<?php /** * Zend Framework * * LICENSE * * This source file is subject to the new BSD license that is bundled * with this package in the file LICENSE.txt. * It is also available through the world-wide-web at this URL: * http://framework.zend.com/license/new-bsd * If you did not receive a copy of the license and are unable to * obtain it through the world-wide-web, please send an email * to license@zend.com so we can send you a copy immediately. * * @category Zend * @package Zend_Filter * @copyright Copyright (c) 2005-2014 Zend Technologies USA Inc. (http://www.zend.com) * @license http://framework.zend.com/license/new-bsd New BSD License * @version $Id$ */ /** * @see Zend_Filter_Interface */ require_once 'Zend/Filter/Interface.php'; /** * @category Zend * @package Zend_Filter * @copyright Copyright (c) 2005-2014 Zend Technologies USA Inc. (http://www.zend.com) * @license http://framework.zend.com/license/new-bsd New BSD License */ class Zend_Filter_StripTags implements Zend_Filter_Interface { /** * Unique ID prefix used for allowing comments */ const UNIQUE_ID_PREFIX = '__Zend_Filter_StripTags__'; /** * Whether comments are allowed * * If false (the default), then comments are removed from the input string. * * This setting is now deprecated, and ignored internally. * * @deprecated * @var boolean */ public $commentsAllowed = false; /** * Array of allowed tags and allowed attributes for each allowed tag * * Tags are stored in the array keys, and the array values are themselves * arrays of the attributes allowed for the corresponding tag. * * @var array */ protected $_tagsAllowed = array(); /** * Array of allowed attributes for all allowed tags * * Attributes stored here are allowed for all of the allowed tags. * * @var array */ protected $_attributesAllowed = array(); /** * Sets the filter options * Allowed options are * 'allowTags' => Tags which are allowed * 'allowAttribs' => Attributes which are allowed * 'allowComments' => Are comments allowed ? * * @param string|array|Zend_Config $options * @return void */ public function __construct($options = null) { if ($options instanceof Zend_Config) { $options = $options->toArray(); } else if ((!is_array($options)) || (is_array($options) && !array_key_exists('allowTags', $options) && !array_key_exists('allowAttribs', $options) && !array_key_exists('allowComments', $options))) { $options = func_get_args(); $temp['allowTags'] = array_shift($options); if (!empty($options)) { $temp['allowAttribs'] = array_shift($options); } if (!empty($options)) { $temp['allowComments'] = array_shift($options); } $options = $temp; } if (array_key_exists('allowTags', $options)) { $this->setTagsAllowed($options['allowTags']); } if (array_key_exists('allowAttribs', $options)) { $this->setAttributesAllowed($options['allowAttribs']); } if (array_key_exists('allowComments', $options)) { $this->setCommentsAllowed($options['allowComments']); } } /** * Returns the commentsAllowed option * * This setting is now deprecated and ignored internally. * * @deprecated * @return bool */ public function getCommentsAllowed() { return $this->commentsAllowed; } /** * Sets the commentsAllowed option * * This setting is now deprecated and ignored internally. * * @deprecated * @param boolean $commentsAllowed * @return Zend_Filter_StripTags Provides a fluent interface */ public function setCommentsAllowed($commentsAllowed) { $this->commentsAllowed = (boolean) $commentsAllowed; return $this; } /** * Returns the tagsAllowed option * * @return array */ public function getTagsAllowed() { return $this->_tagsAllowed; } /** * Sets the tagsAllowed option * * @param array|string $tagsAllowed * @return Zend_Filter_StripTags Provides a fluent interface */ public function setTagsAllowed($tagsAllowed) { if (!is_array($tagsAllowed)) { $tagsAllowed = array($tagsAllowed); } foreach ($tagsAllowed as $index => $element) { // If the tag was provided without attributes if (is_int($index) && is_string($element)) { // Canonicalize the tag name $tagName = strtolower($element); // Store the tag as allowed with no attributes $this->_tagsAllowed[$tagName] = array(); } // Otherwise, if a tag was provided with attributes else if (is_string($index) && (is_array($element) || is_string($element))) { // Canonicalize the tag name $tagName = strtolower($index); // Canonicalize the attributes if (is_string($element)) { $element = array($element); } // Store the tag as allowed with the provided attributes $this->_tagsAllowed[$tagName] = array(); foreach ($element as $attribute) { if (is_string($attribute)) { // Canonicalize the attribute name $attributeName = strtolower($attribute); $this->_tagsAllowed[$tagName][$attributeName] = null; } } } } return $this; } /** * Returns the attributesAllowed option * * @return array */ public function getAttributesAllowed() { return $this->_attributesAllowed; } /** * Sets the attributesAllowed option * * @param array|string $attributesAllowed * @return Zend_Filter_StripTags Provides a fluent interface */ public function setAttributesAllowed($attributesAllowed) { if (!is_array($attributesAllowed)) { $attributesAllowed = array($attributesAllowed); } // Store each attribute as allowed foreach ($attributesAllowed as $attribute) { if (is_string($attribute)) { // Canonicalize the attribute name $attributeName = strtolower($attribute); $this->_attributesAllowed[$attributeName] = null; } } return $this; } /** * Defined by Zend_Filter_Interface * * @todo improve docblock descriptions * * @param string $value * @return string */ public function filter($value) { $value = (string) $value; // Strip HTML comments first while (strpos($value, '<!--') !== false) { $pos = strrpos($value, '<!--'); $start = substr($value, 0, $pos); $value = substr($value, $pos); // If there is no comment closing tag, strip whole text if (!preg_match('/--\s*>/s', $value)) { $value = ''; } else { $value = preg_replace('/<(?:!(?:--[\s\S]*?--\s*)?(>))/s', '', $value); } $value = $start . $value; } // Initialize accumulator for filtered data $dataFiltered = ''; // Parse the input data iteratively as regular pre-tag text followed by a // tag; either may be empty strings preg_match_all('/([^<]*)(<?[^>]*>?)/', (string) $value, $matches); // Iterate over each set of matches foreach ($matches[1] as $index => $preTag) { // If the pre-tag text is non-empty, strip any ">" characters from it if (strlen($preTag)) { $preTag = str_replace('>', '', $preTag); } // If a tag exists in this match, then filter the tag $tag = $matches[2][$index]; if (strlen($tag)) { $tagFiltered = $this->_filterTag($tag); } else { $tagFiltered = ''; } // Add the filtered pre-tag text and filtered tag to the data buffer $dataFiltered .= $preTag . $tagFiltered; } // Return the filtered data return $dataFiltered; } /** * Filters a single tag against the current option settings * * @param string $tag * @return string */ protected function _filterTag($tag) { // Parse the tag into: // 1. a starting delimiter (mandatory) // 2. a tag name (if available) // 3. a string of attributes (if available) // 4. an ending delimiter (if available) $isMatch = preg_match('~(</?)(\w*)((/(?!>)|[^/>])*)(/?>)~', $tag, $matches); // If the tag does not match, then strip the tag entirely if (!$isMatch) { return ''; } // Save the matches to more meaningfully named variables $tagStart = $matches[1]; $tagName = strtolower($matches[2]); $tagAttributes = $matches[3]; $tagEnd = $matches[5]; // If the tag is not an allowed tag, then remove the tag entirely if (!isset($this->_tagsAllowed[$tagName])) { return ''; } // Trim the attribute string of whitespace at the ends $tagAttributes = trim($tagAttributes); // If there are non-whitespace characters in the attribute string if (strlen($tagAttributes)) { // Parse iteratively for well-formed attributes preg_match_all('/([\w-]+)\s*=\s*(?:(")(.*?)"|(\')(.*?)\')/s', $tagAttributes, $matches); // Initialize valid attribute accumulator $tagAttributes = ''; // Iterate over each matched attribute foreach ($matches[1] as $index => $attributeName) { $attributeName = strtolower($attributeName); $attributeDelimiter = empty($matches[2][$index]) ? $matches[4][$index] : $matches[2][$index]; $attributeValue = empty($matches[3][$index]) ? $matches[5][$index] : $matches[3][$index]; // If the attribute is not allowed, then remove it entirely if (!array_key_exists($attributeName, $this->_tagsAllowed[$tagName]) && !array_key_exists($attributeName, $this->_attributesAllowed)) { continue; } // Add the attribute to the accumulator $tagAttributes .= " $attributeName=" . $attributeDelimiter . $attributeValue . $attributeDelimiter; } } // Reconstruct tags ending with "/>" as backwards-compatible XHTML tag if (strpos($tagEnd, '/') !== false) { $tagEnd = " $tagEnd"; } // Return the filtered tag return $tagStart . $tagName . $tagAttributes . $tagEnd; } }