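/**
 * Converts phpMyAdmin's BBCode-style message markup to HTML while
 * neutralising any raw HTML the message carried.
 *
 * Unless $safe is set, every '<' and '>' in $message is replaced by its
 * entity BEFORE the markup is expanded, so the only tags that can reach the
 * browser are the ones generated here. Recognised markup: [em], [strong],
 * [code], [kbd], [sup], [br] (plus the deprecated [i], [b], [tt]) and links
 * written as [a@href@target]text[/a]. Links are only expanded when EVERY link
 * in the message has an href starting with 'http' (http:// and https://),
 * './Do' (./Documentation) or './ur' (the url.php redirector) and a target
 * made of letters and '_' only; if any link fails that check, no link in the
 * message is expanded, but the message still goes through the $escape step.
 *
 * NOTE(review): in this listing the HTML strings were lost to rendering
 * (every replacement read '' and [br] became a literal line break); the tags
 * below are reconstructed from the inline comments. The listing also showed
 * two link-expansion branches (http vs. local) with identical bodies, so they
 * are merged here; presumably external links were originally wrapped
 * differently (e.g. via the url.php redirector) — confirm upstream.
 *
 * @uses    preg_match_all()
 * @uses    preg_replace()
 * @uses    strtr()
 * @uses    htmlspecialchars()
 *
 * @param   string  $message  the message
 * @param   boolean $escape   whether to escape html in result
 * @param   boolean $safe     whether the message is trusted HTML; when true
 *                            the '<' / '>' neutralisation is skipped
 *
 * @return  string  the sanitized message
 *
 * @access  public
 */
function PMA_sanitize($message, $escape = false, $safe = false)
{
    if (! $safe) {
        // Neutralise raw angle brackets first; only the markup expanded
        // below can then introduce real tags.
        $message = strtr($message, array('<' => '&lt;', '>' => '&gt;'));
    }

    $replace_pairs = array(
        '[i]'       => '<em>',      // deprecated by em
        '[/i]'      => '</em>',     // deprecated by em
        '[em]'      => '<em>',
        '[/em]'     => '</em>',
        '[b]'       => '<strong>',  // deprecated by strong
        '[/b]'      => '</strong>', // deprecated by strong
        '[strong]'  => '<strong>',
        '[/strong]' => '</strong>',
        '[tt]'      => '<code>',    // deprecated by CODE or KBD
        '[/tt]'     => '</code>',   // deprecated by CODE or KBD
        '[code]'    => '<code>',
        '[/code]'   => '</code>',
        '[kbd]'     => '<kbd>',
        '[/kbd]'    => '</kbd>',
        '[br]'      => '<br />',
        '[/a]'      => '</a>',
        '[sup]'     => '<sup>',
        '[/sup]'    => '</sup>',
    );
    $message = strtr($message, $replace_pairs);

    // [a@href@target]: the href may not contain '"' or '@' and the target may
    // not contain '"' or ']', so neither capture can close the attribute it
    // is inserted into below.
    $pattern = '/\[a@([^"@]*)@([^]"]*)\]/';

    if (preg_match_all($pattern, $message, $founds, PREG_SET_ORDER)) {
        $valid_links = array(
            'http', // default http:// links (and https://)
            './Do', // ./Documentation
            './ur', // url.php redirector
        );

        // Validate every link before expanding any. A rejected link leaves
        // the whole message unexpanded; it must NOT return early, because the
        // $escape step below still has to run on the unexpanded text.
        $links_ok = true;
        foreach ($founds as $found) {
            // only http... and ./Do... allowed: a 4-byte prefix check, which
            // keeps javascript:, data: and similar schemes out
            if (! in_array(substr($found[1], 0, 4), $valid_links, true)) {
                $links_ok = false;
                break;
            }
            // a-z and _ allowed in target
            if (! empty($found[2]) && preg_match('/[^a-z_]+/i', $found[2])) {
                $links_ok = false;
                break;
            }
        }

        if ($links_ok) {
            $message = preg_replace($pattern, '<a href="\1" target="\2">', $message);
        }
    }

    if ($escape) {
        // ENT_QUOTES so the result is also safe inside single-quoted
        // attributes. Note that with $safe = false the entities produced
        // above are encoded again here (&lt; becomes &amp;lt;), since
        // htmlspecialchars() double-encodes by default.
        $message = htmlspecialchars($message, ENT_QUOTES);
    }

    return $message;
}

/**
 * Sanitize a filename by removing anything besides A-Za-z0-9_.-
 *
 * Intended usecase:
 * When using a filename in a Content-Disposition header the value should not
 * contain ; or "
 *
 * Every disallowed byte is replaced by '_' (the name is not shortened), so
 * path separators and quotes cannot survive. The match is byte-wise: each
 * byte of a multibyte character becomes its own '_'.
 *
 * @param   string  $filename  The filename
 *
 * @return  string  the sanitized filename
 */
function PMA_sanitize_filename($filename)
{
    return preg_replace('/[^A-Za-z0-9_.-]/', '_', $filename);
}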