MeDBia/videodb/core/security.php
Malin f55c91276e feat: add videodb media index with Docker stack
- Add videodb PHP/MySQL media collection manager (Blu-ray, DVD, CD)
- Dockerfile: PHP 8.1 + Apache with GD/mysqli/exif extensions
- docker-compose.yml: app on port 6761 + MySQL 8.0 with health checks
- docker-entrypoint.sh: auto-generates config.inc.php from env vars,
  waits for MySQL, initializes DB schema idempotently
- init-db.php: CLI schema installer using app's own prefix_query() logic
- Persistent volumes for DB, cache, and cover images

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-11 09:49:52 +02:00


<?php
/**
* Security functions
*
* @package Core
* @author Andreas Goetz <cpuidle@gmx.de>
* @author tREXX <www.trexx.ch>
* @version $Id: security.php,v 1.2 2008/01/05 13:50:58 andig2 Exp $
*/
/**
 * Tags that strip_tags() keeps; every other tag is removed.
 *
 * strip_tags() leaves the attributes of allowed tags in place, so the
 * deny-list below is the only attribute filtering visible in this file.
 */
$allowedTags = implode('', [
    '<h1>', '<h2>', '<h3>', '<h4>',
    '<b>', '<strong>', '<i>', '<a>',
    '<ol>', '<ul>', '<li>',
    '<pre>', '<hr>', '<blockquote>',
]);

/**
 * Regex alternation of attribute names/prefixes that are rewritten inside a tag.
 *
 * NOTE(review): this is a deny-list. Event-handler attributes and
 * script-capable URL schemes that are not enumerated here pass through
 * unchanged, so output built from it should still be treated as untrusted
 * markup. An attribute allow-list would be the safer design.
 */
$stripAttrib = implode('|', [
    'javascript:',
    'onclick',
    'ondblclick',
    'onmousedown',
    'onmouseup',
    'onmouseover',
    'onmousemove',
    'onmouseout',
    'onkeypress',
    'onkeydown',
    'onkeyup',
]);
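/**
 * Replace deny-listed attribute names/prefixes inside one tag's source.
 *
 * Every case-insensitive match of the global $stripAttrib alternation is
 * replaced by the literal word "forbidden". Backslashes are removed as
 * before, but now BEFORE the match instead of after it: the deny-list must
 * be checked against the same text that is returned, otherwise removing
 * backslashes afterwards can rejoin a token the check had already passed.
 *
 * @param string $tagSource Text between "<" and ">" of a single tag.
 * @return string Filtered tag source; empty string if the regex engine fails.
 */
function removeEvilAttributes($tagSource)
{
    global $stripAttrib;

    // Normalise first, filter second.
    $normalised = stripslashes((string) $tagSource);

    $filtered = preg_replace("/$stripAttrib/i", 'forbidden', $normalised);

    // preg_replace() returns null on a PCRE error; fail closed rather than
    // hand back unfiltered input.
    return $filtered ?? '';
}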
/**
 * preg_replace_callback() adapter for a pattern shaped like (<)(.*?)(>).
 *
 * Reassembles the tag from its three capture groups, passing only the
 * middle group (the tag's source) through removeEvilAttributes().
 *
 * @param array $matches Match array: [1] opening bracket, [2] tag source, [3] closing bracket.
 * @return string The tag with its source filtered.
 */
function _callbackRemoveEvilAttributes($matches)
{
    $opening = $matches[1];
    $cleanedSource = removeEvilAttributes($matches[2]);
    $closing = $matches[3];

    return $opening . $cleanedSource . $closing;
}
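/**
 * Strip disallowed tags, then filter the attributes of the tags that remain.
 *
 * Tags not listed in the global $allowedTags are removed with strip_tags();
 * the source of every remaining tag is passed to removeEvilAttributes()
 * through _callbackRemoveEvilAttributes().
 *
 * The tag pattern uses [^>]* instead of .*? so that a tag whose source
 * contains line breaks is filtered as well. "." does not match a newline
 * without the s modifier, so such tags previously skipped the attribute
 * filter entirely.
 *
 * NOTE(review): this is deny-list filtering, not a full HTML sanitiser.
 * The result still needs context-appropriate escaping where it is rendered.
 *
 * @param string|null $source Markup to clean; null is returned unchanged.
 * @return string|null Cleaned markup; empty string if the regex engine fails.
 */
function removeEvilTags($source)
{
    global $allowedTags;

    // Preserve the original contract: null in, null out.
    if (is_null($source)) {
        return $source;
    }

    $stripped = strip_tags($source, $allowedTags);

    $filtered = preg_replace_callback(
        '/(<)([^>]*)(>)/',
        '_callbackRemoveEvilAttributes',
        $stripped
    );

    // preg_replace_callback() returns null on a PCRE error; fail closed
    // instead of returning markup whose attributes were never checked.
    return $filtered ?? '';
}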
?>