From: Bjoern Schiessle <schiessle@owncloud.com>
Date: Tue, 19 Jun 2012 15:20:19 +0000 (+0200)
Subject: introducing a sanitize HTML function for the internal and the public API. This
X-Git-Tag: v4.5.0beta1~74^2~409^2~9
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=d2936bd90caa2b256d32e7d349449ed58b28107b;p=nextcloud-server.git

introducing a sanitize HTML function for the internal and the public API. This
allows to easily convert strings to HTML before displaying them on the web page
to reduce the risk of xss vulnerabilities.
---

diff --git a/lib/public/util.php b/lib/public/util.php
index d79d3f26b1e..7c0cb666077 100644
--- a/lib/public/util.php
+++ b/lib/public/util.php
@@ -264,6 +264,18 @@ class Util {
 	public static function callCheck(){
 		return(\OC_Util::callCheck());
 	}
+	
+	/**
+	 * @brief Used to sanitize HTML
+	 *
+	 * This function is used to sanitize HTML and should be applied on any string or array of strings before displaying it on a web page.
+	 *
+	 * @param string or array of strings
+	 * @return array with sanitized strings or a single sinitized string, depends on the input parameter.
+	 */
+	public static function sanitizeHTML( $value ){
+		return(\OC_Util::sanitizeHTML($value)); //Specify encoding for PHP<5.4
+	}
 }
 
 ?>
diff --git a/lib/util.php b/lib/util.php
index 0266a8ecc5f..bcfeb417c1d 100755
--- a/lib/util.php
+++ b/lib/util.php
@@ -370,7 +370,7 @@ class OC_Util {
 		$_SESSION['requesttoken-'.$token]=time();
 
 		// cleanup old tokens garbage collector
-		// only run every 20th time so we don´t waste cpu cycles
+		// only run every 20th time so we don't waste cpu cycles
 		if(rand(0,20)==0) {  
 			foreach($_SESSION as $key=>$value) {
 				// search all tokens in the session
@@ -426,4 +426,19 @@ class OC_Util {
 			exit;
 		}
 	}
+	
+	/**
+	 * @brief Public function to sanitize HTML
+	 *
+	 * This function is used to sanitize HTML and should be applied on any string or array of strings before displaying it on a web page.
+	 * 
+	 * @param string or array of strings
+	 * @return array with sanitized strings or a single sinitized string, depends on the input parameter.
+	 */
+	public static function sanitizeHTML( &$value ){
+		if (is_array($value) || is_object($value)) array_walk_recursive($value,'OC_Util::sanitizeHTML');
+		else $value = htmlentities($value, ENT_QUOTES, 'UTF-8'); //Specify encoding for PHP<5.4
+		return $value;
+	}
+
 }