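$clean) {
	$cleaned[$key] = preg_replace("/[^{$allow}a-zA-Z0-9]/", '', $clean);
}
return $cleaned;
}

/**
 * Makes a string SQL-safe.
 *
 * Numeric values, null and booleans are returned untouched. Anything else is
 * run through the datasource's value() quoting, after which the surrounding
 * quote characters (and a leading 'N', presumably the national-string prefix
 * some drivers emit) are stripped again, so the caller receives the escaped
 * payload WITHOUT delimiters and must still wrap it in quotes itself.
 *
 * The is_numeric() pass-through is only safe because numeric strings consist
 * of digits, sign, decimal point, exponent and surrounding whitespace — there
 * is no quote character to escape — but note that such a value is returned
 * as-is, not quoted.
 *
 * @param string $string String to sanitize
 * @param string $connection Database connection being used
 * @return string SQL safe string
 */
public static function escape($string, $connection = 'default') {
	if (is_numeric($string) || $string === null || is_bool($string)) {
		return $string;
	}
	$db = ConnectionManager::getDataSource($connection);
	$quoted = $db->value($string, 'string');

	// Curly-brace string offsets ($quoted{0}) were removed in PHP 8; substr()
	// also avoids an "uninitialized offset" warning should value() return ''.
	$start = 1;
	if (substr($quoted, 0, 1) === 'N') {
		$start = 2;
	}
	// Drop the leading delimiter (or N-prefix + delimiter) and the trailing one.
	return substr($quoted, $start, -1);
}

/**
 * Returns given string safe for display as HTML. Renders entities.
 *
 * strip_tags() does not validate HTML syntax or structure, so it might strip whole passages
 * with broken HTML.
 *
 * ### Options:
 *
 * - remove (boolean) if true strips all HTML tags before encoding
 * - charset (string) the charset used to encode the string
 * - quotes (int) see http://php.net/manual/en/function.htmlentities.php
 * - double (boolean) double encode html entities
 *
 * @param string $string String from where to strip tags
 * @param array $options Array of options to use.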
* @return string Sanitized string */ public static function html($string, $options = array()) { static $defaultCharset = false; if ($defaultCharset === false) { $defaultCharset = Configure::read('App.encoding'); if ($defaultCharset === null) { $defaultCharset = 'UTF-8'; } } $defaults = array( 'remove' => false, 'charset' => $defaultCharset, 'quotes' => ENT_QUOTES, 'double' => true ); $options += $defaults; if ($options['remove']) { $string = strip_tags($string); } return htmlentities($string, $options['quotes'], $options['charset'], $options['double']); } /** * Strips extra whitespace from output * * @param string $str String to sanitize * @return string whitespace sanitized string */ public static function stripWhitespace($str) { return preg_replace('/\s{2,}/u', ' ', preg_replace('/[\n\r\t]+/', '', $str)); } /** * Strips image tags from output * * @param string $str String to sanitize * @return string Sting with images stripped. */ public static function stripImages($str) { $preg = array( '/(]*>)(]+alt=")([^"]*)("[^>]*>)(<\/a>)/i' => '$1$3$5
', '/(]+alt=")([^"]*)("[^>]*>)/i' => '$2
', '/]*>/i' => '' ); return preg_replace(array_keys($preg), array_values($preg), $str); } /** * Strips scripts and stylesheets from output * * @param string $str String to sanitize * @return string String with , ,