<?php
/**
* Magento
*
* NOTICE OF LICENSE
*
* This source file is subject to the Open Software License (OSL 3.0)
* that is bundled with this package in the file LICENSE.txt.
* It is also available through the world-wide-web at this URL:
* http://opensource.org/licenses/osl-3.0.php
* If you did not receive a copy of the license and are unable to
* obtain it through the world-wide-web, please send an email
* to license@magentocommerce.com so we can send you a copy immediately.
*
* DISCLAIMER
*
* Do not edit or add to this file if you wish to upgrade Magento to newer
* versions in the future. If you wish to customize Magento for your
* needs please refer to http://www.magentocommerce.com for more information.
*
* @category Mage
* @package Mage_Core
* @copyright Copyright (c) 2013 Magento Inc. (http://www.magentocommerce.com)
* @license http://opensource.org/licenses/osl-3.0.php Open Software License (OSL 3.0)
*/
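/**
 * Filter for removing malicious code from HTML
 *
 * A deny-list filter: every regular expression in $_expressions is run over
 * the input with preg_replace() and each match is cut out. The patterns cover
 * a fixed set of constructs only (comments, tabs, "javascript:" prefixes,
 * @import, expression()/behavior in style attributes, a fixed list of on*
 * event handlers, script/meta/link/frame/iframe tags and base64 src payloads).
 * Anything outside that list - e.g. an event handler that is not enumerated
 * below - passes through untouched, so treat this as defence in depth, not as
 * a replacement for context-aware output escaping.
 *
 * @category Mage
 * @package Mage_Core
 * @author Magento Core Team <core@magentocommerce.com>
 */
class Mage_Core_Model_Input_Filter_MaliciousCode implements Zend_Filter_Interface
{
    /**
     * Regular expressions for cutting malicious code
     *
     * Applied in array order; the comment pattern must stay first so that a
     * token split by a comment (java/**\/script:) is reassembled before the
     * later patterns run over it.
     *
     * @var array
     */
    protected $_expressions = array(
        //comments, must be first
        '/(\/\*.*\*\/)/Us',
        //tabs
        '/(\t)/',
        //javascript prefix
        '/(javascript\s*:)/Usi',
        //import styles
        '/(@import)/Usi',
        //js in the style attribute (HTML permits whitespace around '=')
        '/style\s*=[^<]*((expression\s*?\([^<]*?\))|(behavior\s*:))[^<]*(?=\>)/Uis',
        //js attributes; "onclick =" is valid HTML, so allow whitespace before '='
        '/(ondblclick|onclick|onkeydown|onkeypress|onkeyup|onmousedown|onmousemove|onmouseout|onmouseover|onmouseup|onload|onunload|onerror)\s*=[^<]*(?=\>)/Uis',
        //tags
        '/<\/?(script|meta|link|frame|iframe).*>/Uis',
        //base64 usage
        '/src\s*=[^<]*base64[^<]*(?=\>)/Uis',
    );

    /**
     * Filter value
     *
     * The expressions are re-applied until a pass removes nothing. A single
     * preg_replace() pass scans each pattern once, so cutting "<script>" out
     * of "<scr<script>ipt>" leaves a fresh "<script>" that pass never sees.
     * Every built-in pattern consumes at least one character and replaces it
     * with nothing, so each productive pass strictly shortens the input and
     * the loop terminates; the $result !== $subject guard additionally stops
     * a zero-width expression added via addExpression() from looping forever.
     *
     * @param string|array $value
     * @return string|array|null Filtered value; null when PCRE fails (e.g. the
     *                           backtrack limit), so callers never receive the
     *                           unfiltered input
     */
    public function filter($value)
    {
        $subject = $value;
        do {
            $result = preg_replace($this->_expressions, '', $subject, -1, $count);
            if ($result === null) {
                // PCRE error: fail closed by propagating null instead of the raw input
                return null;
            }
            $changed = ($count > 0 && $result !== $subject);
            $subject = $result;
        } while ($changed);
        return $result;
    }

    /**
     * Add expression
     *
     * Appends a pattern unless an identical one is already registered.
     * Expressions are applied in insertion order, so a pattern that relies on
     * the built-in comment stripping must be added after it.
     *
     * @param string $expression PCRE pattern, including delimiters and flags
     * @return Mage_Core_Model_Input_Filter_MaliciousCode
     */
    public function addExpression($expression)
    {
        // strict comparison: patterns are strings and must never be compared numerically
        if (!in_array($expression, $this->_expressions, true)) {
            $this->_expressions[] = $expression;
        }
        return $this;
    }

    /**
     * Set expressions
     *
     * Replaces the whole pattern list, including the built-in ones; the
     * caller is responsible for keeping the comment pattern first if any of
     * its own patterns depend on it.
     *
     * @param array $expressions PCRE patterns applied in array order
     * @return Mage_Core_Model_Input_Filter_MaliciousCode
     */
    public function setExpressions(array $expressions)
    {
        $this->_expressions = $expressions;
        return $this;
    }
}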