Changeset 155 for trunk/trax/vendor/trax/input_filter.php

Timestamp:

02/28/06 12:49:52 (6 years ago)

Author:

haas

Message:

more documentation

Files:

• trunk/trax/vendor/trax/input_filter.php (modified) (12 diffs)

trunk/trax/vendor/trax/input_filter.php

@@ -1 +1 @@
 <?php
-
 /**
  *  File containing the InputFilter class
@@ -7 +6 @@
  *
  *  @package PHPonTrax
- *  @version 1.2.2_php5
+ *  @version $Id$
  *  @author Daniel Morris
  *  contributors: Gianpaolo Racca, Ghislain Picard, Marco Wandschneider,
@@ -16 +15 @@
 
 /**
+ *  Filter user input to remove potential security threats
  *
- *  @todo Document this class
- *  @package PHPonTrax
+ *  InputFilter has three public methods that are useful in protecting
+ *  a web site from potential security threats from user input.
+ *  <ul>
+ *    <li>{@link safeSQL()} protects SQL from the user.</li>
+ *    <li>{@link process()} protects HTML tags and attributes from the
+ *      user.</li>
+ *    <li>{@link process_all()} applies {@link process()} to all
+ *      possible sources of user input</li>
+ *  </ul>
+ *  @todo Check FIXMEs
  */
 class InputFilter {
     
+    /**
+     *  User-provided list of tags to either accept or reject
+     *
+     *  Whether the tags in this list are accepted or rejected is
+     *  determined by the value of {@link $tagsMethod}.
+     *  <b>FIXME:</b> static declaration must be after visibility declaration
+     *  @var string[]
+     */
     static protected $tagsArray = array();  // default = empty array
+    
+    /**
+     *  User-provided list of attributes to either accept or reject
+     *
+     *  Whether the attributes in this list are accepted or rejected is
+     *  determined by the value of {@link $attrMethod}.
+     *  <b>FIXME:</b> static declaration must be after visibility declaration
+     *  @var string[]
+     */
     static protected $attrArray = array();  // default = empty array
-
+    
+    /**
+     *  How to apply user-provided tags list
+     *
+     *  Which method to use when applying the list of tags provided by
+     *  the user and stored in {@link $tagsArray}.
+     *  @var boolean Tested by {@link filterTags()} to see whether the
+     *               user-provide list of tags in {@link $tagsArray}
+     *               describes those tags which are forbidden, or
+     *               those tags which are permitted.  Default false.
+     *  <ul>
+     *    <li>true =>  Remove  those tags which are in
+     *                 {@link $tagsArray}.</li> 
+     *    <li>false => Allow only those tags which are listed in
+     *                 {@link $tagsArray}.</li> 
+     *  </ul>
+     *  <b>FIXME:</b> static declaration must be after visibility declaration
+     */
     static protected $tagsMethod = 0;   // default = 0
+    
+    /**
+     *  How to apply user-provided attribute list
+     *
+     *  Which method to use when applying the list of attributes
+     *  provided by the user and stored in {@link $attrArray}.
+     *  @var boolean Tested by {@link filterAttr()} to see whether the
+     *               user-provide list of tags in {@link $attrArray}
+     *               describes those tags which are forbidden, or
+     *               those tags which are permitted.  Default false.
+     *  <ul>
+     *    <li>true =>  Remove  those tags which are in
+     *                 {@link $attrArray}.</li> 
+     *    <li>false => Allow only those tags which are listed in
+     *                 {@link $attrArray}.</li> 
+     *  </ul>
+     *  <b>FIXME:</b> static declaration must be after visibility declaration
+     */
     static protected $attrMethod = 0;   // default = 0
 
+    
+    /**
+     *  Whether to remove blacklisted tags and attributes
+     *
+     *  @var boolean Tested by {@link filterAttr()} and
+     *               {@link filterTags()} to see whether to remove
+     *               blacklisted tags and attributes.  Default true.
+     *  <ul>
+     *    <li>true => Remove tags in {@link $tagBlacklist} and
+     *                attributes in {@link $attrBlacklist}, in
+     *                addition to all other potentially suspect tags
+     *                and attributes.</li>
+     *    <li>false => Remove potentially suspect tags and attributes
+     *      without consulting{@link $tagBlacklist} or
+     *      {@link $attrBlacklist}.</li> 
+     *  </ul>
+     *  <b>FIXME:</b> static declaration must be after visibility declaration
+     */
     static protected $xssAuto = 1;     // default = 1
-    static protected $tagBlacklist = array('applet', 'body', 'bgsound', 'base', 'basefont', 'embed', 'frame', 'frameset', 'head', 'html', 'id', 'iframe', 'ilayer', 'layer', 'link', 'meta', 'name', 'object', 'script', 'style', 'title', 'xml');
-    static protected $attrBlacklist = array('action', 'background', 'codebase', 'dynsrc', 'lowsrc');  // also will strip ALL event handlers
+    
+    /**
+     *  List of tags to be removed
+     *
+     *  If {@link $xssAuto} is true, remove the tags in this list.
+     *  @var string[]
+     *  <b>FIXME:</b> static declaration must be after visibility declaration
+     */
+    static protected $tagBlacklist =
+        array('applet', 'body', 'bgsound', 'base', 'basefont', 'embed',
+              'frame', 'frameset', 'head', 'html', 'id', 'iframe',
+              'ilayer', 'layer', 'link', 'meta', 'name', 'object',
+              'script', 'style', 'title', 'xml');
+    
+    /**
+     *  List of attributes to be removed
+     *
+     *  If {@link $xssAuto} is true, remove the attributes in this list.
+     *  @var string[]
+     *  <b>FIXME:</b> static declaration must be after visibility declaration
+     */
+    static protected $attrBlacklist =
+        array('action', 'background', 'codebase', 'dynsrc', 'lowsrc'); 
         
     /** 
-      * Constructor for inputFilter class. Only first parameter is required.
-      *
-      * @param Array $tagsArray - list of user-defined tags
-      * @param Array $attrArray - list of user-defined attributes
-      * @param int $tagsMethod - 0= allow just user-defined, 1= allow all but user-defined
-      * @param int $attrMethod - 0= allow just user-defined, 1= allow all but user-defined
-      * @param int $xssAuto - 0= only auto clean essentials, 1= allow clean blacklisted tags/attr
-      */
-    public function __construct($tagsArray = array(), $attrArray = array(), $tagsMethod = 0, $attrMethod = 0, $xssAuto = 1) {       
+     *  Constructor for InputFilter class.
+     *
+     *  @param string[] $tagsArray  User-provided list of tags to
+     *                              either accept or reject.  Default: none
+     *  @param string[] $attrArray  User-provided list of attributes to
+     *                              either accept or reject.  Default: none
+     *  @param boolean $tagsMethod How to apply the list of tags in $tagsArray:
+     *  <ul>
+     *    <li>true =>  Remove  those tags which are listed in
+     *                 $tagsArray.</li>  
+     *    <li>false => Allow only those tags which are listed in
+     *                 $tagsArray.</li>  
+     *  </ul>
+     *  Default: false
+     *  @param boolean $attrMethod How to apply the list of attributess in $attrArray:
+     *  <ul>
+     *    <li>true =>  Remove  those attributes which are listed in
+     *                 $attrArray.</li>  
+     *    <li>false => Allow only those attributes which are listed in
+     *                 $attrArray.</li>  
+     *  </ul>
+     *  Default: false
+     *  @param boolean $xssAuto Behavior of {@link filterTags()}:
+     *  <ul>
+     *    <li>true => Remove tags in {@link $tagBlacklist} and
+     *                attributes in {@link $attrBlacklist}, in
+     *                addition to all other potentially suspect tags
+     *                and attributes.</li>
+     *    <li>false => Remove potentially suspect tags and attributes
+     *      without consulting{@link $tagBlacklist} or
+     *      {@link $attrBlacklist}.</li> 
+     *  </ul>
+     *  Default: true
+     *  @uses $attrArray
+     *  @uses $attrMethod
+     *  @uses $tagsArray
+     *  @uses $tagsMethod
+     */
+    public function __construct($tagsArray = array(), $attrArray = array(),
+                                $tagsMethod = 0, $attrMethod = 0,
+                                $xssAuto = 1) { 
         // make sure user defined arrays are in lowercase
         for ($i = 0; $i < count($tagsArray); $i++) $tagsArray[$i] = strtolower($tagsArray[$i]);
@@ -54 +185 @@
 
     /**
-      * Added by John Peterson
-      * Method to be called by Trax dispatcher to clean all passed in input. Processes for XSS and specified bad code.
-      * @access public
-      *  @todo Document this method
-      */
-    public function process_all($tagsArray = array(), $attrArray = array(), $tagsMethod = 0, $attrMethod = 0, $xssAuto = 1) {
-        self::__construct($tagsArray, $attrArray, $tagsMethod, $attrMethod, $xssAuto);
+     *  Remove forbidden tags and attributes from user input
+     *
+     *  Construct an InputFilter object.  Then apply the
+     *  {@link process()} method to each of the user input arrays
+     *  {@link http://www.php.net/reserved.variables#reserved.variables.post $_POST},
+     *  {@link http://www.php.net/reserved.variables#reserved.variables.get $_GET} and
+     *  {@link http://www.php.net/reserved.variables#reserved.variables.request $_REQUEST}.
+     *  <b>FIXME:</b> isn't it partly redundant to do this to $_REQUEST?
+     *  Shouldn't we do it to $_COOKIE instead?
+     *  @param string[] $tagsArray  User-provided list of tags to
+     *                              either accept or reject.  Default: none
+     *  @param string[] $attrArray  User-provided list of attributes to
+     *                              either accept or reject.  Default: none
+     *  @param boolean $tagsMethod How to apply the list of tags in $tagsArray:
+     *  <ul>
+     *    <li>true =>  Remove  those tags which are listed in
+     *                 $tagsArray.</li>  
+     *    <li>false => Allow only those tags which are listed in
+     *                 $tagsArray.</li>  
+     *  </ul>
+     *  Default: false
+     *  @param boolean $attrMethod How to apply the list of attributess in $attrArray:
+     *  <ul>
+     *    <li>true =>  Remove  those attributes which are listed in
+     *                 $attrArray.</li>  
+     *    <li>false => Allow only those attributes which are listed in
+     *                 $attrArray.</li>  
+     *  </ul>
+     *  Default: false
+     *  @param boolean $xssAuto Behavior of {@link filterTags()}:
+     *  <ul>
+     *    <li>true => Remove tags in {@link $tagBlacklist} and
+     *                attributes in {@link $attrBlacklist}, in
+     *                addition to all other potentially suspect tags
+     *                and attributes.</li>
+     *    <li>false => Remove potentially suspect tags and attributes
+     *      without consulting{@link $tagBlacklist} or
+     *      {@link $attrBlacklist}.</li> 
+     *  </ul>
+     *  Default: true
+     *  @author John Peterson
+     *  @uses __construct()
+     *  @uses process()
+     *  @todo Check out FIXMEs
+     */
+    public function process_all($tagsArray = array(), $attrArray = array(),
+                                $tagsMethod = 0, $attrMethod = 0,
+                                $xssAuto = 1) {
+        self::__construct($tagsArray, $attrArray, $tagsMethod,
+                          $attrMethod, $xssAuto);
         if(count($_POST)) {
             $_POST = self::process($_POST);
@@ -73 +247 @@
     
     /** 
-      * Method to be called by another php script. Processes for XSS and specified bad code.
-      * @access public
-      * @param Mixed $source - input string/array-of-string to be 'cleaned'
-      * @return String $source - 'cleaned' version of input parameter
-      */
+     *  Remove forbidden tags and attributes from array of strings
+     *
+     *  Accept a string or array of strings.  For each string in the
+     *  source, remove the forbidden tags and attributes from the string.
+     *  @param mixed $source - input string/array-of-string to be 'cleaned'
+     *  @return mixed 'cleaned' version of input parameter
+     *  @uses decode()
+     *  @uses remove()
+     */
     public function process($source) {
         // clean all elements in this array
@@ -97 +275 @@
 
     /** 
-      * Internal method to iteratively remove all unwanted tags and attributes
-      * @access protected
-      * @param String $source - input string to be 'cleaned'
-      * @return String $source - 'cleaned' version of input parameter
-      */
+     *  Remove forbidden tags and attributes from a string iteratively
+     *
+     *  Call {@link filterTags()} repeatedly until no change in the
+     *  input is produced.
+     *  @param string $source Input string to be 'cleaned'
+     *  @return string 'cleaned' version of $source
+     *  @uses filterTags()
+     */
     protected function remove($source) {
+        //  FIXME: what do we use $loopCounter for?
         $loopCounter=0;
         // provides nested-tag protection
@@ -113 +295 @@
     
     /** 
-      * Internal method to strip a string of certain tags
-      * @access protected
-      * @param String $source - input string to be 'cleaned'
-      * @return String $source - 'cleaned' version of input parameter
-      */
+     *  Remove forbidden tags and attributes from a string
+     *
+     *  Inspect the input for tags "<tagname ...>" and check the tag
+     *  name against a list of forbidden tag names.  Delete all tags
+     *  with forbidden names.  If {@link $xssAuto} is true, delete all
+     *  tags in {@link $tagBlacklist}.  If there is a user-defined tag
+     *  list in {@link $tagsArray}, process according to the value of
+     *  {@link $tagsMethod}.
+     *
+     *  If the tag name is OK, then call {@link filterAttr()} to check
+     *  all attributes of the tag and delete forbidden attributes. 
+     *  @param string $source Input string to be 'cleaned'
+     *  @return string Cleaned version of input parameter
+     *  @uses filterAttr()
+     *  @uses $tagBlacklist
+     *  @uses $tagsArray
+     *  @uses $tagsMethod
+     *  @uses $xssAuto
+     */
     protected function filterTags($source) {
         // filter pass setup
@@ -218 +414 @@
 
     /** 
-      * Internal method to strip a tag of certain attributes
-      * @access protected
-      * @param Array $attrSet
-      * @return Array $newSet
-      */
+     *  Internal method to strip a tag of certain attributes
+     *
+     *  Remove potentially dangerous attributes from a set of
+     *  "attr=value" strings.  Attributes considered dangerous are:
+     *  <ul>
+     *    <li>Any attribute name containing any non-alphabetic
+     *      character</li> 
+     *    <li>Any attribute name beginning "on..."</li>
+     *    <li>If {@link $xssAuto} is true, any attribute name in
+     *      {@link $attrBlacklist}</li>
+     *    <li>Any attribute with a value containing the strings
+     *      'javascript:', 'behaviour:', 'vbscript:', 'mocha:',
+     *      'livescript:'</li> 
+     *    <li>Any attribute whose name contains 'style' and whose
+     *      value contains 'expression'.</li>
+     *    <li>If there is a user-provided list of attributes in
+     *      {@link $attrArray}, process according to the value of
+     *      {@link $attrMethod}.</li>
+     *  </ul>
+     *  @param string[] $attrSet Array of strings "attr=value" parsed
+     *                           from a tag.
+     *  @return string[] Input with potentially dangerous attributes
+     *                   removed
+     *  @uses $attrArray
+     *  @uses $attrBlacklist
+     *  @uses $attrMethod
+     *  @uses $xssAuto
+     */
     protected function filterAttr($attrSet) {   
         $newSet = array();
@@ -274 +493 @@
     
     /** 
-      * Try to convert to plaintext
-      * @access protected
-      * @param String $source
-      * @return String $source
-      */
+     *  Convert HTML entities to characters
+     *
+     *  Convert input string containing HTML entities to the
+     *  corresponding character (&amp; => &).  ISO 8859-1 character
+     *  set is assumed.
+     *  @param string $source Character string containing HTML entities
+     *  @return string Input string, with entities converted to characters
+     *  @uses chr()
+     *  @uses html_entity_decode()
+     *  @uses preg_replace()
+     */
     protected function decode($source) {
         // url decode
         $source = html_entity_decode($source, ENT_QUOTES, "ISO-8859-1");
-        // convert decimal
-        $source = preg_replace('/&#(\d+);/me',"chr(\\1)", $source);             // decimal notation
-        // convert hex
-        $source = preg_replace('/&#x([a-f0-9]+);/mei',"chr(0x\\1)", $source);   // hex notation
+        // convert decimal &#DDD; to character DDD
+        $source = preg_replace('/&#(\d+);/me',"chr(\\1)", $source);
+        // convert hex &#xXXX; to character XXX
+        $source = preg_replace('/&#x([a-f0-9]+);/mei',"chr(0x\\1)", $source);
         return $source;
     }
 
     /** 
-      * Method to be called by another php script. Processes for SQL injection
-      * @access public
-      * @param Mixed $source - input string/array-of-string to be 'cleaned'
-      * @param Buffer $connection - An open MySQL connection
-      * @return String $source - 'cleaned' version of input parameter
-      */
+     *  Remove HTML entities and magic quotes, insert SQL special
+     *  character escapes
+     *
+     *  If the input is a string or an array of strings, then each
+     *  string is edited to convert any HTML entities to the
+     *  corresponding character and remove slashes inserted by
+     *  {@link http://www.php.net/manual/en/security.magicquotes.php magic quotes},
+     *  then the result has SQL special characters
+     *  escaped.
+     *  @param mixed $source Input to be 'cleaned'
+     *  @param resource $connection  An open MySQL connection
+     *  @return mixed $source with HTML entities and GPC magic quotes
+     *                removed from, and SQL special character escapes
+     *                inserted in, the string or array of strings.
+     *  @uses decode()
+     *  @uses quoteSmart()
+     */
     public function safeSQL($source, &$connection) {
         // clean all elements in this array
@@ -312 +548 @@
 
     /** 
-      * @author Chris Tobin
-      * @author Daniel Morris
-      * @access protected
-      * @param String $source
-      * @param Resource $connection - An open MySQL connection
-      * @return String $source
-      */
+     *  Remove GPC magic quotes from input string & escape SQL special
+     *  characters
+     *
+     *  The input is a string that came from a GET or POST HTTP
+     *  operation, or a cookie.  If GPC magic quotes are currently in
+     *  effect, the resulting slashes are stripped.  Then any SQL
+     *  special characters in the string are escaped, taking into
+     *  account the character set in use on $connection.
+     *  @author Chris Tobin, Daniel Morris
+     *  @param string $source Input string to be converted
+     *  @param resource $connection An open MySQL connection
+     *  @return string Input string with any GPC magic quotes stripped
+     *                 and SQL special characters escaped
+     *  @uses escapeString()
+     *  @uses get_magic_quotes_gpc()
+     *  @uses stripslashes()
+     */
     protected function quoteSmart($source, &$connection) {
         // strip slashes
@@ -328 +574 @@
     
     /** 
-      * @author Chris Tobin
-      * @author Daniel Morris
-      * @access protected
-      * @param String $source
-      * @param Resource $connection - An open MySQL connection
-      * @return String $source
-      */    
+     *  Escape SQL special characters in string
+     *
+     *  Escape SQL special characters in the input string, taking into
+     *  account the character set of the connection.
+     *
+     *  <b>FIXME:</b> since we require PHP 5 can't we remove the use
+     *  of mysql_esacape_string()?
+     *
+     *  <b>FIXME:</b>Shouldn't we pass the connection to
+     *  mysql_real_escape_string()? 
+     *
+     *  <b>FIXME:</b>Is this really RDBMS independent?
+     *  @todo Check FIXMEs
+     *  @author Chris Tobin, Daniel Morris
+     *  @param string $string  String to be protected
+     *  @param resource $connection - An open MySQL connection
+     *  @return string Value of $string with characters special in
+     *                 SQL escaped by '\'s
+     *  @uses mysql_escape_string()
+     *  @uses mysql_real_escape_string()
+     *  @uses phpversion()
+     *  @uses version_compare()
+     */ 
     protected function escapeString($string, &$connection) {
         // depreciated function
@@ -344 +606 @@
 }
 
+// -- set Emacs parameters --
+// Local variables:
+// tab-width: 4
+// c-basic-offset: 4
+// c-hanging-comment-ender-p: nil
+// indent-tabs-mode: nil
+// End:
 ?>