diff options
author | Brion Vibber <brion@pobox.com> | 2010-10-06 13:07:29 -0700 |
---|---|---|
committer | Brion Vibber <brion@pobox.com> | 2010-10-06 13:07:29 -0700 |
commit | 71176b9a98ef5298162f821c621a0e467dd9570b (patch) | |
tree | 24f80145ce647304bff94c616135eb0059a84cba /lib/util.php | |
parent | 8ff45823bad2d2464be69c0f25162c3238f8f518 (diff) | |
parent | 707b45097428b0dbcdbf9ae2590129080207f254 (diff) |
Merge branch '0.9.x' into 1.0.x
Diffstat (limited to 'lib/util.php')
-rw-r--r-- | lib/util.php | 42 |
1 files changed, 35 insertions, 7 deletions
diff --git a/lib/util.php b/lib/util.php index b20ed8225..df339d4b1 100644 --- a/lib/util.php +++ b/lib/util.php @@ -933,6 +933,28 @@ function common_shorten_links($text, $always = false) } } +/** + * Very basic stripping of invalid UTF-8 input text. + * + * @param string $str + * @return mixed string or null if invalid input + * + * @todo ideally we should drop bad chars, and maybe do some of the checks + * from common_xml_safe_str. But we can't strip newlines, etc. + * @todo Unicode normalization might also be useful, but not needed now. + */ +function common_validate_utf8($str) +{ + // preg_replace will return NULL on invalid UTF-8 input. + return preg_replace('//u', '', $str); +} + +/** + * Make sure an arbitrary string is safe for output in XML as a single line. + * + * @param string $str + * @return string + */ function common_xml_safe_str($str) { // Replace common eol and extra whitespace input chars @@ -1675,19 +1697,25 @@ function common_config($main, $sub) array_key_exists($sub, $config[$main])) ? $config[$main][$sub] : false; } +/** + * Pull arguments from a GET/POST/REQUEST array with first-level input checks: + * strips "magic quotes" slashes if necessary, and kills invalid UTF-8 strings. + * + * @param array $from + * @return array + */ function common_copy_args($from) { $to = array(); $strip = get_magic_quotes_gpc(); foreach ($from as $k => $v) { - if($strip) { - if(is_array($v)) { - $to[$k] = common_copy_args($v); - } else { - $to[$k] = stripslashes($v); - } + if(is_array($v)) { + $to[$k] = common_copy_args($v); } else { - $to[$k] = $v; + if ($strip) { + $v = stripslashes($v); + } + $to[$k] = strval(common_validate_utf8($v)); } } return $to; |