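validType = $validType;
        $this->checkXss = $checkXss;
        $this->checkSql = $checkSql;
        $this->strip_tags = $strip_tags;
        $this->strip_js = $strip_js;
    }

    /**
     * Normalise and filter one untrusted input value.
     *
     * Dispatch order is unchanged from the original: the optional $type
     * coercion runs first, then each filter whose flag was enabled in the
     * constructor (checkXss, checkSql, strip_tags, strip_js), then trim().
     *
     * NOTE(review): this is input *sanitisation*, not output escaping. Values
     * returned here still have to be escaped for the context they end up in
     * (htmlspecialchars() for HTML, prepared statements for SQL); none of the
     * filters below can stand in for that.
     *
     * @param mixed  $val  raw value (normally a string from $_GET/$_POST)
     * @param string $type '' or one of $this->validType ('int', 'bool', 'null' are acted on)
     * @return string|false trimmed value, or false when $type is not allowed
     */
    public function CleanInput($val, $type = '')
    {
        // Strict comparison: the original loose in_array() let non-string
        // $type values (e.g. 0) pass by type juggling.
        if ($type !== '' && $type !== null && !in_array($type, $this->validType, true)) {
            return false;
        }

        if ($type === 'int') {
            $val = $this->setInt($val);
        } elseif ($type === 'bool') {
            $val = $this->setBoll($val);
        } elseif ($type === 'null') {
            $val = $this->setNull($val);
        }

        // $this->checkXss / $this->checkSql / $this->strip_tags are the boolean
        // flags; $this->checkXss() etc. are the methods of the same name.
        if ($this->checkXss) {
            $val = $this->checkXss($val);
        }
        if ($this->checkSql) {
            $val = $this->checkSql($val);
        }
        if ($this->strip_tags) {
            $val = $this->strip_tags($val);
        }
        if ($this->strip_js) {
            $val = $this->strip_javascript($val);
        }

        // trim() coerces non-strings (int, bool, null) to string here, as before.
        return trim($val);
    }

    /**
     * Coerce $val for type 'int'.
     *
     * Numeric input (is_numeric, so "1.5" or " 7" included) is returned
     * unchanged; anything else is cast with intval().
     *
     * NOTE(review): the original assigned intval($val) on the non-numeric
     * branch but never returned it, so every non-numeric input became null.
     */
    private function setInt($val)
    {
        return is_numeric($val) ? $val : intval($val);
    }

    /**
     * Coerce $val for type 'bool': real booleans pass through, everything
     * else becomes 0. (Original fell off the end and returned null for
     * non-booleans instead of the intended 0.)
     */
    private function setBoll($val)
    {
        return is_bool($val) ? $val : 0;
    }

    /**
     * Coerce $val for type 'null': null passes through, everything else
     * becomes "". (Original returned null, not "", for non-null input.)
     */
    private function setNull($val)
    {
        return is_null($val) ? $val : "";
    }

    /**
     * Remove script-bearing attributes from every HTML start tag in $filter.
     *
     * Each tag is located with a PCRE grammar (tagname / attname / attval /
     * attrib / crap / tag). Inside a tag, an attribute is replaced by a single
     * space when its name starts with "on" (event handler) or when its value,
     * once quotes, whitespace and control characters are removed, starts with
     * "javascript:" / "vbscript:" or contains "expression(". All other bytes
     * are kept as-is. Entity-encoded payloads (e.g. &#106;avascript:) are not
     * decoded here, so this is a best-effort filter, not a parser.
     *
     * NOTE(review): the original passed regex strings to str_replace(), which
     * matches them literally and so changed nothing; the surrounding
     * `while (preg_match(...))` loops therefore never terminated on any input
     * that matched. It also relied on the /e modifier (removed in PHP 7) and
     * an undefined remove_event_attributes_from_tag(). The group names in the
     * grammar were restored from the (?&name) back-references; confirm against
     * the project's history.
     *
     * @param string $filter raw (untrusted) markup
     * @return string markup with event/script attributes removed
     */
    private function strip_javascript($filter)
    {
        $filter = (string) $filter;

        // Named sub-patterns shared by both regexes below (x modifier: free-spacing).
        $redefs = '(?(DEFINE)
            (?<tagname> [a-z][^\s>/]*+ )
            (?<attname> [^\s>/][^\s=>/]*+ )                          # first char may be almost anything, including =
            (?<attval>  (?> "[^"]*+" | \'[^\']*+\' | [^\s>]*+ ) )    # unquoted values may contain quotes, = and /
            (?<attrib>  (?&attname) (?: \s*+ = \s*+ (?&attval) )?+ )
            (?<crap>    [^\s>] )                                      # junk inside a tag is skipped one char at a time
            (?<tag>     <(?&tagname) (?: \s*+ (?> (?&attrib) | (?&crap) ) )*+ \s*+ /?+ \s*+ > )
        )';
        $tagRe  = '~(?&tag)' . $redefs . '~xi';
        // Matches the "<tagname" opener once, then walks the tag contiguously
        // (\G) one attribute or one junk character at a time.
        $attrRe = '~( ^ <(?&tagname) ) | \G \s*+ (?> ((?&attrib)) | ((?&crap)) )' . $redefs . '~xi';

        // Decide whether one "name[=value]" attribute carries script.
        $isScript = function ($attrib) {
            $parts = explode('=', $attrib, 2);
            if (preg_match('/^on/i', $parts[0])) {
                return true;
            }
            if (!isset($parts[1])) {
                return false;
            }
            // Browsers ignore quotes, whitespace and control chars inside the scheme.
            $value = preg_replace('/[\s\x00-\x1F"\']+/', '', $parts[1]);
            return (bool) preg_match('/^(?:javascript|vbscript):|expression\(/i', $value);
        };

        $result = preg_replace_callback($tagRe, function (array $tag) use ($attrRe, $isScript) {
            return preg_replace_callback($attrRe, function (array $m) use ($isScript) {
                $opener = isset($m[1]) ? $m[1] : '';
                $junk   = isset($m[3]) ? $m[3] : '';
                // The "<tagname" opener and junk characters are kept verbatim.
                if ($opener !== '' || $junk !== '') {
                    return $m[0];
                }
                $attrib = isset($m[2]) ? $m[2] : '';
                return $isScript($attrib) ? ' ' : $m[0];
            }, $tag[0]);
        }, $filter);

        // preg_replace_callback() returns null on a PCRE error (e.g. backtrack
        // limit); return the input unchanged rather than hand null to the caller.
        return $result === null ? $filter : $result;
    }

    /**
     * Strip all HTML tags from $val with the core strip_tags().
     *
     * strip_tags() is always defined, so the original function_exists()
     * guard (which returned false otherwise) was dead code and is dropped.
     */
    private function strip_tags($val)
    {
        return strip_tags($val);
    }

    /**
     * Remove <script> and <style> blocks (including their bodies), HTML
     * comments and every remaining tag from $val.
     *
     * NOTE(review): the original handed these patterns to str_replace(), which
     * searches for the literal text "@<script…@si" and so never removed
     * anything; preg_replace() is the intended call. Three patterns had their
     * "<…>" runs lost in extraction and are restored here from the surviving
     * fragments ("]*?>.*?" / "]*?>.*?" / "") — verify against the project's
     * history. The bare-word blacklist (cookie, alert, href, document., .ready,
     * $., jquery, location., onerror) was dropped: as regexes those entries
     * would delete ordinary words from legitimate text while being trivially
     * bypassed by case or entity encoding, and the generic tag pattern already
     * removes every element. Block patterns run before the generic one so the
     * bodies of <script>/<style> do not survive as text.
     *
     * @param string $val raw (untrusted) text
     * @return string text with markup removed (still needs output escaping)
     */
    private function checkXss($val)
    {
        $patterns = array(
            '@<script[^>]*?>.*?</script>@si',   // script elements with body
            '@<style[^>]*?>.*?</style>@siU',    // style elements with body (expression(), url(javascript:))
            '@<![\s\S]*?--[ \t\n\r]*>@',        // HTML / conditional comments
            '@<[\/\!]*?[^<>]*?>@si',            // any remaining tag
        );
        $cleaned = preg_replace($patterns, '', (string) $val);
        // null signals a PCRE failure; keep the input instead of returning null
        return $cleaned === null ? $val : $cleaned;
    }

    /**
     * Escape $val for interpolation into a MySQL string literal.
     *
     * NOTE(review): string escaping is the wrong layer for SQL safety — use
     * prepared statements (PDO / mysqli) at the query site and retire the
     * $checkSql flag. The original called mysql_real_escape_string() (removed
     * in PHP 7, and returning false without an open connection) and called
     * addslashes() *on top of* magic quotes, double-escaping input. This
     * version strips magic quotes when the runtime applied them, prefers the
     * MySQL-aware escaper when the legacy extension is loaded, and otherwise
     * falls back to addslashes(), which is not charset-aware (multi-byte
     * GBK/SJIS bypasses) and must not be treated as a security control.
     *
     * @param string $val raw value
     * @return string escaped value
     */
    private function checkSql($val)
    {
        $val = (string) $val;
        // Undo the runtime's own escaping so escaping is applied exactly once.
        if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
            $val = stripslashes($val);
        }
        if (function_exists('mysql_real_escape_string')) {
            $escaped = mysql_real_escape_string($val);
            if ($escaped !== false) {   // false means no open mysql connection
                return $escaped;
            }
        }
        return addslashes($val);
    }
}
?>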