';
}
return $output;
}
/**
* @brief Generates a random string.
*
* @param number $size
* @param int $type
*
* @return string
*/
function random_string($size = 64, $type = RANDOM_STRING_HEX) {
// generate a bit of entropy and run it through the whirlpool
$s = hash('whirlpool', (string) rand() . uniqid(rand(),true) . (string) rand(),(($type == RANDOM_STRING_TEXT) ? true : false));
$s = (($type == RANDOM_STRING_TEXT) ? str_replace("\n","",base64url_encode($s,true)) : $s);
return(substr($s, 0, $size));
}
/**
* @brief This is our primary input filter.
*
* The high bit hack only involved some old IE browser, forget which (IE5/Mac?)
* that had an XSS attack vector due to stripping the high-bit on an 8-bit character
* after cleansing, and angle chars with the high bit set could get through as markup.
*
* This is now disabled because it was interfering with some legitimate unicode sequences
* and hopefully there aren't a lot of those browsers left.
*
* Use this on any text input where angle chars are not valid or permitted
* They will be replaced with safer brackets. This may be filtered further
* if these are not allowed either.
*
* @param string $string Input string
*
* @return string Filtered string
*/
function notags($string) {
return(str_replace(array("<",">"), array('[',']'), $string));
// High-bit filter no longer used
// return(str_replace(array("<",">","\xBA","\xBC","\xBE"), array('[',']','','',''), $string));
}
/**
* use this on "body" or "content" input where angle chars shouldn't be removed,
* and allow them to be safely displayed.
*
* @param string $string
*
* @return string
*/
function escape_tags($string) {
if (!$string) {
return EMPTY_STR;
}
return (htmlspecialchars($string, ENT_COMPAT, 'UTF-8', false));
}
function unescape_tags($string) {
if (!$string) {
return EMPTY_STR;
}
return (htmlspecialchars_decode($string, ENT_COMPAT));
}
/**
* Escape URL's so they're safe for use in HTML and in HTML element attributes.
*/
function escape_url($input) {
if (empty($input)) {
return EMPTY_STR;
}
// This is a bit crude but seems to do the trick for now. It makes no
// guarantees that the URL is valid for use after escaping.
return htmlspecialchars($input, ENT_HTML5 | ENT_QUOTES);
}
function z_input_filter($s,$type = 'text/bbcode',$allow_code = false) {
if($type === 'text/bbcode')
return escape_tags($s);
if($type == 'text/plain')
return escape_tags($s);
if($type == 'application/x-pdl')
return escape_tags($s);
if(App::$is_sys) {
return $s;
}
if($allow_code) {
if($type === 'text/markdown')
return htmlspecialchars($s,ENT_QUOTES);
return $s;
}
if($type === 'text/markdown') {
$x = new Zlib\MarkdownSoap($s);
return $x->clean();
}
if($type === 'text/html')
return purify_html($s);
return escape_tags($s);
}
/**
* @brief Use HTMLPurifier to get standards compliant HTML.
*
* Use the HTMLPurifier
* library to get filtered and standards compliant HTML.
*
* @see HTMLPurifier
*
* @param string $s raw HTML
* @param boolean $allow_position allow CSS position
* @return string standards compliant filtered HTML
*/
function purify_html($s, $allow_position = false) {
/**
* @FIXME this function has html output, not bbcode - so safely purify these
* require_once('include/html2bbcode.php');
* $s = html2bb_video($s);
* $s = oembed_html2bbcode($s);
*/
$config = HTMLPurifier_Config::createDefault();
$config->set('Cache.DefinitionImpl', null);
$config->set('Attr.EnableID', true);
// If enabled, target=blank attributes are added to all links.
//$config->set('HTML.TargetBlank', true);
//$config->set('Attr.AllowedFrameTargets', ['_blank', '_self', '_parent', '_top']);
// restore old behavior of HTMLPurifier < 4.8, only used when targets allowed at all
// do not add rel="noreferrer" to all links with target attributes
//$config->set('HTML.TargetNoreferrer', false);
// do not add noopener rel attributes to links which have a target attribute associated with them
//$config->set('HTML.TargetNoopener', false);
//Allow some custom data- attributes used by built-in libs.
//In this way members which do not have allowcode set can still use the built-in js libs in webpages to some extent.
$def = $config->getHTMLDefinition(true);
//data- attributes used by the foundation library
// f6 navigation
//dropdown menu
$def->info_global_attr['data-dropdown-menu'] = new HTMLPurifier_AttrDef_Text;
//drilldown menu
$def->info_global_attr['data-drilldown'] = new HTMLPurifier_AttrDef_Text;
//accordion menu
$def->info_global_attr['data-accordion-menu'] = new HTMLPurifier_AttrDef_Text;
//responsive navigation
$def->info_global_attr['data-responsive-menu'] = new HTMLPurifier_AttrDef_Text;
$def->info_global_attr['data-responsive-toggle'] = new HTMLPurifier_AttrDef_Text;
//magellan
$def->info_global_attr['data-magellan'] = new HTMLPurifier_AttrDef_Text;
$def->info_global_attr['data-magellan-target'] = new HTMLPurifier_AttrDef_Text;
// f6 containers
//accordion
$def->info_global_attr['data-accordion'] = new HTMLPurifier_AttrDef_Text;
$def->info_global_attr['data-accordion-item'] = new HTMLPurifier_AttrDef_Text;
$def->info_global_attr['data-tab-content'] = new HTMLPurifier_AttrDef_Text;
//dropdown
$def->info_global_attr['data-dropdown'] = new HTMLPurifier_AttrDef_Text;
//off-canvas
$def->info_global_attr['data-off-canvas-wrapper'] = new HTMLPurifier_AttrDef_Text;
$def->info_global_attr['data-off-canvas'] = new HTMLPurifier_AttrDef_Text;
$def->info_global_attr['data-off-canvas-content'] = new HTMLPurifier_AttrDef_Text;
//reveal
$def->info_global_attr['data-reveal'] = new HTMLPurifier_AttrDef_Text;
//tabs
$def->info_global_attr['data-tabs'] = new HTMLPurifier_AttrDef_Text;
$def->info_global_attr['data-tabs-content'] = new HTMLPurifier_AttrDef_Text;
// f6 media
//orbit
$def->info_global_attr['data-orbit'] = new HTMLPurifier_AttrDef_Text;
$def->info_global_attr['data-slide'] = new HTMLPurifier_AttrDef_Text;
//tooltip
$def->info_global_attr['data-tooltip'] = new HTMLPurifier_AttrDef_Text;
// f6 plugins
//abide - the use is pointless since we can't do anything with forms
//equalizer
$def->info_global_attr['data-equalizer'] = new HTMLPurifier_AttrDef_Text;
$def->info_global_attr['data-equalizer-watch'] = new HTMLPurifier_AttrDef_Text;
//interchange - potentially dangerous since it can load content
//toggler
$def->info_global_attr['data-toggler'] = new HTMLPurifier_AttrDef_Text;
//sticky
$def->info_global_attr['data-sticky'] = new HTMLPurifier_AttrDef_Text;
$def->info_global_attr['data-sticky-container'] = new HTMLPurifier_AttrDef_Text;
// f6 common
$def->info_global_attr['data-options'] = new HTMLPurifier_AttrDef_Text;
$def->info_global_attr['data-toggle'] = new HTMLPurifier_AttrDef_Text;
$def->info_global_attr['data-close'] = new HTMLPurifier_AttrDef_Text;
$def->info_global_attr['data-open'] = new HTMLPurifier_AttrDef_Text;
$def->info_global_attr['data-position'] = new HTMLPurifier_AttrDef_Text;
//data- attributes used by the bootstrap library
$def->info_global_attr['data-bs-target'] = new HTMLPurifier_AttrDef_Text;
$def->info_global_attr['data-bs-ride'] = new HTMLPurifier_AttrDef_Text;
$def->info_global_attr['data-bs-slide'] = new HTMLPurifier_AttrDef_Text;
$def->info_global_attr['data-bs-toggle'] = new HTMLPurifier_AttrDef_Text;
$def->info_global_attr['data-bs-animation'] = new HTMLPurifier_AttrDef_Text;
$def->info_global_attr['data-bs-title'] = new HTMLPurifier_AttrDef_Text;
$def->info_global_attr['data-bs-delay'] = new HTMLPurifier_AttrDef_Text;
$def->info_global_attr['data-bs-parent'] = new HTMLPurifier_AttrDef_Text;
$def->info_global_attr['data-bs-offset'] = new HTMLPurifier_AttrDef_Text;
$def->info_global_attr['data-bs-dismiss'] = new HTMLPurifier_AttrDef_Text;
$def->info_global_attr['data-bs-backdrop'] = new HTMLPurifier_AttrDef_Text;
$def->info_global_attr['data-bs-keyboard'] = new HTMLPurifier_AttrDef_Text;
$def->info_global_attr['data-bs-content'] = new HTMLPurifier_AttrDef_Text;
$def->info_global_attr['data-bs-container'] = new HTMLPurifier_AttrDef_Text;
$def->info_global_attr['data-bs-trigger'] = new HTMLPurifier_AttrDef_Text;
$def->info_global_attr['data-bs-spy'] = new HTMLPurifier_AttrDef_Text;
$def->info_global_attr['data-bs-placement'] = new HTMLPurifier_AttrDef_Text;
$def->info_global_attr['data-bs-slide-to'] = new HTMLPurifier_AttrDef_Text;
$def->info_global_attr['data-bs-interval'] = new HTMLPurifier_AttrDef_Text;
$def->info_global_attr['data-bs-pause'] = new HTMLPurifier_AttrDef_Text;
$def->info_global_attr['data-bs-wrap'] = new HTMLPurifier_AttrDef_Text;
$def->info_global_attr['data-bs-display'] = new HTMLPurifier_AttrDef_Text;
$def->info_global_attr['data-bs-root-margin'] = new HTMLPurifier_AttrDef_Text;
$def->info_global_attr['data-bs-smooth-scroll'] = new HTMLPurifier_AttrDef_Text;
$def->info_global_attr['data-bs-dismiss'] = new HTMLPurifier_AttrDef_Text;
$def->info_global_attr['data-bs-delay'] = new HTMLPurifier_AttrDef_Text;
$def->info_global_attr['data-bs-autohide'] = new HTMLPurifier_AttrDef_Text;
$def->info_global_attr['data-bs-scroll'] = new HTMLPurifier_AttrDef_Text;
$def->info_global_attr['data-bs-reference'] = new HTMLPurifier_AttrDef_Text;
$def->info_global_attr['data-bs-config'] = new HTMLPurifier_AttrDef_Text;
$def->info_global_attr['data-bs-custom-class'] = new HTMLPurifier_AttrDef_Text;
//old
$def->info_global_attr['data-bs-show'] = new HTMLPurifier_AttrDef_Text;
$def->info_global_attr['data-bs-offset-top'] = new HTMLPurifier_AttrDef_Text;
$def->info_global_attr['data-bs-offset-bottom'] = new HTMLPurifier_AttrDef_Text;
//some html5 elements
//Block
$def->addElement('section', 'Block', 'Flow', 'Common');
$def->addElement('nav', 'Block', 'Flow', 'Common');
$def->addElement('article', 'Block', 'Flow', 'Common');
$def->addElement('aside', 'Block', 'Flow', 'Common');
$def->addElement('header', 'Block', 'Flow', 'Common');
$def->addElement('footer', 'Block', 'Flow', 'Common');
//Inline
$def->addElement('button', 'Inline', 'Inline', 'Common');
$def->addElement('mark', 'Inline', 'Inline', 'Common');
if($allow_position) {
$cssDefinition = $config->getCSSDefinition();
$cssDefinition->info['position'] = new HTMLPurifier_AttrDef_Enum(array('absolute', 'fixed', 'relative', 'static', 'inherit'), false);
$cssDefinition->info['left'] = new HTMLPurifier_AttrDef_CSS_Composite(array(
new HTMLPurifier_AttrDef_CSS_Length(),
new HTMLPurifier_AttrDef_CSS_Percentage()
));
$cssDefinition->info['right'] = new HTMLPurifier_AttrDef_CSS_Composite(array(
new HTMLPurifier_AttrDef_CSS_Length(),
new HTMLPurifier_AttrDef_CSS_Percentage()
));
$cssDefinition->info['top'] = new HTMLPurifier_AttrDef_CSS_Composite(array(
new HTMLPurifier_AttrDef_CSS_Length(),
new HTMLPurifier_AttrDef_CSS_Percentage()
));
$cssDefinition->info['bottom'] = new HTMLPurifier_AttrDef_CSS_Composite(array(
new HTMLPurifier_AttrDef_CSS_Length(),
new HTMLPurifier_AttrDef_CSS_Percentage()
));
}
$purifier = new HTMLPurifier($config);
return $purifier->purify($s);
}
/**
* @brief Generate a string that's random, but usually pronounceable.
*
* Used to generate initial passwords.
*
* @note In order to create "pronounceable" strings some consonant pairs or
* letters that does not make a very good word ending are chopped off, so that
* the returned string length can be lower than $len.
*
* @param int $len max length of generated string
* @return string Genereated random, but usually pronounceable string
*/
function autoname($len) {
if ($len <= 0)
return '';
$vowels = array('a','a','ai','au','e','e','e','ee','ea','i','ie','o','ou','u');
if (mt_rand(0, 5) == 4)
$vowels[] = 'y';
$cons = array(
'b','bl','br',
'c','ch','cl','cr',
'd','dr',
'f','fl','fr',
'g','gh','gl','gr',
'h',
'j',
'k','kh','kl','kr',
'l',
'm',
'n',
'p','ph','pl','pr',
'qu',
'r','rh',
's','sc','sh','sm','sp','st',
't','th','tr',
'v',
'w','wh',
'x',
'z','zh'
);
$midcons = array('ck','ct','gn','ld','lf','lm','lt','mb','mm', 'mn','mp',
'nd','ng','nk','nt','rn','rp','rt');
// avoid these consonant pairs at the end of the string
$noend = array('bl', 'br', 'cl','cr','dr','fl','fr','gl','gr',
'kh', 'kl','kr','mn','pl','pr','rh','tr','qu','wh');
$start = mt_rand(0, 2);
if ($start == 0)
$table = $vowels;
else
$table = $cons;
$word = '';
for ($x = 0; $x < $len; $x ++) {
$r = mt_rand(0, count($table) - 1);
$word .= $table[$r];
if ($table == $vowels)
$table = array_merge($cons, $midcons);
else
$table = $vowels;
}
$word = substr($word, 0, $len);
foreach ($noend as $noe) {
if ((strlen($word) > 2) && (substr($word, -2) == $noe)) {
$word = substr($word, 0, -1);
break;
}
}
// avoid the letter 'q' as it does not make a very good word ending
if (substr($word, -1) == 'q')
$word = substr($word, 0, -1);
return $word;
}
/**
* @brief escape text ($str) for XML transport
*
* @param string $str
* @return string Escaped text.
*/
function xmlify($str) {
//$buffer = '';
if (!$str)
return EMPTY_STR;
if(is_array($str)) {
// allow to fall through so we ge a PHP error, as the log statement will
// probably get lost in the noise unless we're specifically looking for it.
btlogger('xmlify called with array: ' . print_r($str,true), LOGGER_NORMAL, LOG_WARNING);
}
/*
$len = mb_strlen($str);
for($x = 0; $x < $len; $x ++) {
$char = mb_substr($str,$x,1);
switch( $char ) {
case "\r" :
break;
case "&" :
$buffer .= '&';
break;
case "'" :
$buffer .= ''';
break;
case "\"" :
$buffer .= '"';
break;
case '<' :
$buffer .= '<';
break;
case '>' :
$buffer .= '>';
break;
case "\n" :
$buffer .= "\n";
break;
default :
$buffer .= $char;
break;
}
}
$buffer = trim($buffer);
return($buffer);
*/
$buffer = htmlspecialchars($str, ENT_QUOTES, "UTF-8");
$buffer = trim($buffer);
return $buffer;
}
/**
* @brief Undo an xmlify.
*
* Pass xml escaped text ($s), returns unescaped text.
*
* @param string $s
*
* @return string
*/
function unxmlify($s) {
/*
$ret = str_replace('&', '&', $s);
$ret = str_replace(array('<', '>', '"', '''), array('<', '>', '"', "'"), $ret);
return $ret;
*/
if (!$s)
return EMPTY_STR;
if(is_array($s)) {
// allow to fall through so we ge a PHP error, as the log statement will
// probably get lost in the noise unless we're specifically looking for it.
btlogger('unxmlify called with array: ' . print_r($s,true), LOGGER_NORMAL, LOG_WARNING);
}
$ret = htmlspecialchars_decode($s, ENT_QUOTES);
return $ret;
}
/**
* @brief Automatic pagination.
*
* To use, get the count of total items.
* Then call App::set_pager_total($number_items);
* Optionally call App::set_pager_itemspage($n) to the number of items to display on each page
* Then call paginate($a) after the end of the display loop to insert the pager block on the page
* (assuming there are enough items to paginate).
* When using with SQL, the setting LIMIT %d, %d => App::$pager['start'],App::$pager['itemspage']
* will limit the results to the correct items for the current page.
* The actual page handling is then accomplished at the application layer.
*
*/
function paginate() {
$o = '';
$stripped = preg_replace('/(&page=[0-9]*)/','',App::$query_string);
// $stripped = preg_replace('/&zid=(.*?)([\?&]|$)/ism','',$stripped);
$stripped = str_replace('q=','',$stripped);
$stripped = trim($stripped,'/');
$pagenum = App::$pager['page'];
$url = z_root() . '/' . $stripped;
if(App::$pager['total'] > App::$pager['itemspage']) {
$o .= '