * @deprecated use filterKsesTextHook()
 * @access private
 * @param string $string
 * @return string
 * @see filterKsesTextHook()
 * @since PHP4 OOP 0.0.1
 */
private function _hook($string)
{
    $hooked = $this->filterKsesTextHook($string);

    return $hooked;
}
/**
 * Returns a copy of $in_array with its keys, and the keys of any nested
 * arrays, converted to lower case.
 *
 * Behaviour to be aware of: only one level of nesting is processed; a
 * value that is not an array is replaced by an empty array (the value
 * itself is dropped); anything other than an array as $in_array yields an
 * empty array; when two keys collapse to the same lower-case form the
 * later one wins.
 *
 * @access private
 * @param array $in_array Associative array
 * @return array Modified array
 * @since PHP4 OOP 0.0.1
 */
private function makeArrayKeysLowerCase($in_array)
{
    if (!is_array($in_array)) {
        return array();
    }

    $lowered = array();
    foreach ($in_array as $key => $value) {
        # Non-array values are not preserved; they become an empty array.
        $lowered[strtolower($key)] = is_array($value)
            ? array_change_key_case($value, CASE_LOWER)
            : array();
    }

    return $lowered;
}
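/**
 * Strips out disallowed and/or mangled (X)HTML tags along with their attributes.
 *
 * Presumably called once per match of the tag-finding pattern: the input
 * is either a "<...>" fragment (the closing ">" may be missing at end of
 * input) or a lone ">". Very malformed input such as <:::> is dropped
 * entirely (look ma, no strip_tags()!), an element absent from the white
 * list is dropped, a closing tag is re-emitted without attributes, and an
 * opening tag is handed to stripAttributes() for attribute filtering.
 * White-list lookups are case-insensitive; the element name is emitted
 * with its original case.
 *
 * @access private
 * @param string $string The matched fragment.
 * @return string Modified string minus disallowed/mangled (X)HTML and attributes
 * @see stripAttributes()
 * @since PHP4 OOP 0.0.1
 */
private function stripTags($string)
{
    # Turn escaped double quotes (\") back into plain quotes before matching.
    $string = preg_replace('%\\\\"%', '"', $string);
    if ($string === null) {
        # PCRE error on untrusted input: fail closed and drop the fragment.
        return '';
    }

    if (substr($string, 0, 1) !== '<') {
        # It matched a ">" character
        return '>';
    }

    if (!preg_match('%^<\s*(/\s*)?([a-zA-Z0-9]+)([^>]*)>?$%', $string, $matches)) {
        # It's seriously malformed
        return '';
    }

    $slash = trim($matches[1]);
    $elem = $matches[2];
    $attrlist = $matches[3];
    $lc_elem = strtolower($elem);

    if (!isset($this->allowed_html[$lc_elem]) || !is_array($this->allowed_html[$lc_elem])) {
        # Found an HTML element not in the white list
        return '';
    }

    # No attributes are allowed for closing elements
    if ($slash !== '') {
        return "<$slash$elem>";
    }

    return $this->stripAttributes("$slash$elem", $attrlist);
}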
/**
* This method strips out disallowed attributes for (X)HTML tags.
*
* This method removes all attributes if none are allowed for this element.
* If some are allowed it calls combAttributes() to split them further, and then it
* builds up new HTML code from the data that combAttributes() returns. It also
* removes "<" and ">" characters, if there are any left. One more thing it
* does is to check if the tag has a closing XHTML slash, and if it does,
* it puts one in the returned code as well.
*
* @access private
* @param string $element (X)HTML tag to check
* @param string $attr Text containing attributes to check for validity.
* @return string Resulting valid (X)HTML or ''
* @see combAttributes()
* @since PHP4 OOP 0.0.1
*/
private function stripAttributes($element, $attr)
{
# Is there a closing XHTML slash at the end of the attributes?
$xhtml_slash = '';
if (preg_match('%\s/\s*$%', $attr))
{
$xhtml_slash = ' /';
}
# Are any attributes allowed at all for this element?
if (
!isset($this->allowed_html[strtolower($element)]) ||
count($this->allowed_html[strtolower($element)]) == 0
)
{
return "<$element$xhtml_slash>";
}
# Split it
$attrarr = $this->combAttributes($attr);
# Go through $attrarr, and save the allowed attributes for this element
# in $attr2
$attr2 = '';
if(is_array($attrarr) && count($attrarr) > 0)
{
foreach ($attrarr as $arreach)
{
if(!isset($this->allowed_html[strtolower($element)][strtolower($arreach['name'])]))
{
continue;
}
$current = $this->allowed_html[strtolower($element)][strtolower($arreach['name'])];
if (!is_array($current))
{
# there are no checks
$attr2 .= ' '.$arreach['whole'];
}
else
{
# there are some checks
$ok = true;
if(is_array($current) && count($current) > 0)
{
foreach ($current as $currkey => $currval)
{
if (!$this->checkAttributeValue($arreach['value'], $arreach['vless'], $currkey, $currval))
{
$ok = false;
break;
}
}
}
if ($ok)
{
# it passed them
$attr2 .= ' '.$arreach['whole'];
}
}
}
}
# Remove any "<" or ">" characters
$attr2 = preg_replace('/[<>]/', '', $attr2);
return "<$element$attr2$xhtml_slash>";