fernando/luos
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

modificaciones en class.inputfilter.php

Browse Source
This commit is contained in:
marcelo.cuiza
2015-03-13 10:46:56 -04:00
parent e778677796
commit 2723fa7477
1 changed files with 73 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

96
gulliver/system/class.inputfilter.php
View File

@@ -370,6 +370,7 @@ class InputFilter
* @author Marcelo Cuiza * @author Marcelo Cuiza
* @access protected * @access protected
* @param Array or String $input * @param Array or String $input
* @param String $type
* @return Array or String $input * @return Array or String $input
*/ */
public function xssFilter($input, $type = "") public function xssFilter($input, $type = "")
@@ -381,7 +382,7 @@ class InputFilter
$input[$i] = $this->xssFilter($val); $input[$i] = $this->xssFilter($val);
} else { } else {
if(!empty($val)) { if(!empty($val)) {
if($type != "url" && !strpos(basename($val), "=")) { if($type != "url") {
$inputFiltered = addslashes(htmlspecialchars(filter_var($val, FILTER_SANITIZE_STRING), ENT_COMPAT, 'UTF-8')); $inputFiltered = addslashes(htmlspecialchars(filter_var($val, FILTER_SANITIZE_STRING), ENT_COMPAT, 'UTF-8'));
} else { } else {
$inputFiltered = filter_var($val, FILTER_SANITIZE_STRING); $inputFiltered = filter_var($val, FILTER_SANITIZE_STRING);
@@ -412,27 +413,45 @@ class InputFilter
* @author Marcelo Cuiza * @author Marcelo Cuiza
* @access protected * @access protected
* @param Array or String $input * @param Array or String $input
* @param String $type
* @return Array or String $input * @return Array or String $input
*/ */
function xssFilterHard($input, $type = "") function xssFilterHard($input, $type = "")
{ {
require_once (PATH_THIRDPARTY . 'HTMLPurifier/HTMLPurifier.auto.php'); require_once (PATH_THIRDPARTY . 'HTMLPurifier/HTMLPurifier.auto.php');
$config = HTMLPurifier_Config::createDefault(); $config = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($config); $purifier = new HTMLPurifier($config);
if(is_array($input)) { if(is_array($input)) {
if(sizeof($input)) { if(sizeof($input)) {
foreach($input as $i => $val) { foreach($input as $i => $val) {
if(is_array($val) && sizeof($val)) { if(is_array($val) && sizeof($val)) {
$input[$i] = $this->xssFilterHard($val,$type); $input[$i] = $this->xssFilterHard($val);
} else { } else {
if(!empty($val)) { if(!empty($val)) {
$inputFiltered = $purifier->purify($val); if(!sizeof(G::json_decode($val))) {
$pos = strpos($inputFiltered, "="); $inputFiltered = $purifier->purify($val);
if($type != "url" && $pos === false) { if($type != "url" && !strpos(basename($val), "=")) {
$inputFiltered = addslashes(htmlspecialchars($inputFiltered, ENT_COMPAT, 'UTF-8')); $inputFiltered = addslashes(htmlspecialchars($inputFiltered, ENT_COMPAT, 'UTF-8'));
} else {
$inputFiltered = str_replace('&','&',$inputFiltered);
}
} else { } else {
$inputFiltered = str_replace('&','&',$inputFiltered); $jsArray = (array)G::json_decode($val);
} if(is_array($jsArray) && sizeof($jsArray)) {
foreach($jsArray as $j => $jsVal){
if(is_array($jsVal) && sizeof($jsVal)) {
$jsArray[$j] = $this->xssFilterHard($jsVal);
} else {
if(!empty($jsVal)) {
$jsArray[$j] = $purifier->purify($jsVal);
}
}
}
$inputFiltered = json_encode($jsArray);
} else {
$inputFiltered = $val;
}
}
} else { } else {
$inputFiltered = ""; $inputFiltered = "";
} }
@@ -441,17 +460,32 @@ class InputFilter
} }
} }
return $input; return $input;
} else { } else {
if(!isset($input) || trim($input) === '' || $input === NULL ) { if(!isset($input) || empty($input)) {
return ''; return '';
} else { } else {
$input = $purifier->purify($input); if(!sizeof(G::json_decode($input))) {
$pos = strpos(basename($input), "="); $input = $purifier->purify($input);
if($type != "url" && $pos === false) { if($type != "url" && !strpos(basename($input), "=")) {
$input = addslashes(htmlspecialchars($input, ENT_COMPAT, 'UTF-8')); $input = addslashes(htmlspecialchars($input, ENT_COMPAT, 'UTF-8'));
} else {
$input = str_replace('&','&',$input);
}
} else { } else {
$input = str_replace('&','&',$input); $jsArray = (array)G::json_decode($input);
} if(is_array($jsArray) && sizeof($jsArray)) {
foreach($jsArray as $j => $jsVal){
if(is_array($jsVal) && sizeof($jsVal)) {
$jsArray[$j] = $this->xssFilterHard($jsVal);
} else {
if(!empty($jsVal)) {
$jsArray[$j] = $purifier->purify($jsVal);
}
}
}
$input = json_encode($jsArray);
}
}
return $input; return $input;
} }
} }
@@ -494,7 +528,7 @@ class InputFilter
* @param String $type * @param String $type
* @return String $value * @return String $value
*/ */
function validateInput($value, $type = "string") function validateInput($value, $types = 'string')
{ {
if(!isset($value) || trim($value) === '' || $value === NULL ) { if(!isset($value) || trim($value) === '' || $value === NULL ) {
return ''; return '';
@@ -503,7 +537,20 @@ class InputFilter
if($pos = strpos($value,";")) { if($pos = strpos($value,";")) {
$value = substr($value,0,$pos); $value = substr($value,0,$pos);
} }
if(is_array($types) && sizeof($types)){
foreach($types as $type){
$value = $this->validateInputValue($value, $type);
}
} elseif(is_string($types)) {
$value = $this->validateInputValue($value, $types);
}
return $value;
}
function validateInputValue($value, $type) {
switch($type) { switch($type) {
case 'float': case 'float':
$value = (float)filter_var($value, FILTER_SANITIZE_NUMBER_FLOAT); $value = (float)filter_var($value, FILTER_SANITIZE_NUMBER_FLOAT);
@@ -519,15 +566,18 @@ class InputFilter
$value = ''; $value = '';
} }
break; break;
case 'noSql': case 'nosql':
$value = (string)filter_var($value, FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH); $value = (string)filter_var($value, FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH);
if(preg_match('/\b(or|and|xor|drop|insert|update|delete|select)\b/i' , $value)) { if(preg_match('/\b(or|and|xor|drop|insert|update|delete|select)\b/i' , $value)) {
$value = ''; $value = '';
} }
break; break;
case 'db':
break;
default: default:
$value = (string)filter_var($value, FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH); $value = (string)filter_var($value, FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH);
} }
return $value;
} return $value;
} }
}