diff --git a/lib/function.php b/lib/function.php index a53f33b..d753631 100644 --- a/lib/function.php +++ b/lib/function.php @@ -537,7 +537,6 @@ function doreplace2($msg, $options='0|0'){ $msg=preg_replace("'\[url\](.*?)\[/url\]'si", '\\1', $msg); $msg=preg_replace("'\[url=(.*?)\](.*?)\[/url\]'si", '\\2', $msg); $msg=str_replace('http://nightkev.110mb.com/justus_layout.css','about:blank',$msg); - $msg=preg_replace("'\[youtube\]([a-zA-Z0-9_-]{11})\[/youtube\]'si", '', $msg); do { @@ -1195,35 +1194,7 @@ function include_js($fn, $as_tag = false) { function dofilters($p){ global $hacks; $temp = $p; - if (filter_bool($_GET['t']) && false) { - $p=preg_replace("''si",'',$p); - $p=preg_replace("'oad',$p); - $p=preg_replace("'onerror'si",'onerror',$p); - $p=preg_replace("'onunload'si",'onunload',$p); - $p=preg_replace("'onchange'si",'onchange',$p); - $p=preg_replace("'onsubmit'si",'onsubmit',$p); - $p=preg_replace("'onreset'si",'onreset',$p); - $p=preg_replace("'onselect'si",'onselect',$p); - $p=preg_replace("'onblur'si",'onblur',$p); - $p=preg_replace("'onfocus'si",'onfocus',$p); - $p=preg_replace("'onclick'si",'onclick',$p); - $p=preg_replace("'ondblclick'si",'ondblclick',$p); - $p=preg_replace("'onmousedown'si",'onmousedown',$p); - $p=preg_replace("'onmousemove'si",'onmousemove',$p); - $p=preg_replace("'onmouseout'si",'onmouseout',$p); - $p=preg_replace("'onmouseover'si",'onmouseover',$p); - $p=preg_replace("'onmouseup'si",'onmouseup',$p); - } - - //$p=preg_replace("''si","",$p); - //$p=preg_replace("'autoplay'si",'',$p); // kills autoplay, need to think of a solution for embeds. - - // Absolute allowed now alongside position:relative div - //$p=preg_replace("'position\s*:\s*(absolute|fixed)'si", "display:none", $p); $p=preg_replace("'position\s*:\s*fixed'si", "display:none", $p); 
@@ -1244,52 +1215,74 @@ function dofilters($p){ $p=preg_replace("':trolldra:'si", '', $p); $p=preg_replace("':reggie:'si",'',$p); -// $p=preg_replace("'drama'si", 'batter blaster', $p); -// $p=preg_replace("'TheKinoko'si", 'MY NAME MEANS MUSHROOM... IN JAPANESE! HOLY SHIT GUYS THIS IS INCREDIBLE!!!!!!!!!', $p); -// $p=preg_replace("'hopy'si",'I am a dumb',$p); - $p=preg_replace("'crashdance'si",'CrashDunce',$p); - $p=preg_replace("'get blue spheres'si",'HI EVERYBODY I\'M A RETARD PLEASE BAN ME',$p); $p=preg_replace("'zeon'si",'shit',$p); - $p=preg_replace("'faith in humanity'si",'IQ',$p); -// $p=preg_replace("'motorcycles'si",'',$p); -// $p=preg_replace("'card games'si",'',$p); -// $p=preg_replace("'touhou'si", "Baby's First Bullet Hell™", $p); -// $p=preg_replace("'nintendo'si",'grandma',$p); -// $p=preg_replace("'card games on motorcycles'si",'bard dames on rotorcycles',$p); - $p=str_replace("ftp://teconmoon.no-ip.org", 'about:blank', $p); if (filter_bool($hacks['comments'])) { $p=str_replace("", '-->', $p); } $p=preg_replace("'(https?://.*?photobucket.com/)'si",'images/photobucket.png#\\1',$p); - - -// $p=str_replace("http://imageshack.us", "imageshit", $p); $p=preg_replace("'http://.{0,3}\.?tinypic\.com'si",'tinyshit',$p); $p=str_replace('',"",$p); $p=str_replace("tabindex=\"0\" ","title=\"the owner of this button is a fucking dumbass\" ",$p); - $p=str_replace("%WIKISTATSFRAME%","
",$p); - $p=str_replace("%WIKISTATSFRAME2%", '
', $p); + // $p=str_replace("http://xkeeper.shacknet.nu:5/", 'http://xchan.shacknet.nu:5/', $p); // $p=preg_replace("'okie',$p); $p=preg_replace("'eval'si",'eval',$p); - // $p=preg_replace("'document.'si",'docufail.',$p); $p=preg_replace("'script',$p); $p=preg_replace("'/script',$p); $p=preg_replace("'javascript:'si",'javascript:',$p); $p=preg_replace("'iframe',$p); $p=preg_replace("'meta',$p); + */ + + $p = xss_clean($p); + + $p =preg_replace("'\[youtube\]([a-zA-Z0-9_-]{11})\[/youtube\]'si", '', $p); + return $p; } +// https://stackoverflow.com/questions/1336776/xss-filtering-function-in-php +function xss_clean($data) { + // Fix &entity\n; + $data = str_replace(array('&','<','>'), array('&amp;','&lt;','&gt;'), $data); + $data = preg_replace('/(&#*\w+)[\x00-\x20]+;/u', '$1;', $data); + $data = preg_replace('/(&#x*[0-9A-F]+);*/iu', '$1;', $data); + $data = html_entity_decode($data, ENT_COMPAT, 'UTF-8'); + + // Remove any attribute starting with "on" or xmlns + #$data = preg_replace('#(<[^>]+?[\x00-\x20"\'])(?:on|xmlns)[^>]*+>#iu', '$1>', $data); + do { + $old_data = $data; + $data = preg_replace('#(<[^>]+?[\x00-\x20"\'])(on|xmlns)([^>]*+)>#iu', '$1DISABLED_$2$3>', $data); + } while ($old_data !== $data); + + // Remove javascript: and vbscript: protocols + $data = preg_replace('#([a-z]*)[\x00-\x20]*=[\x00-\x20]*([`\'"]*)[\x00-\x20]*j[\x00-\x20]*a[\x00-\x20]*v[\x00-\x20]*a[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2nojavascript...', $data); + $data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*v[\x00-\x20]*b[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2novbscript...', $data); + $data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*-moz-binding[\x00-\x20]*:#u', '$1=$2nomozbinding...', $data); + + // Remove namespaced elements (we do not need them) + $data = preg_replace('#]*+>#i', '', $data); + + do { + // Remove really unwanted tags 
+ $old_data = $data; + $data = preg_replace('#<(/*(?:applet|b(?:ase|gsound)|embed|frame(?:set)?|i(?:frame|layer)|link|meta|object|script|title|xml)[^>]*+)>#i', '<$1>', $data); + } while ($old_data !== $data); + + return $data; +} + require 'lib/threadpost.php'; // require 'lib/replytoolbar.php';
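Review bot: The `[youtube]` replacement moved into the tail of `dofilters()` now runs after `xss_clean()`, so whatever markup it emits (its replacement string appears empty in this rendering, presumably an embed tag lost to the page) is never seen by the tag strip-list that includes `iframe`; that ordering looks deliberate, and the only thing that keeps it safe is the `[a-zA-Z0-9_-]{11}` capture, so record that in place: `// runs after xss_clean on purpose: the embed is built from an 11-char [A-Za-z0-9_-] id only, never from raw post text`. In `xss_clean()` every `preg_replace()` carrying the `u` modifier returns `null` on invalid UTF-8 input and the result is passed to the next call unchecked, so a post with a bad byte sequence is quietly reduced to an empty string (with a deprecation notice on PHP 8.1+) rather than rejected; guard once at the top with `if (preg_match('//u', $data) !== 1) { return ''; }` (or throw) so the failure mode is explicit. The function is a copied denylist (the StackOverflow link says as much) and both its first `str_replace` and the namespaced-element pattern look altered by this page's rendering, so the committed text should be checked against the source; since `dofilters()` now stacks two denylists, an allowlist-based HTML sanitizer plus context-aware escaping at output is the more durable fix. `xss_clean` also lacks types and a docblock: `function xss_clean(string $data): string` with a one-line comment on what it is meant to neutralise would help the next reader. The `*/` added after the `meta` replacement has no visible matching `/*` in this hunk, so confirm that comment block pairs up on the committed side.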