first commit
This commit is contained in:
CHIEFSOFT\ameye
@@ -0,0 +1,109 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
/**
|
||||
* This file is part of CodeIgniter 4 framework.
|
||||
*
|
||||
* (c) CodeIgniter Foundation <admin@codeigniter.com>
|
||||
*
|
||||
* For the full copyright and license information, please view
|
||||
* the LICENSE file that was distributed with this source code.
|
||||
*/
|
||||
|
||||
// CodeIgniter Security Helpers
|
||||
|
||||
if (! function_exists('sanitize_filename')) {
|
||||
/**
|
||||
* Sanitize Filename
|
||||
*
|
||||
* Tries to sanitize filenames in order to prevent directory traversal attempts
|
||||
* and other security threats, which is particularly useful for files that
|
||||
* were supplied via user input.
|
||||
*
|
||||
* If it is acceptable for the user input to include relative paths,
|
||||
* e.g. file/in/some/approved/folder.txt, you can set the second optional
|
||||
* parameter, $relativePath to TRUE.
|
||||
*
|
||||
* @param string $filename Input file name
|
||||
* @param bool $relativePath Whether to preserve paths
|
||||
*/
|
||||
function sanitize_filename(string $filename, bool $relativePath = false): string
|
||||
{
|
||||
// List of sanitized filename strings
|
||||
$bad = [
|
||||
'../',
|
||||
'<!--',
|
||||
'-->',
|
||||
'<',
|
||||
'>',
|
||||
"'",
|
||||
'"',
|
||||
'&',
|
||||
'$',
|
||||
'#',
|
||||
'{',
|
||||
'}',
|
||||
'[',
|
||||
']',
|
||||
'=',
|
||||
';',
|
||||
'?',
|
||||
'%20',
|
||||
'%22',
|
||||
'%3c',
|
||||
'%253c',
|
||||
'%3e',
|
||||
'%0e',
|
||||
'%28',
|
||||
'%29',
|
||||
'%2528',
|
||||
'%26',
|
||||
'%24',
|
||||
'%3f',
|
||||
'%3b',
|
||||
'%3d',
|
||||
];
|
||||
|
||||
if (! $relativePath) {
|
||||
$bad[] = './';
|
||||
$bad[] = '/';
|
||||
}
|
||||
|
||||
$filename = remove_invisible_characters($filename, false);
|
||||
|
||||
do {
|
||||
$old = $filename;
|
||||
$filename = str_replace($bad, '', $filename);
|
||||
} while ($old !== $filename);
|
||||
|
||||
return stripslashes($filename);
|
||||
}
|
||||
}
|
||||
|
||||
if (! function_exists('strip_image_tags')) {
|
||||
/**
|
||||
* Strip Image Tags
|
||||
*/
|
||||
function strip_image_tags(string $str): string
|
||||
{
|
||||
return preg_replace(
|
||||
[
|
||||
'#<img[\s/]+.*?src\s*=\s*(["\'])([^\\1]+?)\\1.*?\>#i',
|
||||
'#<img[\s/]+.*?src\s*=\s*?(([^\s"\'=<>`]+)).*?\>#i',
|
||||
],
|
||||
'\\2',
|
||||
$str,
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
if (! function_exists('encode_php_tags')) {
|
||||
/**
|
||||
* Convert PHP tags to entities
|
||||
*/
|
||||
function encode_php_tags(string $str): string
|
||||
{
|
||||
return str_replace(['<?', '?>'], ['<?', '?>'], $str);
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user