1<?php
8namespace Bitrix\Security\Filter\Auditor;
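/**
 * Auditor that rewrites well-known, often obfuscated, XSS vectors.
 *
 * The filter table built by getFilters() looks for keywords such as
 * "javascript:", "expression(", "<script", "on...=" or "data:" written
 * with the usual evasions (interleaved tabs/newlines/backslashes, "%xx",
 * "\xXX" and "\0*XX" encodings, embedded comments) and breaks the keyword
 * apart with the parent's splitting string. The Base class, the
 * $filters property, initializeFilters(), setFilteredValue(),
 * getSplittingString() and getWhiteList() all live in the parent, which
 * is not part of this file.
 */
class SimpleXss extends Base
{
	protected $name = 'SIMPLE_XSS';

	// Filled lazily by initializeWhiteList(); not consulted by process()
	// in this class.
	private array $whiteList = [];

	/**
	 * Rewrites obfuscated XSS keywords found in $value.
	 *
	 * The filter groups are re-applied until the text stops changing, so a
	 * keyword that only appears after another group has rewritten the text
	 * is still caught.
	 *
	 * @param mixed $value Raw input; it is coerced to string before filtering.
	 * @return bool true when the value was rewritten (the rewritten text is
	 *              handed to setFilteredValue()), false when nothing matched.
	 */
	public function process($value): bool
	{
		// NOTE: the trailing "?" makes the whole character class optional, so
		// this pattern matches every string (including '') and the early
		// return is never taken for a string input. It is left as-is on
		// purpose: turning it into a real pre-check would skip inputs that
		// only use the escaped spellings the filters accept (e.g. "\x3a"
		// for ":"), which contain none of the listed characters.
		if (!preg_match('#[(){}\[\]=+&%<>]?#', $value))
			return false;

		$this->initializeFilters();
		$this->setFilteredValue('');

		// Work on a string so the change detection below can use strict
		// comparison instead of PHP's loose (numeric-aware) "!=".
		$targetValue = (string) $value;
		$current = $targetValue;

		do
		{
			$last = $current;
			foreach ($this->filters as $searchChar => $filters)
			{
				// Cheap pre-check: a group whose trigger character is absent
				// cannot match. Group key 0 is falsy here and therefore
				// always runs.
				if ($searchChar && mb_strpos($current, $searchChar) === false)
					continue;

				$replaced = preg_replace($filters['search'], $filters['replace'], $current);
				if ($replaced === null)
				{
					// PCRE failed (e.g. backtrack limit). Fail closed: drop
					// the text rather than let unfiltered input through.
					$replaced = '';
				}
				$current = $replaced;
			}
		}
		while ($last !== $current);

		if ($last !== $targetValue)
		{
			$this->setFilteredValue($last);
			return true;
		}

		return false;
	}

	/**
	 * Loads the whitelist from the parent on first use.
	 *
	 * getWhiteList() is not defined in this file; presumably provided by
	 * Base. Nothing in this class reads $whiteList afterwards.
	 */
	protected function initializeWhiteList(): void
	{
		if ($this->whiteList === [])
		{
			$this->whiteList = $this->getWhiteList();
		}
	}

	/**
	 * Builds the filter table consumed by process().
	 *
	 * Each entry is keyed by the character that must be present for the
	 * group to be worth running (0 = no trigger, always run) and holds a
	 * list of patterns under 'search' plus the replacement under 'replace'.
	 * Every pattern has two capture groups splitting the keyword in the
	 * middle, so the replacement can re-emit the halves separated by the
	 * parent's splitting string.
	 *
	 * @return array<int|string, array{search: list<string>, replace: string}>
	 */
	protected function getFilters(): array
	{
		// Optional "glue" an attacker may insert between letters of a keyword:
		// tab, LF, CR and backslash ...
		$_M = '(?:[\x09\x0a\x0d\\\\]*)';
		// ... the same plus any \s whitespace ...
		$_M3 = '(?:[\x09\x0a\x0d\\\\\s]*)';
		// ... and additionally /* */ comments (used for expression()).
		$_M2 = '(?:(?:[\x09\x0a\x0d\\\\\s]|(?:\/\*.*?\*\/))*)';

		// Word boundary: do not match when the keyword is the tail of a
		// longer identifier, entity or query parameter.
		$_Al = '(?<![a-z0-9&_?-])';

		// One letter each, in plain, "%xx" (URL-encoded), "\xXX" and
		// "\0*XX" (CSS-style) form; the [64]/[75] class covers both cases.
		$_Jj = '(?:j|%[64]a|\\\\x[64]a|(?:\\\\0*[64]a))';
		$_Ja = '(?:a|%[64]1|\\\\x[64]1|(?:\\\\0*[64]1))';
		$_Jb = '(?:b|%[64]2|\\\\x[64]2|(?:\\\\0*[64]2))';

		$_Jv = '(?:v|%[75]6|\\\\x[75]6|(?:\\\\0*[75]6))';
		$_Js = '(?:s|%[75]3|\\\\x[75]3|(?:\\\\0*[75]3))';
		$_Jc = '(?:c|%[64]3|\\\\x[64]3|(?:\\\\0*[64]3))';
		$_Jr = '(?:r|%[75]2|\\\\x[75]2|(?:\\\\0*[75]2))';
		$_Ji = '(?:i|%[64]9|\\\\x[64]9|(?:\\\\0*[64]9))';
		$_Jp = '(?:p|%[75]0|\\\\x[75]0|(?:\\\\0*[75]0))';
		$_Jt = '(?:t|%[75]4|\\\\x[75]4|(?:\\\\0*[75]4))';

		$_Je = '(?:e|%[64]5|\\\\x[64]5|(?:\\\\0*[64]5))';
		$_Jx = '(?:x|%[75]8|\\\\x[75]8|(?:\\\\0*[75]8))';
		$_Jo = '(?:o|%[64]f|\\\\x[64]f|(?:\\\\0*[64]f))';
		$_Jn = '(?:n|%[64]e|\\\\x[64]e|(?:\\\\0*[64]e))';

		$_Jh = '(?:h|%[64]8|\\\\x[64]8|(?:\\\\0*[64]8))';

		// ":" or "=" (plain or encoded) and "(" (plain or encoded).
		$_Jdd = '(?:\\:|=|%3a|%3d|\\\\x3a|\\\\x3d|(?:\\\\0*3a)|(?:\\\\0*3d))';
		$_Jss = '(?:\\(|%28|\\\\x28|(?:\\\\0*28))';

		// Optional whitespace before ":"/"=", including NUL, VT, FF,
		// backslash and U+2029 (E2 80 A9); not subject to the $_M glue.
		$_WS_OPT = '(?:[\\x00\\x09\\x0A\\x0B\\x0C\\x0D\\s\\\\]|\\xE2\\x80\\xA9)*';
		$replacePattern = $this->getSplittingString(2);

		return [
			// No trigger character: behavior:, javascript:, vbscript:,
			// expression( — the letters may be encoded, so no single
			// byte can be required up front.
			0 => [
				'search' => [
					"/$_Al({$_Jb}{$_M}{$_Je}{$_M}{$_Jh}{$_M})({$_Ja}{$_M}{$_Jv}{$_M}{$_Ji}{$_M}{$_Jo}{$_M}{$_Jr}{$_WS_OPT}{$_Jdd})/is",
					"/({$_Jj}{$_M3}{$_Ja}{$_M3}{$_Jv}{$_M3})({$_Ja}{$_M3}{$_Js}{$_M3}{$_Jc}{$_M3}{$_Jr}{$_M3}{$_Ji}{$_M3}{$_Jp}{$_M3}{$_Jt}{$_M3}{$_Jdd})/is",
					"/({$_Jv}{$_M3}{$_Jb}{$_M3})({$_Js}{$_M3}{$_Jc}{$_M3}{$_Jr}{$_M3}{$_Ji}{$_M3}{$_Jp}{$_M3}{$_Jt}{$_M3}{$_Jdd})/is",
					"/({$_Je}{$_M2}{$_Jx}{$_M2})({$_Jp}{$_M2}{$_Jr}{$_M2}{$_Je}{$_M2}{$_Js}{$_M2}{$_Js}{$_M2}{$_Ji}{$_M2}{$_Jo}{$_M2}{$_Jn}{$_M2}{$_Jss})/is",
				],
				'replace' => $this->getSplittingString(2, " * "),
			],

			// Dangerous tag names (opening and closing script, x:script,
			// applet, embed, frame, iframe, form, object, isindex).
			"<" => [
				'search' => [
					"/(<{$_M}s{$_M}c{$_M})(r{$_M}i{$_M}p{$_M}t)(?!\\w)/is",
					"/(<{$_M}\\/{$_M}s{$_M}c{$_M})(r{$_M}i{$_M}p{$_M}t)/is",
					"/(<{$_M}x{$_M}:{$_M}s{$_M}c{$_M})(r{$_M}i{$_M}p{$_M}t)(?!\\w)/is",
					"/(<{$_M}a{$_M}p{$_M}p{$_M})(l{$_M}e{$_M}t)(?!\\w)/is",
					"/(<{$_M}e{$_M}m{$_M}b)(e{$_M}d)(?!\\w)/is",
					"/(<{$_M}f{$_M}r{$_M}a{$_M})(m{$_M}e)(?!\\w)/is",
					"/(<{$_M}i{$_M}f{$_M}r{$_M})(a{$_M}m{$_M}e)(?!\\w)/is",
					"/(<{$_M}f{$_M}o{$_M})(r{$_M}m)(?!\\w)/is",
					"/(<{$_M}o{$_M}b{$_M})(j{$_M}e{$_M}c{$_M}t)(?!\\w)/is",
					"/(<{$_M}i{$_M}s{$_M}i{$_M})(n{$_M}d{$_M}e{$_M}x)(?!\\w)/is",
				],
				'replace' => $replacePattern,
			],

			// Attribute assignments: formaction=, on...= (any handler name),
			// seekSegmentTime=, FSCommand=.
			"=" => [
				'search' => [
					"/{$_Al}(f{$_M}o{$_M}r{$_M})(m{$_M}a{$_M}c{$_M}t{$_M}i{$_M}o{$_M}n{$_WS_OPT}=)/is",
					"/{$_Al}(o{$_M}n{$_M}(?:[a-z]{$_M})*?)(([a-z]{$_M}){3}{$_WS_OPT}=)/is",
					"/{$_Al}(s{$_M}e{$_M}e{$_M})(k{$_M}S{$_M}e{$_M}g{$_M}m{$_M}e{$_M}n{$_M}t{$_M}T{$_M}i{$_M}m{$_M}e{$_WS_OPT}=)/is",
					"/{$_Al}(F{$_M}S{$_M}C{$_M})(o{$_M}m{$_M}m{$_M}a{$_M}n{$_M}d{$_WS_OPT}=)/is",
				],
				'replace' => $replacePattern,
			],

			// URI schemes: urn:schemas-microsoft-com: and "data:" after a
			// quote/=/:/; unless followed by a digit or "image".
			":" => [
				'search' => [
					"/(u{$_M}r{$_M}n{$_M2}:{$_M2}s{$_M})(c{$_M}h{$_M}e{$_M}m{$_M}a{$_M}s{$_M}-{$_M}m{$_M}i{$_M}c{$_M}r{$_M}o{$_M}s{$_M}o{$_M}f{$_M}t{$_M}-{$_M}c{$_M}o{$_M}m{$_M2}:)/",
					"/((?:'|\"|=|:|;){$_M3}d{$_M}a{$_M}t{$_M})(a{$_M}:)(?![0-9]|image)/is",
				],
				'replace' => $replacePattern,
			],

			// CSS: -moz-binding:url
			"-" => [
				'search' => [
					"/(-{$_M}m{$_M}o{$_M}z{$_M}-{$_M}b{$_M}i{$_M})(n{$_M}d{$_M}i{$_M}n{$_M}g{$_M}{$_WS_OPT}:{$_WS_OPT}{$_M}u{$_M}r{$_M}l)/is",
				],
				'replace' => $replacePattern,
			],
		];
	}
}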