pictcode

<?php

/**

 * Washes strings from unwanted noise.

 *

 * Helpful methods to make unsafe strings usable.

 *

 * CakePHP(tm) : Rapid Development Framework (http://cakephp.org)

 * Copyright (c) Cake Software Foundation, Inc. (http://cakefoundation.org)

 *

 * Licensed under The MIT License

 * For full copyright and license information, please see the LICENSE.txt

 * Redistributions of files must retain the above copyright notice.

 *

 * @copyright     Copyright (c) Cake Software Foundation, Inc. (http://cakefoundation.org)

 * @link          http://cakephp.org CakePHP(tm) Project

 * @package       Cake.Utility

 * @since         CakePHP(tm) v 0.10.0.1076

 * @license       http://www.opensource.org/licenses/mit-license.php MIT License

 */

App::uses('ConnectionManager', 'Model');

/**

 * Data Sanitization.

 *

 * Removal of alphanumeric characters, SQL-safe slash-added strings, HTML-friendly strings,

 * and all of the above on arrays.

 *

 * @package       Cake.Utility

 * @deprecated    3.0.0 Deprecated since version 2.4

 */

class Sanitize {

/**

 * Removes any non-alphanumeric characters.

 *

 * @param string $string String to sanitize

 * @param array $allowed An array of additional characters that are not to be removed.

 * @return string Sanitized string

 */

        public static function paranoid($string, $allowed = array()) {

                $allow = null;

                if (!empty($allowed)) {

                        foreach ($allowed as $value) {

                                $allow .= "\\$value";

                        }

                }

                if (!is_array($string)) {

                        return preg_replace("/[^{$allow}a-zA-Z0-9]/", '', $string);

                }

                $cleaned = array();

                foreach ($string as $key => $clean) {

                        $cleaned[$key] = preg_replace("/[^{$allow}a-zA-Z0-9]/", '', $clean);

                }

                return $cleaned;

        }

/**

 * Makes a string SQL-safe.

 *

 * @param string $string String to sanitize

 * @param string $connection Database connection being used

 * @return string SQL safe string

 */

        public static function escape($string, $connection = 'default') {

                if (is_numeric($string) || $string === null || is_bool($string)) {

                        return $string;

                }

                $db = ConnectionManager::getDataSource($connection);

                $string = $db->value($string, 'string');

                $start = 1;

                if ($string{0} === 'N') {

                        $start = 2;

                }

                return substr(substr($string, $start), 0, -1);

        }

/**

 * Returns given string safe for display as HTML. Renders entities.

 *

 * strip_tags() does not validating HTML syntax or structure, so it might strip whole passages

 * with broken HTML.

 *

 * ### Options:

 *

 * - remove (boolean) if true strips all HTML tags before encoding

 * - charset (string) the charset used to encode the string

 * - quotes (int) see http://php.net/manual/en/function.htmlentities.php

 * - double (boolean) double encode html entities

 *

 * @param string $string String from where to strip tags

 * @param array $options Array of options to use.

 * @return string Sanitized string

 */

        public static function html($string, $options = array()) {

                static $defaultCharset = false;

                if ($defaultCharset === false) {

                        $defaultCharset = Configure::read('App.encoding');

                        if ($defaultCharset === null) {

                                $defaultCharset = 'UTF-8';

                        }

                }

                $defaults = array(

                        'remove' => false,

                        'charset' => $defaultCharset,

                        'quotes' => ENT_QUOTES,

                        'double' => true

                );

                $options += $defaults;

                if ($options['remove']) {

                        $string = strip_tags($string);

                }

                return htmlentities($string, $options['quotes'], $options['charset'], $options['double']);

        }

/**

 * Strips extra whitespace from output

 *

 * @param string $str String to sanitize

 * @return string whitespace sanitized string

 */

        public static function stripWhitespace($str) {

                return preg_replace('/\s{2,}/u', ' ', preg_replace('/[\n\r\t]+/', '', $str));

        }

/**

 * Strips image tags from output

 *

 * @param string $str String to sanitize

 * @return string Sting with images stripped.

 */

        public static function stripImages($str) {

                $preg = array(

                        '/(<a[^>]*>)(<img[^>]+alt=")([^"]*)("[^>]*>)(<\/a>)/i' => '$1$3$5<br />',

                        '/(<img[^>]+alt=")([^"]*)("[^>]*>)/i' => '$2<br />',

                        '/<img[^>]*>/i' => ''

                );

                return preg_replace(array_keys($preg), array_values($preg), $str);

        }

/**

 * Strips scripts and stylesheets from output

 *

 * @param string $str String to sanitize

 * @return string String with <link>, <img>, <script>, <style> elements and html comments removed.

 */

        public static function stripScripts($str) {

                $regex =

                        '/(<link[^>]+rel="[^"]*stylesheet"[^>]*>|' .

                        '<img[^>]*>|style="[^"]*")|' .

                        '<script[^>]*>.*?<\/script>|' .

                        '<style[^>]*>.*?<\/style>|' .

                        '<!--.*?-->/is';

                return preg_replace($regex, '', $str);

        }

/**

 * Strips extra whitespace, images, scripts and stylesheets from output

 *

 * @param string $str String to sanitize

 * @return string sanitized string

 */

        public static function stripAll($str) {

                return Sanitize::stripScripts(

                        Sanitize::stripImages(

                                Sanitize::stripWhitespace($str)

                        )

                );

        }

/**

 * Strips the specified tags from output. First parameter is string from

 * where to remove tags. All subsequent parameters are tags.

 *

 * Ex.`$clean = Sanitize::stripTags($dirty, 'b', 'p', 'div');`

 *

 * Will remove all `<b>`, `<p>`, and `<div>` tags from the $dirty string.

 *

 * @param string $str String to sanitize.

 * @return string sanitized String

 */

        public static function stripTags($str) {

                $params = func_get_args();

                for ($i = 1, $count = count($params); $i < $count; $i++) {

                        $str = preg_replace('/<' . $params[$i] . '\b[^>]*>/i', '', $str);

                        $str = preg_replace('/<\/' . $params[$i] . '[^>]*>/i', '', $str);

                }

                return $str;

        }

/**

 * Sanitizes given array or value for safe input. Use the options to specify

 * the connection to use, and what filters should be applied (with a boolean

 * value). Valid filters:

 *

 * - odd_spaces - removes any non space whitespace characters

 * - encode - Encode any html entities. Encode must be true for the `remove_html` to work.

 * - dollar - Escape `$` with `\$`

 * - carriage - Remove `\r`

 * - unicode -

 * - escape - Should the string be SQL escaped.

 * - backslash -

 * - remove_html - Strip HTML with strip_tags. `encode` must be true for this option to work.

 *

 * @param string|array $data Data to sanitize

 * @param string|array $options If string, DB connection being used, otherwise set of options

 * @return mixed Sanitized data

 */

        public static function clean($data, $options = array()) {

                if (empty($data)) {

                        return $data;

                }

                if (!is_array($options)) {

                        $options = array('connection' => $options);

                }

                $options += array(

                        'connection' => 'default',

                        'odd_spaces' => true,

                        'remove_html' => false,

                        'encode' => true,

                        'dollar' => true,

                        'carriage' => true,

                        'unicode' => true,

                        'escape' => true,

                        'backslash' => true

                );

                if (is_array($data)) {

                        foreach ($data as $key => $val) {

                                $data[$key] = Sanitize::clean($val, $options);

                        }

                        return $data;

                }

                if ($options['odd_spaces']) {

                        $data = str_replace(chr(0xCA), '', $data);

                }

                if ($options['encode']) {

                        $data = Sanitize::html($data, array('remove' => $options['remove_html']));

                }

                if ($options['dollar']) {

                        $data = str_replace("\\\$", "$", $data);

                }

                if ($options['carriage']) {

                        $data = str_replace("\r", "", $data);

                }

                if ($options['unicode']) {

                        $data = preg_replace("/&#([0-9]+);/s", "&#\\1;", $data);

                }

                if ($options['escape']) {

                        $data = Sanitize::escape($data, $options['connection']);

                }

                if ($options['backslash']) {

                        $data = preg_replace("/\\\(?!&#|\?#)/", "\\", $data);

                }

                return $data;

        }

}