| | |
|---|
| | | function get_input_value($fname, $source, $allow_html=FALSE, $charset=NULL) |
|---|
| | | { |
|---|
| | | $value = NULL; |
|---|
| | | |
|---|
| | | if ($source==RCUBE_INPUT_GET && isset($_GET[$fname])) |
|---|
| | | $value = $_GET[$fname]; |
|---|
| | | else if ($source==RCUBE_INPUT_POST && isset($_POST[$fname])) |
|---|
| | | $value = $_POST[$fname]; |
|---|
| | | else if ($source==RCUBE_INPUT_GPC) |
|---|
| | | { |
|---|
| | | |
|---|
| | | if ($source == RCUBE_INPUT_GET) { |
|---|
| | | if (isset($_GET[$fname])) |
|---|
| | | $value = $_GET[$fname]; |
|---|
| | | } |
|---|
| | | else if ($source == RCUBE_INPUT_POST) { |
|---|
| | | if (isset($_POST[$fname])) |
|---|
| | | $value = $_POST[$fname]; |
|---|
| | | } |
|---|
| | | else if ($source == RCUBE_INPUT_GPC) { |
|---|
| | | if (isset($_POST[$fname])) |
|---|
| | | $value = $_POST[$fname]; |
|---|
| | | else if (isset($_GET[$fname])) |
|---|
| | | $value = $_GET[$fname]; |
|---|
| | | else if (isset($_COOKIE[$fname])) |
|---|
| | | $value = $_COOKIE[$fname]; |
|---|
| | | } |
|---|
| | | } |
|---|
| | | |
|---|
| | | return parse_input_value($value, $allow_html, $charset); |
|---|
| | | } |
|---|
| | |
|---|
| | | /** |
|---|
| | | * Parse/validate input value. See get_input_value() |
|---|
| | | * Performs stripslashes() and charset conversion if necessary |
|---|
| | | * |
|---|
| | | * |
|---|
| | | * @param string Input value |
|---|
| | | * @param boolean Allow HTML tags in field value |
|---|
| | | * @param string Charset to convert into |
|---|
| | |
|---|
| | | else if (get_magic_quotes_gpc() || get_magic_quotes_runtime()) |
|---|
| | | $value = stripslashes($value); |
|---|
| | | |
|---|
| | | // remove HTML tags if not allowed |
|---|
| | | // remove HTML tags if not allowed |
|---|
| | | if (!$allow_html) |
|---|
| | | $value = strip_tags($value); |
|---|
| | | |
|---|
| | | |
|---|
| | | $output_charset = is_object($OUTPUT) ? $OUTPUT->get_charset() : null; |
|---|
| | | |
|---|
| | | // remove invalid characters (#1488124) |
|---|
| | | if ($output_charset == 'UTF-8') |
|---|
| | | $value = rc_utf8_clean($value); |
|---|
| | | |
|---|
| | | // convert to internal charset |
|---|
| | | if (is_object($OUTPUT) && $charset) |
|---|
| | | return rcube_charset_convert($value, $OUTPUT->get_charset(), $charset); |
|---|
| | | else |
|---|
| | | return $value; |
|---|
| | | if ($charset && $output_charset) |
|---|
| | | $value = rcube_charset_convert($value, $output_charset, $charset); |
|---|
| | | |
|---|
| | | return $value; |
|---|
| | | } |
|---|
| | | |
|---|
| | | /** |
|---|
| | |
|---|
| | | $src = $mode == RCUBE_INPUT_GET ? $_GET : ($mode == RCUBE_INPUT_POST ? $_POST : $_REQUEST); |
|---|
| | | foreach ($src as $key => $value) { |
|---|
| | | $fname = $key[0] == '_' ? substr($key, 1) : $key; |
|---|
| | | if ($ignore && !preg_match("/($ignore)/", $fname)) |
|---|
| | | if ($ignore && !preg_match('/^(' . $ignore . ')$/', $fname)) |
|---|
| | | $out[$fname] = get_input_value($key, $mode); |
|---|
| | | } |
|---|
| | | |
|---|
| | | |
|---|
| | | return $out; |
|---|
| | | } |
|---|
| | | |
|---|
| | |
|---|
| | | * @param string Container ID to use as prefix |
|---|
| | | * @return string Modified CSS source |
|---|
| | | */ |
|---|
| | | function rcmail_mod_css_styles($source, $container_id) |
|---|
| | | function rcmail_mod_css_styles($source, $container_id, $allow_remote=false) |
|---|
| | | { |
|---|
| | | $last_pos = 0; |
|---|
| | | $replacements = new rcube_string_replacer; |
|---|
| | | |
|---|
| | | // ignore the whole block if evil styles are detected |
|---|
| | | $stripped = preg_replace('/[^a-z\(:;]/', '', rcmail_xss_entity_decode($source)); |
|---|
| | | if (preg_match('/expression|behavior|url\(|import[^a]/', $stripped)) |
|---|
| | | $source = rcmail_xss_entity_decode($source); |
|---|
| | | $stripped = preg_replace('/[^a-z\(:;]/i', '', $source); |
|---|
| | | $evilexpr = 'expression|behavior|javascript:|import[^a]' . (!$allow_remote ? '|url\(' : ''); |
|---|
| | | if (preg_match("/$evilexpr/i", $stripped)) |
|---|
| | | return '/* evil! */'; |
|---|
| | | |
|---|
| | | // remove css comments (sometimes used for some ugly hacks) |
|---|
| | | $source = preg_replace('!/\*(.+)\*/!Ums', '', $source); |
|---|
| | | |
|---|
| | | // cut out all contents between { and } |
|---|
| | | while (($pos = strpos($source, '{', $last_pos)) && ($pos2 = strpos($source, '}', $pos))) |
|---|
| | | { |
|---|
| | | $key = $replacements->add(substr($source, $pos+1, $pos2-($pos+1))); |
|---|
| | | while (($pos = strpos($source, '{', $last_pos)) && ($pos2 = strpos($source, '}', $pos))) { |
|---|
| | | $styles = substr($source, $pos+1, $pos2-($pos+1)); |
|---|
| | | |
|---|
| | | // check every line of a style block... |
|---|
| | | if ($allow_remote) { |
|---|
| | | $a_styles = preg_split('/;[\r\n]*/', $styles, -1, PREG_SPLIT_NO_EMPTY); |
|---|
| | | foreach ($a_styles as $line) { |
|---|
| | | $stripped = preg_replace('/[^a-z\(:;]/i', '', $line); |
|---|
| | | // ... and only allow strict url() values |
|---|
| | | if (stripos($stripped, 'url(') && !preg_match('!url\s*\([ "\'](https?:)//[a-z0-9/._+-]+["\' ]\)!Uims', $line)) { |
|---|
| | | $a_styles = array('/* evil! */'); |
|---|
| | | break; |
|---|
| | | } |
|---|
| | | } |
|---|
| | | $styles = join(";\n", $a_styles); |
|---|
| | | } |
|---|
| | | |
|---|
| | | $key = $replacements->add($styles); |
|---|
| | | $source = substr($source, 0, $pos+1) . $replacements->get_replacement($key) . substr($source, $pos2, strlen($source)-$pos2); |
|---|
| | | $last_pos = $pos+2; |
|---|
| | | } |
|---|
| | |
|---|
| | | { |
|---|
| | | $out = html_entity_decode(html_entity_decode($content)); |
|---|
| | | $out = preg_replace_callback('/\\\([0-9a-f]{4})/i', 'rcmail_xss_entity_decode_callback', $out); |
|---|
| | | $out = preg_replace('#/\*.*\*/#Um', '', $out); |
|---|
| | | $out = preg_replace('#/\*.*\*/#Ums', '', $out); |
|---|
| | | return $out; |
|---|
| | | } |
|---|
| | | |
|---|
