introducing a sanitize HTML function for the internal and the public API. This

allows to easily convert strings to HTML before displaying them on the web page
to reduce the risk of xss vulnerabilities.
This commit is contained in:
Bjoern Schiessle 2012-06-19 17:20:19 +02:00
parent 0b9a48b4b6
commit d2936bd90c
2 changed files with 28 additions and 1 deletions

View File

@ -264,6 +264,18 @@ class Util {
public static function callCheck(){ public static function callCheck(){
return(\OC_Util::callCheck()); return(\OC_Util::callCheck());
} }
/**
* @brief Used to sanitize HTML
*
* This function is used to sanitize HTML and should be applied on any string or array of strings before displaying it on a web page.
*
* @param string or array of strings
* @return array with sanitized strings or a single sinitized string, depends on the input parameter.
*/
public static function sanitizeHTML( $value ){
return(\OC_Util::sanitizeHTML($value)); //Specify encoding for PHP<5.4
}
} }
?> ?>

View File

@ -370,7 +370,7 @@ class OC_Util {
$_SESSION['requesttoken-'.$token]=time(); $_SESSION['requesttoken-'.$token]=time();
// cleanup old tokens garbage collector // cleanup old tokens garbage collector
// only run every 20th time so we don´t waste cpu cycles // only run every 20th time so we don't waste cpu cycles
if(rand(0,20)==0) { if(rand(0,20)==0) {
foreach($_SESSION as $key=>$value) { foreach($_SESSION as $key=>$value) {
// search all tokens in the session // search all tokens in the session
@ -426,4 +426,19 @@ class OC_Util {
exit; exit;
} }
} }
/**
* @brief Public function to sanitize HTML
*
* This function is used to sanitize HTML and should be applied on any string or array of strings before displaying it on a web page.
*
* @param string or array of strings
* @return array with sanitized strings or a single sinitized string, depends on the input parameter.
*/
public static function sanitizeHTML( &$value ){
if (is_array($value) || is_object($value)) array_walk_recursive($value,'OC_Util::sanitizeHTML');
else $value = htmlentities($value, ENT_QUOTES, 'UTF-8'); //Specify encoding for PHP<5.4
return $value;
}
} }