|
1
|
|
|
<?php |
|
2
|
|
|
|
|
3
|
|
|
namespace Ffcms\Core\Helper; |
|
4
|
|
|
|
|
5
|
|
|
use Ffcms\Core\App; |
|
6
|
|
|
use Ffcms\Core\Helper\Type\Arr; |
|
7
|
|
|
use Ffcms\Core\Helper\Type\Obj; |
|
8
|
|
|
use Ffcms\Core\Helper\Type\Str; |
|
9
|
|
|
|
|
10
|
|
|
class Security |
|
11
|
|
|
{ |
|
12
|
|
|
|
|
13
|
|
|
protected $purifier; |
|
14
|
|
|
|
|
15
|
|
|
|
|
16
|
|
|
public function __construct() |
|
17
|
|
|
{ |
|
18
|
|
|
$config = \HTMLPurifier_Config::createDefault(); |
|
19
|
|
|
$config->set('Cache.SerializerPath', root . '/Private/Cache/HTMLPurifier/'); |
|
20
|
|
|
//$config->set('HTML.Allowed', 'p,b,a[href],i'); |
|
|
|
|
|
|
21
|
|
|
//$config->set('URI.Base', 'http://www.example.com'); |
|
|
|
|
|
|
22
|
|
|
//$config->set('URI.MakeAbsolute', true); |
|
|
|
|
|
|
23
|
|
|
$config->set('AutoFormat.AutoParagraph', false); |
|
24
|
|
|
|
|
25
|
|
|
// allow use target=_blank for links |
|
26
|
|
|
$def = $config->getHTMLDefinition(true); |
|
27
|
|
|
$def->addAttribute('a', 'target', 'Enum#_blank,_self,_target,_top'); |
|
28
|
|
|
|
|
29
|
|
|
$this->purifier = new \HTMLPurifier($config); |
|
30
|
|
|
} |
|
31
|
|
|
|
|
32
|
|
|
/** |
|
33
|
|
|
* Get purifier instance |
|
34
|
|
|
* @return \HTMLPurifier |
|
35
|
|
|
*/ |
|
36
|
|
|
public function getPurifier() |
|
37
|
|
|
{ |
|
38
|
|
|
return $this->purifier; |
|
39
|
|
|
} |
|
40
|
|
|
|
|
41
|
|
|
/** |
|
42
|
|
|
* Secure html code |
|
43
|
|
|
* @param string|array $data |
|
44
|
|
|
* @return string |
|
45
|
|
|
*/ |
|
46
|
|
|
public function secureHtml($data) |
|
47
|
|
|
{ |
|
48
|
|
|
if (Obj::isArray($data)) { |
|
49
|
|
|
return $this->purifier->purifyArray($data); |
|
|
|
|
|
|
50
|
|
|
} |
|
51
|
|
|
|
|
52
|
|
|
return $this->purifier->purify($data); |
|
|
|
|
|
|
53
|
|
|
} |
|
54
|
|
|
|
|
55
|
|
|
/** |
|
56
|
|
|
* String html tags and escape quotes |
|
57
|
|
|
* @param string|array $html |
|
58
|
|
|
* @param boolean $escapeQuotes |
|
59
|
|
|
* @return string |
|
60
|
|
|
*/ |
|
61
|
|
|
public function strip_tags($html, $escapeQuotes = true) |
|
62
|
|
|
{ |
|
63
|
|
|
// recursive usage |
|
64
|
|
|
if (Obj::isArray($html)) { |
|
65
|
|
|
foreach ($html as $key=>$value) { |
|
|
|
|
|
|
66
|
|
|
$html[$key] = $this->strip_tags($value, $escapeQuotes); |
|
67
|
|
|
} |
|
68
|
|
|
return $html; |
|
69
|
|
|
} |
|
70
|
|
|
|
|
71
|
|
|
$text = strip_tags($html); |
|
72
|
|
|
if ($escapeQuotes) { |
|
73
|
|
|
$text = $this->escapeQuotes($text); |
|
74
|
|
|
} |
|
75
|
|
|
return $text; |
|
76
|
|
|
} |
|
77
|
|
|
|
|
78
|
|
|
/** |
|
79
|
|
|
* Strip php tags and notations in string. |
|
80
|
|
|
* @param array|string $data |
|
81
|
|
|
* @return array|mixed|string |
|
82
|
|
|
*/ |
|
83
|
|
|
public function strip_php_tags($data) |
|
84
|
|
|
{ |
|
85
|
|
|
if (is_array($data)) { |
|
86
|
|
|
foreach ($data as $key=>$value) { |
|
87
|
|
|
$data[$key] = $this->strip_php_tags($value); |
|
88
|
|
|
} |
|
89
|
|
|
return $data; |
|
90
|
|
|
} |
|
91
|
|
|
return addslashes(htmlspecialchars(strip_tags($data))); |
|
92
|
|
|
} |
|
93
|
|
|
|
|
94
|
|
|
/** |
|
95
|
|
|
* Alternative var_export function for php >= 5.4 syntax |
|
96
|
|
|
* @deprecated |
|
97
|
|
|
* @param $var |
|
98
|
|
|
* @param null $indent |
|
99
|
|
|
* @return mixed|string |
|
100
|
|
|
*/ |
|
101
|
|
|
public function var_export54($var, $indent = null, $guessTypes = false) { |
|
102
|
|
|
return Arr::var_export54($var, $indent, $guessTypes); |
|
103
|
|
|
} |
|
104
|
|
|
|
|
105
|
|
|
/** |
|
106
|
|
|
* Escape quotes |
|
107
|
|
|
* @param string $html |
|
108
|
|
|
* @return string |
|
109
|
|
|
*/ |
|
110
|
|
|
public function escapeQuotes($html) |
|
111
|
|
|
{ |
|
112
|
|
|
return Str::replace(['"', "'"], '"', $html); |
|
113
|
|
|
} |
|
114
|
|
|
|
|
115
|
|
|
/** |
|
116
|
|
|
* Crypt password secure with Blow fish crypt algo (defined in salt) |
|
117
|
|
|
* Blow fish crypt example: crypt('somedata', '$2a$07$usesomesillystringfor$'), where $2a$07$ - definition of algo, |
|
118
|
|
|
* usesomesillystringfor - is salt (must be 21 or more chars), $ - end caret. Output: $2a$07$usesomesillystringfor.sUeCOxyFvckc3xgq1Kzqq90gLrrIVjq |
|
119
|
|
|
* @param string $password |
|
120
|
|
|
* @return string |
|
121
|
|
|
*/ |
|
122
|
|
|
public static function password_hash($password) |
|
123
|
|
|
{ |
|
124
|
|
|
return crypt($password, App::$Properties->get('passwordSalt')); |
|
125
|
|
|
} |
|
126
|
|
|
|
|
127
|
|
|
/** |
|
128
|
|
|
* Generate simple hash of 8 chars (32bit) for string. This method is NOT SECURE for crypt reason! |
|
129
|
|
|
* @param string $string |
|
130
|
|
|
* @return string |
|
131
|
|
|
*/ |
|
132
|
|
|
public static function simpleHash($string) |
|
133
|
|
|
{ |
|
134
|
|
|
return dechex(crc32($string)); |
|
135
|
|
|
} |
|
136
|
|
|
|
|
137
|
|
|
|
|
138
|
|
|
} |
phpffcms /
ffcms-core
Loading history...
Sometimes obsolete code just ends up commented out instead of removed. In this case it is better to remove the code once you have checked you do not need it.
The code might also have been commented out for debugging purposes. In this case it is vital that someone uncomments it again or your project may behave in very unexpected ways in production.
This check looks for comments that seem to be mostly valid code and reports them.