1
|
|
|
<?php |
2
|
|
|
/* |
3
|
|
|
* YOURLS |
4
|
|
|
* Function library for anything related to formatting / validating / sanitizing |
5
|
|
|
*/ |
6
|
|
|
|
7
|
|
|
/** |
8
|
|
|
* Convert an integer (1337) to a string (3jk). |
9
|
|
|
* |
10
|
|
|
*/ |
11
|
|
|
function yourls_int2string( $num, $chars = null ) { |
12
|
2 |
|
if( $chars == null ) |
13
|
2 |
|
$chars = yourls_get_shorturl_charset(); |
14
|
2 |
|
$string = ''; |
15
|
2 |
|
$len = strlen( $chars ); |
16
|
2 |
|
while( $num >= $len ) { |
17
|
2 |
|
$mod = bcmod( $num, $len ); |
18
|
2 |
|
$num = bcdiv( $num, $len ); |
19
|
2 |
|
$string = $chars[ $mod ] . $string; |
20
|
|
|
} |
21
|
2 |
|
$string = $chars[ intval( $num ) ] . $string; |
22
|
|
|
|
23
|
2 |
|
return yourls_apply_filter( 'int2string', $string, $num, $chars ); |
24
|
|
|
} |
25
|
|
|
|
26
|
|
|
/** |
27
|
|
|
* Convert a string (3jk) to an integer (1337) |
28
|
|
|
* |
29
|
|
|
*/ |
30
|
|
|
function yourls_string2int( $string, $chars = null ) { |
31
|
2 |
|
if( $chars == null ) |
32
|
2 |
|
$chars = yourls_get_shorturl_charset(); |
33
|
2 |
|
$integer = 0; |
34
|
2 |
|
$string = strrev( $string ); |
35
|
2 |
|
$baselen = strlen( $chars ); |
36
|
2 |
|
$inputlen = strlen( $string ); |
37
|
2 |
|
for ($i = 0; $i < $inputlen; $i++) { |
38
|
2 |
|
$index = strpos( $chars, $string[$i] ); |
39
|
2 |
|
$integer = bcadd( $integer, bcmul( $index, bcpow( $baselen, $i ) ) ); |
40
|
|
|
} |
41
|
|
|
|
42
|
2 |
|
return yourls_apply_filter( 'string2int', $integer, $string, $chars ); |
43
|
|
|
} |
44
|
|
|
|
45
|
|
|
/** |
46
|
|
|
* Return a unique(ish) hash for a string to be used as a valid HTML id |
47
|
|
|
* |
48
|
|
|
*/ |
49
|
|
|
function yourls_string2htmlid( $string ) { |
50
|
6 |
|
return yourls_apply_filter( 'string2htmlid', 'y'.abs( crc32( $string ) ) ); |
51
|
|
|
} |
52
|
|
|
|
53
|
|
|
/** |
54
|
|
|
* Make sure a link keyword (ie "1fv" as in "http://sho.rt/1fv") is acceptable |
55
|
|
|
* |
56
|
|
|
* If we are ADDING or EDITING a short URL, the keyword must comply to the short URL charset: every |
57
|
|
|
* character that doesn't belong to it will be removed. |
58
|
|
|
* But otherwise we must have a more conservative approach: we could be checking for a keyword that |
59
|
|
|
* was once valid but now the short URL charset has changed. In such a case, we are treating the keyword for what |
60
|
|
|
* it is: just a part of a URL, hence sanitize it as a URL. |
61
|
|
|
* |
62
|
|
|
* @param string $keyword short URL keyword |
63
|
|
|
* @param bool $restrict_to_shorturl_charset Optional, default false. True if we want the keyword to comply to short URL charset |
64
|
|
|
* @return string The sanitized keyword |
65
|
|
|
*/ |
66
|
|
|
function yourls_sanitize_keyword( $keyword, $restrict_to_shorturl_charset = false ) { |
67
|
23 |
|
if( $restrict_to_shorturl_charset === true ) { |
68
|
|
|
// make a regexp pattern with the shorturl charset, and remove everything but this |
69
|
6 |
|
$pattern = yourls_make_regexp_pattern( yourls_get_shorturl_charset() ); |
70
|
6 |
|
$valid = (string) substr( preg_replace( '![^'.$pattern.']!', '', $keyword ), 0, 199 ); |
71
|
|
|
} else { |
72
|
23 |
|
$valid = yourls_sanitize_url( $keyword ); |
73
|
|
|
} |
74
|
|
|
|
75
|
23 |
|
return yourls_apply_filter( 'sanitize_string', $valid, $keyword, $restrict_to_shorturl_charset ); |
76
|
|
|
} |
77
|
|
|
|
78
|
|
|
/** |
79
|
|
|
* Sanitize a page title. No HTML per W3C http://www.w3.org/TR/html401/struct/global.html#h-7.4.2 |
80
|
|
|
* |
81
|
|
|
* |
82
|
|
|
* @since 1.5 |
83
|
|
|
* @param string $unsafe_title Title, potentially unsafe |
84
|
|
|
* @param string $fallback Optional fallback if after sanitization nothing remains |
85
|
|
|
* @return string Safe title |
86
|
|
|
*/ |
87
|
|
|
function yourls_sanitize_title( $unsafe_title, $fallback = '' ) { |
88
|
5 |
|
$title = $unsafe_title; |
89
|
5 |
|
$title = strip_tags( $title ); |
90
|
5 |
|
$title = preg_replace( "/\s+/", ' ', trim( $title ) ); |
91
|
|
|
|
92
|
5 |
|
if ( '' === $title || false === $title ) { |
93
|
1 |
|
$title = $fallback; |
94
|
|
|
} |
95
|
|
|
|
96
|
5 |
|
return yourls_apply_filter( 'sanitize_title', $title, $unsafe_title, $fallback ); |
97
|
|
|
} |
98
|
|
|
|
99
|
|
|
/** |
100
|
|
|
* A few sanity checks on the URL. Used for redirection or DB. |
101
|
|
|
* For redirection when you don't trust the URL ($_SERVER variable, query string), see yourls_sanitize_url_safe() |
102
|
|
|
* For display purpose, see yourls_esc_url() |
103
|
|
|
* |
104
|
|
|
* @param string $unsafe_url unsafe URL |
105
|
|
|
* @param array $protocols Optional allowed protocols, default to global $yourls_allowedprotocols |
106
|
|
|
* @return string Safe URL |
107
|
|
|
*/ |
108
|
|
|
function yourls_sanitize_url( $unsafe_url, $protocols = array() ) { |
109
|
153 |
|
$url = yourls_esc_url( $unsafe_url, 'redirection', $protocols ); |
110
|
153 |
|
return yourls_apply_filter( 'sanitize_url', $url, $unsafe_url ); |
111
|
|
|
} |
112
|
|
|
|
113
|
|
|
/** |
114
|
|
|
* A few sanity checks on the URL, including CRLF. Used for redirection when URL to be sanitized is critical and cannot be trusted. |
115
|
|
|
* |
116
|
|
|
* Use when critical URL comes from user input or environment variable. In such a case, this function will sanitize |
117
|
|
|
* it like yourls_sanitize_url() but will also remove %0A and %0D to prevent CRLF injection. |
118
|
|
|
* Still, some legit URLs contain %0A or %0D (see issue 2056, and for extra fun 1694, 1707, 2030, and maybe others) |
119
|
|
|
* so we're not using this function unless it's used for internal redirection when the target location isn't |
120
|
|
|
* hardcoded, to avoid XSS via CRLF |
121
|
|
|
* |
122
|
|
|
* @since 1.7.2 |
123
|
|
|
* @param string $unsafe_url unsafe URL |
124
|
|
|
* @param array $protocols Optional allowed protocols, default to global $yourls_allowedprotocols |
125
|
|
|
* @return string Safe URL |
126
|
|
|
*/ |
127
|
|
|
function yourls_sanitize_url_safe( $unsafe_url, $protocols = array() ) { |
128
|
1 |
|
$url = yourls_esc_url( $unsafe_url, 'safe', $protocols ); |
129
|
1 |
|
return yourls_apply_filter( 'sanitize_url_safe', $url, $unsafe_url ); |
130
|
|
|
} |
131
|
|
|
|
132
|
|
|
/** |
133
|
|
|
* Perform a replacement while a string is found, eg $subject = '%0%0%0DDD', $search ='%0D' -> $result ='' |
134
|
|
|
* |
135
|
|
|
* Stolen from WP's _deep_replace |
136
|
|
|
* |
137
|
|
|
*/ |
138
|
|
|
function yourls_deep_replace( $search, $subject ){ |
139
|
1 |
|
$found = true; |
140
|
1 |
|
while($found) { |
141
|
1 |
|
$found = false; |
142
|
1 |
|
foreach( (array) $search as $val ) { |
143
|
1 |
|
while( strpos( $subject, $val ) !== false ) { |
144
|
1 |
|
$found = true; |
145
|
1 |
|
$subject = str_replace( $val, '', $subject ); |
146
|
|
|
} |
147
|
|
|
} |
148
|
|
|
} |
149
|
|
|
|
150
|
1 |
|
return $subject; |
151
|
|
|
} |
152
|
|
|
|
153
|
|
|
/** |
154
|
|
|
* Make sure an integer is a valid integer (PHP's intval() limits to too small numbers) |
155
|
|
|
* |
156
|
|
|
*/ |
157
|
|
|
function yourls_sanitize_int( $int ) { |
158
|
1 |
|
return ( substr( preg_replace( '/[^0-9]/', '', strval( $int ) ), 0, 20 ) ); |
159
|
|
|
} |
160
|
|
|
|
161
|
|
|
/** |
162
|
|
|
* Sanitize an IP address |
163
|
|
|
* |
164
|
|
|
*/ |
165
|
|
|
function yourls_sanitize_ip( $ip ) { |
166
|
10 |
|
return preg_replace( '/[^0-9a-fA-F:., ]/', '', $ip ); |
167
|
|
|
} |
168
|
|
|
|
169
|
|
|
/** |
170
|
|
|
* Make sure a date is m(m)/d(d)/yyyy, return false otherwise |
171
|
|
|
* |
172
|
|
|
*/ |
173
|
|
|
function yourls_sanitize_date( $date ) { |
174
|
10 |
|
if( !preg_match( '!^\d{1,2}/\d{1,2}/\d{4}$!' , $date ) ) { |
175
|
4 |
|
return false; |
176
|
|
|
} |
177
|
6 |
|
return $date; |
178
|
|
|
} |
179
|
|
|
|
180
|
|
|
/** |
181
|
|
|
* Sanitize a date for SQL search. Return false if malformed input. |
182
|
|
|
* |
183
|
|
|
*/ |
184
|
|
|
function yourls_sanitize_date_for_sql( $date ) { |
185
|
5 |
|
if( !yourls_sanitize_date( $date ) ) |
186
|
2 |
|
return false; |
187
|
3 |
|
return date( 'Y-m-d', strtotime( $date ) ); |
188
|
|
|
} |
189
|
|
|
|
190
|
|
|
/** |
191
|
|
|
* Return trimmed string |
192
|
|
|
* |
193
|
|
|
*/ |
194
|
|
|
function yourls_trim_long_string( $string, $length = 60, $append = '[...]' ) { |
195
|
5 |
|
$newstring = $string; |
196
|
5 |
|
if ( mb_strlen( $newstring ) > $length ) { |
197
|
1 |
|
$newstring = mb_substr( $newstring, 0, $length - mb_strlen( $append ), 'UTF-8' ) . $append; |
198
|
|
|
} |
199
|
5 |
|
return yourls_apply_filter( 'trim_long_string', $newstring, $string, $length, $append ); |
200
|
|
|
} |
201
|
|
|
|
202
|
|
|
/** |
203
|
|
|
* Sanitize a version number (1.4.1-whatever-RC1 -> 1.4.1) |
204
|
|
|
* |
205
|
|
|
* The regexp searches for the first digits, then a period, then more digits and periods, and discards |
206
|
|
|
* all the rest. |
207
|
|
|
* For instance, 'mysql-5.5-beta' and '5.5-RC1' return '5.5' |
208
|
|
|
* |
209
|
|
|
* @since 1.4.1 |
210
|
|
|
* @param string $version Version number |
211
|
|
|
* @return string Sanitized version number |
212
|
|
|
*/ |
213
|
|
|
function yourls_sanitize_version( $version ) { |
214
|
36 |
|
preg_match( '/([0-9]+\.[0-9.]+).*$/', $version, $matches ); |
215
|
36 |
|
$version = isset($matches[1]) ? trim($matches[1], '.') : ''; |
216
|
|
|
|
217
|
36 |
|
return $version; |
218
|
|
|
} |
219
|
|
|
|
220
|
|
|
/** |
221
|
|
|
* Sanitize a filename (no Win32 stuff) |
222
|
|
|
* |
223
|
|
|
*/ |
224
|
|
|
function yourls_sanitize_filename( $file ) { |
225
|
15 |
|
$file = str_replace( '\\', '/', $file ); // sanitize for Win32 installs |
226
|
15 |
|
$file = preg_replace( '|/+|' ,'/', $file ); // remove any duplicate slash |
227
|
15 |
|
return $file; |
228
|
|
|
} |
229
|
|
|
|
230
|
|
|
/** |
231
|
|
|
* Check if a string seems to be UTF-8. Stolen from WP. |
232
|
|
|
* |
233
|
|
|
*/ |
234
|
|
|
function yourls_seems_utf8( $str ) { |
235
|
10 |
|
$length = strlen( $str ); |
236
|
10 |
|
for ( $i=0; $i < $length; $i++ ) { |
237
|
10 |
|
$c = ord( $str[ $i ] ); |
238
|
10 |
|
if ( $c < 0x80 ) $n = 0; # 0bbbbbbb |
239
|
10 |
|
elseif (($c & 0xE0) == 0xC0) $n=1; # 110bbbbb |
240
|
7 |
|
elseif (($c & 0xF0) == 0xE0) $n=2; # 1110bbbb |
241
|
4 |
|
elseif (($c & 0xF8) == 0xF0) $n=3; # 11110bbb |
242
|
4 |
|
elseif (($c & 0xFC) == 0xF8) $n=4; # 111110bb |
243
|
4 |
|
elseif (($c & 0xFE) == 0xFC) $n=5; # 1111110b |
244
|
4 |
|
else return false; # Does not match any model |
245
|
6 |
|
for ($j=0; $j<$n; $j++) { # n bytes matching 10bbbbbb follow ? |
246
|
6 |
|
if ((++$i == $length) || ((ord($str[$i]) & 0xC0) != 0x80)) |
247
|
1 |
|
return false; |
248
|
|
|
} |
249
|
|
|
} |
250
|
5 |
|
return true; |
251
|
|
|
} |
252
|
|
|
|
253
|
|
|
|
254
|
|
|
/** |
255
|
|
|
* Check for PCRE /u modifier support. Stolen from WP. |
256
|
|
|
* |
257
|
|
|
* Just in case "PCRE is not compiled with PCRE_UTF8" which seems to happen |
258
|
|
|
* on some distros |
259
|
|
|
* |
260
|
|
|
* @since 1.7.1 |
261
|
|
|
* |
262
|
|
|
* @return bool whether there's /u support or not |
263
|
|
|
*/ |
264
|
|
|
function yourls_supports_pcre_u() { |
265
|
27 |
|
static $utf8_pcre; |
266
|
27 |
|
if( !isset( $utf8_pcre ) ) { |
267
|
|
|
$utf8_pcre = (bool) @preg_match( '/^./u', 'a' ); |
268
|
|
|
} |
269
|
27 |
|
return $utf8_pcre; |
270
|
|
|
} |
271
|
|
|
|
272
|
|
|
/** |
273
|
|
|
* Checks for invalid UTF8 in a string. Stolen from WP |
274
|
|
|
* |
275
|
|
|
* @since 1.6 |
276
|
|
|
* |
277
|
|
|
* @param string $string The text which is to be checked. |
278
|
|
|
* @param boolean $strip Optional. Whether to attempt to strip out invalid UTF8. Default is false. |
279
|
|
|
* @return string The checked text. |
280
|
|
|
*/ |
281
|
|
|
function yourls_check_invalid_utf8( $string, $strip = false ) { |
282
|
28 |
|
$string = (string) $string; |
283
|
|
|
|
284
|
28 |
|
if ( 0 === strlen( $string ) ) { |
285
|
1 |
|
return ''; |
286
|
|
|
} |
287
|
|
|
|
288
|
|
|
// We can't demand utf8 in the PCRE installation, so just return the string in those cases |
289
|
27 |
|
if ( ! yourls_supports_pcre_u() ) { |
290
|
|
|
return $string; |
291
|
|
|
} |
292
|
|
|
|
293
|
|
|
// preg_match fails when it encounters invalid UTF8 in $string |
294
|
27 |
|
if ( 1 === @preg_match( '/^./us', $string ) ) { |
295
|
27 |
|
return $string; |
296
|
|
|
} |
297
|
|
|
|
298
|
|
|
// Attempt to strip the bad chars if requested (not recommended) |
299
|
|
|
if ( $strip && function_exists( 'iconv' ) ) { |
300
|
|
|
return iconv( 'utf-8', 'utf-8', $string ); |
301
|
|
|
} |
302
|
|
|
|
303
|
|
|
return ''; |
304
|
|
|
} |
305
|
|
|
|
306
|
|
|
/** |
307
|
|
|
* Converts a number of special characters into their HTML entities. Stolen from WP. |
308
|
|
|
* |
309
|
|
|
* Specifically deals with: &, <, >, ", and '. |
310
|
|
|
* |
311
|
|
|
* $quote_style can be set to ENT_COMPAT to encode " to |
312
|
|
|
* ", or ENT_QUOTES to do both. Default is ENT_NOQUOTES where no quotes are encoded. |
313
|
|
|
* |
314
|
|
|
* @since 1.6 |
315
|
|
|
* |
316
|
|
|
* @param string $string The text which is to be encoded. |
317
|
|
|
* @param mixed $quote_style Optional. Converts double quotes if set to ENT_COMPAT, both single and double if set to ENT_QUOTES or none if set to ENT_NOQUOTES. Also compatible with old values; converting single quotes if set to 'single', double if set to 'double' or both if otherwise set. Default is ENT_NOQUOTES. |
318
|
|
|
* @param boolean $double_encode Optional. Whether to encode existing html entities. Default is false. |
319
|
|
|
* @return string The encoded text with HTML entities. |
320
|
|
|
*/ |
321
|
|
|
function yourls_specialchars( $string, $quote_style = ENT_NOQUOTES, $double_encode = false ) { |
322
|
32 |
|
$string = (string) $string; |
323
|
|
|
|
324
|
32 |
|
if ( 0 === strlen( $string ) ) |
325
|
1 |
|
return ''; |
326
|
|
|
|
327
|
|
|
// Don't bother if there are no specialchars - saves some processing |
328
|
31 |
|
if ( ! preg_match( '/[&<>"\']/', $string ) ) |
329
|
11 |
|
return $string; |
330
|
|
|
|
331
|
|
|
// Account for the previous behaviour of the function when the $quote_style is not an accepted value |
332
|
20 |
|
if ( empty( $quote_style ) ) |
333
|
4 |
|
$quote_style = ENT_NOQUOTES; |
334
|
17 |
|
elseif ( ! in_array( $quote_style, array( 0, 2, 3, 'single', 'double' ), true ) ) |
335
|
1 |
|
$quote_style = ENT_QUOTES; |
336
|
|
|
|
337
|
20 |
|
$charset = 'UTF-8'; |
338
|
|
|
|
339
|
20 |
|
$_quote_style = $quote_style; |
340
|
|
|
|
341
|
20 |
|
if ( $quote_style === 'double' ) { |
342
|
1 |
|
$quote_style = ENT_COMPAT; |
343
|
1 |
|
$_quote_style = ENT_COMPAT; |
344
|
20 |
|
} elseif ( $quote_style === 'single' ) { |
345
|
1 |
|
$quote_style = ENT_NOQUOTES; |
346
|
|
|
} |
347
|
|
|
|
348
|
|
|
// Handle double encoding ourselves |
349
|
20 |
|
if ( $double_encode ) { |
350
|
2 |
|
$string = @htmlspecialchars( $string, $quote_style, $charset ); |
351
|
|
|
} else { |
352
|
|
|
// Decode & into & |
353
|
20 |
|
$string = yourls_specialchars_decode( $string, $_quote_style ); |
354
|
|
|
|
355
|
|
|
// Guarantee every &entity; is valid or re-encode the & |
356
|
20 |
|
$string = yourls_kses_normalize_entities( $string ); |
357
|
|
|
|
358
|
|
|
// Now re-encode everything except &entity; |
359
|
20 |
|
$string = preg_split( '/(&#?x?[0-9a-z]+;)/i', $string, -1, PREG_SPLIT_DELIM_CAPTURE ); |
360
|
|
|
|
361
|
20 |
|
for ( $i = 0; $i < count( $string ); $i += 2 ) |
|
|
|
|
362
|
20 |
|
$string[$i] = @htmlspecialchars( $string[$i], $quote_style, $charset ); |
363
|
|
|
|
364
|
20 |
|
$string = implode( '', $string ); |
|
|
|
|
365
|
|
|
} |
366
|
|
|
|
367
|
|
|
// Backwards compatibility |
368
|
20 |
|
if ( 'single' === $_quote_style ) |
369
|
1 |
|
$string = str_replace( "'", ''', $string ); |
370
|
|
|
|
371
|
20 |
|
return $string; |
372
|
|
|
} |
373
|
|
|
|
374
|
|
|
/** |
375
|
|
|
* Converts a number of HTML entities into their special characters. Stolen from WP. |
376
|
|
|
* |
377
|
|
|
* Specifically deals with: &, <, >, ", and '. |
378
|
|
|
* |
379
|
|
|
* $quote_style can be set to ENT_COMPAT to decode " entities, |
380
|
|
|
* or ENT_QUOTES to do both " and '. Default is ENT_NOQUOTES where no quotes are decoded. |
381
|
|
|
* |
382
|
|
|
* @since 1.6 |
383
|
|
|
* |
384
|
|
|
* @param string $string The text which is to be decoded. |
385
|
|
|
* @param mixed $quote_style Optional. Converts double quotes if set to ENT_COMPAT, both single and double if set to ENT_QUOTES or none if set to ENT_NOQUOTES. Also compatible with old _wp_specialchars() values; converting single quotes if set to 'single', double if set to 'double' or both if otherwise set. Default is ENT_NOQUOTES. |
386
|
|
|
* @return string The decoded text without HTML entities. |
387
|
|
|
*/ |
388
|
|
|
function yourls_specialchars_decode( $string, $quote_style = ENT_NOQUOTES ) { |
389
|
20 |
|
$string = (string) $string; |
390
|
|
|
|
391
|
20 |
|
if ( 0 === strlen( $string ) ) { |
392
|
|
|
return ''; |
393
|
|
|
} |
394
|
|
|
|
395
|
|
|
// Don't bother if there are no entities - saves a lot of processing |
396
|
20 |
|
if ( strpos( $string, '&' ) === false ) { |
397
|
11 |
|
return $string; |
398
|
|
|
} |
399
|
|
|
|
400
|
|
|
// Match the previous behaviour of _wp_specialchars() when the $quote_style is not an accepted value |
401
|
12 |
|
if ( empty( $quote_style ) ) { |
402
|
3 |
|
$quote_style = ENT_NOQUOTES; |
403
|
9 |
|
} elseif ( !in_array( $quote_style, array( 0, 2, 3, 'single', 'double' ), true ) ) { |
404
|
|
|
$quote_style = ENT_QUOTES; |
405
|
|
|
} |
406
|
|
|
|
407
|
|
|
// More complete than get_html_translation_table( HTML_SPECIALCHARS ) |
408
|
12 |
|
$single = array( ''' => '\'', ''' => '\'' ); |
409
|
12 |
|
$single_preg = array( '/�*39;/' => ''', '/�*27;/i' => ''' ); |
410
|
12 |
|
$double = array( '"' => '"', '"' => '"', '"' => '"' ); |
411
|
12 |
|
$double_preg = array( '/�*34;/' => '"', '/�*22;/i' => '"' ); |
412
|
12 |
|
$others = array( '<' => '<', '<' => '<', '>' => '>', '>' => '>', '&' => '&', '&' => '&', '&' => '&' ); |
413
|
12 |
|
$others_preg = array( '/�*60;/' => '<', '/�*62;/' => '>', '/�*38;/' => '&', '/�*26;/i' => '&' ); |
414
|
|
|
|
415
|
12 |
|
if ( $quote_style === ENT_QUOTES ) { |
416
|
8 |
|
$translation = array_merge( $single, $double, $others ); |
417
|
8 |
|
$translation_preg = array_merge( $single_preg, $double_preg, $others_preg ); |
418
|
4 |
|
} elseif ( $quote_style === ENT_COMPAT || $quote_style === 'double' ) { |
419
|
1 |
|
$translation = array_merge( $double, $others ); |
420
|
1 |
|
$translation_preg = array_merge( $double_preg, $others_preg ); |
421
|
3 |
|
} elseif ( $quote_style === 'single' ) { |
422
|
|
|
$translation = array_merge( $single, $others ); |
423
|
|
|
$translation_preg = array_merge( $single_preg, $others_preg ); |
424
|
3 |
|
} elseif ( $quote_style === ENT_NOQUOTES ) { |
425
|
3 |
|
$translation = $others; |
426
|
3 |
|
$translation_preg = $others_preg; |
427
|
|
|
} |
428
|
|
|
|
429
|
|
|
// Remove zero padding on numeric entities |
430
|
12 |
|
$string = preg_replace( array_keys( $translation_preg ), array_values( $translation_preg ), $string ); |
431
|
|
|
|
432
|
|
|
// Replace characters according to translation table |
433
|
12 |
|
return strtr( $string, $translation ); |
434
|
|
|
} |
435
|
|
|
|
436
|
|
|
|
437
|
|
|
/** |
438
|
|
|
* Escaping for HTML blocks. Stolen from WP |
439
|
|
|
* |
440
|
|
|
* @since 1.6 |
441
|
|
|
* |
442
|
|
|
* @param string $text |
443
|
|
|
* @return string |
444
|
|
|
*/ |
445
|
|
|
function yourls_esc_html( $text ) { |
446
|
16 |
|
$safe_text = yourls_check_invalid_utf8( $text ); |
447
|
16 |
|
$safe_text = yourls_specialchars( $safe_text, ENT_QUOTES ); |
448
|
16 |
|
return yourls_apply_filter( 'esc_html', $safe_text, $text ); |
449
|
|
|
} |
450
|
|
|
|
451
|
|
|
/** |
452
|
|
|
* Escaping for HTML attributes. Stolen from WP |
453
|
|
|
* |
454
|
|
|
* @since 1.6 |
455
|
|
|
* |
456
|
|
|
* @param string $text |
457
|
|
|
* @return string |
458
|
|
|
*/ |
459
|
|
|
function yourls_esc_attr( $text ) { |
460
|
11 |
|
$safe_text = yourls_check_invalid_utf8( $text ); |
461
|
11 |
|
$safe_text = yourls_specialchars( $safe_text, ENT_QUOTES ); |
462
|
11 |
|
return yourls_apply_filter( 'esc_attr', $safe_text, $text ); |
463
|
|
|
} |
464
|
|
|
|
465
|
|
|
/** |
466
|
|
|
* Checks and cleans a URL before printing it. Stolen from WP. |
467
|
|
|
* |
468
|
|
|
* A number of characters are removed from the URL. If the URL is for displaying |
469
|
|
|
* (the default behaviour) ampersands are also replaced. |
470
|
|
|
* |
471
|
|
|
* This function by default "escapes" URL for display purpose (param $context = 'display') but can |
472
|
|
|
* take extra steps in URL sanitization. See yourls_sanitize_url() and yourls_sanitize_url_safe() |
473
|
|
|
* |
474
|
|
|
* @since 1.6 |
475
|
|
|
* |
476
|
|
|
* @param string $url The URL to be cleaned. |
477
|
|
|
* @param string $context 'display' or something else. Use yourls_sanitize_url() for database or redirection usage. |
478
|
|
|
* @param array $protocols Optional. Array of allowed protocols, defaults to global $yourls_allowedprotocols |
479
|
|
|
* @return string The cleaned $url |
480
|
|
|
*/ |
481
|
|
|
function yourls_esc_url( $url, $context = 'display', $protocols = array() ) { |
482
|
|
|
// trim first -- see #1931 |
483
|
157 |
|
$url = trim( $url ); |
484
|
|
|
|
485
|
|
|
// make sure there's only one 'http://' at the beginning (prevents pasting a URL right after the default 'http://') |
486
|
157 |
|
$url = str_replace( |
487
|
157 |
|
array( 'http://http://', 'http://https://' ), |
488
|
157 |
|
array( 'http://', 'https://' ), |
489
|
157 |
|
$url |
490
|
|
|
); |
491
|
|
|
|
492
|
157 |
|
if ( '' == $url ) |
493
|
4 |
|
return $url; |
494
|
|
|
|
495
|
153 |
|
$original_url = $url; |
496
|
|
|
|
497
|
|
|
// force scheme and domain to lowercase - see issues 591 and 1630 |
498
|
153 |
|
$url = yourls_normalize_uri( $url ); |
499
|
|
|
|
500
|
153 |
|
$url = preg_replace( '|[^a-z0-9-~+_.?#=!&;,/:%@$\|*\'()\[\]\\x80-\\xff]|i', '', $url ); |
501
|
|
|
// Previous regexp in YOURLS was '|[^a-z0-9-~+_.?\[\]\^#=!&;,/:%@$\|*`\'<>"()\\x80-\\xff\{\}]|i' |
502
|
|
|
// TODO: check if that was it too destructive |
503
|
|
|
|
504
|
|
|
// If $context is 'safe', an extra step is taken to make sure no CRLF injection is possible. |
505
|
|
|
// To be used when $url can be forged by evil user (eg it's from a $_SERVER variable, a query string, etc..) |
506
|
153 |
|
if ( 'safe' == $context ) { |
507
|
1 |
|
$strip = array( '%0d', '%0a', '%0D', '%0A' ); |
508
|
1 |
|
$url = yourls_deep_replace( $strip, $url ); |
509
|
|
|
} |
510
|
|
|
|
511
|
|
|
// Replace ampersands and single quotes only when displaying. |
512
|
153 |
|
if ( 'display' == $context ) { |
513
|
5 |
|
$url = yourls_kses_normalize_entities( $url ); |
514
|
5 |
|
$url = str_replace( '&', '&', $url ); |
515
|
5 |
|
$url = str_replace( "'", ''', $url ); |
516
|
|
|
} |
517
|
|
|
|
518
|
|
|
// If there's a protocol, make sure it's OK |
519
|
153 |
|
if( yourls_get_protocol($url) !== '' ) { |
520
|
90 |
|
if ( ! is_array( $protocols ) or ! $protocols ) { |
521
|
90 |
|
global $yourls_allowedprotocols; |
522
|
90 |
|
$protocols = yourls_apply_filter( 'esc_url_protocols', $yourls_allowedprotocols ); |
523
|
|
|
// Note: $yourls_allowedprotocols is also globally filterable in functions-kses.php/yourls_kses_init() |
524
|
|
|
} |
525
|
|
|
|
526
|
90 |
|
if ( !yourls_is_allowed_protocol( $url, $protocols ) ) |
527
|
1 |
|
return ''; |
528
|
|
|
|
529
|
|
|
// I didn't use KSES function kses_bad_protocol() because it doesn't work the way I liked (returns //blah from illegal://blah) |
530
|
|
|
} |
531
|
|
|
|
532
|
153 |
|
return yourls_apply_filter( 'esc_url', $url, $original_url, $context ); |
533
|
|
|
} |
534
|
|
|
|
535
|
|
|
|
536
|
|
|
/** |
537
|
|
|
* Normalize a URI : lowercase scheme and domain, convert IDN to UTF8 |
538
|
|
|
* |
539
|
|
|
* All in one example: 'HTTP://XN--mgbuq0c.Com/AbCd' -> 'http://طارق.com/AbCd' |
540
|
|
|
* See issues 591, 1630, 1889, 2691 |
541
|
|
|
* |
542
|
|
|
* This function is trickier than what seems to be needed at first |
543
|
|
|
* |
544
|
|
|
* First, we need to handle several URI types: http://example.com, mailto:[email protected], facetime:[email protected], and so on, see |
545
|
|
|
* yourls_kses_allowed_protocols() in functions-kses.php |
546
|
|
|
* The general rule is that the scheme ("stuff://" or "stuff:") is case insensitive and should be lowercase. But then, depending on the |
547
|
|
|
* scheme, parts of what follows the scheme may or may not be case sensitive. |
548
|
|
|
* |
549
|
|
|
* Second, simply using parse_url() and its opposite http_build_url() is a pretty unsafe process: |
550
|
|
|
* - parse_url() can easily trip up on malformed or weird URLs |
551
|
|
|
* - exploding a URL with parse_url(), lowercasing some stuff, and glueing things back with http_build_url() does not handle well |
552
|
|
|
* "stuff:"-like URI [1] and can result in URLs ending modified [2][3]. We don't want to *validate* URI, we just want to lowercase |
553
|
|
|
* what is supposed to be lowercased. |
554
|
|
|
* |
555
|
|
|
* So, to be conservative, this function: |
556
|
|
|
* - lowercases the scheme |
557
|
|
|
* - does not lowercase anything else on "stuff:" URI |
558
|
|
|
* - tries to lowercase only scheme and domain of "stuff://" URI |
559
|
|
|
* |
560
|
|
|
* [1] http_build_url(parse_url("mailto:ozh")) == "mailto:///ozh" |
561
|
|
|
* [2] http_build_url(parse_url("http://blah#omg")) == "http://blah/#omg" |
562
|
|
|
* [3] http_build_url(parse_url("http://blah?#")) == "http://blah/" |
563
|
|
|
* |
564
|
|
|
* @since 1.7.1 |
565
|
|
|
* @param string $url URL |
566
|
|
|
* @return string URL with lowercase scheme and protocol |
567
|
|
|
*/ |
568
|
|
|
function yourls_normalize_uri( $url ) { |
569
|
154 |
|
$scheme = yourls_get_protocol( $url ); |
570
|
|
|
|
571
|
154 |
|
if ('' == $scheme) { |
572
|
|
|
// Scheme not found, malformed URL? Something else? Not sure. |
573
|
70 |
|
return $url; |
574
|
|
|
} |
575
|
|
|
|
576
|
|
|
/** |
577
|
|
|
* Case 1 : scheme like "stuff:", as opposed to "stuff://" |
578
|
|
|
* Examples: "mailto:[email protected]" or "bitcoin:15p1o8vnWqNkJBJGgwafNgR1GCCd6EGtQR?amount=1&label=Ozh" |
579
|
|
|
* In this case, we only lowercase the scheme, because depending on it, things after should or should not be lowercased |
580
|
|
|
*/ |
581
|
94 |
|
if (substr($scheme, -2, 2) != '//') { |
582
|
3 |
|
$url = str_replace( $scheme, strtolower( $scheme ), $url ); |
583
|
3 |
|
return $url; |
584
|
|
|
} |
585
|
|
|
|
586
|
|
|
/** |
587
|
|
|
* Case 2 : scheme like "stuff://" (eg "http://example.com/" or "ssh://[email protected]") |
588
|
|
|
* Here we lowercase the scheme and domain parts |
589
|
|
|
*/ |
590
|
92 |
|
$parts = parse_url($url); |
591
|
|
|
|
592
|
|
|
// Most likely malformed stuff, could not parse : we'll just lowercase the scheme and leave the rest untouched |
593
|
92 |
|
if (false == $parts) { |
594
|
|
|
$url = str_replace( $scheme, strtolower( $scheme ), $url ); |
595
|
|
|
return $url; |
596
|
|
|
} |
597
|
|
|
|
598
|
|
|
// URL seems parsable, let's do the best we can |
599
|
92 |
|
$lower = array(); |
600
|
92 |
|
$lower['scheme'] = strtolower( $parts['scheme'] ); |
601
|
92 |
|
if( isset( $parts['host'] ) ) { |
602
|
|
|
// Convert domain to lowercase, with mb_ to preserve UTF8 |
603
|
92 |
|
$lower['host'] = mb_strtolower($parts['host']); |
604
|
|
|
/** |
605
|
|
|
* Convert IDN domains to their UTF8 form so that طارق.net and xn--mgbuq0c.net |
606
|
|
|
* are considered the same. Explicitely mention option and variant to avoid notice |
607
|
|
|
* on PHP 7.2 and 7.3 |
608
|
|
|
*/ |
609
|
92 |
|
$lower['host'] = idn_to_utf8($lower['host'], IDNA_DEFAULT, INTL_IDNA_VARIANT_UTS46); |
610
|
|
|
} |
611
|
|
|
|
612
|
92 |
|
$url = http_build_url($url, $lower); |
613
|
|
|
|
614
|
92 |
|
return $url; |
615
|
|
|
} |
616
|
|
|
|
617
|
|
|
|
618
|
|
|
/** |
619
|
|
|
* Escape single quotes, htmlspecialchar " < > &, and fix line endings. Stolen from WP. |
620
|
|
|
* |
621
|
|
|
* Escapes text strings for echoing in JS. It is intended to be used for inline JS |
622
|
|
|
* (in a tag attribute, for example onclick="..."). Note that the strings have to |
623
|
|
|
* be in single quotes. The filter 'js_escape' is also applied here. |
624
|
|
|
* |
625
|
|
|
* @since 1.6 |
626
|
|
|
* |
627
|
|
|
* @param string $text The text to be escaped. |
628
|
|
|
* @return string Escaped text. |
629
|
|
|
*/ |
630
|
|
|
function yourls_esc_js( $text ) { |
631
|
3 |
|
$safe_text = yourls_check_invalid_utf8( $text ); |
632
|
3 |
|
$safe_text = yourls_specialchars( $safe_text, ENT_COMPAT ); |
633
|
3 |
|
$safe_text = preg_replace( '/&#(x)?0*(?(1)27|39);?/i', "'", stripslashes( $safe_text ) ); |
634
|
3 |
|
$safe_text = str_replace( "\r", '', $safe_text ); |
635
|
3 |
|
$safe_text = str_replace( "\n", '\\n', addslashes( $safe_text ) ); |
636
|
3 |
|
return yourls_apply_filter( 'esc_js', $safe_text, $text ); |
637
|
|
|
} |
638
|
|
|
|
639
|
|
|
/** |
640
|
|
|
* Escaping for textarea values. Stolen from WP. |
641
|
|
|
* |
642
|
|
|
* @since 1.6 |
643
|
|
|
* |
644
|
|
|
* @param string $text |
645
|
|
|
* @return string |
646
|
|
|
*/ |
647
|
|
|
function yourls_esc_textarea( $text ) { |
648
|
3 |
|
$safe_text = htmlspecialchars( $text, ENT_QUOTES ); |
649
|
3 |
|
return yourls_apply_filter( 'esc_textarea', $safe_text, $text ); |
650
|
|
|
} |
651
|
|
|
|
652
|
|
|
|
653
|
|
|
/** |
654
|
|
|
* PHP emulation of JS's encodeURI |
655
|
|
|
* |
656
|
|
|
* @link https://developer.mozilla.org/en/JavaScript/Reference/Global_Objects/encodeURI |
657
|
|
|
* @param $url |
658
|
|
|
* @return string |
659
|
|
|
*/ |
660
|
|
|
function yourls_encodeURI( $url ) { |
661
|
|
|
// Decode URL all the way |
662
|
|
|
$result = yourls_rawurldecode_while_encoded( $url ); |
663
|
|
|
// Encode once |
664
|
|
|
$result = strtr( rawurlencode( $result ), array ( |
665
|
|
|
'%3B' => ';', '%2C' => ',', '%2F' => '/', '%3F' => '?', '%3A' => ':', '%40' => '@', |
666
|
|
|
'%26' => '&', '%3D' => '=', '%2B' => '+', '%24' => '$', '%21' => '!', '%2A' => '*', |
667
|
|
|
'%27' => '\'', '%28' => '(', '%29' => ')', '%23' => '#', |
668
|
|
|
) ); |
669
|
|
|
// @TODO: |
670
|
|
|
// Known limit: this will most likely break IDN URLs such as http://www.académie-française.fr/ |
671
|
|
|
// To fully support IDN URLs, advocate use of a plugin. |
672
|
|
|
return yourls_apply_filter( 'encodeURI', $result, $url ); |
673
|
|
|
} |
674
|
|
|
|
675
|
|
|
/** |
676
|
|
|
* Adds backslashes before letters and before a number at the start of a string. Stolen from WP. |
677
|
|
|
* |
678
|
|
|
* @since 1.6 |
679
|
|
|
* |
680
|
|
|
* @param string $string Value to which backslashes will be added. |
681
|
|
|
* @return string String with backslashes inserted. |
682
|
|
|
*/ |
683
|
|
|
function yourls_backslashit($string) { |
684
|
3 |
|
$string = preg_replace('/^([0-9])/', '\\\\\\\\\1', $string); |
685
|
3 |
|
$string = preg_replace('/([a-z])/i', '\\\\\1', $string); |
686
|
3 |
|
return $string; |
687
|
|
|
} |
688
|
|
|
|
689
|
|
|
/** |
690
|
|
|
* Check if a string seems to be urlencoded |
691
|
|
|
* |
692
|
|
|
* We use rawurlencode instead of urlencode to avoid messing with '+' |
693
|
|
|
* |
694
|
|
|
* @since 1.7 |
695
|
|
|
* @param string $string |
696
|
|
|
* @return bool |
697
|
|
|
*/ |
698
|
|
|
function yourls_is_rawurlencoded( $string ) { |
699
|
|
|
return rawurldecode( $string ) != $string; |
700
|
|
|
} |
701
|
|
|
|
702
|
|
|
/** |
703
|
|
|
* rawurldecode a string till it's not encoded anymore |
704
|
|
|
* |
705
|
|
|
* Deals with multiple encoding (eg "%2521" => "%21" => "!"). |
706
|
|
|
* See https://github.com/YOURLS/YOURLS/issues/1303 |
707
|
|
|
* |
708
|
|
|
* @since 1.7 |
709
|
|
|
* @param string $string |
710
|
|
|
* @return string |
711
|
|
|
*/ |
712
|
|
|
function yourls_rawurldecode_while_encoded( $string ) { |
713
|
|
|
$string = rawurldecode( $string ); |
714
|
|
|
if( yourls_is_rawurlencoded( $string ) ) { |
715
|
|
|
$string = yourls_rawurldecode_while_encoded( $string ); |
716
|
|
|
} |
717
|
|
|
return $string; |
718
|
|
|
} |
719
|
|
|
|
720
|
|
|
/** |
721
|
|
|
* Converts readable Javascript code into a valid bookmarklet link |
722
|
|
|
* |
723
|
|
|
* Uses https://github.com/ozh/bookmarkletgen |
724
|
|
|
* |
725
|
|
|
* @since 1.7.1 |
726
|
|
|
* @param string $code Javascript code |
727
|
|
|
* @return string Bookmarklet link |
728
|
|
|
*/ |
729
|
|
|
function yourls_make_bookmarklet( $code ) { |
730
|
1 |
|
$book = new \Ozh\Bookmarkletgen\Bookmarkletgen; |
731
|
1 |
|
return $book->crunch( $code ); |
732
|
|
|
} |
733
|
|
|
|
734
|
|
|
/** |
735
|
|
|
* Return a timestamp, plus or minus the time offset if defined |
736
|
|
|
* |
737
|
|
|
* @since 1.7.10 |
738
|
|
|
* @param string|int $timestamp a timestamp |
739
|
|
|
* @return int a timestamp, plus or minus offset if defined |
740
|
|
|
*/ |
741
|
|
|
function yourls_get_timestamp( $timestamp ) { |
742
|
3 |
|
$offset = yourls_get_time_offset(); |
743
|
3 |
|
$timestamp_offset = $timestamp + ($offset * 3600); |
744
|
|
|
|
745
|
3 |
|
return yourls_apply_filter( 'get_timestamp', $timestamp_offset, $timestamp, $offset ); |
746
|
|
|
} |
747
|
|
|
|
748
|
|
|
/** |
749
|
|
|
* Get time offset, as defined in config, filtered |
750
|
|
|
* |
751
|
|
|
* @since 1.7.10 |
752
|
|
|
* @return int Time offset |
753
|
|
|
*/ |
754
|
|
|
function yourls_get_time_offset() { |
755
|
4 |
|
$offset = defined('YOURLS_HOURS_OFFSET') ? (int)YOURLS_HOURS_OFFSET : 0; |
756
|
4 |
|
return yourls_apply_filter( 'get_time_offset', $offset ); |
757
|
|
|
} |
758
|
|
|
|
759
|
|
|
/** |
760
|
|
|
* Return a date() format for a full date + time, filtered |
761
|
|
|
* |
762
|
|
|
* @since 1.7.10 |
763
|
|
|
* @param string $format Date format string |
764
|
|
|
* @return string Date format string |
765
|
|
|
*/ |
766
|
|
|
function yourls_get_datetime_format( $format ) { |
767
|
2 |
|
return yourls_apply_filter( 'get_datetime_format', (string)$format ); |
768
|
|
|
} |
769
|
|
|
|
770
|
|
|
/** |
771
|
|
|
* Return a date() format for date (no time), filtered |
772
|
|
|
* |
773
|
|
|
* @since 1.7.10 |
774
|
|
|
* @param string $format Date format string |
775
|
|
|
* @return string Date format string |
776
|
|
|
*/ |
777
|
|
|
function yourls_get_date_format( $format ) { |
778
|
1 |
|
return yourls_apply_filter( 'get_date_format', (string)$format ); |
779
|
|
|
} |
780
|
|
|
|
781
|
|
|
/** |
782
|
|
|
* Return a date() format for a time (no date), filtered |
783
|
|
|
* |
784
|
|
|
* @since 1.7.10 |
785
|
|
|
* @param string $format Date format string |
786
|
|
|
* @return string Date format string |
787
|
|
|
*/ |
788
|
|
|
function yourls_get_time_format( $format ) { |
789
|
1 |
|
return yourls_apply_filter( 'get_time_format', (string)$format ); |
790
|
|
|
} |
791
|
|
|
|
792
|
|
|
|