ÿØÿà JFIF    ÿÛ „  ( %"1!%)+...383,7(-.+  -+++--++++---+-+-----+---------------+---+-++7-----ÿÀ  ß â" ÿÄ     ÿÄ H    !1AQaq"‘¡2B±ÁÑð#R“Ò Tbr‚²á3csƒ’ÂñDS¢³$CÿÄ   ÿÄ %  !1AQa"23‘ÿÚ   ? ôÿ ¨pŸªáÿ —åYõõ\?àÒü©ŠÄï¨pŸªáÿ —åYõõ\?àÓü©ŠÄá 0Ÿªáÿ Ÿå[úƒ ú®ði~TÁbqÐ8OÕpÿ ƒOò¤Oè`–RÂáœá™êi€ßÉ< FtŸI“öÌ8úDf´°å}“¾œ6  öFá°y¥jñÇh†ˆ¢ã/ÃÐ:ªcÈ "Y¡ðÑl>ÿ ”ÏËte:qž\oäŠe÷󲍷˜HT4&ÿ ÓÐü6ö®¿øþßèô Ÿ•7Ñi’•j|“ñì>b…þS?*Óôÿ ÓÐü*h¥£ír¶ü UãSç‚Ÿ[AÐaè[ûª•õ&õj?†Éö+EzP—WeÒírJFt ‘BŒ†Ï‡%#tE Øz ¥OÛ«!1›üä±Í™%ºÍãö]°î(–:@<‹ŒÊö×òÆt¦ãº+‡¦%ÌÁ²h´OƒJŒtMÜ>ÀÜÊw3Y´•牋4ǍýʏTì>œú=Íwhyë,¾Ôò×õ¿ßÊa»«þˆѪQ|%6ž™A õ%:øj<>É—ÿ Å_ˆCbõ¥š±ý¯Ýƒï…¶|RëócÍf溪“t.СøTÿ *Ä¿-{†çàczůŽ_–^XþŒ±miB[X±d 1,é”zEù»& î9gœf™9Ð'.;—™i}!ôšåîqêÛ٤ёý£½ÆA–àôe"A$˝Úsäÿ ÷Û #°xŸëí(l »ý3—¥5m! rt`†0~'j2(]S¦¦kv,ÚÇ l¦øJA£Šƒ J3E8ÙiŽ:cÉžúeZ°€¯\®kÖ(79«Ž:¯X”¾³Š&¡* ….‰Ž(ÜíŸ2¥ª‡×Hi²TF¤ò[¨íÈRëÉ䢍mgÑ.Ÿ<öäS0í„ǹÁU´f#Vß;Õ–…P@3ío<ä-±»Ž.L|kªÀê›fÂ6@»eu‚|ÓaÞÆŸ…¨ááå>åŠ?cKü6ùTÍÆ”†sĤÚ;H2RÚ†õ\Ö·Ÿn'¾ ñ#ºI¤Å´%çÁ­‚â7›‹qT3Iï¨ÖÚ5I7Ë!ÅOóŸ¶øÝñØôת¦$Tcö‘[«Ö³šÒ';Aþ ¸èíg A2Z"i¸vdÄ÷.iõ®§)¿]¤À†–‡É&ä{V¶iŽ”.Ó×Õÿ û?h¬Mt–íª[ÿ Ñÿ ÌV(í}=ibÔ¡›¥¢±b Lô¥‡piη_Z<‡z§èŒ)iÖwiÇ 2hÙ3·=’d÷8éŽ1¦¸c¤µ€7›7Ø ð\á)} ¹fËí›pAÃL%âc2 í§æQz¿;T8sæ°qø)QFMð‰XŒÂ±N¢aF¨…8¯!U  Z©RÊ ÖPVÄÀÍin™Ì-GˆªÅËŠ›•zË}º±ŽÍFò¹}Uw×#ä5B¤{î}Ð<ÙD é©¤&‡ïDbàÁôMÁ." ¤‡ú*õ'VŽ|¼´Úgllº¼klz[Æüï÷Aób‡Eÿ dÑ»Xx9ÃÜ£ÁT/`¼¸vI±Ýµ·Ë‚“G³þ*Ÿû´r|*}<¨îºœ @¦mÄ’M¹”.œ«Y–|6ÏU¤jç¥ÕÞqO ˜kDÆÁ¨5ÿ š;Њ¦¦€GÙk \ –Þ=â¼=SͧµªS°ÚÍpÜãQűÀõ¬?ÃÁ1Ñ•õZà?hóœ€ L¦l{Y*K˜Ù›zc˜–ˆâ ø+¾ ­-Ök¥%ùEÜA'}ˆ><ÊIè“bpÍ/qÞâvoX€w,\úªò6Z[XdÒæ­@Ö—€$òJí#é>'°Ú ôª˜<)4ryÙ£|óAÅn5žêŸyÒäMÝ2{"}‰–¤l÷ûWX\l¾Á¸góÉOÔ /óñB¤f¸çñ[.P˜ZsÊË*ßT܈§QN¢’¡¨§V¼(Üù*eÕ“”5T¨‹Âê¥FŒã½Dü[8'Ò¥a…Ú¶k7a *•›¼'Ò·\8¨ª\@\õ¢¦íq+DÙrmÎ…_ªæ»ŠÓœ¡¯’Ré9MÅ×D™lælffc+ŒÑ,ý™ÿ ¯þǤ=Å’Á7µ÷ÚÛ/“Ü€ñýã¼àí¾ÕÑ+ƒ,uµMâÀÄbm:ÒÎPæ{˜Gz[ƒ¯«® KHà`ßØŠéí¯P8Aq.C‰ à€kòpj´kN¶qô€…Õ,ÜNŠª-­{Zö’æû44‰sŽè‰îVíRœÕm" 6?³D9¡ÇTíÅꋇ`4«¸ÝÁô ï’ýorqКÇZ«x4Žâéþuïf¹µö[P ,Q£éaX±`PÉÍZ ¸äYúg üAx ’6Lê‚xÝÓ*äQ  Ï’¨hÍ =²,6ï#rÃ<¯–£»ƒ‹,–ê•€ aÛsñ'%Æ"®ÛüìBᝠHÚ3ß°©$“XnœÖ’î2ËTeûìxîß ¦å¿çÉ ðK§þ{‘t‚Ϋ¬jéîZ[ ”š7L¥4VÚCE×]m¤Øy”ä4-dz£œ§¸x.*ãÊÊ b÷•h:©‡¦s`BTÁRû¾g⻩‹jø sF¢àJøFl‘È•Xᓁà~*j¯ +(ÚÕ6-£¯÷GŠØy‚<Ç’.F‹Hœw(+)ÜÜâÈzÄäT§FߘãÏ;DmVœ3Àu@mÚüXÝü•3B¨òÌÁÛ<·ÃÜ z,Ì@õÅ·d2]ü8s÷IôÞ¯^Ç9¢u„~ëAŸï4«M? K]­ÅàPl@s_ p:°¬ZR”´›JC[CS.h‹ƒïËœ«Æ]–÷ó‚wR×k7X‰k›‘´ù¦=¡«‰¨¨Â')—71ó’c‡Ðúµ `é.{§p¹ój\Ž{1h{o±Ý=áUÊïGÖŒõ–-BÄm+AZX¶¡ ïHðæ¥JmÙ;…ä¡Ÿˆ¦ ° äšiÉg«$üMk5¤L“’çÊvïâï ,=f“"íἊ5ô¬x6{ɏžID0e¸vçmi'︧ºð9$ò¹÷*£’9ÿ ²TÔ…×>JV¥}Œ}$p[bÔ®*[jzS*8 ”·T›Í–ñUîƒwo$áè=LT™ç—~ô·¤ÈÚ$榍q‰„+´kFm)ž‹©i–ËqÞŠ‰à¶ü( ‚•§ •°ò·‡#5ª•µÊ﯅¡X¨šÁ*F#TXJÊ ušJVÍ&=iÄs1‚3•'fý§5Ñ<=[íÞ­ PÚ;ѱÌ_~Ä££8rÞ ²w;’hDT°>ÈG¬8Á²ÚzŽ®ò®qZcqJêäÞ-ö[ܘbň±çb“Š¶31²n×iƒðÕ;1¶þÉ ªX‰,ßqÏ$>•î íZ¥Z 1{ç൵+ƒÕµ¥°T$§K]á»Ûï*·¤tMI’ÂZbŽÕiÒ˜}bÓ0£ª5›¨ [5Ž^ÝœWøÂÝh° ¢OWun£¤5 a2Z.G2³YL]jåtì”ä ÁÓ‘%"©<ÔúÊ°sº UZvä‡ÄiÆÒM .÷V·™ø#kèýiíÌ–ª)µT[)BˆõÑ xB¾B€ÖT¨.¥~ð@VĶr#¸ü*åZNDŽH;âi ],©£öØpù(šºãö¼T.uCê•4@ÿ GÕÛ)Cx›®0ø#:ÏðFÒbR\(€€Ä®fã4Þ‰Fä¯HXƒÅ,†öEÑÔÜ]Öv²?tLÃvBY£ú6Êu5ÅAQ³1‘’¬x–HŒÐ‡ ^ ¸KwJôÖŽ5×CÚ¨vÜ«/B0$×k°=ðbÇ(Ï)w±A†Á† 11Í=èQšµ626ŒÜ/`G«µ<}—-Ö7KEHÈÉðóȤmݱû±·ø«Snmá=“ä«šmݱŸ¡¶~ó·“äUóJæúòB|E LêŽy´jDÔ$G¢þÐñ7óR8ýÒ…Ç› WVe#·Ÿ p·Fx~•ݤF÷0Èÿ K¯æS<6’¡WШ; ´ÿ ¥Êø\Òuî†åÝ–VNœkÒ7oòX¨Á­Ø÷FÎÑä±g÷ÿ M~Çî=p,X´ ÝÌÚÅ‹’ÃjÖ.ØöÏñ qïQ¤ÓZE†° =6·]܈ s¸>v•Ž^Ý\wq9r‰Î\¸¡kURÒ$­*‹Nq?Þª*!sŠÆ:TU_u±T+øX¡ ®¹¡,ÄâÃBTsÜ$Ø›4m椴zÜK]’’›Pƒ @€#â˜`é¹=I‡fiV•Ôî“nRm+µFPOhÍ0B£ €+¬5c v•:P'ÒyÎ ‰V~‚Ó†ÖuókDoh$å\*ö%Ю=£«…aȼ½÷Û.-½VŒŠ¼'lyî±1¬3ó#ÞE¿ÔS¤gV£m›=§\û"—WU¤ÚǼÿ ÂnÁGŒÃ ‚õN D³õNÚíŒÕ;HôyÄÈ©P¹Ä{:?R‘Ô¨âF÷ø£bÅó® JS|‚R÷ivýáâ€Æé¡è³´IئÑT!§˜•Øª‚¬â@q€wnïCWÄ@JU€ê¯m6]Ï:£âx'+ÒðXvÓ¦Úm=–´7œ $ì“B£~p%ÕŸUþ« N@¼üï~w˜ñø5®—'Ôe»¤5ã//€ž~‰Tþ›Å7•#¤× Íö pÄ$ùeåì*«ÓŠEØWEÈsßg ¦ûvžSsLpºÊW–âµEWöˬH; ™!CYõZ ÃÄf æ#1W. \uWâ\,\Çf j’<qTbên›Î[vxx£ë 'ö¨1›˜ÀM¼Pÿ H)ƒêêŒA7s,|F“ 꺸k³9Ìö*ç®;Ö!Ö$Eiž•¹ÒÚ†ýóéÝû¾ÕS®ó$’NÝäŸz¤5r¦ãÄÃD÷Üø!°ø‡Ô&@m™Ì^Ãä­d q5Lnÿ N;.6½·N|#ä"1Nƒx“ã<3('&ñßt  ~ªu”1Tb㫨9ê–›–bìd$ߣ=#ÕãÒmU¯eí$EFù5ýYô櫨æ왍Ǘ±ssM]·á¿0ÕåJRÓªîiƒ+O58ÖñªŠÒx" \µâá¨i’¤i —Ö ” M+M¤ë9‚‰A¦°Qõ¾ßøK~¼Ã‘g…Ö´~÷Ï[3GUœÒ½#…kàÔ®Ò”‰³·dWV‰IP‰Ú8u¹”E ÖqLj¾êÕCBš{A^Âß;–¨`¯¬ìö ˼ ×tìø.tƐm*n¨y4o&Àx¥n¦×î‡aupáÛj8¿m›è¶ã!o½;ß0y^ý×^EÑ¿ÒjzŒ­)vÚÑnÄL …^ªô× ‡—‚3k Îý­hï]içå–îÏ*÷ñþ»Ô CÒjøjÍznˆ´ ¹#b'Fô‹ ‰v¥'’à'T´ƒHýÍ%M‰ ƒ&ÆÇŒï1 ‘ –Þ ‰i¬s žR-Ÿ kŠ¬á¬7:þ 0ŒÅÒÕ/aÙ¬ÃÝ#Úøœ ©aiVc‰. ¹¦ãµ” ›Yg¦›ÆÎýº°f³7ƒhá·¸­}&D9¡ÂsÉÙÞèŠõØàC™¨ñbFC|´Ü(ŸƒÚÒ-%»'a Ì¿)ËÇn¿úÿ ÞŽX…4ÊÅH^ôΑí@ù¹Eh¶“L8Çjù ¼ÎåVªóR©Ï5uà V4lZß®=€xÖŸ–ÑÈ ÷”¨°¾__yM1tÉ?uÆþIkÄgæ@þ[¢†°XÃJ£j·:nkÅ¢u ‘}âGzö­/IµèŠ¬¼48q¦F°ŽR¼=ûì{´¯RýicS ÕÛ íNtÍÙï£,w4rêì®»~x(©Uñ§#Ñ&œÕ¤>ÎåÍÓ9’Ö{9eV­[Öjâ²ãu]˜å2›qÑšÕJç0€sÄ|Êëè0튔bÁ>“{×_F`Ø©ºê:µä,v¤ðfc1±"«ÔÍän1#=· Âøv~H½ÐßA¾¿Ü€Óš]Õ; I¾÷ç‚Qi†î¹9ywÔKG˜áñ zQY—§ÃÕZ07§X‚ Áh;ÁM)iÌCH-¯T‘ë|A0{Ò½LÚ–TâÖkÜ’dÀ“rmm»”جPF³ÖcbE§T€ÒxKºû’Ó®7±²(\4ŽÃ¸Uu@j™yĵ;³µ!Á¢b.W¤=mõ´êµK k ¸K^ÜÛ#p*Ü14qkZç5ïë †°5Ï%ÍÛ<Õ¤×Ô¥ê†C Õ´¼ú$ƒÖ“”]Ù¬qÞÚ[4©ý!ûÏ—Áb쳐XµA¬â~`›Çr¸8ìùÝ䫦<>ä÷«?xs´ÇÑ /á;¹øüÊÈÙà{"@Žïzâ¬[âß‚ U_<ÇŸ½4èN˜ú61®qŠu ¦þF£»äJ_ˆÙÎ~ ÞAã–Ý„Ï—rŠD;xTž‘ô`É«…suãO`?³à™ô Lý#Íc5öoæØ‚y´´÷«ZR§<&JÇ+éâô´€i!Àˆ0æAoàðLèÖ-2ŸõW.’t^–(KÁmHµV@xÜÇy®Ñø­â^:Ú3w· 7½¹°ñ¸â¹®:',«Mœ—n­Á+Ãbš LÈ‘ÄnRÓÅœ%¦²‰¨ùQ:¤f‚ "PÕtô¸…cæl…&˜Ú˜Ôkv‹ž+vŠ,=¢v­6—Xy*¥t£«<™:“aîϲ=¦6rO]XI¿Œ÷¤zÚ­›¶ 6÷”w\d ü~v®ˆÌk«^m<ÿ ¢‰Õ\)ùºŽ;… lîÙÅEŠ®cѾ@vnMÏ,¼“ñ•ŽBxðÃzãÇç%3ˆ"}Ù•Åî> BÉú;Ò]V+P˜F_´ßé> Øše|ï‡ÄOmFæÇ ãqÞ$/xÐx­z`ï9"œÜij‚!7.\Td…9M‡•iŽ‹¾‘50ÞŽn¥ß4ÉôO ¹*í^QêËÜÇÌ8=Ž§s‰'ÂëÙ«á%Pú[O †ÅP¯VsŽ°.‰,kc¶ ¬A9n˜XÎ-ÞšN["¹QÕ‰ƒMýÁߺXJæÍaLj¾×Ãmã¾ãÚ uñÒþåQô¦¥ /ÄUx:‚ÍÜ’ Đ©ØÝ3V¨‰ÕnÐ6ó*óúK­«…c ¯U òhsý­jóÔj#,ímŒRµ«lbïUTŒÑ8†Ä0œÏr`ð¡¬É Ї ë"À² ™ 6¥ f¶ ¢ÚoܱԷ-<Àî)†a¶ž'Ú»¨TXqØæ¶÷YÄHy˜9ÈIW­YÀuMFë ºÏ’AqÌ4·/Ú †ô'i$øä­=Ä Ý|öK×40è|È6p‘0§)o¥ctî§H+CA-“ xØ|ÐXŠç l8íºð3Ø:³¤¬KX¯UÿÙ * Original Contributors: Gianpaolo Racca, Ghislain Picard, Marco Wandschneider, Chris Tobin and Andrew Eddie. * * @since 11.1 */ class InputFilter extends BaseInputFilter { /** * A flag for Unicode Supplementary Characters (4-byte Unicode character) stripping. * * @var integer * * @since 3.5 */ public $stripUSC = 0; /** * Constructor for inputFilter class. Only first parameter is required. * * @param array $tagsArray List of user-defined tags * @param array $attrArray List of user-defined attributes * @param integer $tagsMethod WhiteList method = 0, BlackList method = 1 * @param integer $attrMethod WhiteList method = 0, BlackList method = 1 * @param integer $xssAuto Only auto clean essentials = 0, Allow clean blacklisted tags/attr = 1 * @param integer $stripUSC Strip 4-byte unicode characters = 1, no strip = 0, ask the database driver = -1 * * @since 11.1 */ public function __construct($tagsArray = array(), $attrArray = array(), $tagsMethod = 0, $attrMethod = 0, $xssAuto = 1, $stripUSC = -1) { // Make sure user defined arrays are in lowercase $tagsArray = array_map('strtolower', (array) $tagsArray); $attrArray = array_map('strtolower', (array) $attrArray); // Assign member variables $this->tagsArray = $tagsArray; $this->attrArray = $attrArray; $this->tagsMethod = $tagsMethod; $this->attrMethod = $attrMethod; $this->xssAuto = $xssAuto; $this->stripUSC = $stripUSC; /** * If Unicode Supplementary Characters stripping is not set we have to check with the database driver. If the * driver does not support USCs (i.e. there is no utf8mb4 support) we will enable USC stripping. */ if ($this->stripUSC === -1) { try { // Get the database driver $db = \JFactory::getDbo(); // This trick is required to let the driver determine the utf-8 multibyte support $db->connect(); // And now we can decide if we should strip USCs $this->stripUSC = $db->hasUTF8mb4Support() ? 0 : 1; } catch (\RuntimeException $e) { // Could not connect to MySQL. Strip USC to be on the safe side. $this->stripUSC = 1; } } } /** * Returns an input filter object, only creating it if it doesn't already exist. * * @param array $tagsArray List of user-defined tags * @param array $attrArray List of user-defined attributes * @param integer $tagsMethod WhiteList method = 0, BlackList method = 1 * @param integer $attrMethod WhiteList method = 0, BlackList method = 1 * @param integer $xssAuto Only auto clean essentials = 0, Allow clean blacklisted tags/attr = 1 * @param integer $stripUSC Strip 4-byte unicode characters = 1, no strip = 0, ask the database driver = -1 * * @return InputFilter The InputFilter object. * * @since 11.1 */ public static function &getInstance($tagsArray = array(), $attrArray = array(), $tagsMethod = 0, $attrMethod = 0, $xssAuto = 1, $stripUSC = -1) { $sig = md5(serialize(array($tagsArray, $attrArray, $tagsMethod, $attrMethod, $xssAuto))); if (empty(self::$instances[$sig])) { self::$instances[$sig] = new InputFilter($tagsArray, $attrArray, $tagsMethod, $attrMethod, $xssAuto, $stripUSC); } return self::$instances[$sig]; } /** * Method to be called by another php script. Processes for XSS and * specified bad code. * * @param mixed $source Input string/array-of-string to be 'cleaned' * @param string $type The return type for the variable: * INT: An integer, or an array of integers, * UINT: An unsigned integer, or an array of unsigned integers, * FLOAT: A floating point number, or an array of floating point numbers, * BOOLEAN: A boolean value, * WORD: A string containing A-Z or underscores only (not case sensitive), * ALNUM: A string containing A-Z or 0-9 only (not case sensitive), * CMD: A string containing A-Z, 0-9, underscores, periods or hyphens (not case sensitive), * BASE64: A string containing A-Z, 0-9, forward slashes, plus or equals (not case sensitive), * STRING: A fully decoded and sanitised string (default), * HTML: A sanitised string, * ARRAY: An array, * PATH: A sanitised file path, or an array of sanitised file paths, * TRIM: A string trimmed from normal, non-breaking and multibyte spaces * USERNAME: Do not use (use an application specific filter), * RAW: The raw string is returned with no filtering, * unknown: An unknown filter will act like STRING. If the input is an array it will return an * array of fully decoded and sanitised strings. * * @return mixed 'Cleaned' version of input parameter * * @since 11.1 */ public function clean($source, $type = 'string') { // Strip Unicode Supplementary Characters when requested to do so if ($this->stripUSC) { // Alternatively: preg_replace('/[\x{10000}-\x{10FFFF}]/u', "\xE2\xAF\x91", $source) but it'd be slower. $source = $this->stripUSC($source); } // Handle the type constraint cases switch (strtoupper($type)) { case 'INT': case 'INTEGER': $pattern = '/[-+]?[0-9]+/'; if (is_array($source)) { $result = array(); // Iterate through the array foreach ($source as $eachString) { preg_match($pattern, (string) $eachString, $matches); $result[] = isset($matches[0]) ? (int) $matches[0] : 0; } } else { preg_match($pattern, (string) $source, $matches); $result = isset($matches[0]) ? (int) $matches[0] : 0; } break; case 'UINT': $pattern = '/[-+]?[0-9]+/'; if (is_array($source)) { $result = array(); // Iterate through the array foreach ($source as $eachString) { preg_match($pattern, (string) $eachString, $matches); $result[] = isset($matches[0]) ? abs((int) $matches[0]) : 0; } } else { preg_match($pattern, (string) $source, $matches); $result = isset($matches[0]) ? abs((int) $matches[0]) : 0; } break; case 'FLOAT': case 'DOUBLE': $pattern = '/[-+]?[0-9]+(\.[0-9]+)?([eE][-+]?[0-9]+)?/'; if (is_array($source)) { $result = array(); // Iterate through the array foreach ($source as $eachString) { preg_match($pattern, (string) $eachString, $matches); $result[] = isset($matches[0]) ? (float) $matches[0] : 0; } } else { preg_match($pattern, (string) $source, $matches); $result = isset($matches[0]) ? (float) $matches[0] : 0; } break; case 'BOOL': case 'BOOLEAN': if (is_array($source)) { $result = array(); // Iterate through the array foreach ($source as $eachString) { $result[] = (bool) $eachString; } } else { $result = (bool) $source; } break; case 'WORD': $pattern = '/[^A-Z_]/i'; if (is_array($source)) { $result = array(); // Iterate through the array foreach ($source as $eachString) { $result[] = (string) preg_replace($pattern, '', $eachString); } } else { $result = (string) preg_replace($pattern, '', $source); } break; case 'ALNUM': $pattern = '/[^A-Z0-9]/i'; if (is_array($source)) { $result = array(); // Iterate through the array foreach ($source as $eachString) { $result[] = (string) preg_replace($pattern, '', $eachString); } } else { $result = (string) preg_replace($pattern, '', $source); } break; case 'CMD': $pattern = '/[^A-Z0-9_\.-]/i'; if (is_array($source)) { $result = array(); // Iterate through the array foreach ($source as $eachString) { $cleaned = (string) preg_replace($pattern, '', $eachString); $result[] = ltrim($cleaned, '.'); } } else { $result = (string) preg_replace($pattern, '', $source); $result = ltrim($result, '.'); } break; case 'BASE64': $pattern = '/[^A-Z0-9\/+=]/i'; if (is_array($source)) { $result = array(); // Iterate through the array foreach ($source as $eachString) { $result[] = (string) preg_replace($pattern, '', $eachString); } } else { $result = (string) preg_replace($pattern, '', $source); } break; case 'STRING': if (is_array($source)) { $result = array(); // Iterate through the array foreach ($source as $eachString) { $result[] = (string) $this->remove($this->decode((string) $eachString)); } } else { $result = (string) $this->remove($this->decode((string) $source)); } break; case 'HTML': if (is_array($source)) { $result = array(); // Iterate through the array foreach ($source as $eachString) { $result[] = (string) $this->remove((string) $eachString); } } else { $result = (string) $this->remove((string) $source); } break; case 'ARRAY': $result = (array) $source; break; case 'PATH': $pattern = '/^[A-Za-z0-9_\/-]+[A-Za-z0-9_\.-]*([\\\\\/][A-Za-z0-9_-]+[A-Za-z0-9_\.-]*)*$/'; if (is_array($source)) { $result = array(); // Iterate through the array foreach ($source as $eachString) { preg_match($pattern, (string) $eachString, $matches); $result[] = isset($matches[0]) ? (string) $matches[0] : ''; } } else { preg_match($pattern, $source, $matches); $result = isset($matches[0]) ? (string) $matches[0] : ''; } break; case 'TRIM': if (is_array($source)) { $result = array(); // Iterate through the array foreach ($source as $eachString) { $cleaned = (string) trim($eachString); $cleaned = StringHelper::trim($cleaned, chr(0xE3) . chr(0x80) . chr(0x80)); $result[] = StringHelper::trim($cleaned, chr(0xC2) . chr(0xA0)); } } else { $result = (string) trim($source); $result = StringHelper::trim($result, chr(0xE3) . chr(0x80) . chr(0x80)); $result = StringHelper::trim($result, chr(0xC2) . chr(0xA0)); } break; case 'USERNAME': $pattern = '/[\x00-\x1F\x7F<>"\'%&]/'; if (is_array($source)) { $result = array(); // Iterate through the array foreach ($source as $eachString) { $result[] = (string) preg_replace($pattern, '', $eachString); } } else { $result = (string) preg_replace($pattern, '', $source); } break; case 'RAW': $result = $source; break; default: // Are we dealing with an array? if (is_array($source)) { foreach ($source as $key => $value) { // Filter element for XSS and other 'bad' code etc. if (is_string($value)) { $source[$key] = $this->_remove($this->_decode($value)); } } $result = $source; } else { // Or a string? if (is_string($source) && !empty($source)) { // Filter source for XSS and other 'bad' code etc. $result = $this->_remove($this->_decode($source)); } else { // Not an array or string... return the passed parameter $result = $source; } } break; } return $result; } /** * Function to punyencode utf8 mail when saving content * * @param string $text The strings to encode * * @return string The punyencoded mail * * @since 3.5 */ public function emailToPunycode($text) { $pattern = '/(("mailto:)+[\w\.\-\+]+\@[^"?]+\.+[^."?]+("|\?))/'; if (preg_match_all($pattern, $text, $matches)) { foreach ($matches[0] as $match) { $match = (string) str_replace(array('?', '"'), '', $match); $text = (string) str_replace($match, \JStringPunycode::emailToPunycode($match), $text); } } return $text; } /** * Checks an uploaded for suspicious naming and potential PHP contents which could indicate a hacking attempt. * * The options you can define are: * null_byte Prevent files with a null byte in their name (buffer overflow attack) * forbidden_extensions Do not allow these strings anywhere in the file's extension * php_tag_in_content Do not allow ` true, // Forbidden string in extension (e.g. php matched .php, .xxx.php, .php.xxx and so on) 'forbidden_extensions' => array( 'php', 'phps', 'pht', 'phtml', 'php3', 'php4', 'php5', 'php6', 'php7', 'phar', 'inc', 'pl', 'cgi', 'fcgi', 'java', 'jar', 'py', ), // true, // true, // Which file extensions to scan for short tags 'shorttag_extensions' => array( 'inc', 'phps', 'class', 'php3', 'php4', 'php5', 'txt', 'dat', 'tpl', 'tmpl', ), // Forbidden extensions anywhere in the content 'fobidden_ext_in_content' => true, // Which file extensions to scan for .php in the content 'php_ext_content_extensions' => array('zip', 'rar', 'tar', 'gz', 'tgz', 'bz2', 'tbz', 'jpa'), ); $options = array_merge($defaultOptions, $options); // Make sure we can scan nested file descriptors $descriptors = $file; if (isset($file['name']) && isset($file['tmp_name'])) { $descriptors = self::decodeFileData( array( $file['name'], $file['type'], $file['tmp_name'], $file['error'], $file['size'], ) ); } // Handle non-nested descriptors (single files) if (isset($descriptors['name'])) { $descriptors = array($descriptors); } // Scan all descriptors detected foreach ($descriptors as $fileDescriptor) { if (!isset($fileDescriptor['name'])) { // This is a nested descriptor. We have to recurse. if (!self::isSafeFile($fileDescriptor, $options)) { return false; } continue; } $tempNames = $fileDescriptor['tmp_name']; $intendedNames = $fileDescriptor['name']; if (!is_array($tempNames)) { $tempNames = array($tempNames); } if (!is_array($intendedNames)) { $intendedNames = array($intendedNames); } $len = count($tempNames); for ($i = 0; $i < $len; $i++) { $tempName = array_shift($tempNames); $intendedName = array_shift($intendedNames); // 1. Null byte check if ($options['null_byte']) { if (strstr($intendedName, "\x00")) { return false; } } // 2. PHP-in-extension check (.php, .php.xxx[.yyy[.zzz[...]]], .xxx[.yyy[.zzz[...]]].php) if (!empty($options['forbidden_extensions'])) { $explodedName = explode('.', $intendedName); $explodedName = array_reverse($explodedName); array_pop($explodedName); $explodedName = array_map('strtolower', $explodedName); /* * DO NOT USE array_intersect HERE! array_intersect expects the two arrays to * be set, i.e. they should have unique values. */ foreach ($options['forbidden_extensions'] as $ext) { if (in_array($ext, $explodedName)) { return false; } } } // 3. File contents scanner (PHP tag in file contents) if ($options['php_tag_in_content'] || $options['shorttag_in_content'] || ($options['fobidden_ext_in_content'] && !empty($options['forbidden_extensions']))) { $fp = @fopen($tempName, 'r'); if ($fp !== false) { $data = ''; while (!feof($fp)) { $data .= @fread($fp, 131072); if ($options['php_tag_in_content'] && stristr($data, ' $v) { $result[$k] = self::decodeFileData(array($data[0][$k], $data[1][$k], $data[2][$k], $data[3][$k], $data[4][$k])); } return $result; } return array('name' => $data[0], 'type' => $data[1], 'tmp_name' => $data[2], 'error' => $data[3], 'size' => $data[4]); } /** * Internal method to iteratively remove all unwanted tags and attributes * * @param string $source Input string to be 'cleaned' * * @return string 'Cleaned' version of input parameter * * @since 11.1 * @deprecated 4.0 Use InputFilter::remove() instead */ protected function _remove($source) { return $this->remove($source); } /** * Internal method to iteratively remove all unwanted tags and attributes * * @param string $source Input string to be 'cleaned' * * @return string 'Cleaned' version of input parameter * * @since 3.5 */ protected function remove($source) { // Check for invalid UTF-8 byte sequence if (!preg_match('//u', $source)) { // String contains invalid byte sequence, remove it $source = htmlspecialchars_decode(htmlspecialchars($source, ENT_IGNORE, 'UTF-8')); } // Iteration provides nested tag protection do { $temp = $source; $source = $this->_cleanTags($source); } while ($temp !== $source); return $source; } /** * Internal method to strip a string of certain tags * * @param string $source Input string to be 'cleaned' * * @return string 'Cleaned' version of input parameter * * @since 11.1 * @deprecated 4.0 Use InputFilter::cleanTags() instead */ protected function _cleanTags($source) { return $this->cleanTags($source); } /** * Internal method to strip a string of certain tags * * @param string $source Input string to be 'cleaned' * * @return string 'Cleaned' version of input parameter * * @since 3.5 */ protected function cleanTags($source) { // First, pre-process this for illegal characters inside attribute values $source = $this->_escapeAttributeValues($source); // In the beginning we don't really have a tag, so result is empty $result = ''; $offset = 0; $length = strlen($source); // Is there a tag? If so it will certainly start with a '<'. $tagOpenStartOffset = strpos($source, '<'); // Is there any close tag $tagOpenEndOffset = strpos($source, '>'); while ($offset < $length) { // Preserve '>' character which exists before related '<' if ($tagOpenEndOffset !== false && ($tagOpenStartOffset === false || $tagOpenEndOffset < $tagOpenStartOffset)) { $result .= substr($source, $offset, $tagOpenEndOffset - $offset) . '>'; $offset = $tagOpenEndOffset + 1; // Search for a new closing indicator $tagOpenEndOffset = strpos($source, '>', $offset); continue; } // Add safe text appearing before the '<' if ($tagOpenStartOffset > $offset) { $result .= substr($source, $offset, $tagOpenStartOffset - $offset); $offset = $tagOpenStartOffset; } // There is no more tags if ($tagOpenStartOffset === false && $tagOpenEndOffset === false) { $result .= substr($source, $offset, $length - $offset); $offset = $length; break; } // Remove every '<' character if '>' does not exists or we have '<>' if ($tagOpenStartOffset !== false && $tagOpenEndOffset === false || $tagOpenStartOffset + 1 == $tagOpenEndOffset) { $offset++; // Search for a new opening indicator $tagOpenStartOffset = strpos($source, '<', $offset); continue; } // Check for mal-formed tag where we have a second '<' before the '>' $nextOpenStartOffset = strpos($source, '<', $tagOpenStartOffset + 1); if ($nextOpenStartOffset !== false && $nextOpenStartOffset < $tagOpenEndOffset) { // At this point we have a mal-formed tag, skip previous '<' $offset++; // Set a new opening indicator position $tagOpenStartOffset = $nextOpenStartOffset; continue; } // Let's get some information about our tag and setup attribute pairs // Now we have something like 'span class="" style=""', '/span', 'br/', 'br /' or 'hr disabled /' $tagContent = substr($source, $offset + 1, $tagOpenEndOffset - 1 - $offset); // All ASCII whitespaces replace by 0x20 $tagNormalized = preg_replace('/\s/', ' ', $tagContent); $tagLength = strlen($tagContent); $spaceOffset = strpos($tagNormalized, ' '); // Are we an open tag or a close tag? $isClosingTag = $tagContent[0] === '/' ? 1 : 0; $isSelfClosingTag = substr($tagContent, -1) === '/' ? 1 : 0; if ($spaceOffset !== false) { $tagName = substr($tagContent, $isClosingTag, $spaceOffset - $isClosingTag); } else { $tagName = substr($tagContent, $isClosingTag, $tagLength - $isClosingTag - $isSelfClosingTag); } /* * Exclude all "non-regular" tagnames * OR no tagname * OR remove if xssauto is on and tag is blacklisted */ if (!$tagName || !preg_match("/^[a-z][a-z0-9]*$/i", $tagName) || ($this->xssAuto && in_array(strtolower($tagName), $this->tagBlacklist))) { $offset += $tagLength + 2; $tagOpenStartOffset = strpos($source, '<', $offset); $tagOpenEndOffset = strpos($source, '>', $offset); // Strip tag continue; } $attrSet = array(); /* * Time to grab any attributes from the tag... need this section in * case attributes have spaces in the values. */ while ($spaceOffset !== false && $spaceOffset + 1 < $tagLength) { $attrStartOffset = $spaceOffset + 1; // Find position of equal and open quote if (preg_match('#= *(")[^"]*(")#', $tagNormalized, $matches, PREG_OFFSET_CAPTURE, $attrStartOffset)) { $equalOffset = $matches[0][1]; $quote1Offset = $matches[1][1]; $quote2Offset = $matches[2][1]; $nextSpaceOffset = strpos($tagNormalized, ' ', $quote2Offset); } else { $equalOffset = strpos($tagNormalized, '=', $attrStartOffset); $quote1Offset = strpos($tagNormalized, '"', $attrStartOffset); $nextSpaceOffset = strpos($tagNormalized, ' ', $attrStartOffset); if ($quote1Offset !== false) { $quote2Offset = strpos($tagNormalized, '"', $quote1Offset + 1); } else { $quote2Offset = false; } } // Do we have an attribute to process? [check for equal sign] if ($tagContent[$attrStartOffset] !== '/' && ($equalOffset && $nextSpaceOffset && $nextSpaceOffset < $equalOffset || !$equalOffset)) { // Search for attribute without value, ex: 'checked/' or 'checked ' if ($nextSpaceOffset) { $attrEndOffset = $nextSpaceOffset; } else { $attrEndOffset = strpos($tagContent, '/', $attrStartOffset); if ($attrEndOffset === false) { $attrEndOffset = $tagLength; } } // If there is an ending, use this, if not, do not worry. if ($attrEndOffset > $attrStartOffset) { $attrSet[] = substr($tagContent, $attrStartOffset, $attrEndOffset - $attrStartOffset); } } elseif ($equalOffset !== false) { /* * If the attribute value is wrapped in quotes we need to grab the substring from * the closing quote, otherwise grab until the next space. */ if ($quote1Offset !== false && $quote2Offset !== false) { // Add attribute, ex: 'class="body abc"' $attrSet[] = substr($tagContent, $attrStartOffset, $quote2Offset + 1 - $attrStartOffset); } else { if ($nextSpaceOffset) { $attrEndOffset = $nextSpaceOffset; } else { $attrEndOffset = $tagLength; } // Add attribute, ex: 'class=body' $attrSet[] = substr($tagContent, $attrStartOffset, $attrEndOffset - $attrStartOffset); } } $spaceOffset = $nextSpaceOffset; } // Is our tag in the user input array? $tagFound = in_array(strtolower($tagName), $this->tagsArray); // If the tag is allowed let's append it to the output string. if ((!$tagFound && $this->tagsMethod) || ($tagFound && !$this->tagsMethod)) { // Reconstruct tag with allowed attributes if ($isClosingTag) { $result .= ""; } else { $attrSet = $this->_cleanAttributes($attrSet); // Open or single tag $result .= '<' . $tagName; if ($attrSet) { $result .= ' ' . implode(' ', $attrSet); } // Reformat single tags to XHTML if (strpos($source, "", $tagOpenStartOffset) !== false) { $result .= '>'; } else { $result .= ' />'; } } } $offset += $tagLength + 2; if ($offset < $length) { // Find next tag's start and continue iteration $tagOpenStartOffset = strpos($source, '<', $offset); $tagOpenEndOffset = strpos($source, '>', $offset); } } return $result; } /** * Internal method to strip a tag of certain attributes * * @param array $attrSet Array of attribute pairs to filter * * @return array Filtered array of attribute pairs * * @since 11.1 * @deprecated 4.0 Use InputFilter::cleanAttributes() instead */ protected function _cleanAttributes($attrSet) { return $this->cleanAttributes($attrSet); } /** * Escape < > and " inside attribute values * * @param string $source The source string. * * @return string Filtered string * * @since 3.5 */ protected function escapeAttributeValues($source) { $alreadyFiltered = ''; $remainder = $source; $badChars = array('<', '"', '>'); $escapedChars = array('<', '"', '>'); /* * Process each portion based on presence of =" and ", "/>, or "> * See if there are any more attributes to process */ while (preg_match('#<[^>]*?=\s*?(\"|\')#s', $remainder, $matches, PREG_OFFSET_CAPTURE)) { // Get the portion before the attribute value $quotePosition = $matches[0][1]; $nextBefore = $quotePosition + strlen($matches[0][0]); /* * Figure out if we have a single or double quote and look for the matching closing quote * Closing quote should be "/>, ">, ", or " at the end of the string */ $quote = substr($matches[0][0], -1); $pregMatch = ($quote == '"') ? '#(\"\s*/\s*>|\"\s*>|\"\s+|\"$)#' : "#(\'\s*/\s*>|\'\s*>|\'\s+|\'$)#"; // Get the portion after attribute value if (preg_match($pregMatch, substr($remainder, $nextBefore), $matches, PREG_OFFSET_CAPTURE)) { // We have a closing quote $nextAfter = $nextBefore + $matches[0][1]; } else { // No closing quote $nextAfter = strlen($remainder); } // Get the actual attribute value $attributeValue = substr($remainder, $nextBefore, $nextAfter - $nextBefore); // Escape bad chars $attributeValue = str_replace($badChars, $escapedChars, $attributeValue); $attributeValue = $this->_stripCSSExpressions($attributeValue); $alreadyFiltered .= substr($remainder, 0, $nextBefore) . $attributeValue . $quote; $remainder = substr($remainder, $nextAfter + 1); } // At this point, we just have to return the $alreadyFiltered and the $remainder return $alreadyFiltered . $remainder; } /** * Try to convert to plaintext * * @param string $source The source string. * * @return string Plaintext string * * @since 11.1 * @deprecated 4.0 Use InputFilter::decode() instead */ protected function _decode($source) { return $this->decode($source); } /** * Try to convert to plaintext * * @param string $source The source string. * * @return string Plaintext string * * @since 3.5 */ protected function decode($source) { static $ttr; if (!is_array($ttr)) { // Entity decode $trans_tbl = get_html_translation_table(HTML_ENTITIES, ENT_COMPAT, 'ISO-8859-1'); foreach ($trans_tbl as $k => $v) { $ttr[$v] = utf8_encode($k); } } $source = strtr($source, $ttr); // Convert decimal $source = preg_replace_callback('/&#(\d+);/m', function($m) { return utf8_encode(chr($m[1])); }, $source ); // Convert hex $source = preg_replace_callback('/&#x([a-f0-9]+);/mi', function($m) { return utf8_encode(chr(hexdec($m[1]))); }, $source ); return $source; } /** * Escape < > and " inside attribute values * * @param string $source The source string. * * @return string Filtered string * * @since 11.1 * @deprecated 4.0 Use InputFilter::escapeAttributeValues() instead */ protected function _escapeAttributeValues($source) { return $this->escapeAttributeValues($source); } /** * Remove CSS Expressions in the form of `:expression(...)` * * @param string $source The source string. * * @return string Filtered string * * @since 11.1 * @deprecated 4.0 Use InputFilter::stripCSSExpressions() instead */ protected function _stripCSSExpressions($source) { return $this->stripCSSExpressions($source); } /** * Recursively strip Unicode Supplementary Characters from the source. Not: objects cannot be filtered. * * @param mixed $source The data to filter * * @return mixed The filtered result * * @since 3.5 */ protected function stripUSC($source) { if (is_object($source)) { return $source; } if (is_array($source)) { $filteredArray = array(); foreach ($source as $k => $v) { $filteredArray[$k] = $this->stripUSC($v); } return $filteredArray; } return preg_replace('/[\xF0-\xF7].../s', "\xE2\xAF\x91", $source); } }