Menu
▾
▴
[Tikiwiki-cvs/svn] SF.net SVN: tikiwiki:[13961] branches/2.0/lib/setup/sanitization.php
|
From: <se...@us...> - 2008-07-30 12:54:21
|
Revision: 13961
http://tikiwiki.svn.sourceforge.net/tikiwiki/?rev=13961&view=rev
Author: sept_7
Date: 2008-07-30 12:54:29 +0000 (Wed, 30 Jul 2008)
Log Message:
-----------
[ENH] : minimize the call to preg_replace and calculate search pattern only
once where applicable.
Modified Paths:
--------------
branches/2.0/lib/setup/sanitization.php
Modified: branches/2.0/lib/setup/sanitization.php
===================================================================
--- branches/2.0/lib/setup/sanitization.php 2008-07-30 09:46:18 UTC (rev 13960)
+++ branches/2.0/lib/setup/sanitization.php 2008-07-30 12:54:29 UTC (rev 13961)
@@ -1,36 +1,51 @@
<?php
+// $Id: compatibility.php 13491 2008-07-10 09:20:32Z lphuberdeau $
+// Copyright (c) 2002-2007, Luis Argerich, Garland Foster, Eduardo Polidor,
+// et. al. All Rights Reserved.
+// See copyright.txt for details and a complete list of authors.
+// Licensed under the GNU LESSER GENERAL PUBLIC LICENSE.
+// See license.txt for details.
-// $Id: compatibility.php 13491 2008-07-10 09:20:32Z lphuberdeau $
-// Copyright (c) 2002-2007, Luis Argerich, Garland Foster, Eduardo Polidor, et. al.
-// All Rights Reserved. See copyright.txt for details and a complete list of authors.
-// Licensed under the GNU LESSER GENERAL PUBLIC LICENSE. See license.txt for
-// details.
$access->check_script($_SERVER["SCRIPT_NAME"],basename(__FILE__));
-/* RemoveXSS initially developped by kallahar - quickwired.com, modified for TikiWiki
- * Original code can be found here: http://quickwired.com/smallprojects/php_xss_filter_function.php
+/* RemoveXSS initially developped by kallahar - quickwired.com,
+ * modified for TikiWiki Original code can be found here:
+ * http://quickwired.com/smallprojects/php_xss_filter_function.php
*/
function RemoveXSS($val) {
- // remove all non-printable characters. CR(0a) and LF(0b) and TAB(9) are allowed
- // this prevents some character re-spacing such as <java\0script>
- // note that you have to handle splits with \n, \r, and \t later since they *are* allowed in some inputs
- $val = preg_replace(array('/([\x00-\x08])/','/([\x0b-\x0c])/','/([\x0e-\x19])/'), '', $val);
+ static $patterns = NULL;
+ static $replacements = NULL;
+ // remove all non-printable characters. CR(0a) and LF(0b) and TAB(9) are
+ // allowed this prevents some character re-spacing such as <java\0script>
+ // note that you have to handle splits with \n, \r, and \t later since they
+ // *are* allowed in some inputs
+ $val = preg_replace('/([\x00-\x08\x0b-\x0c\x0e-\x19])/', '', $val);
- // straight replacements, the user should never need these since they're normal characters
- // this prevents like <IMG SRC=@avascript:alert('XSS')>
- $search = 'abcdefghijklmnopqrstuvwxyz';
- $search .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
- $search .= '1234567890!@#$%^&*()';
- $search .= '~`";:?+/={}[]-_|\'\\';
- for ($i = 0; $i < strlen($search); $i++) {
- // ;? matches the ;, which is optional
- // 0{0,7} matches any padded zeros, which are optional and go up to 8 chars
-
- // @ @ search for the hex values
- $val = preg_replace('/(&#[xX]0{0,8}'.dechex(ord($search[$i])).';?)/i', $search[$i], $val); // with a ;
- // @ @ 0{0,7} matches '0' zero to seven times
- $val = preg_replace('/(�{0,8}'.ord($search[$i]).';?)/', $search[$i], $val); // with a ;
+ // straight replacements, the user should never need these since they're
+ // normal characters this prevents like
+ // <IMG SRC=@avascript:alert('XSS')>
+ // Calculate the search and replace patterns only once
+ if ($patterns == NULL or $replacements == NULL) {
+ $search = 'abcdefghijklmnopqrstuvwxyz';
+ $search .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
+ $search .= '1234567890!@#$%^&*()';
+ $search .= '~`";:?+/={}[]-_|\'\\';
+ $patterns = array();
+ $replacements = array();
+ for ($i = 0; $i < strlen($search); $i++) {
+ // ;? matches the ;, which is optional
+ // 0{0,7} matches any padded zeros,
+ // which are optional and go up to 8 chars
+ // @ @ search for the hex values
+ $patterns[] = '/(&#[xX]0{0,8}'.dechex(ord($search[$i])).';?)/i';
+ $replacements[] = $search[$i];
+ // @ @ 0{0,7} matches '0' zero to seven times
+ // with a ;
+ $patterns[] = '/(�{0,8}'.ord($search[$i]).';?)/';
+ $replacements[] = $search[$i];
+ }
}
+ $val = preg_replace($patterns, $replacements, $val);
// now the only remaining whitespace attacks are \t, \n, and \r
$ra_as_tag_only = array('style', 'script', 'embed', 'object', 'applet', 'meta', 'iframe', 'frame', 'frameset', 'ilayer', 'layer', 'bgsound', 'base');
@@ -53,6 +68,8 @@
function RemoveXSSregexp(&$ra, &$val, $prefix = '', $suffix = '', $allow_spaces = false) {
$val_before = $val;
$found = true;
+ $patterns = array();
+ $replacements = array();
$pattern_sep = '('
. '(&#[xX]0{0,8}([9ab]);)'
@@ -89,12 +106,16 @@
}
$pattern .= $pattern_end;
$replacement = ( $prefix != '' ) ? '\\1' : '';
- $replacement .= substr($ra[$i], 0, 2).'<x>'.substr($ra[$i], 2); // add in <> to nerf the tag
- $val = preg_replace($pattern, $replacement.$replacement_end, $val); // filter out the hex tags
- if ($val_before == $val) {
- // no replacements were made, so exit the loop
- $found = false;
- }
+ // add in <> to nerf the tag
+ $replacement .= substr($ra[$i], 0, 2).'<x>'.substr($ra[$i], 2);
+ $patterns[] = $pattern;
+ $replacements[] = $replacement.$replacement_end;
}
+ // filter out the hex tags
+ $val = preg_replace($patterns, $replacements, $val);
+ if ($val_before == $val) {
+ // no replacements were made, so exit the loop
+ $found = false;
+ }
return $found;
}
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|