├── .gitignore ├── LICENSE ├── README.md ├── composer.json └── src ├── DataSecurity ├── AESEncryptHelper.php ├── EncryptHelper.php └── RSAEncryptHelper.php ├── EncoderSecurity ├── BaseEncoder.php ├── EncoderSecurity.php ├── HtmlEntityEncoder.php ├── JavaScriptEncoder.php └── LICENSE ├── FileSecurity ├── FileSecurity.php └── UploadedFileVerification.php ├── HTMLPurifier ├── HTMLPurifier.php ├── HTMLPurifier │ ├── AttrDef │ │ ├── CSS │ │ │ ├── HTMLPurifier_AttrDef_CSS_AlphaValue.php │ │ │ ├── HTMLPurifier_AttrDef_CSS_Background.php │ │ │ ├── HTMLPurifier_AttrDef_CSS_BackgroundPosition.php │ │ │ ├── HTMLPurifier_AttrDef_CSS_Border.php │ │ │ ├── HTMLPurifier_AttrDef_CSS_Color.php │ │ │ ├── HTMLPurifier_AttrDef_CSS_Composite.php │ │ │ ├── HTMLPurifier_AttrDef_CSS_DenyElementDecorator.php │ │ │ ├── HTMLPurifier_AttrDef_CSS_Filter.php │ │ │ ├── HTMLPurifier_AttrDef_CSS_Font.php │ │ │ ├── HTMLPurifier_AttrDef_CSS_FontFamily.php │ │ │ ├── HTMLPurifier_AttrDef_CSS_Ident.php │ │ │ ├── HTMLPurifier_AttrDef_CSS_ImportantDecorator.php │ │ │ ├── HTMLPurifier_AttrDef_CSS_Length.php │ │ │ ├── HTMLPurifier_AttrDef_CSS_ListStyle.php │ │ │ ├── HTMLPurifier_AttrDef_CSS_Multiple.php │ │ │ ├── HTMLPurifier_AttrDef_CSS_Number.php │ │ │ ├── HTMLPurifier_AttrDef_CSS_Percentage.php │ │ │ ├── HTMLPurifier_AttrDef_CSS_TextDecoration.php │ │ │ └── HTMLPurifier_AttrDef_CSS_URI.php │ │ ├── HTML │ │ │ ├── HTMLPurifier_AttrDef_HTML_Bool.php │ │ │ ├── HTMLPurifier_AttrDef_HTML_Class.php │ │ │ ├── HTMLPurifier_AttrDef_HTML_Color.php │ │ │ ├── HTMLPurifier_AttrDef_HTML_FrameTarget.php │ │ │ ├── HTMLPurifier_AttrDef_HTML_ID.php │ │ │ ├── HTMLPurifier_AttrDef_HTML_Length.php │ │ │ ├── HTMLPurifier_AttrDef_HTML_LinkTypes.php │ │ │ ├── HTMLPurifier_AttrDef_HTML_MultiLength.php │ │ │ ├── HTMLPurifier_AttrDef_HTML_Nmtokens.php │ │ │ └── HTMLPurifier_AttrDef_HTML_Pixels.php │ │ ├── HTMLPurifier_AttrDef_CSS.php │ │ ├── HTMLPurifier_AttrDef_Clone.php │ │ ├── HTMLPurifier_AttrDef_Enum.php │ │ ├── 
HTMLPurifier_AttrDef_Integer.php │ │ ├── HTMLPurifier_AttrDef_Lang.php │ │ ├── HTMLPurifier_AttrDef_Switch.php │ │ ├── HTMLPurifier_AttrDef_Text.php │ │ ├── HTMLPurifier_AttrDef_URI.php │ │ └── URI │ │ │ ├── Email │ │ │ └── HTMLPurifier_AttrDef_URI_Email_SimpleCheck.php │ │ │ ├── HTMLPurifier_AttrDef_URI_Email.php │ │ │ ├── HTMLPurifier_AttrDef_URI_Host.php │ │ │ ├── HTMLPurifier_AttrDef_URI_IPv4.php │ │ │ └── HTMLPurifier_AttrDef_URI_IPv6.php │ ├── AttrTransform │ │ ├── HTMLPurifier_AttrTransform_Background.php │ │ ├── HTMLPurifier_AttrTransform_BdoDir.php │ │ ├── HTMLPurifier_AttrTransform_BgColor.php │ │ ├── HTMLPurifier_AttrTransform_BoolToCSS.php │ │ ├── HTMLPurifier_AttrTransform_Border.php │ │ ├── HTMLPurifier_AttrTransform_EnumToCSS.php │ │ ├── HTMLPurifier_AttrTransform_ImgRequired.php │ │ ├── HTMLPurifier_AttrTransform_ImgSpace.php │ │ ├── HTMLPurifier_AttrTransform_Input.php │ │ ├── HTMLPurifier_AttrTransform_Lang.php │ │ ├── HTMLPurifier_AttrTransform_Length.php │ │ ├── HTMLPurifier_AttrTransform_Name.php │ │ ├── HTMLPurifier_AttrTransform_NameSync.php │ │ ├── HTMLPurifier_AttrTransform_Nofollow.php │ │ ├── HTMLPurifier_AttrTransform_SafeEmbed.php │ │ ├── HTMLPurifier_AttrTransform_SafeObject.php │ │ ├── HTMLPurifier_AttrTransform_SafeParam.php │ │ ├── HTMLPurifier_AttrTransform_ScriptRequired.php │ │ ├── HTMLPurifier_AttrTransform_TargetBlank.php │ │ ├── HTMLPurifier_AttrTransform_TargetNoopener.php │ │ ├── HTMLPurifier_AttrTransform_TargetNoreferrer.php │ │ └── HTMLPurifier_AttrTransform_Textarea.php │ ├── ChildDef │ │ ├── HTMLPurifier_ChildDef_Chameleon.php │ │ ├── HTMLPurifier_ChildDef_Custom.php │ │ ├── HTMLPurifier_ChildDef_Empty.php │ │ ├── HTMLPurifier_ChildDef_List.php │ │ ├── HTMLPurifier_ChildDef_Optional.php │ │ ├── HTMLPurifier_ChildDef_Required.php │ │ ├── HTMLPurifier_ChildDef_StrictBlockquote.php │ │ └── HTMLPurifier_ChildDef_Table.php │ ├── ConfigSchema │ │ └── schema.ser │ ├── DefinitionCache │ │ ├── Decorator │ │ │ ├── 
HTMLPurifier_DefinitionCache_Decorator_Cleanup.php │ │ │ ├── HTMLPurifier_DefinitionCache_Decorator_Memory.php │ │ │ └── Template.php.in │ │ ├── HTMLPurifier_DefinitionCache_Decorator.php │ │ ├── HTMLPurifier_DefinitionCache_Null.php │ │ ├── HTMLPurifier_DefinitionCache_Serializer.php │ │ └── Serializer │ │ │ ├── HTML │ │ │ └── 4.10.0,42d2529d2d2aa4f137a4d6d6292a92e3ee82eb86,1.ser │ │ │ └── URL │ │ │ └── readme.md │ ├── EntityLookup │ │ └── entities.ser │ ├── Filter │ │ └── HTMLPurifier_Filter_ExtractStyleBlocks.php │ ├── HTMLModule │ │ ├── HTMLPurifier_HTMLModule_Bdo.php │ │ ├── HTMLPurifier_HTMLModule_CommonAttributes.php │ │ ├── HTMLPurifier_HTMLModule_Edit.php │ │ ├── HTMLPurifier_HTMLModule_Forms.php │ │ ├── HTMLPurifier_HTMLModule_Hypertext.php │ │ ├── HTMLPurifier_HTMLModule_Iframe.php │ │ ├── HTMLPurifier_HTMLModule_Image.php │ │ ├── HTMLPurifier_HTMLModule_Legacy.php │ │ ├── HTMLPurifier_HTMLModule_List.php │ │ ├── HTMLPurifier_HTMLModule_Name.php │ │ ├── HTMLPurifier_HTMLModule_Nofollow.php │ │ ├── HTMLPurifier_HTMLModule_NonXMLCommonAttributes.php │ │ ├── HTMLPurifier_HTMLModule_Object.php │ │ ├── HTMLPurifier_HTMLModule_Presentation.php │ │ ├── HTMLPurifier_HTMLModule_Proprietary.php │ │ ├── HTMLPurifier_HTMLModule_SafeEmbed.php │ │ ├── HTMLPurifier_HTMLModule_SafeObject.php │ │ ├── HTMLPurifier_HTMLModule_SafeScripting.php │ │ ├── HTMLPurifier_HTMLModule_Scripting.php │ │ ├── HTMLPurifier_HTMLModule_StyleAttribute.php │ │ ├── HTMLPurifier_HTMLModule_Tables.php │ │ ├── HTMLPurifier_HTMLModule_Target.php │ │ ├── HTMLPurifier_HTMLModule_TargetBlank.php │ │ ├── HTMLPurifier_HTMLModule_TargetNoopener.php │ │ ├── HTMLPurifier_HTMLModule_TargetNoreferrer.php │ │ ├── HTMLPurifier_HTMLModule_Text.php │ │ ├── HTMLPurifier_HTMLModule_Tidy.php │ │ ├── HTMLPurifier_HTMLModule_XMLCommonAttributes.php │ │ └── Tidy │ │ │ ├── HTMLPurifier_HTMLModule_Tidy_Name.php │ │ │ ├── HTMLPurifier_HTMLModule_Tidy_Proprietary.php │ │ │ ├── HTMLPurifier_HTMLModule_Tidy_Strict.php │ 
│ │ ├── HTMLPurifier_HTMLModule_Tidy_Transitional.php │ │ │ ├── HTMLPurifier_HTMLModule_Tidy_XHTML.php │ │ │ └── HTMLPurifier_HTMLModule_Tidy_XHTMLAndHTML4.php │ ├── HTMLPurifier_Arborize.php │ ├── HTMLPurifier_AttrCollections.php │ ├── HTMLPurifier_AttrDef.php │ ├── HTMLPurifier_AttrTransform.php │ ├── HTMLPurifier_AttrTypes.php │ ├── HTMLPurifier_AttrValidator.php │ ├── HTMLPurifier_CSSDefinition.php │ ├── HTMLPurifier_ChildDef.php │ ├── HTMLPurifier_Config.php │ ├── HTMLPurifier_ConfigSchema.php │ ├── HTMLPurifier_ContentSets.php │ ├── HTMLPurifier_Context.php │ ├── HTMLPurifier_Definition.php │ ├── HTMLPurifier_DefinitionCache.php │ ├── HTMLPurifier_DefinitionCacheFactory.php │ ├── HTMLPurifier_Doctype.php │ ├── HTMLPurifier_DoctypeRegistry.php │ ├── HTMLPurifier_ElementDef.php │ ├── HTMLPurifier_Encoder.php │ ├── HTMLPurifier_EntityLookup.php │ ├── HTMLPurifier_EntityParser.php │ ├── HTMLPurifier_ErrorStruct.php │ ├── HTMLPurifier_Exception.php │ ├── HTMLPurifier_Filter.php │ ├── HTMLPurifier_Generator.php │ ├── HTMLPurifier_HTMLDefinition.php │ ├── HTMLPurifier_HTMLModule.php │ ├── HTMLPurifier_HTMLModuleManager.php │ ├── HTMLPurifier_IDAccumulator.php │ ├── HTMLPurifier_Injector.php │ ├── HTMLPurifier_Length.php │ ├── HTMLPurifier_Lexer.php │ ├── HTMLPurifier_Node.php │ ├── HTMLPurifier_PercentEncoder.php │ ├── HTMLPurifier_PropertyList.php │ ├── HTMLPurifier_PropertyListIterator.php │ ├── HTMLPurifier_Queue.php │ ├── HTMLPurifier_Strategy.php │ ├── HTMLPurifier_StringHash.php │ ├── HTMLPurifier_StringHashParser.php │ ├── HTMLPurifier_TagTransform.php │ ├── HTMLPurifier_Token.php │ ├── HTMLPurifier_TokenFactory.php │ ├── HTMLPurifier_URI.php │ ├── HTMLPurifier_URIDefinition.php │ ├── HTMLPurifier_URIFilter.php │ ├── HTMLPurifier_URIParser.php │ ├── HTMLPurifier_URIScheme.php │ ├── HTMLPurifier_URISchemeRegistry.php │ ├── HTMLPurifier_UnitConverter.php │ ├── HTMLPurifier_VarParser.php │ ├── HTMLPurifier_VarParserException.php │ ├── HTMLPurifier_Zipper.php │ 
├── Injector │ │ ├── HTMLPurifier_Injector_AutoParagraph.php │ │ ├── HTMLPurifier_Injector_DisplayLinkURI.php │ │ ├── HTMLPurifier_Injector_Linkify.php │ │ ├── HTMLPurifier_Injector_PurifierLinkify.php │ │ ├── HTMLPurifier_Injector_RemoveEmpty.php │ │ ├── HTMLPurifier_Injector_RemoveSpansWithoutAttributes.php │ │ └── HTMLPurifier_Injector_SafeObject.php │ ├── Lexer │ │ ├── HTML5.php │ │ ├── HTML5TreeConstructer.php │ │ ├── HTMLPurifier_Lexer_DOMLex.php │ │ ├── HTMLPurifier_Lexer_DirectLex.php │ │ └── HTMLPurifier_Lexer_PH5P.php │ ├── Node │ │ ├── HTMLPurifier_Node_Comment.php │ │ ├── HTMLPurifier_Node_Element.php │ │ └── HTMLPurifier_Node_Text.php │ ├── Strategy │ │ ├── HTMLPurifier_Strategy_Composite.php │ │ ├── HTMLPurifier_Strategy_Core.php │ │ ├── HTMLPurifier_Strategy_FixNesting.php │ │ ├── HTMLPurifier_Strategy_MakeWellFormed.php │ │ ├── HTMLPurifier_Strategy_RemoveForeignElements.php │ │ └── HTMLPurifier_Strategy_ValidateAttributes.php │ ├── TagTransform │ │ ├── HTMLPurifier_TagTransform_Font.php │ │ └── HTMLPurifier_TagTransform_Simple.php │ ├── Token │ │ ├── HTMLPurifier_Token_Comment.php │ │ ├── HTMLPurifier_Token_Empty.php │ │ ├── HTMLPurifier_Token_End.php │ │ ├── HTMLPurifier_Token_Start.php │ │ ├── HTMLPurifier_Token_Tag.php │ │ └── HTMLPurifier_Token_Text.php │ ├── URIFilter │ │ ├── HTMLPurifier_URIFilter_DisableExternal.php │ │ ├── HTMLPurifier_URIFilter_DisableExternalResources.php │ │ ├── HTMLPurifier_URIFilter_DisableResources.php │ │ ├── HTMLPurifier_URIFilter_HostBlacklist.php │ │ ├── HTMLPurifier_URIFilter_MakeAbsolute.php │ │ ├── HTMLPurifier_URIFilter_Munge.php │ │ └── HTMLPurifier_URIFilter_SafeIframe.php │ ├── URIScheme │ │ ├── HTMLPurifier_URIScheme_file.php │ │ ├── HTMLPurifier_URIScheme_ftp.php │ │ ├── HTMLPurifier_URIScheme_http.php │ │ └── HTMLPurifier_URIScheme_https.php │ └── VarParser │ │ ├── HTMLPurifier_VarParser_Flexible.php │ │ └── HTMLPurifier_VarParser_Native.php ├── HTMLPurifier_Default_config.php └── LICENSE ├── SLIM ├── 
Clause │ ├── ClauseContainer.php │ ├── GroupClause.php │ ├── HavingClause.php │ ├── JoinClause.php │ ├── LimitClause.php │ ├── OffsetClause.php │ ├── OrderClause.php │ └── WhereClause.php ├── Database.php ├── LICENSE ├── Mysql.php ├── Statement.php ├── Statement │ ├── DeleteStatement.php │ ├── InsertStatement.php │ ├── SelectStatement.php │ ├── StatementContainer.php │ └── UpdateStatement.php └── docs │ ├── AGGREGATES.md │ ├── Clause │ ├── GROUP_BY.md │ ├── HAVING.md │ ├── JOIN.md │ ├── LIMIT.md │ ├── OFFSET.md │ ├── ORDER_BY.md │ └── WHERE.md │ ├── README.md │ └── Statement │ ├── DELETE.md │ ├── INSERT.md │ ├── SELECT.md │ └── UPDATE.md ├── SecurityUtil.php └── URLSecurity ├── DefenseAgainstCSRF.php ├── DefenseAgainstRedirect.php ├── DefenseAgainstSSRF.php └── URLSecurity.php /LICENSE: -------------------------------------------------------------------------------- 1 | BSD 3-Clause License 2 | 3 | Copyright (c) [year], [fullname] 4 | All rights reserved. 5 | 6 | Redistribution and use in source and binary forms, with or without 7 | modification, are permitted provided that the following conditions are met: 8 | 9 | 1. Redistributions of source code must retain the above copyright notice, this 10 | list of conditions and the following disclaimer. 11 | 12 | 2. Redistributions in binary form must reproduce the above copyright notice, 13 | this list of conditions and the following disclaimer in the documentation 14 | and/or other materials provided with the distribution. 15 | 16 | 3. Neither the name of the copyright holder nor the names of its 17 | contributors may be used to endorse or promote products derived from 18 | this software without specific prior written permission. 19 | 20 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 21 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 23 | DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 24 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 26 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 27 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 28 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 29 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 30 | -------------------------------------------------------------------------------- /composer.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "momosec/rhizobia", 3 | "description": "provide protection against common security issues.", 4 | "type": "library", 5 | "keywords": ["vulnerability","csrf","ssrf","sqli","xss"], 6 | "license": "BSD-3-Clause", 7 | "authors": [ 8 | { 9 | "name": "thecastle", 10 | "email": "projectone@immomo.com", 11 | "role": "Developer MOMOSEC" 12 | } 13 | ], 14 | "require": { 15 | "php": ">=5.6.0", 16 | "ext-pdo": "*", 17 | "ext-curl": "*", 18 | "ext-mbstring": "*", 19 | "ext-openssl": "*", 20 | "ext-fileinfo":"*" 21 | }, 22 | "autoload": { 23 | "psr-4": { 24 | "Security\\": "src/", 25 | "Security\\URLSecurity\\": "src/URLSecurity", 26 | "Security\\EncoderSecurity\\": "src/EncoderSecurity", 27 | "Security\\SQLSecurity\\": "src/SLIM", 28 | "Security\\HTMLPurifier\\": "src/HTMLPurifier", 29 | "Security\\DataSecurity\\": "src/DataSecurity", 30 | "Security\\FileSecurity\\": "src/FileSecurity" 31 | } 32 | } 33 | } 34 | -------------------------------------------------------------------------------- /src/DataSecurity/AESEncryptHelper.php: -------------------------------------------------------------------------------- 1 | 5 | * Date: 2019/4/17 6 | * Time: 下午7:33 7 | */ 8 | 9 | namespace Security\DataSecurity; 10 | 11 | /** 12 | * Class AESEncryptHelper 13 
| * @package Security\DataSecurity 14 | */ 15 | class AESEncryptHelper 16 | { 17 | 18 | const SHA256 = 'sha256'; 19 | 20 | const METHOD = 'AES-256-CBC'; 21 | 22 | /** 23 | * @var string 24 | */ 25 | private $secretKey = 'AES_KEY'; 26 | 27 | 28 | /** 29 | * AESEncryptHelper constructor. 30 | */ 31 | public function __construct() 32 | { 33 | } 34 | 35 | 36 | /** 37 | * @param $data 38 | * @param $secret_key 39 | * @param int $options 40 | * @return string 41 | */ 42 | public function encryptWithOpenssl($data, $secret_key, $options = 0) 43 | { 44 | $iv = substr($secret_key, 8, 16); 45 | return openssl_encrypt($data, self::METHOD, $secret_key, $options, $iv); 46 | } 47 | 48 | 49 | /** 50 | * @param $data 51 | * @param $secret_key 52 | * @param int $options 53 | * @return string 54 | */ 55 | public function decryptWithOpenssl($data, $secret_key, $options = 0) 56 | { 57 | $iv = substr($secret_key, 8, 16); 58 | return openssl_decrypt($data, self::METHOD, $secret_key, $options, $iv); 59 | } 60 | 61 | 62 | /** 63 | * @param $uuid 64 | * @return string 65 | */ 66 | public function createSecretKey($uuid) 67 | { 68 | return md5($this->sha256WithOpenssl($uuid . '|' . $this->secretKey) . '|' . 
$this->secretKey); 69 | } 70 | 71 | 72 | /** 73 | * @param $data 74 | * @return string 75 | */ 76 | public function sha256WithOpenssl($data) 77 | { 78 | return openssl_digest($data, self::SHA256); 79 | } 80 | 81 | 82 | /** 83 | * @param $secret_key 84 | */ 85 | public function initAESConfig($secret_key) 86 | { 87 | $this->secretKey = $secret_key; 88 | } 89 | } 90 | -------------------------------------------------------------------------------- /src/DataSecurity/EncryptHelper.php: -------------------------------------------------------------------------------- 1 | 5 | * Date: 2019/4/17 6 | * Time: 下午7:33 7 | */ 8 | 9 | namespace Security\DataSecurity; 10 | 11 | /** 12 | * @property AESEncryptHelper $aesEncryptHelper 13 | * @property RSAEncryptHelper $rsaEncryptHelper 14 | **/ 15 | class EncryptHelper 16 | { 17 | 18 | /** 19 | * @var array 20 | */ 21 | protected $component = array(); 22 | 23 | 24 | /** 25 | * EncryptHelper constructor. 26 | */ 27 | public function __construct() 28 | { 29 | } 30 | 31 | 32 | /** 33 | * @param $key 34 | * @return mixed|null 35 | */ 36 | public function __get($key) 37 | { 38 | if (!isset($this->component[$key])) { 39 | $func = "get" . $key; 40 | if (method_exists($this, $func)) { 41 | $this->component[$key] = $this->$func(); 42 | } else { 43 | trigger_error(' unhandled key: ' . $key, E_USER_NOTICE); 44 | } 45 | } 46 | 47 | return isset($this->component[$key]) ? 
$this->component[$key] : null; 48 | } 49 | 50 | 51 | /** 52 | * @return AESEncryptHelper 53 | */ 54 | public function getAESEncryptHelper() 55 | { 56 | return new AESEncryptHelper(); 57 | } 58 | 59 | 60 | /** 61 | * @return RSAEncryptHelper 62 | */ 63 | public function getRSAEncryptHelper() 64 | { 65 | return new RSAEncryptHelper(); 66 | } 67 | } 68 | -------------------------------------------------------------------------------- /src/EncoderSecurity/EncoderSecurity.php: -------------------------------------------------------------------------------- 1 | 5 | * Date: 2019/4/17 6 | * Time: 下午7:33 7 | */ 8 | namespace Security\EncoderSecurity; 9 | 10 | /** 11 | * Class EncoderSecurity 12 | * @package Security\EncoderSecurity 13 | */ 14 | 15 | use Security\HTMLPurifier\HTMLPurifier; 16 | 17 | /** 18 | * 19 | * @property HtmlEntityEncoder $htmlEntityEncoder 20 | * @property JavaScriptEncoder $javascriptEncoder 21 | * @property HTMLPurifier $htmlPurifier 22 | */ 23 | class EncoderSecurity 24 | { 25 | 26 | const CHAR_LOWERS = 'abcdefghijklmnopqrstuvwxyz'; 27 | const CHAR_UPPERS = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'; 28 | const CHAR_DIGITS = '0123456789'; 29 | const CHAR_SPECIALS = '.-_!@$^*=~|+?'; 30 | const CHAR_LETTERS = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'; 31 | const CHAR_ALPHANUMERICS = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'; 32 | /** 33 | * @var array 34 | */ 35 | protected $component = array(); 36 | 37 | /** 38 | * EncoderSecurity constructor. 
39 | */ 40 | function __construct() 41 | { 42 | } 43 | 44 | /** 45 | * @return HtmlEntityEncoder 46 | */ 47 | public function getHtmlEntityEncoder() 48 | { 49 | return new HtmlEntityEncoder(); 50 | } 51 | 52 | /** 53 | * @return JavaScriptEncoder 54 | */ 55 | public function getJavascriptEncoder() 56 | { 57 | return new JavaScriptEncoder(); 58 | } 59 | 60 | /** 61 | * @return HTMLPurifier 62 | */ 63 | public function getHtmlPurifier() 64 | { 65 | return new HTMLPurifier(); 66 | } 67 | 68 | /** 69 | * @param $key 70 | * @return mixed|null 71 | */ 72 | public function __get($key) 73 | { 74 | if (!isset($this->component[$key])) { 75 | $func = "get" . $key; 76 | if (method_exists($this, $func)) { 77 | $this->component[$key] = $this->$func(); 78 | } else { 79 | trigger_error(' unhandled key: ' . $key, E_USER_NOTICE); 80 | } 81 | } 82 | 83 | return isset($this->component[$key]) ? $this->component[$key] : null; 84 | } 85 | 86 | 87 | } 88 | -------------------------------------------------------------------------------- /src/EncoderSecurity/LICENSE: -------------------------------------------------------------------------------- 1 | The BSD License 2 | 3 | Copyright (c) 2007-2008 The OWASP Foundation 4 | All rights reserved. 5 | 6 | Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 7 | 8 | Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 9 | Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 10 | Neither the name of the OWASP Foundation nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. 
11 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 12 | 13 | -------------------------------------------------------------------------------- /src/FileSecurity/FileSecurity.php: -------------------------------------------------------------------------------- 1 | 5 | * Date: 2019/5/16 6 | * Time: 下午5:53 7 | */ 8 | 9 | namespace Security\FileSecurity; 10 | 11 | /** 12 | * Class FileSecurity 13 | * 14 | * @property UploadedFileVerification $uploadedFileVerification 15 | * @package Security\FileSecurity 16 | */ 17 | class FileSecurity 18 | { 19 | /** 20 | * @return UploadedFileVerification 21 | */ 22 | public function getUploadedFileVerification() 23 | { 24 | return new UploadedFileVerification(); 25 | } 26 | 27 | /** 28 | * @var array 29 | */ 30 | protected $component = array(); 31 | 32 | 33 | /** 34 | * FileSecurity constructor. 35 | */ 36 | public function __construct() 37 | { 38 | } 39 | 40 | 41 | /** 42 | * @param $key 43 | * @return mixed|null 44 | */ 45 | public function __get($key) 46 | { 47 | if (!isset($this->component[$key])) { 48 | $func = "get" . $key; 49 | if (method_exists($this, $func)) { 50 | $this->component[$key] = $this->$func(); 51 | } else { 52 | trigger_error(' unhandled key: ' . 
$key, E_USER_NOTICE); 53 | } 54 | } 55 | 56 | return isset($this->component[$key]) ? $this->component[$key] : null; 57 | } 58 | 59 | } -------------------------------------------------------------------------------- /src/HTMLPurifier/HTMLPurifier/AttrDef/CSS/HTMLPurifier_AttrDef_CSS_AlphaValue.php: -------------------------------------------------------------------------------- 1 | 1.0) { 30 | $result = '1'; 31 | } 32 | return $result; 33 | } 34 | } 35 | 36 | 37 | -------------------------------------------------------------------------------- /src/HTMLPurifier/HTMLPurifier/AttrDef/CSS/HTMLPurifier_AttrDef_CSS_Border.php: -------------------------------------------------------------------------------- 1 | getCSSDefinition(); 25 | $this->info['border-width'] = $def->info['border-width']; 26 | $this->info['border-style'] = $def->info['border-style']; 27 | $this->info['border-top-color'] = $def->info['border-top-color']; 28 | } 29 | 30 | /** 31 | * @param string $string 32 | * @param HTMLPurifier_Config $config 33 | * @param HTMLPurifier_Context $context 34 | * @return bool|string 35 | */ 36 | public function validate($string, $config, $context) 37 | { 38 | $string = $this->parseCDATA($string); 39 | $string = $this->mungeRgb($string); 40 | $bits = explode(' ', $string); 41 | $done = array(); // segments we've finished 42 | $ret = ''; // return value 43 | foreach ($bits as $bit) { 44 | foreach ($this->info as $propname => $validator) { 45 | if (isset($done[$propname])) { 46 | continue; 47 | } 48 | $r = $validator->validate($bit, $config, $context); 49 | if ($r !== false) { 50 | $ret .= $r . 
' '; 51 | $done[$propname] = true; 52 | break; 53 | } 54 | } 55 | } 56 | return rtrim($ret); 57 | } 58 | } 59 | 60 | 61 | -------------------------------------------------------------------------------- /src/HTMLPurifier/HTMLPurifier/AttrDef/CSS/HTMLPurifier_AttrDef_CSS_Composite.php: -------------------------------------------------------------------------------- 1 | defs = $defs; 32 | } 33 | 34 | /** 35 | * @param string $string 36 | * @param HTMLPurifier_Config $config 37 | * @param HTMLPurifier_Context $context 38 | * @return bool|string 39 | */ 40 | public function validate($string, $config, $context) 41 | { 42 | foreach ($this->defs as $i => $def) { 43 | $result = $this->defs[$i]->validate($string, $config, $context); 44 | if ($result !== false) { 45 | return $result; 46 | } 47 | } 48 | return false; 49 | } 50 | } 51 | 52 | 53 | -------------------------------------------------------------------------------- /src/HTMLPurifier/HTMLPurifier/AttrDef/CSS/HTMLPurifier_AttrDef_CSS_DenyElementDecorator.php: -------------------------------------------------------------------------------- 1 | def = $def; 28 | $this->element = $element; 29 | } 30 | 31 | /** 32 | * Checks if CurrentToken is set and equal to $this->element 33 | * @param string $string 34 | * @param HTMLPurifier_Config $config 35 | * @param HTMLPurifier_Context $context 36 | * @return bool|string 37 | */ 38 | public function validate($string, $config, $context) 39 | { 40 | $token = $context->get('CurrentToken', true); 41 | if ($token && $token->name == $this->element) { 42 | return false; 43 | } 44 | return $this->def->validate($string, $config, $context); 45 | } 46 | } 47 | 48 | 49 | -------------------------------------------------------------------------------- /src/HTMLPurifier/HTMLPurifier/AttrDef/CSS/HTMLPurifier_AttrDef_CSS_Ident.php: -------------------------------------------------------------------------------- 1 | def = $def; 28 | $this->allow = $allow; 29 | } 30 | 31 | /** 32 | * Intercepts 
and removes !important if necessary 33 | * @param string $string 34 | * @param HTMLPurifier_Config $config 35 | * @param HTMLPurifier_Context $context 36 | * @return bool|string 37 | */ 38 | public function validate($string, $config, $context) 39 | { 40 | // test for ! and important tokens 41 | $string = trim($string); 42 | $is_important = false; 43 | // :TODO: optimization: test directly for !important and ! important 44 | if (strlen($string) >= 9 && substr($string, -9) === 'important') { 45 | $temp = rtrim(substr($string, 0, -9)); 46 | // use a temp, because we might want to restore important 47 | if (strlen($temp) >= 1 && substr($temp, -1) === '!') { 48 | $string = rtrim(substr($temp, 0, -1)); 49 | $is_important = true; 50 | } 51 | } 52 | $string = $this->def->validate($string, $config, $context); 53 | if ($this->allow && $is_important) { 54 | $string .= ' !important'; 55 | } 56 | return $string; 57 | } 58 | } 59 | 60 | 61 | -------------------------------------------------------------------------------- /src/HTMLPurifier/HTMLPurifier/AttrDef/CSS/HTMLPurifier_AttrDef_CSS_Length.php: -------------------------------------------------------------------------------- 1 | min = $min !== null ? HTMLPurifier_Length::make($min) : null; 31 | $this->max = $max !== null ? 
HTMLPurifier_Length::make($max) : null; 32 | } 33 | 34 | /** 35 | * @param string $string 36 | * @param HTMLPurifier_Config $config 37 | * @param HTMLPurifier_Context $context 38 | * @return bool|string 39 | */ 40 | public function validate($string, $config, $context) 41 | { 42 | $string = $this->parseCDATA($string); 43 | 44 | // Optimizations 45 | if ($string === '') { 46 | return false; 47 | } 48 | if ($string === '0') { 49 | return '0'; 50 | } 51 | if (strlen($string) === 1) { 52 | return false; 53 | } 54 | 55 | $length = HTMLPurifier_Length::make($string); 56 | if (!$length->isValid()) { 57 | return false; 58 | } 59 | 60 | if ($this->min) { 61 | $c = $length->compareTo($this->min); 62 | if ($c === false) { 63 | return false; 64 | } 65 | if ($c < 0) { 66 | return false; 67 | } 68 | } 69 | if ($this->max) { 70 | $c = $length->compareTo($this->max); 71 | if ($c === false) { 72 | return false; 73 | } 74 | if ($c > 0) { 75 | return false; 76 | } 77 | } 78 | return $length->toString(); 79 | } 80 | } 81 | 82 | 83 | -------------------------------------------------------------------------------- /src/HTMLPurifier/HTMLPurifier/AttrDef/CSS/HTMLPurifier_AttrDef_CSS_Percentage.php: -------------------------------------------------------------------------------- 1 | number_def = new HTMLPurifier_AttrDef_CSS_Number($non_negative); 25 | } 26 | 27 | /** 28 | * @param string $string 29 | * @param HTMLPurifier_Config $config 30 | * @param HTMLPurifier_Context $context 31 | * @return bool|string 32 | */ 33 | public function validate($string, $config, $context) 34 | { 35 | $string = $this->parseCDATA($string); 36 | 37 | if ($string === '') { 38 | return false; 39 | } 40 | $length = strlen($string); 41 | if ($length === 1) { 42 | return false; 43 | } 44 | if ($string[$length - 1] !== '%') { 45 | return false; 46 | } 47 | 48 | $number = substr($string, 0, $length - 1); 49 | $number = $this->number_def->validate($number, $config, $context); 50 | 51 | if ($number === false) { 52 | 
return false; 53 | } 54 | return "$number%"; 55 | } 56 | } 57 | 58 | 59 | -------------------------------------------------------------------------------- /src/HTMLPurifier/HTMLPurifier/AttrDef/CSS/HTMLPurifier_AttrDef_CSS_TextDecoration.php: -------------------------------------------------------------------------------- 1 | true, 25 | 'overline' => true, 26 | 'underline' => true, 27 | ); 28 | 29 | $string = strtolower($this->parseCDATA($string)); 30 | 31 | if ($string === 'none') { 32 | return $string; 33 | } 34 | 35 | $parts = explode(' ', $string); 36 | $final = ''; 37 | foreach ($parts as $part) { 38 | if (isset($allowed_values[$part])) { 39 | $final .= $part . ' '; 40 | } 41 | } 42 | $final = rtrim($final); 43 | if ($final === '') { 44 | return false; 45 | } 46 | return $final; 47 | } 48 | } 49 | 50 | 51 | -------------------------------------------------------------------------------- /src/HTMLPurifier/HTMLPurifier/AttrDef/HTML/HTMLPurifier_AttrDef_HTML_Bool.php: -------------------------------------------------------------------------------- 1 | name = $name; 28 | } 29 | 30 | /** 31 | * @param string $string 32 | * @param HTMLPurifier_Config $config 33 | * @param HTMLPurifier_Context $context 34 | * @return bool|string 35 | */ 36 | public function validate($string, $config, $context) 37 | { 38 | return $this->name; 39 | } 40 | 41 | /** 42 | * @param string $string Name of attribute 43 | * @return HTMLPurifier_AttrDef_HTML_Bool 44 | */ 45 | public function make($string) 46 | { 47 | return new HTMLPurifier_AttrDef_HTML_Bool($string); 48 | } 49 | } 50 | 51 | 52 | -------------------------------------------------------------------------------- /src/HTMLPurifier/HTMLPurifier/AttrDef/HTML/HTMLPurifier_AttrDef_HTML_Class.php: -------------------------------------------------------------------------------- 1 | getDefinition('HTML')->doctype->name; 19 | if ($name == "XHTML 1.1" || $name == "XHTML 2.0") { 20 | return parent::split($string, $config, $context); 21 | } 
else { 22 | return preg_split('/\s+/', $string); 23 | } 24 | } 25 | 26 | /** 27 | * @param array $tokens 28 | * @param HTMLPurifier_Config $config 29 | * @param HTMLPurifier_Context $context 30 | * @return array 31 | */ 32 | protected function filter($tokens, $config, $context) 33 | { 34 | $allowed = $config->get('Attr.AllowedClasses'); 35 | $forbidden = $config->get('Attr.ForbiddenClasses'); 36 | $ret = array(); 37 | foreach ($tokens as $token) { 38 | if (($allowed === null || isset($allowed[$token])) && 39 | !isset($forbidden[$token]) && 40 | // We need this O(n) check because of PHP's array 41 | // implementation that casts -0 to 0. 42 | !in_array($token, $ret, true) 43 | ) { 44 | $ret[] = $token; 45 | } 46 | } 47 | return $ret; 48 | } 49 | } 50 | -------------------------------------------------------------------------------- /src/HTMLPurifier/HTMLPurifier/AttrDef/HTML/HTMLPurifier_AttrDef_HTML_Color.php: -------------------------------------------------------------------------------- 1 | get('Core.ColorKeywords'); 24 | } 25 | 26 | $string = trim($string); 27 | 28 | if (empty($string)) { 29 | return false; 30 | } 31 | $lower = strtolower($string); 32 | if (isset($colors[$lower])) { 33 | return $colors[$lower]; 34 | } 35 | if ($string[0] === '#') { 36 | $hex = substr($string, 1); 37 | } else { 38 | $hex = $string; 39 | } 40 | 41 | $length = strlen($hex); 42 | if ($length !== 3 && $length !== 6) { 43 | return false; 44 | } 45 | if (!ctype_xdigit($hex)) { 46 | return false; 47 | } 48 | if ($length === 3) { 49 | $hex = $hex[0] . $hex[0] . $hex[1] . $hex[1] . $hex[2] . 
$hex[2]; 50 | } 51 | return "#$hex"; 52 | } 53 | } 54 | 55 | 56 | -------------------------------------------------------------------------------- /src/HTMLPurifier/HTMLPurifier/AttrDef/HTML/HTMLPurifier_AttrDef_HTML_FrameTarget.php: -------------------------------------------------------------------------------- 1 | valid_values === false) { 36 | $this->valid_values = $config->get('Attr.AllowedFrameTargets'); 37 | } 38 | return parent::validate($string, $config, $context); 39 | } 40 | } 41 | 42 | 43 | -------------------------------------------------------------------------------- /src/HTMLPurifier/HTMLPurifier/AttrDef/HTML/HTMLPurifier_AttrDef_HTML_Length.php: -------------------------------------------------------------------------------- 1 | 100) { 50 | return '100%'; 51 | } 52 | return ((string)$points) . '%'; 53 | } 54 | } 55 | 56 | 57 | -------------------------------------------------------------------------------- /src/HTMLPurifier/HTMLPurifier/AttrDef/HTML/HTMLPurifier_AttrDef_HTML_LinkTypes.php: -------------------------------------------------------------------------------- 1 | 'AllowedRel', 29 | 'rev' => 'AllowedRev' 30 | ); 31 | if (!isset($configLookup[$name])) { 32 | trigger_error( 33 | 'Unrecognized attribute name for link ' . 34 | 'relationship.', 35 | E_USER_ERROR 36 | ); 37 | return; 38 | } 39 | $this->name = $configLookup[$name]; 40 | } 41 | 42 | /** 43 | * @param string $string 44 | * @param HTMLPurifier_Config $config 45 | * @param HTMLPurifier_Context $context 46 | * @return bool|string 47 | */ 48 | public function validate($string, $config, $context) 49 | { 50 | $allowed = $config->get('Attr.' . 
/**
 * Validates a pixel-length attribute value (e.g. img width/height).
 *
 * Accepts a non-negative number with an optional "px" suffix and returns it
 * as a plain integer string. Non-numeric input is rejected, negatives are
 * clamped to "0", and when the definition was built with a maximum (the
 * constructor's $max; make('') yields no maximum) values above it are
 * clamped to that maximum. The upper bound is a defence, not cosmetics: the
 * upstream comment warns that extremely large dimensions can crash the
 * renderer/OS, so definitions used for untrusted markup should carry a
 * maximum (the Image/SafeEmbed modules pass HTML.MaxImgLength).
 *
 * @param string               $string
 * @param HTMLPurifier_Config  $config
 * @param HTMLPurifier_Context $context
 * @return bool|string Canonical integer string, or false if invalid
 */
public function validate($string, $config, $context)
{
    $value = trim($string);
    if ($value === '0') {
        return $value;
    }
    if ($value === '') {
        return false;
    }

    // Strip a trailing lowercase "px" unit; the check is byte-wise, so
    // "10PX" is left intact and then fails the numeric test below.
    $len = strlen($value);
    if (substr($value, $len - 2) === 'px') {
        $value = substr($value, 0, $len - 2);
    }

    if (!is_numeric($value)) {
        return false;
    }

    // is_numeric also admits fractional and exponent forms ("1.5", "1e3");
    // the cast converts them to an integer (fractions truncated).
    $pixels = (int)$value;
    if ($pixels < 0) {
        return '0';
    }

    // Clamp rather than reject, so oversized but otherwise valid values
    // degrade gracefully instead of dropping the attribute.
    if ($this->max !== null && $pixels > $this->max) {
        return (string)$this->max;
    }
    return (string)$pixels;
}
/**
 * Dispatches validation to one of two definitions depending on whether the
 * attribute is being validated on the tag this switch was built for.
 *
 * The current token is read from the context; when there is no token, or
 * its name differs from $this->tag, the "without tag" definition is used,
 * otherwise the "with tag" definition.
 *
 * @param string               $string
 * @param HTMLPurifier_Config  $config
 * @param HTMLPurifier_Context $context
 * @return bool|string Whatever the selected definition returns
 */
public function validate($string, $config, $context)
{
    // Second argument presumably makes the lookup non-fatal when no token
    // is registered — see HTMLPurifier_Context::get.
    $current = $context->get('CurrentToken', true);
    $onTargetTag = $current && $current->name === $this->tag;
    $delegate = $onTargetTag ? $this->withTag : $this->withoutTag;
    return $delegate->validate($string, $config, $context);
}
/**
 * Lazily builds the dotted-quad pattern stored in $this->ip4.
 *
 * Kept out of the constructor so the regex string is not serialised into
 * the definition cache. The octet sub-pattern only admits 0-255 and rejects
 * leading zeros such as "01" (which some resolvers interpret as octal).
 *
 * NOTE(review): the pattern carries no anchors of its own. validate() wraps
 * it in ^...$ with the `s` modifier but without `D`, so PCRE's `$` would
 * still match before a single trailing "\n" — confirm that callers never
 * pass a value ending in a newline, or anchor with \z instead.
 */
protected function _loadRegex()
{
    // 0-255: most specific alternatives first so 25x / 2xx / 1xx are tried
    // before the shorter forms.
    $octet = '(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9][0-9]|[0-9])';
    $this->ip4 = '(?:' . implode('\\.', array_fill(0, 4, $octet)) . ')';
}
/**
 * Rewrites a legacy enumerated attribute (e.g. align="center") into the
 * equivalent CSS declaration via the fixed lookup table supplied to the
 * constructor.
 *
 * The original attribute is always removed. Only an exact table key (after
 * trim, and lowercasing unless the transform is case-sensitive) yields CSS;
 * any other value is dropped silently, so the author's text never reaches
 * the style attribute — only the pre-defined CSS strings do.
 *
 * @param array                $attr
 * @param HTMLPurifier_Config  $config
 * @param HTMLPurifier_Context $context
 * @return array
 */
public function transform($attr, $config, $context)
{
    $name = $this->attr;
    if (!isset($attr[$name])) {
        return $attr;
    }

    $key = trim($attr[$name]);
    unset($attr[$name]);

    if (!$this->caseSensitive) {
        $key = strtolower($key);
    }

    $css = isset($this->enumToCSS[$key]) ? $this->enumToCSS[$key] : null;
    if ($css !== null) {
        $this->prependCSS($attr, $css);
    }
    return $attr;
}
/**
 * Converts the legacy hspace/vspace attribute into margin declarations.
 *
 * hspace becomes margin-left/margin-right, vspace margin-top/margin-bottom
 * (see $this->css). The attribute is removed in every case; CSS is only
 * emitted when the attribute name is one the table knows.
 *
 * NOTE(review): the raw attribute value is interpolated into the style
 * string without validation here (the upstream comment admits as much).
 * That is only acceptable if the generated style attribute is itself
 * validated later in the pipeline — confirm this transform is registered as
 * a pre-transform so the CSS AttrDef still sees its output.
 *
 * @param array                $attr
 * @param HTMLPurifier_Config  $config
 * @param HTMLPurifier_Context $context
 * @return array
 */
public function transform($attr, $config, $context)
{
    $name = $this->attr;
    if (!isset($attr[$name])) {
        return $attr;
    }

    $amount = $this->confiscateAttr($attr, $name);

    if (!isset($this->css[$name])) {
        return $attr; // unknown attribute name: drop it, emit nothing
    }

    $declarations = array();
    foreach ($this->css[$name] as $side) {
        $declarations[] = 'margin-' . $side . ':' . $amount . 'px;';
    }
    $this->prependCSS($attr, implode('', $declarations));
    return $attr;
}
/**
 * Removes or normalises input attributes that do not apply to the element's
 * type (defaulting to "text" when no type is given):
 *
 *  - checked   : only kept on radio/checkbox
 *  - maxlength : only kept on text/password
 *  - size      : on anything but text/password it is re-validated as a
 *                pixel count (dropped if that fails)
 *  - src       : only kept on image
 *  - value     : radio/checkbox get an empty value when none was given
 *
 * @param array                $attr
 * @param HTMLPurifier_Config  $config
 * @param HTMLPurifier_Context $context
 * @return array
 */
public function transform($attr, $config, $context)
{
    $type = isset($attr['type']) ? strtolower($attr['type']) : 'text';
    $isToggle  = ($type === 'radio' || $type === 'checkbox');
    $isTextual = ($type === 'text' || $type === 'password');

    if (!$isToggle && isset($attr['checked'])) {
        unset($attr['checked']);
    }
    if (!$isTextual) {
        if (isset($attr['maxlength'])) {
            unset($attr['maxlength']);
        }
        if (isset($attr['size'])) {
            $validated = $this->pixels->validate($attr['size'], $config, $context);
            if ($validated === false) {
                unset($attr['size']);
            } else {
                $attr['size'] = $validated;
            }
        }
    }
    if ($type !== 'image' && isset($attr['src'])) {
        unset($attr['src']);
    }
    if ($isToggle && !isset($attr['value'])) {
        $attr['value'] = '';
    }
    return $attr;
}
":$length;"); 45 | return $attr; 46 | } 47 | } 48 | 49 | 50 | -------------------------------------------------------------------------------- /src/HTMLPurifier/HTMLPurifier/AttrTransform/HTMLPurifier_AttrTransform_Name.php: -------------------------------------------------------------------------------- 1 | get('HTML.Attr.Name.UseCDATA')) { 23 | return $attr; 24 | } 25 | if (!isset($attr['name'])) { 26 | return $attr; 27 | } 28 | $id = $this->confiscateAttr($attr, 'name'); 29 | if (isset($attr['id'])) { 30 | return $attr; 31 | } 32 | $attr['id'] = $id; 33 | return $attr; 34 | } 35 | } 36 | 37 | 38 | -------------------------------------------------------------------------------- /src/HTMLPurifier/HTMLPurifier/AttrTransform/HTMLPurifier_AttrTransform_NameSync.php: -------------------------------------------------------------------------------- 1 | idDef = new HTMLPurifier_AttrDef_HTML_ID(); 19 | } 20 | 21 | /** 22 | * @param array $attr 23 | * @param HTMLPurifier_Config $config 24 | * @param HTMLPurifier_Context $context 25 | * @return array 26 | */ 27 | public function transform($attr, $config, $context) 28 | { 29 | if (!isset($attr['name'])) { 30 | return $attr; 31 | } 32 | $name = $attr['name']; 33 | if (isset($attr['id']) && $attr['id'] === $name) { 34 | return $attr; 35 | } 36 | $result = $this->idDef->validate($name, $config, $context); 37 | if ($result === false) { 38 | unset($attr['name']); 39 | } else { 40 | $attr['name'] = $result; 41 | } 42 | return $attr; 43 | } 44 | } 45 | 46 | 47 | -------------------------------------------------------------------------------- /src/HTMLPurifier/HTMLPurifier/AttrTransform/HTMLPurifier_AttrTransform_Nofollow.php: -------------------------------------------------------------------------------- 1 | parser = new HTMLPurifier_URIParser(); 23 | } 24 | 25 | /** 26 | * @param array $attr 27 | * @param HTMLPurifier_Config $config 28 | * @param HTMLPurifier_Context $context 29 | * @return array 30 | */ 31 | public function 
/**
 * Guarantees a `type` attribute on script elements, defaulting to
 * text/javascript when the author omitted it.
 *
 * Registered by the SafeScripting module as both pre- and post-transform,
 * where the element definition only admits `type` => Enum#text/javascript;
 * the default chosen here is therefore the one value that will pass
 * attribute validation.
 */
class HTMLPurifier_AttrTransform_ScriptRequired extends HTMLPurifier_AttrTransform
{
    /**
     * @param array                $attr
     * @param HTMLPurifier_Config  $config
     * @param HTMLPurifier_Context $context
     * @return array
     */
    public function transform($attr, $config, $context)
    {
        $hasType = isset($attr['type']);
        if ($hasType) {
            return $attr;
        }
        $attr['type'] = 'text/javascript';
        return $attr;
    }
}
/**
 * Supplies default cols/rows for textarea elements that lack them.
 */
class HTMLPurifier_AttrTransform_Textarea extends HTMLPurifier_AttrTransform
{
    /**
     * @param array                $attr
     * @param HTMLPurifier_Config  $config
     * @param HTMLPurifier_Context $context
     * @return array
     */
    public function transform($attr, $config, $context)
    {
        // Defaults match what Firefox renders when the attributes are absent.
        $defaults = array('cols' => '22', 'rows' => '3');
        foreach ($defaults as $key => $fallback) {
            if (!isset($attr[$key])) {
                $attr[$key] = $fallback;
            }
        }
        return $attr;
    }
}
/**
 * Registers the bdo element and makes `dir` available through the I18N
 * attribute collection.
 *
 * `dir` is restricted to the two values ltr/rtl in both places, and the
 * BdoDir post-transform fills in a default direction on bdo when it is
 * missing (bdo requires it).
 *
 * @param HTMLPurifier_Config $config
 */
public function setup($config)
{
    $direction = 'Enum#ltr,rtl';

    // The Abstract Modules spec omits Lang from bdo's attribute inclusions;
    // bdo does allow Lang, so it is listed explicitly alongside Core.
    $attrs = array('dir' => $direction); // required on bdo
    $bdo = $this->addElement('bdo', 'Inline', 'Inline', array('Core', 'Lang'), $attrs);
    $bdo->attr_transform_post[] = new HTMLPurifier_AttrTransform_BdoDir();

    $this->attr_collections['I18N']['dir'] = $direction;
}
/**
 * Builds the chameleon child definition used by del/ins.
 *
 * Only definitions whose content_model_type is "chameleon" are handled;
 * anything else returns false so the default resolution applies. The
 * content model is expected as "inline!block": the first segment is the
 * inline content model and the second the block one, matching the
 * Chameleon constructor's ($inline, $block) parameter order.
 *
 * @param HTMLPurifier_ElementDef $def
 * @return HTMLPurifier_ChildDef_Chameleon|false
 */
public function getChildDef($def)
{
    if ($def->content_model_type != 'chameleon') {
        return false;
    }
    list($inlineModel, $blockModel) = explode('!', $def->content_model);
    return new HTMLPurifier_ChildDef_Chameleon($inlineModel, $blockModel);
}
/**
 * Registers the list elements: ol/ul (validated by the List ChildDef),
 * dl (dt|dd required), and the item elements li, dd, dt.
 *
 * @param HTMLPurifier_Config $config
 */
public function setup($config)
{
    // ol and ul share a definition. The List ChildDef does the real
    // validation; wrap = 'li' only gives MakeWellFormed enough to auto-close
    // and wrap stray children. (Upstream considered this split
    // unsatisfactory but kept it for the autoclosing behaviour.)
    foreach (array('ol', 'ul') as $listTag) {
        $element = $this->addElement($listTag, 'List', new HTMLPurifier_ChildDef_List(), 'Common');
        $element->wrap = 'li';
    }
    $this->addElement('dl', 'List', 'Required: dt | dd', 'Common');

    // Item elements, registered with the same arguments as upstream.
    $this->addElement('li', false, 'Flow', 'Common');
    $this->addElement('dd', false, 'Flow', 'Common');
    $this->addElement('dt', false, 'Inline', 'Common');
}
/**
 * XHTML 1.1 Object Module: the raw `object` and `param` elements.
 *
 * SECURITY: this module is flagged unsafe ($safe = false). It exposes
 * archive/classid/codebase/data as free-form URIs, which amounts to letting
 * markup load arbitrary plugins and external content. For untrusted input
 * the SafeObject module is the one to use (fixed Flash type, pixel-bounded
 * size, enumerated codebase, SafeParam transform); this module is
 * presumably only activated in trusted mode — confirm against the core's
 * handling of the $safe flag before enabling it.
 *
 * Per the file header, nesting objects as legacy-browser fallback is not
 * permitted by this module.
 */
class HTMLPurifier_HTMLModule_Object extends HTMLPurifier_HTMLModule
{
    /**
     * @type string
     */
    public $name = 'Object';

    /**
     * @type bool Unsafe module; see class comment.
     */
    public $safe = false;

    /**
     * @param HTMLPurifier_Config $config
     */
    public function setup($config)
    {
        $objectAttrs = array(
            'archive'  => 'URI',
            'classid'  => 'URI',
            'codebase' => 'URI',
            'codetype' => 'Text',
            'data'     => 'URI',
            'declare'  => 'Bool#declare',
            'height'   => 'Length',
            'name'     => 'CDATA',
            'standby'  => 'Text',
            'tabindex' => 'Number',
            'type'     => 'ContentType',
            'width'    => 'Length'
        );
        $this->addElement('object', 'Inline', 'Optional: #PCDATA | Flow | param', 'Common', $objectAttrs);

        // The trailing "*" on name presumably marks it required, as with
        // alt*/src* in the other modules.
        $paramAttrs = array(
            'id'        => 'ID',
            'name*'     => 'Text',
            'type'      => 'Text',
            'value'     => 'Text',
            'valuetype' => 'Enum#data,ref,object'
        );
        $this->addElement('param', false, 'Empty', null, $paramAttrs);
    }
}
$this->addElement('i', 'Inline', 'Inline', 'Common'); 38 | $i->formatting = true; 39 | $small = $this->addElement('small', 'Inline', 'Inline', 'Common'); 40 | $small->formatting = true; 41 | $tt = $this->addElement('tt', 'Inline', 'Inline', 'Common'); 42 | $tt->formatting = true; 43 | } 44 | } 45 | 46 | 47 | -------------------------------------------------------------------------------- /src/HTMLPurifier/HTMLPurifier/HTMLModule/HTMLPurifier_HTMLModule_Proprietary.php: -------------------------------------------------------------------------------- 1 | addElement( 24 | 'marquee', 25 | 'Inline', 26 | 'Flow', 27 | 'Common', 28 | array( 29 | 'direction' => 'Enum#left,right,up,down', 30 | 'behavior' => 'Enum#alternate', 31 | 'width' => 'Length', 32 | 'height' => 'Length', 33 | 'scrolldelay' => 'Number', 34 | 'scrollamount' => 'Number', 35 | 'loop' => 'Number', 36 | 'bgcolor' => 'Color', 37 | 'hspace' => 'Pixels', 38 | 'vspace' => 'Pixels', 39 | ) 40 | ); 41 | } 42 | } 43 | 44 | 45 | -------------------------------------------------------------------------------- /src/HTMLPurifier/HTMLPurifier/HTMLModule/HTMLPurifier_HTMLModule_SafeEmbed.php: -------------------------------------------------------------------------------- 1 | get('HTML.MaxImgLength'); 23 | $embed = $this->addElement( 24 | 'embed', 25 | 'Inline', 26 | 'Empty', 27 | 'Common', 28 | array( 29 | 'src*' => 'URI#embedded', 30 | 'type' => 'Enum#application/x-shockwave-flash', 31 | 'width' => 'Pixels#' . $max, 32 | 'height' => 'Pixels#' . 
$max, 33 | 'allowscriptaccess' => 'Enum#never', 34 | 'allownetworking' => 'Enum#internal', 35 | 'flashvars' => 'Text', 36 | 'wmode' => 'Enum#window,transparent,opaque', 37 | 'name' => 'ID', 38 | ) 39 | ); 40 | $embed->attr_transform_post[] = new HTMLPurifier_AttrTransform_SafeEmbed(); 41 | } 42 | } 43 | 44 | 45 | -------------------------------------------------------------------------------- /src/HTMLPurifier/HTMLPurifier/HTMLModule/HTMLPurifier_HTMLModule_SafeObject.php: -------------------------------------------------------------------------------- 1 | get('HTML.MaxImgLength'); 29 | $object = $this->addElement( 30 | 'object', 31 | 'Inline', 32 | 'Optional: param | Flow | #PCDATA', 33 | 'Common', 34 | array( 35 | // While technically not required by the spec, we're forcing 36 | // it to this value. 37 | 'type' => 'Enum#application/x-shockwave-flash', 38 | 'width' => 'Pixels#' . $max, 39 | 'height' => 'Pixels#' . $max, 40 | 'data' => 'URI#embedded', 41 | 'codebase' => new HTMLPurifier_AttrDef_Enum( 42 | array( 43 | 'http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0' 44 | ) 45 | ), 46 | ) 47 | ); 48 | $object->attr_transform_post[] = new HTMLPurifier_AttrTransform_SafeObject(); 49 | 50 | $param = $this->addElement( 51 | 'param', 52 | false, 53 | 'Empty', 54 | false, 55 | array( 56 | 'id' => 'ID', 57 | 'name*' => 'Text', 58 | 'value' => 'Text' 59 | ) 60 | ); 61 | $param->attr_transform_post[] = new HTMLPurifier_AttrTransform_SafeParam(); 62 | $this->info_injector[] = 'SafeObject'; 63 | } 64 | } 65 | 66 | 67 | -------------------------------------------------------------------------------- /src/HTMLPurifier/HTMLPurifier/HTMLModule/HTMLPurifier_HTMLModule_SafeScripting.php: -------------------------------------------------------------------------------- 1 | get('HTML.SafeScripting'); 29 | $script = $this->addElement( 30 | 'script', 31 | 'Inline', 32 | 'Empty', 33 | null, 34 | array( 35 | // While technically not required by the 
/**
 * Installs the CSS validator for the `style` attribute.
 *
 * The attribute is declared as `false` in $attr_collections ("see
 * constructor") and is replaced here with a real HTMLPurifier_AttrDef_CSS
 * instance, which is what actually validates inline CSS before it is
 * allowed through.
 *
 * @param HTMLPurifier_Config $config Unused; kept for the HTMLModule setup() contract.
 */
public function setup($config)
{
    $cssValidator = new HTMLPurifier_AttrDef_CSS();
    $this->attr_collections['Style']['style'] = $cssValidator;
}
HTMLPurifier_AttrTransform_TargetNoopener(); 26 | } 27 | } 28 | -------------------------------------------------------------------------------- /src/HTMLPurifier/HTMLPurifier/HTMLModule/HTMLPurifier_HTMLModule_TargetNoreferrer.php: -------------------------------------------------------------------------------- 1 | addBlankElement('a'); 25 | $a->attr_transform_post[] = new HTMLPurifier_AttrTransform_TargetNoreferrer(); 26 | } 27 | } 28 | -------------------------------------------------------------------------------- /src/HTMLPurifier/HTMLPurifier/HTMLModule/HTMLPurifier_HTMLModule_XMLCommonAttributes.php: -------------------------------------------------------------------------------- 1 | array( 19 | 'xml:lang' => 'LanguageCode', 20 | ) 21 | ); 22 | } 23 | 24 | 25 | -------------------------------------------------------------------------------- /src/HTMLPurifier/HTMLPurifier/HTMLModule/Tidy/HTMLPurifier_HTMLModule_Tidy_Name.php: -------------------------------------------------------------------------------- 1 | content_model_type != 'strictblockquote') { 41 | return parent::getChildDef($def); 42 | } 43 | return new HTMLPurifier_ChildDef_StrictBlockquote($def->content_model); 44 | } 45 | } 46 | 47 | 48 | -------------------------------------------------------------------------------- /src/HTMLPurifier/HTMLPurifier/HTMLModule/Tidy/HTMLPurifier_HTMLModule_Tidy_Transitional.php: -------------------------------------------------------------------------------- 1 | elements; 40 | } 41 | 42 | /** 43 | * Validates nodes according to definition and returns modification. 
44 | * 45 | * @param HTMLPurifier_Node[] $children Array of HTMLPurifier_Node 46 | * @param HTMLPurifier_Config $config HTMLPurifier_Config object 47 | * @param HTMLPurifier_Context $context HTMLPurifier_Context object 48 | * @return bool|array true to leave nodes as is, false to remove parent node, array of replacement children 49 | */ 50 | abstract public function validateChildren($children, $config, $context); 51 | } 52 | 53 | 54 | -------------------------------------------------------------------------------- /src/HTMLPurifier/HTMLPurifier/HTMLPurifier_Definition.php: -------------------------------------------------------------------------------- 1 | setup) { 42 | return; 43 | } 44 | $this->setup = true; 45 | $this->doSetup($config); 46 | } 47 | 48 | /** 49 | * Sets up the definition object into the final form, something 50 | * not done by the constructor 51 | * @param HTMLPurifier_Config $config 52 | */ 53 | abstract protected function doSetup($config); 54 | } 55 | 56 | 57 | -------------------------------------------------------------------------------- /src/HTMLPurifier/HTMLPurifier/HTMLPurifier_Doctype.php: -------------------------------------------------------------------------------- 1 | renderDoctype. 8 | * If structure changes, please update that function. 9 | */ 10 | class HTMLPurifier_Doctype 11 | { 12 | /** 13 | * Full name of doctype 14 | * @type string 15 | */ 16 | public $name; 17 | 18 | /** 19 | * List of standard modules (string identifiers or literal objects) 20 | * that this doctype uses 21 | * @type array 22 | */ 23 | public $modules = array(); 24 | 25 | /** 26 | * List of modules to use for tidying up code 27 | * @type array 28 | */ 29 | public $tidyModules = array(); 30 | 31 | /** 32 | * Is the language derived from XML (i.e. XHTML)? 
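/**
 * Loads the entity lookup table from its serialized file.
 *
 * The table is produced by the maintenance script generate_entity_file.php
 * and is expected to be a plain serialized array (no objects). Object
 * instantiation during unserialize() is therefore refused where the runtime
 * supports it, so a tampered or attacker-supplied .ser path cannot be used
 * for PHP object injection; the result is additionally checked to be an
 * array instead of being stored blindly.
 *
 * @param bool|string $file Path to the .ser file; false selects the bundled
 *        HTMLPurifier/EntityLookup/entities.ser under HTMLPURIFIER_PREFIX.
 * @throws HTMLPurifier_Exception if the file cannot be read or does not
 *         contain a serialized array
 * @note The serialized contents are versioned.
 * @warning This is not in constructor to help enforce the Singleton
 */
public function setup($file = false)
{
    if (!$file) {
        $file = HTMLPURIFIER_PREFIX . '/HTMLPurifier/EntityLookup/entities.ser';
    }
    $raw = is_readable($file) ? file_get_contents($file) : false;
    if ($raw === false) {
        throw new HTMLPurifier_Exception("Cannot read entity table $file");
    }
    // allowed_classes exists since PHP 7.0; older runtimes get the plain call.
    $table = PHP_VERSION_ID >= 70000
        ? unserialize($raw, array('allowed_classes' => false))
        : unserialize($raw);
    if (!is_array($table)) {
        throw new HTMLPurifier_Exception("Entity table $file is not a serialized array");
    }
    $this->table = $table;
}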
/**
 * Marks a list of IDs as already taken.
 *
 * Used to seed the accumulator with Attr.IDBlacklist so that purified
 * markup cannot reuse an ID the host page has reserved. Duplicates in
 * $array_of_ids are harmless: each ID simply maps to true.
 *
 * @param array $array_of_ids IDs to load into the lookup table
 */
public function load($array_of_ids)
{
    $taken = $this->ids;
    foreach ($array_of_ids as $identifier) {
        $taken[$identifier] = true;
    }
    $this->ids = $taken;
}
/**
 * Removes and returns the element at the front of the queue, or null
 * when the queue is empty.
 *
 * Two-stack queue: push() appends onto $input; when $output runs dry it
 * is refilled with the reversed $input so that array_pop() hands back
 * elements in FIFO order.
 *
 * @return mixed|null
 */
public function shift()
{
    if (empty($this->output)) {
        // migrate pending input once; reversing makes array_pop FIFO
        $this->output = array_reverse($this->input);
        $this->input = array();
    }
    return empty($this->output) ? null : array_pop($this->output);
}
/**
 * Turns "%Namespace.Directive" references in text into links to the
 * HTML Purifier documentation.
 *
 * The text token is replaced (by reference) with an array of tokens: plain
 * text for the unmatched stretches and an <a>...</a> triple for every
 * directive name. The href is built from AutoFormat.PurifierLinkify.DocURL
 * (read in prepare()) by substituting %s with the directive name; the
 * regex limits that name to letters, digits and a single dot, so nothing
 * else from the input reaches the attribute.
 *
 * @param HTMLPurifier_Token $token Text token, replaced in place
 */
public function handleText(&$token)
{
    if (!$this->allowsElement('a')) {
        return;
    }
    if (strpos($token->data, '%') === false) {
        return;
    }

    // With PREG_SPLIT_DELIM_CAPTURE the pieces alternate: even indexes are
    // literal text, odd indexes are the captured directive names.
    $pieces = preg_split('#%([a-z0-9]+\.[a-z0-9]+)#Si', $token->data, -1, PREG_SPLIT_DELIM_CAPTURE);
    $replacement = array();

    foreach ($pieces as $index => $piece) {
        $isDirective = ($index % 2) === 1;
        if (!$isDirective) {
            if ($piece !== '') {
                $replacement[] = new HTMLPurifier_Token_Text($piece);
            }
            continue;
        }
        $href = str_replace('%s', $piece, $this->docURL);
        $replacement[] = new HTMLPurifier_Token_Start('a', array('href' => $href));
        $replacement[] = new HTMLPurifier_Token_Text('%' . $piece);
        $replacement[] = new HTMLPurifier_Token_End('a');
    }

    $token = $replacement;
}
/**
 * Converts this comment node back into token form.
 *
 * Comments have no closing token, so the second element is always null.
 *
 * @return array array(HTMLPurifier_Token_Comment, null)
 */
public function toTokenPair()
{
    $comment = new HTMLPurifier_Token_Comment($this->data, $this->line, $this->col);
    return array($comment, null);
}
/**
 * Converts this element node back into token form.
 *
 * An empty element (<img/> style) becomes a single Token_Empty with a
 * null partner; otherwise a Token_Start / Token_End pair is returned, the
 * end token carrying the recorded end position and end armor.
 *
 * @return array array(start-or-empty token, end token or null)
 */
public function toTokenPair()
{
    // XXX inefficiency here, normalization is not necessary
    if ($this->empty) {
        $single = new HTMLPurifier_Token_Empty($this->name, $this->attr, $this->line, $this->col, $this->armor);
        return array($single, null);
    }
    $open = new HTMLPurifier_Token_Start($this->name, $this->attr, $this->line, $this->col, $this->armor);
    $close = new HTMLPurifier_Token_End($this->name, array(), $this->endLine, $this->endCol, $this->endArmor);
    return array($open, $close);
}
/**
 * Renames the tag to $transform_to, optionally prepending the configured
 * CSS to its style attribute.
 *
 * The input token is cloned, not modified. CSS is only prepended on tokens
 * that can carry attributes (start and empty tags), never on end tags.
 *
 * @param HTMLPurifier_Token_Tag $tag
 * @param HTMLPurifier_Config $config
 * @param HTMLPurifier_Context $context
 * @return HTMLPurifier_Token_Tag renamed copy of $tag
 */
public function transform($tag, $config, $context)
{
    $renamed = clone $tag;
    $renamed->name = $this->transform_to;
    $carriesAttributes = $renamed instanceof HTMLPurifier_Token_Start
        || $renamed instanceof HTMLPurifier_Token_Empty;
    if ($carriesAttributes && !is_null($this->style)) {
        $this->prependCSS($renamed->attr, $this->style);
    }
    return $renamed;
}
/**
 * Non-overloaded constructor, which lower-cases the passed tag name.
 *
 * Attribute keys are lower-cased too. When both "Foo" and "foo" are
 * supplied, the already-lowercase key keeps its value (unless that value
 * is null) and the mixed-case duplicate is dropped.
 *
 * @param string $name String name.
 * @param array $attr Associative array of attributes.
 * @param int $line
 * @param int $col
 * @param array $armor
 */
public function __construct($name, $attr = array(), $line = null, $col = null, $armor = array())
{
    $this->name = ctype_lower($name) ? $name : strtolower($name);
    foreach ($attr as $key => $value) {
        if (ctype_lower($key)) {
            continue; // already canonical, nothing to do
        }
        $lowered = strtolower($key);
        if (!isset($attr[$lowered])) {
            $attr[$lowered] = $attr[$key];
        }
        if ($lowered !== $key) {
            unset($attr[$key]);
        }
    }
    $this->attr = $attr;
    $this->line = $line;
    $this->col = $col;
    $this->armor = $armor;
}
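/**
 * Rejects URIs whose host is not our own host or a subdomain of it.
 *
 * Labels are compared from the TLD downwards, so with URI.Host =
 * "example.com" both "example.com" and "cdn.example.com" pass, while
 * "example.com.attacker.net" and "notexample.com" are rejected. Relative
 * URIs (no host) are always kept. prepare() only fills $ourHostParts when
 * a host is configured; without one nothing can be proven local, so every
 * absolute URI is dropped. No case folding is done here — assumes hosts
 * were normalised earlier in the URI pipeline (TODO confirm).
 *
 * @param HTMLPurifier_URI $uri Reference
 * @param HTMLPurifier_Config $config
 * @param HTMLPurifier_Context $context
 * @return bool true to keep the URI, false to drop it
 */
public function filter(&$uri, $config, $context)
{
    if (is_null($uri->host)) {
        return true;
    }
    if ($this->ourHostParts === false) {
        return false;
    }
    $host_parts = array_reverse(explode('.', $uri->host));
    foreach ($this->ourHostParts as $i => $our_label) {
        if (!isset($host_parts[$i])) {
            return false;
        }
        // Strict comparison: labels are strings, and a loose != would treat
        // numeric-looking labels such as "10" and "1e1" (or "1" and "01")
        // as equal, letting a different host through.
        if ($host_parts[$i] !== $our_label) {
            return false;
        }
    }
    return true;
}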
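/**
 * Allows an iframe src only if it matches the URI.SafeIframeRegexp whitelist.
 *
 * Applies only when HTML.SafeIframe is on, the URI is an embedded resource
 * and the current token is an <iframe>; in every other case the URI is left
 * alone. With no regexp configured there is no whitelist, so every iframe
 * URI is rejected. The full URI string (scheme included) is what gets
 * matched.
 *
 * @param HTMLPurifier_URI $uri
 * @param HTMLPurifier_Config $config
 * @param HTMLPurifier_Context $context
 * @return bool true to keep the URI, false to drop it
 */
public function filter(&$uri, $config, $context)
{
    // check if filter not applicable
    if (!$config->get('HTML.SafeIframe')) {
        return true;
    }
    // check if the filter should actually trigger
    if (!$context->get('EmbeddedURI', true)) {
        return true;
    }
    $token = $context->get('CurrentToken', true);
    if (!($token && $token->name == 'iframe')) {
        return true;
    }
    // no whitelist configured means nothing is allowed
    if ($this->regexp === null) {
        return false;
    }
    // preg_match() returns 1, 0 or false (PCRE error); normalise so that an
    // error is an explicit deny and the documented bool return type holds.
    return preg_match($this->regexp, $uri->toString()) === 1;
}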
43 | $uri->query = null; 44 | return true; 45 | } 46 | } 47 | 48 | 49 | -------------------------------------------------------------------------------- /src/HTMLPurifier/HTMLPurifier/URIScheme/HTMLPurifier_URIScheme_ftp.php: -------------------------------------------------------------------------------- 1 | query = null; 36 | 37 | // typecode check 38 | $semicolon_pos = strrpos($uri->path, ';'); // reverse 39 | if ($semicolon_pos !== false) { 40 | $type = substr($uri->path, $semicolon_pos + 1); // no semicolon 41 | $uri->path = substr($uri->path, 0, $semicolon_pos); 42 | $type_ret = ''; 43 | if (strpos($type, '=') !== false) { 44 | // figure out whether or not the declaration is correct 45 | list($key, $typecode) = explode('=', $type, 2); 46 | if ($key !== 'type') { 47 | // invalid key, tack it back on encoded 48 | $uri->path .= '%3B' . $type; 49 | } elseif ($typecode === 'a' || $typecode === 'i' || $typecode === 'd') { 50 | $type_ret = ";type=$typecode"; 51 | } 52 | } else { 53 | $uri->path .= '%3B' . 
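/**
 * Evaluates a PHP expression and returns its value.
 *
 * SECURITY: this is a bare eval(). $expr runs with the full privileges of
 * the process, so it must only ever receive trusted, developer-authored
 * configuration strings — never anything derived from request input.
 *
 * @param string $expr PHP expression source (without trailing semicolon)
 * @return mixed value of the expression
 * @throws HTMLPurifier_VarParserException if the code fails to compile
 *         (PHP 5: eval() returns false; PHP 7+: ParseError is thrown)
 */
protected function evalExpression($expr)
{
    $var = null;
    try {
        $result = eval("\$var = $expr;");
    } catch (ParseError $e) {
        // Since PHP 7 a syntax error no longer makes eval() return false;
        // translate it into the exception callers already handle.
        throw new HTMLPurifier_VarParserException("Fatal error in evaluated code: " . $e->getMessage());
    }
    if ($result === false) {
        throw new HTMLPurifier_VarParserException("Fatal error in evaluated code");
    }
    return $var;
}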
/**
 * Collects JOIN fragments for a SELECT statement.
 *
 * Every argument is spliced into the SQL text verbatim: no quoting,
 * escaping or parameter binding happens here. Table names, column
 * references and the operator must therefore come from application code,
 * never from request input.
 */
class JoinClause extends ClauseContainer
{
    /**
     * Adds a LEFT OUTER JOIN.
     *
     * @param string $table
     * @param string $first left-hand side of the ON condition
     * @param string|null $operator comparison operator
     * @param string|null $second right-hand side of the ON condition
     */
    public function leftJoin($table, $first, $operator = null, $second = null)
    {
        $this->join($table, $first, $operator, $second, 'LEFT OUTER');
    }

    /**
     * Adds a JOIN of the given type; null parts render as empty strings.
     *
     * @param string $table
     * @param string $first
     * @param string|null $operator
     * @param string|null $second
     * @param string $joinType SQL join keyword(s), e.g. 'INNER', 'LEFT OUTER'
     */
    public function join($table, $first, $operator = null, $second = null, $joinType = 'INNER')
    {
        $fragment = sprintf(' %s JOIN %s ON %s %s %s', $joinType, $table, $first, $operator, $second);
        $this->container[] = $fragment;
    }

    /**
     * Adds a RIGHT OUTER JOIN.
     *
     * @param string $table
     * @param string $first
     * @param string|null $operator
     * @param string|null $second
     */
    public function rightJoin($table, $first, $operator = null, $second = null)
    {
        $this->join($table, $first, $operator, $second, 'RIGHT OUTER');
    }

    /**
     * Adds a FULL OUTER JOIN.
     *
     * @param string $table
     * @param string $first
     * @param string|null $operator
     * @param string|null $second
     */
    public function fullJoin($table, $first, $operator = null, $second = null)
    {
        $this->join($table, $first, $operator, $second, 'FULL OUTER');
    }

    /**
     * Renders all joins in insertion order; empty string when none were added.
     *
     * @return string
     */
    public function __toString()
    {
        if (empty($this->container)) {
            return '';
        }
        return implode('', $this->container);
    }
}
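/**
 * Builds the LIMIT (and optional OFFSET) clause of a statement.
 *
 * Both values are cast with intval() before being concatenated, so no
 * string can reach the SQL text; negative values are never emitted.
 */
class LimitClause extends ClauseContainer
{
    /**
     * @var string|int|null Rendered "N" or "N OFFSET M" fragment, null when unset
     */
    private $limit = null;

    /**
     * Set the row limit and, optionally, the offset.
     *
     * Non-integer arguments raise E_USER_ERROR (fatal unless an error
     * handler continues). A negative $number never produces a clause: the
     * previous implementation only checked the sign of $number when no
     * offset was present, so limit(-1) rendered "LIMIT -1 OFFSET 0", which
     * is invalid SQL. A negative offset falls back to a plain "LIMIT N".
     *
     * @param int      $number Maximum number of rows, must be >= 0
     * @param int|null $offset Rows to skip; defaults to 0, null means "no OFFSET"
     */
    public function limit($number, $offset = 0)
    {
        if (!is_int($number) || (!is_null($offset) && !is_int($offset))) {
            trigger_error('Expects parameters as integers', E_USER_ERROR);
        }

        // Sign check applies to $number in both branches (see docblock).
        if ($number < 0) {
            return;
        }

        if (!is_null($offset) && $offset >= 0) {
            $this->limit = intval($number) . ' OFFSET ' . intval($offset);
        } else {
            $this->limit = intval($number);
        }
    }

    /**
     * Render the clause, or an empty string when limit() was never called
     * with an acceptable value.
     *
     * @return string
     */
    public function __toString()
    {
        if (is_null($this->limit)) {
            return '';
        }

        return ' LIMIT ' . $this->limit;
    }
}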
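/**
 * Builds the ORDER BY clause of a statement.
 */
class OrderClause extends ClauseContainer
{
    /**
     * Append an ORDER BY term.
     *
     * $column is concatenated into the SQL verbatim (identifiers cannot be
     * bound as PDO parameters), so it must be a developer-controlled name.
     * $direction, by contrast, frequently arrives from a request
     * ("?sort=asc"), so it is restricted to ASC / DESC (case-insensitive,
     * surrounding whitespace ignored). Any other value raises E_USER_WARNING
     * and is rendered as ASC instead of being spliced into the query; the
     * previous implementation appended strtoupper($direction) unchecked.
     *
     * @param string $column    Column name or expression to sort by
     * @param string $direction 'ASC' or 'DESC', default 'ASC'
     */
    public function orderBy($column, $direction = 'ASC')
    {
        $direction = strtoupper(trim((string) $direction));
        if ($direction !== 'ASC' && $direction !== 'DESC') {
            // Do not echo the rejected value: it may be attacker-controlled.
            trigger_error('Order direction must be ASC or DESC', E_USER_WARNING);
            $direction = 'ASC';
        }

        $this->container[] = $column . ' ' . $direction;
    }

    /**
     * Render all terms joined by " , ", or an empty string when none were added.
     *
     * @return string
     */
    public function __toString()
    {
        if (empty($this->container)) {
            return '';
        }

        return ' ORDER BY ' . implode(' , ', $this->container);
    }
}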
@param null $table 69 | * 70 | * @return DeleteStatement 71 | */ 72 | public function delete($table = null) 73 | { 74 | return new DeleteStatement($this, $table); 75 | } 76 | 77 | /** 78 | * @return array 79 | */ 80 | protected function getDefaultOptions() 81 | { 82 | return array( 83 | \PDO::ATTR_ERRMODE => \PDO::ERRMODE_EXCEPTION, 84 | \PDO::ATTR_DEFAULT_FETCH_MODE => \PDO::FETCH_ASSOC, 85 | \PDO::ATTR_EMULATE_PREPARES => false, 86 | \PDO::ATTR_STATEMENT_CLASS => array('Security\\PDO\\Statement', array($this)), 87 | ); 88 | } 89 | } 90 | -------------------------------------------------------------------------------- /src/SLIM/LICENSE: -------------------------------------------------------------------------------- 1 | The MIT License (MIT) 2 | 3 | Copyright (c) 2015-2019 Fabian de Laender 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
/**
 * Fluent builder for a DELETE statement.
 *
 * The table name is concatenated into the SQL verbatim and must be
 * developer-controlled. Only the WHERE values are bound as parameters; if
 * the where clause renders empty, the statement deletes every row of the
 * table, so callers should make sure a condition was added.
 */
class DeleteStatement extends StatementContainer
{
    /**
     * @param Database $dbh   Connection the statement executes on
     * @param string   $table Target table (may be replaced via from())
     */
    public function __construct(Database $dbh, $table)
    {
        parent::__construct($dbh);
        $this->setTable($table);
    }

    /**
     * Set the table to delete from.
     *
     * @param string $table
     * @return $this
     */
    public function from($table)
    {
        $this->setTable($table);

        return $this;
    }

    /**
     * Render "DELETE FROM <table>" followed by the WHERE, ORDER BY and
     * LIMIT clauses (each renders empty when unset). Raises E_USER_ERROR
     * when no table is set.
     *
     * @return string
     */
    public function __toString()
    {
        if (empty($this->table)) {
            trigger_error('No table is set for deletion', E_USER_ERROR);
        }

        $parts = array(
            'DELETE FROM ' . $this->table,
            $this->whereClause,
            $this->orderClause,
            $this->limitClause,
        );

        return implode('', $parts);
    }

    /**
     * Execute the statement and report how many rows were deleted.
     *
     * @return int
     */
    public function execute()
    {
        $statement = parent::execute();

        return $statement->rowCount();
    }
}
21 | * 22 | * @param Database $dbh 23 | * @param array $pairs 24 | */ 25 | public function __construct(Database $dbh, array $pairs) 26 | { 27 | parent::__construct($dbh); 28 | 29 | $this->set($pairs); 30 | } 31 | 32 | /** 33 | * @param array $pairs 34 | * 35 | * @return $this 36 | */ 37 | public function set(array $pairs) 38 | { 39 | foreach ($pairs as $column => $value) { 40 | $this->columns[] = $column . ' = ?'; 41 | $this->values[] = $value; 42 | } 43 | 44 | return $this; 45 | } 46 | 47 | /** 48 | * @param $table 49 | * 50 | * @return $this 51 | */ 52 | public function table($table) 53 | { 54 | $this->setTable($table); 55 | 56 | return $this; 57 | } 58 | 59 | /** 60 | * @return string 61 | */ 62 | public function __toString() 63 | { 64 | if (empty($this->table)) { 65 | trigger_error('No table is set for update', E_USER_ERROR); 66 | } 67 | 68 | if (empty($this->columns) && empty($this->values)) { 69 | trigger_error('Missing columns and values for update', E_USER_ERROR); 70 | } 71 | 72 | $sql = 'UPDATE ' . $this->table; 73 | $sql .= ' SET ' . $this->getColumns(); 74 | $sql .= $this->whereClause; 75 | $sql .= $this->orderClause; 76 | $sql .= $this->limitClause; 77 | 78 | return $sql; 79 | } 80 | 81 | /** 82 | * @return string 83 | */ 84 | protected function getColumns() 85 | { 86 | return implode(' , ', $this->columns); 87 | } 88 | 89 | /** 90 | * @return int 91 | */ 92 | public function execute() 93 | { 94 | return parent::execute()->rowCount(); 95 | } 96 | } 97 | -------------------------------------------------------------------------------- /src/SLIM/docs/AGGREGATES.md: -------------------------------------------------------------------------------- 1 | # Aggregates 2 | 3 | > Used only in [SELECT](https://github.com/FaaPz/Slim-PDO/blob/master/docs/Statement/SELECT.md) statements. 
4 | 5 | ### Methods 6 | 7 | ##### `count($column = '*', $as = null, $distinct = false)` 8 | 9 | Parameter | Type | Default | Description 10 | --- | --- | --- | --- 11 | `$column` | *string* | `'*'` | String containing column names 12 | `$as` | *string* | `null` | Column alias 13 | `$distinct` | *bool* | `false` | Boolean **DISTINCT** clause 14 | 15 | ##### `distinctCount($column = '*', $as = null)` 16 | 17 | Parameter | Type | Default | Description 18 | --- | --- | --- | --- 19 | `$column` | *string* | `'*'` | String containing column names 20 | `$as` | *string* | `null` | Column alias 21 | 22 | ##### `max($column, $as = null)` 23 | 24 | Parameter | Type | Default | Description 25 | --- | --- | --- | --- 26 | `$column` | *string* | required | Column name 27 | `$as` | *string* | `null` | Column alias 28 | 29 | ##### `min($column, $as = null)` 30 | 31 | Parameter | Type | Default | Description 32 | --- | --- | --- | --- 33 | `$column` | *string* | required | Column name 34 | `$as` | *string* | `null` | Column alias 35 | 36 | ##### `avg($column, $as = null)` 37 | 38 | Parameter | Type | Default | Description 39 | --- | --- | --- | --- 40 | `$column` | *string* | required | Column name 41 | `$as` | *string* | `null` | Column alias 42 | 43 | ##### `sum($column, $as = null)` 44 | 45 | Parameter | Type | Default | Description 46 | --- | --- | --- | --- 47 | `$column` | *string* | required | Column name 48 | `$as` | *string* | `null` | Column alias 49 | 50 | ### Examples 51 | 52 | ```php 53 | // ... COUNT( * ) 54 | $selectStatement->count(); 55 | 56 | // ... COUNT( votes ) AS all_votes 57 | $selectStatement->count('votes', 'all_votes'); 58 | 59 | // ... COUNT( DISTINCT customer_id ) 60 | $selectStatement->distinctCount('customer_id'); 61 | 62 | // ... 
MIN|MAX( salary ) , AVG( price ) , SUM( votes ) 63 | $selectStatement->min('salary'); 64 | $selectStatement->max('salary'); 65 | $selectStatement->avg('price'); 66 | $selectStatement->sum('votes'); 67 | ``` 68 | -------------------------------------------------------------------------------- /src/SLIM/docs/Clause/GROUP_BY.md: -------------------------------------------------------------------------------- 1 | # GROUP BY clause 2 | 3 | > Used only in [SELECT](https://github.com/FaaPz/Slim-PDO/blob/master/docs/Statement/SELECT.md) statements. 4 | 5 | ### Methods 6 | 7 | ##### `groupBy($columns)` 8 | 9 | Parameter | Type | Default | Description 10 | --- | --- | --- | --- 11 | `$columns` | *string* | required | String containing column names 12 | 13 | ### Examples 14 | 15 | ```php 16 | // ... GROUP BY f_name 17 | $selectStatement->groupBy('f_name'); 18 | ``` 19 | -------------------------------------------------------------------------------- /src/SLIM/docs/Clause/HAVING.md: -------------------------------------------------------------------------------- 1 | # HAVING clause 2 | 3 | > Used only in [SELECT](https://github.com/FaaPz/Slim-PDO/blob/master/docs/Statement/SELECT.md) statements. 
4 | 5 | ### Methods 6 | 7 | ##### `having($column, $operator = null, $chainType = 'AND')` 8 | 9 | Parameter | Type | Default | Description 10 | --- | --- | --- | --- 11 | `$column` | *string* | required | Column name 12 | `$operator` | *string* | `null` | Logic operator 13 | `$chainType` | *string* | `'AND'` | Chain type: `AND` or `OR` 14 | 15 | ##### `orHaving($column, $operator = null)` 16 | 17 | Parameter | Type | Default | Description 18 | --- | --- | --- | --- 19 | `$column` | *string* | required | Column name 20 | `$operator` | *string* | `null` | Logic operator 21 | 22 | ##### `havingCount($column, $operator = null)` 23 | 24 | Parameter | Type | Default | Description 25 | --- | --- | --- | --- 26 | `$column` | *string* | required | Column name 27 | `$operator` | *string* | `null` | Logic operator 28 | 29 | ##### `havingMax($column, $operator = null)` 30 | 31 | Parameter | Type | Default | Description 32 | --- | --- | --- | --- 33 | `$column` | *string* | required | Column name 34 | `$operator` | *string* | `null` | Logic operator 35 | 36 | ##### `havingMin($column, $operator = null)` 37 | 38 | Parameter | Type | Default | Description 39 | --- | --- | --- | --- 40 | `$column` | *string* | required | Column name 41 | `$operator` | *string* | `null` | Logic operator 42 | 43 | ##### `havingAvg($column, $operator = null)` 44 | 45 | Parameter | Type | Default | Description 46 | --- | --- | --- | --- 47 | `$column` | *string* | required | Column name 48 | `$operator` | *string* | `null` | Logic operator 49 | 50 | ##### `havingSum($column, $operator = null)` 51 | 52 | Parameter | Type | Default | Description 53 | --- | --- | --- | --- 54 | `$column` | *string* | required | Column name 55 | `$operator` | *string* | `null` | Logic operator 56 | 57 | ### Examples 58 | 59 | ```php 60 | // ... HAVING MIN( price ) > ? OR MAX( price ) < ? 61 | $selectStatement->having('MIN( price )', '>', 125)->orHaving('MAX( price )', '<', 250); 62 | 63 | // ... HAVING COUNT( * ) > ? 
64 | $selectStatement->havingCount('*', '>', 1234); 65 | 66 | // ... HAVING MIN|MAX( salary ) > ? 67 | $selectStatement->havingMin('salary', '>', 25000); 68 | $selectStatement->havingMax('salary', '<', 50000); 69 | 70 | // ... HAVING AVG( price ) < ? 71 | $selectStatement->havingAvg('price', '<', 12.5); 72 | 73 | // ... HAVING SUM( votes ) > ? 74 | $selectStatement->havingSum('votes', '>', 25); 75 | ``` 76 | -------------------------------------------------------------------------------- /src/SLIM/docs/Clause/JOIN.md: -------------------------------------------------------------------------------- 1 | # JOIN clause 2 | 3 | > Used only in [SELECT](https://github.com/FaaPz/Slim-PDO/blob/master/docs/Statement/SELECT.md) statements. 4 | 5 | ### Methods 6 | 7 | ##### `join($table, $first, $operator = null, $second = null, $joinType = 'INNER')` 8 | 9 | Parameter | Type | Default | Description 10 | --- | --- | --- | --- 11 | `$table` | *string* | required | Table name 12 | `$first` | *string* | required | Column name 13 | `$operator` | *string* | `null` | Logical operator 14 | `$second` | *string* | `null` | Column name 15 | `$joinType` | *string* | `'INNER'` | Join type: `INNER`, `LEFT OUTER`, `RIGHT OUTER` or `FULL OUTER` 16 | 17 | ##### `leftJoin($table, $first, $operator = null, $second = null)` 18 | 19 | Parameter | Type | Default | Description 20 | --- | --- | --- | --- 21 | `$table` | *string* | required | Table name 22 | `$first` | *string* | required | Column name 23 | `$operator` | *string* | `null` | Logical operator 24 | `$second` | *string* | `null` | Column name 25 | 26 | ##### `rightJoin($table, $first, $operator = null, $second = null)` 27 | 28 | Parameter | Type | Default | Description 29 | --- | --- | --- | --- 30 | `$table` | *string* | required | Table name 31 | `$first` | *string* | required | Column name 32 | `$operator` | *string* | `null` | Logical operator 33 | `$second` | *string* | `null` | Column name 34 | 35 | ##### `fullJoin($table, $first, 
$operator = null, $second = null)` 36 | 37 | Parameter | Type | Default | Description 38 | --- | --- | --- | --- 39 | `$table` | *string* | required | Table name 40 | `$first` | *string* | required | Column name 41 | `$operator` | *string* | `null` | Logical operator 42 | `$second` | *string* | `null` | Column name 43 | 44 | ### Examples 45 | 46 | ```php 47 | // ... INNER JOIN orders ON customers.id = orders.customer_id 48 | $selectStatement->join('orders', 'customers.id', '=', 'orders.customer_id'); 49 | $selectStatement->join('orders', 'customers.id', '=', 'orders.customer_id', 'INNER'); 50 | 51 | // ... LEFT OUTER JOIN orders ON customers.id = orders.customer_id 52 | $selectStatement->leftJoin('orders', 'customers.id', '=', 'orders.customer_id'); 53 | 54 | // ... RIGHT OUTER JOIN orders ON customers.id = orders.customer_id 55 | $selectStatement->rightJoin('orders', 'customers.id', '=', 'orders.customer_id'); 56 | 57 | // ... FULL OUTER JOIN orders ON customers.id = orders.customer_id 58 | $selectStatement->fullJoin('orders', 'customers.id', '=', 'orders.customer_id'); 59 | ``` 60 | -------------------------------------------------------------------------------- /src/SLIM/docs/Clause/LIMIT.md: -------------------------------------------------------------------------------- 1 | # LIMIT clause 2 | 3 | > Used in [SELECT](https://github.com/FaaPz/Slim-PDO/blob/master/docs/Statement/SELECT.md), [UPDATE](https://github.com/FaaPz/Slim-PDO/blob/master/docs/Statement/UPDATE.md) and [DELETE](https://github.com/FaaPz/Slim-PDO/blob/master/docs/Statement/DELETE.md) statements. 4 | 5 | ### Methods 6 | 7 | ##### `limit($number, $offset = null)` 8 | 9 | Parameter | Type | Default | Description 10 | --- | --- | --- | --- 11 | `$number` | *int* | required | Number of rows 12 | `$offset` | *int* | `null` | Offset value 13 | 14 | ### Examples 15 | 16 | ```php 17 | // ... LIMIT 10 18 | $statement->limit(10); 19 | 20 | // ... 
 LIMIT 10 OFFSET 30 21 | $statement->limit(10, 30); 22 | ``` 23 | -------------------------------------------------------------------------------- /src/SLIM/docs/Clause/OFFSET.md: -------------------------------------------------------------------------------- 1 | # OFFSET clause 2 | 3 | > Used only in [SELECT](https://github.com/FaaPz/Slim-PDO/blob/master/docs/Statement/SELECT.md) statements. 4 | 5 | ### Methods 6 | 7 | ##### `offset($number)` 8 | 9 | Parameter | Type | Default | Description 10 | --- | --- | --- | --- 11 | `$number` | *int* | required | Number of rows to skip (must be a non-negative integer) 12 | 13 | ### Examples 14 | 15 | ```php 16 | // ... OFFSET 20 17 | $selectStatement->offset(20); 18 | ``` 19 | -------------------------------------------------------------------------------- /src/SLIM/docs/Clause/ORDER_BY.md: -------------------------------------------------------------------------------- 1 | # ORDER BY clause 2 | 3 | > Used in [SELECT](https://github.com/FaaPz/Slim-PDO/blob/master/docs/Statement/SELECT.md), [UPDATE](https://github.com/FaaPz/Slim-PDO/blob/master/docs/Statement/UPDATE.md) and [DELETE](https://github.com/FaaPz/Slim-PDO/blob/master/docs/Statement/DELETE.md) statements. 4 | 5 | ### Methods 6 | 7 | ##### `orderBy($column, $direction = 'ASC')` 8 | 9 | Parameter | Type | Default | Description 10 | --- | --- | --- | --- 11 | `$column` | *string* | required | Column name. It is inserted into the SQL verbatim, not bound as a parameter, so it must not be taken from untrusted input. 12 | `$direction` | *string* | `'ASC'` | Direction: `ASC` or `DESC` 13 | 14 | ### Examples 15 | 16 | ```php 17 | // ... ORDER BY l_name ASC 18 | $statement->orderBy('l_name'); 19 | $statement->orderBy('l_name', 'ASC'); 20 | 21 | // ...
ORDER BY l_name DESC 22 | $statement->orderBy('l_name', 'DESC'); 23 | ``` 24 | -------------------------------------------------------------------------------- /src/SLIM/docs/README.md: -------------------------------------------------------------------------------- 1 | # Documentation 2 | 3 | > **IMPORTANT!** Before reading through the following commands and methods, please be aware that it is possible to use raw PDO stuff, like `fetch()`, `fetchAll()`, `execute()` and the others whenever you feel you need to. 4 | 5 | ### Statements 6 | 7 | + [SELECT](https://github.com/FaaPz/Slim-PDO/blob/master/docs/Statement/SELECT.md) 8 | + [INSERT](https://github.com/FaaPz/Slim-PDO/blob/master/docs/Statement/INSERT.md) 9 | + [UPDATE](https://github.com/FaaPz/Slim-PDO/blob/master/docs/Statement/UPDATE.md) 10 | + [DELETE](https://github.com/FaaPz/Slim-PDO/blob/master/docs/Statement/DELETE.md) 11 | 12 | ### Clauses 13 | 14 | + [JOIN](https://github.com/FaaPz/Slim-PDO/blob/master/docs/Clause/JOIN.md) 15 | + [WHERE](https://github.com/FaaPz/Slim-PDO/blob/master/docs/Clause/WHERE.md) 16 | + [GROUP BY](https://github.com/FaaPz/Slim-PDO/blob/master/docs/Clause/GROUP_BY.md) 17 | + [HAVING](https://github.com/FaaPz/Slim-PDO/blob/master/docs/Clause/HAVING.md) 18 | + [ORDER BY](https://github.com/FaaPz/Slim-PDO/blob/master/docs/Clause/ORDER_BY.md) 19 | + [LIMIT](https://github.com/FaaPz/Slim-PDO/blob/master/docs/Clause/LIMIT.md) 20 | + [OFFSET](https://github.com/FaaPz/Slim-PDO/blob/master/docs/Clause/OFFSET.md) 21 | 22 | ### Functions 23 | 24 | + [AGGREGATES](https://github.com/FaaPz/Slim-PDO/blob/master/docs/AGGREGATES.md) 25 | -------------------------------------------------------------------------------- /src/SLIM/docs/Statement/DELETE.md: -------------------------------------------------------------------------------- 1 | # DELETE statement 2 | 3 | ### Methods 4 | 5 | ##### `from($table)` 6 | 7 | Parameter | Type | Default | Description 8 | --- | --- | --- | --- 9 | `$table` | 
*string* | required | Table name 10 | 11 | ##### `execute()` 12 | 13 | ### Clauses 14 | 15 | + [WHERE](https://github.com/FaaPz/Slim-PDO/blob/master/docs/Clause/WHERE.md) 16 | + [ORDER BY](https://github.com/FaaPz/Slim-PDO/blob/master/docs/Clause/ORDER_BY.md) 17 | + [LIMIT](https://github.com/FaaPz/Slim-PDO/blob/master/docs/Clause/LIMIT.md) 18 | 19 | ### Examples 20 | 21 | ```php 22 | // DELETE FROM users WHERE id = ? 23 | $deleteStatement = $slimPdo->delete() 24 | ->from('users') 25 | ->where('id', '=', 1234); 26 | 27 | $affectedRows = $deleteStatement->execute(); 28 | ``` 29 | -------------------------------------------------------------------------------- /src/SLIM/docs/Statement/INSERT.md: -------------------------------------------------------------------------------- 1 | # INSERT statement 2 | 3 | ### Methods 4 | 5 | ##### `into($table)` 6 | 7 | Parameter | Type | Default | Description 8 | --- | --- | --- | --- 9 | `$table` | *string* | required | Table name 10 | 11 | ##### `columns(array $columns)` 12 | 13 | Parameter | Type | Default | Description 14 | --- | --- | --- | --- 15 | `$columns` | *array* | required | Array containing column names 16 | 17 | ##### `values(array $values)` 18 | 19 | Parameter | Type | Default | Description 20 | --- | --- | --- | --- 21 | `$values` | *array* | required | Array containing column values 22 | 23 | ##### `execute($insertId = true)` 24 | 25 | Parameter | Type | Default | Description 26 | --- | --- | --- | --- 27 | `$insertId` | *bool* | `true` | Boolean to return **lastInsertId** 28 | 29 | ### Examples 30 | 31 | ```php 32 | // INSERT INTO users ( id , usr , pwd ) VALUES ( ? , ? , ? ) 33 | $insertStatement = $slimPdo->insert(array('id', 'usr', 'pwd')) 34 | ->into('users') 35 | ->values(array(1234, 'your_username', 'your_password')); 36 | 37 | // INSERT INTO users ( id , usr , pwd ) VALUES ( ? , ? , ? 
) 38 | $insertStatement = $slimPdo->insert(array('id')) 39 | ->into('users') 40 | ->columns(array('usr', 'pwd')) 41 | ->values(array(1234, 'your_username', 'your_password')); 42 | 43 | $insertId = $insertStatement->execute(false); 44 | ``` 45 | -------------------------------------------------------------------------------- /src/SLIM/docs/Statement/UPDATE.md: -------------------------------------------------------------------------------- 1 | # UPDATE statement 2 | 3 | ### Methods 4 | 5 | ##### `table($table)` 6 | 7 | Parameter | Type | Default | Description 8 | --- | --- | --- | --- 9 | `$table` | *string* | required | Table name 10 | 11 | ##### `set(array $pairs)` 12 | 13 | Parameter | Type | Default | Description 14 | --- | --- | --- | --- 15 | `$pairs` | *array* | required | Array containing pairs of columns with values 16 | 17 | ##### `execute()` 18 | 19 | ### Clauses 20 | 21 | + [WHERE](https://github.com/FaaPz/Slim-PDO/blob/master/docs/Clause/WHERE.md) 22 | + [ORDER BY](https://github.com/FaaPz/Slim-PDO/blob/master/docs/Clause/ORDER_BY.md) 23 | + [LIMIT](https://github.com/FaaPz/Slim-PDO/blob/master/docs/Clause/LIMIT.md) 24 | 25 | ### Examples 26 | 27 | ```php 28 | // UPDATE users SET pwd = ? WHERE id = ? 29 | $updateStatement = $slimPdo->update(array('pwd' => 'your_new_password')) 30 | ->table('users') 31 | ->where('id', '=', 1234); 32 | 33 | // UPDATE users SET usr = ? , pwd = ? WHERE id = ? 
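/**
 * Class DefenseAgainstCSRF
 * @package Security\URLSecurity
 *
 * Verifies a CSRF token posted with a form against the session cookie.
 *
 * The expected token is derived deterministically from the session cookie
 * value and a server-side salt (see getCSRFToken()). The check therefore
 * only protects against cross-site requests when $salt is a secret that is
 * never exposed to clients: with the default empty salt, anyone who knows
 * (or can set, e.g. via a sibling subdomain) the session cookie can compute
 * a valid token. Token generation is not part of this class; whatever issues
 * tokens must use the same formula.
 */
class DefenseAgainstCSRF
{
    /**
     * DefenseAgainstCSRF constructor.
     */
    public function __construct()
    {
    }

    /**
     * Check the posted CSRF token against the one derived from the session cookie.
     *
     * Both values are read from superglobals: $_POST[$csrf_token_name] and
     * $_COOKIE[$session_name]. Each must be a string (array-shaped input such
     * as csrf_token[]=x is rejected instead of reaching trim()/strlen()), is
     * trimmed, and must be exactly 32 bytes (an md5 hex digest). The final
     * comparison uses hash_equals() so that a mismatch takes the same time
     * regardless of where the first differing byte is; the previous `===`
     * comparison did not guarantee that.
     *
     * @param string $csrf_token_name POST field holding the token (default 'csrf_token')
     * @param string $session_name    Cookie holding the session id (default 'session')
     * @param string $salt            Server-side secret mixed into the token; should be non-empty
     * @return bool true only when both values are present, well-formed and match
     */
    public function verifyCSRFToken($csrf_token_name = 'csrf_token', $session_name = 'session', $salt = '')
    {
        if (!isset($_POST[$csrf_token_name]) || !isset($_COOKIE[$session_name])) {
            return false;
        }
        if (!is_string($_POST[$csrf_token_name]) || !is_string($_COOKIE[$session_name])) {
            return false;
        }

        $session = trim($_COOKIE[$session_name]);
        $csrf_token = trim($_POST[$csrf_token_name]);

        if ($session === '' || $csrf_token === '') {
            return false;
        }
        if (strlen($session) !== 32 || strlen($csrf_token) !== 32) {
            return false;
        }

        // Constant-time comparison; known value first, user value second.
        return hash_equals($this->getCSRFToken($session, $salt), $csrf_token);
    }

    /**
     * Derive the expected token for a session id.
     *
     * The nested-md5 formula is kept byte-for-byte because tokens are issued
     * elsewhere with the same formula and must continue to verify. md5 is not
     * a suitable MAC; the scheme's strength rests entirely on $salt being
     * secret and non-empty.
     *
     * @param string $session 32-byte session id from the cookie
     * @param string $salt    Server-side secret
     * @return string 32-character lowercase hex token
     */
    private function getCSRFToken($session, $salt)
    {
        return md5(md5($session.'|'.$salt).'|'.$salt);
    }
}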
$key; 64 | if (method_exists($this, $func)) { 65 | $this->component[$key] = $this->$func(); 66 | } else { 67 | trigger_error(' unhandled key: ' . $key, E_USER_NOTICE); 68 | } 69 | } 70 | 71 | return isset($this->component[$key]) ? $this->component[$key] : null; 72 | } 73 | 74 | 75 | } 76 | --------------------------------------------------------------------------------