143 lines
5.1 KiB
PHP
143 lines
5.1 KiB
PHP
<?php
|
|
/*********************************************************************************
|
|
*
|
|
* TimeTrex is a Workforce Management program developed by
|
|
* TimeTrex Software Inc. Copyright (C) 2003 - 2021 TimeTrex Software Inc.
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify it under
|
|
* the terms of the GNU Affero General Public License version 3 as published by
|
|
* the Free Software Foundation with the addition of the following permission
|
|
* added to Section 15 as permitted in Section 7(a): FOR ANY PART OF THE COVERED
|
|
* WORK IN WHICH THE COPYRIGHT IS OWNED BY TIMETREX, TIMETREX DISCLAIMS THE
|
|
* WARRANTY OF NON INFRINGEMENT OF THIRD PARTY RIGHTS.
|
|
*
|
|
* This program is distributed in the hope that it will be useful, but WITHOUT
|
|
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
|
|
* FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
|
|
* details.
|
|
*
|
|
*
|
|
* You should have received a copy of the GNU Affero General Public License along
|
|
* with this program; if not, see http://www.gnu.org/licenses or write to the Free
|
|
* Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
|
|
* 02110-1301 USA.
|
|
*
|
|
*
|
|
* You can contact TimeTrex headquarters at Unit 22 - 2475 Dobbin Rd. Suite
|
|
* #292 West Kelowna, BC V4T 2E9, Canada or at email address info@timetrex.com.
|
|
*
|
|
*
|
|
* The interactive user interfaces in modified source and object code versions
|
|
* of this program must display Appropriate Legal Notices, as required under
|
|
* Section 5 of the GNU Affero General Public License version 3.
|
|
*
|
|
*
|
|
* In accordance with Section 7(b) of the GNU Affero General Public License
|
|
* version 3, these Appropriate Legal Notices must retain the display of the
|
|
* "Powered by TimeTrex" logo. If the display of the logo is not reasonably
|
|
* feasible for technical reasons, the Appropriate Legal Notices must display
|
|
* the words "Powered by TimeTrex".
|
|
*
|
|
********************************************************************************/
|
|
|
|
|
|
/**
|
|
* @package Core
|
|
*/
|
|
class FormVariables {
|
|
/**
|
|
* @param $form_variables
|
|
* @param string $form_type
|
|
* @param bool $filter_input
|
|
* @param array $filter_ignore_name_arr
|
|
* @return array
|
|
*/
|
|
static function getVariables( $form_variables, $form_type = 'BOTH', $filter_input = true, $filter_ignore_name_arr = [ 'next_page', 'batch_next_page' ] ) {
|
|
$form_type = trim( strtoupper( $form_type ) );
|
|
|
|
$retarr = [];
|
|
if ( is_array( $form_variables ) ) {
|
|
foreach ( $form_variables as $variable_name ) {
|
|
$retarr[$variable_name] = null; //Need to set variables to NULL, otherwise we get a lot of variable not set errors.
|
|
switch ( $form_type ) {
|
|
case 'GET':
|
|
if ( isset( $_GET[$variable_name] ) ) {
|
|
$retarr[$variable_name] = $_GET[$variable_name];
|
|
}
|
|
break;
|
|
case 'POST':
|
|
if ( isset( $_POST[$variable_name] ) ) {
|
|
$retarr[$variable_name] = $_POST[$variable_name];
|
|
}
|
|
break;
|
|
default:
|
|
if ( isset( $_GET[$variable_name] ) ) {
|
|
$retarr[$variable_name] = $_GET[$variable_name];
|
|
} else if ( isset( $_POST[$variable_name] ) ) {
|
|
$retarr[$variable_name] = $_POST[$variable_name];
|
|
}
|
|
}
|
|
|
|
//Ignore next_page, batch_next_page variables as those are encoded URLs passed in, and htmlspecialchars
|
|
//will break them.
|
|
if ( $filter_input == true && isset( $retarr[$variable_name] ) && is_string( $retarr[$variable_name] ) && $retarr[$variable_name] != ''
|
|
&& ( !is_array( $filter_ignore_name_arr ) || ( is_array( $filter_ignore_name_arr ) && !in_array( $variable_name, $filter_ignore_name_arr ) ) ) ) {
|
|
//Remove "javascript:" from all inputs, and run htmlspecialchars over them to help prevent XSS attacks.
|
|
$retarr[$variable_name] = self::sanitize( $retarr[$variable_name] );
|
|
} else if ( strtolower( $filter_input ) == 'recurse' && is_array( $retarr[$variable_name] )
|
|
&& ( !is_array( $filter_ignore_name_arr ) || ( is_array( $filter_ignore_name_arr ) && !in_array( $variable_name, $filter_ignore_name_arr ) ) ) ) {
|
|
self::RecurseFilterArray( $retarr[$variable_name] );
|
|
}
|
|
}
|
|
|
|
if ( empty( $retarr ) == false ) {
|
|
return $retarr;
|
|
}
|
|
}
|
|
|
|
//Return empty array so extract() doesn't complain.
|
|
return [];
|
|
}
|
|
|
|
/**
|
|
* @param $arr
|
|
* @return bool
|
|
*/
|
|
static function RecurseFilterArray( &$arr ) {
|
|
if ( !is_array( $arr ) ) {
|
|
return false;
|
|
}
|
|
|
|
foreach ( $arr as $key => $val ) {
|
|
if ( is_array( $val ) ) {
|
|
self::RecurseFilterArray( $arr[$key] );
|
|
} else {
|
|
$arr[$key] = self::sanitize( $val );
|
|
}
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
/**
|
|
* @param $val
|
|
* @return string
|
|
*/
|
|
static function sanitize( $val ) {
|
|
return @htmlspecialchars( str_ireplace( [ 'javascript:', 'src=', 'www.example.com' ], '', $val ), ENT_QUOTES, 'UTF-8' ); //Supress warnings due to invalid multibyte sequences
|
|
}
|
|
|
|
/**
|
|
* Reverse sanitation for when HTML is allowed. Make sure we purify the HTML after though.
|
|
* @param $val
|
|
* @return string
|
|
*/
|
|
static function reverseSanitize( $val ) {
|
|
//return htmlspecialchars_decode( $val );
|
|
return html_entity_decode( $val, ENT_COMPAT | ENT_HTML401, 'UTF-8' );
|
|
}
|
|
|
|
}
|
|
|
|
?>
|