Basic validation of UTF-8 input via GET/POST vars: invalid UTF-8 sequences will cause the string to be dropped. Not necessarily super-thorough; should be improved in future to drop individual bad sequences, do normalization of combining forms, etc. General input validation (for ints, types of strings, etc) still would be good to have!
parent
0aa9f08dd2
commit
ebfa8bce27
36
lib/util.php
36
lib/util.php
|
@ -906,6 +906,28 @@ function common_shorten_links($text, $always = false)
|
||||||
return common_replace_urls_callback($text, array('File_redirection', 'makeShort'));
|
return common_replace_urls_callback($text, array('File_redirection', 'makeShort'));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Very basic stripping of invalid UTF-8 input text.
|
||||||
|
*
|
||||||
|
* @param string $str
|
||||||
|
* @return mixed string or null if invalid input
|
||||||
|
*
|
||||||
|
* @todo ideally we should drop bad chars, and maybe do some of the checks
|
||||||
|
* from common_xml_safe_str. But we can't strip newlines, etc.
|
||||||
|
* @todo Unicode normalization might also be useful, but not needed now.
|
||||||
|
*/
|
||||||
|
function common_validate_utf8($str)
|
||||||
|
{
|
||||||
|
// preg_replace will return NULL on invalid UTF-8 input.
|
||||||
|
return preg_replace('//u', '', $str);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Make sure an arbitrary string is safe for output in XML as a single line.
|
||||||
|
*
|
||||||
|
* @param string $str
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
function common_xml_safe_str($str)
|
function common_xml_safe_str($str)
|
||||||
{
|
{
|
||||||
// Replace common eol and extra whitespace input chars
|
// Replace common eol and extra whitespace input chars
|
||||||
|
@ -1663,19 +1685,25 @@ function common_config($main, $sub)
|
||||||
array_key_exists($sub, $config[$main])) ? $config[$main][$sub] : false;
|
array_key_exists($sub, $config[$main])) ? $config[$main][$sub] : false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Pull arguments from a GET/POST/REQUEST array with first-level input checks:
|
||||||
|
* strips "magic quotes" slashes if necessary, and kills invalid UTF-8 strings.
|
||||||
|
*
|
||||||
|
* @param array $from
|
||||||
|
* @return array
|
||||||
|
*/
|
||||||
function common_copy_args($from)
|
function common_copy_args($from)
|
||||||
{
|
{
|
||||||
$to = array();
|
$to = array();
|
||||||
$strip = get_magic_quotes_gpc();
|
$strip = get_magic_quotes_gpc();
|
||||||
foreach ($from as $k => $v) {
|
foreach ($from as $k => $v) {
|
||||||
if($strip) {
|
|
||||||
if(is_array($v)) {
|
if(is_array($v)) {
|
||||||
$to[$k] = common_copy_args($v);
|
$to[$k] = common_copy_args($v);
|
||||||
} else {
|
} else {
|
||||||
$to[$k] = stripslashes($v);
|
if ($strip) {
|
||||||
|
$v = stripslashes($v);
|
||||||
}
|
}
|
||||||
} else {
|
$to[$k] = strval(common_validate_utf8($v));
|
||||||
$to[$k] = $v;
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return $to;
|
return $to;
|
||||||
|
|
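Review bot: In the rewritten `common_copy_args` loop only the value is checked; the key `$k` comes from the same request array and is copied into `$to` unvalidated, so a parameter name with invalid UTF-8 still reaches callers. I would skip such entries before the `is_array($v)` test, e.g. `if (common_validate_utf8($k) === null) { continue; }`. Separately, `strval(common_validate_utf8($v))` turns a rejected value into `''`, which callers cannot tell apart from a field that was submitted empty; logging the rejection at that line would make malformed input visible to operators. The docblock on `common_validate_utf8` could also state that the `//u` check covers encoding validity only and does not remove NUL bytes or other control characters. The closing brace of `common_copy_args` lies outside the hunk.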