$clean) {
                $cleaned[$key] = preg_replace("/[^{$allow}a-zA-Z0-9]/", '', $clean);
            }
        } else {
            $cleaned = preg_replace("/[^{$allow}a-zA-Z0-9]/", '', $string);
        }
        return $cleaned;
    }

    /**
     * Makes a string SQL-safe.
     *
     * The value is quoted/escaped by the configured data source and the
     * surrounding quotes are then removed again, so the caller is expected to
     * place the result inside its own single quotes. It is only as safe as the
     * driver's `value()` escaping; passing values straight to the data source
     * (or to a prepared statement) is preferable to string concatenation.
     *
     * @param string $string String to sanitize
     * @param string $connection Database connection being used
     * @return string SQL safe string (numbers, booleans and null are returned unchanged)
     */
    public static function escape($string, $connection = 'default') {
        $dataSource = ConnectionManager::getDataSource($connection);
        // Numeric, boolean and null values carry no quoting and are passed through as-is.
        if (is_numeric($string) || $string === null || is_bool($string)) {
            return $string;
        }
        // Let the driver quote and escape the value ...
        $quoted = $dataSource->value($string, 'string');
        // ... then drop the quotes it added. A leading 'N' marks a driver-specific
        // N'...' literal prefix, which is skipped together with the opening quote.
        $offset = ($quoted[0] === 'N') ? 2 : 1;
        $unquoted = substr($quoted, $offset);
        return substr($unquoted, 0, -1);
    }

    /**
     * Returns given string safe for display as HTML. Renders entities.
     *
     * strip_tags() does not validate HTML syntax or structure, so it might strip whole passages
     * with broken HTML.
     *
     * ### Options:
     *
     * - remove (boolean) if true strips all HTML tags before encoding
     * - charset (string) the charset used to encode the string
     * - quotes (int) flags passed to htmlentities(), see http://php.net/manual/en/function.htmlentities.php
     *   (add ENT_SUBSTITUTE if invalid byte sequences should be replaced rather than
     *   producing an empty string)
     * - double (boolean) double encode html entities
     *
     * @param string $string String from where to strip tags
     * @param array $options Array of options to use.
* @return string Sanitized string */ public static function html($string, $options = array()) { static $defaultCharset = false; if ($defaultCharset === false) { $defaultCharset = Configure::read('App.encoding'); if ($defaultCharset === null) { $defaultCharset = 'UTF-8'; } } $default = array( 'remove' => false, 'charset' => $defaultCharset, 'quotes' => ENT_QUOTES, 'double' => true ); $options = array_merge($default, $options); if ($options['remove']) { $string = strip_tags($string); } return htmlentities($string, $options['quotes'], $options['charset'], $options['double']); } /** * Strips extra whitespace from output * * @param string $str String to sanitize * @return string whitespace sanitized string */ public static function stripWhitespace($str) { $r = preg_replace('/[\n\r\t]+/', '', $str); return preg_replace('/\s{2,}/u', ' ', $r); } /** * Strips image tags from output * * @param string $str String to sanitize * @return string Sting with images stripped. */ public static function stripImages($str) { $str = preg_replace('/(]*>)(]+alt=")([^"]*)("[^>]*>)(<\/a>)/i', '$1$3$5
', $str); $str = preg_replace('/(]+alt=")([^"]*)("[^>]*>)/i', '$2
', $str); $str = preg_replace('/]*>/i', '', $str); return $str; } /** * Strips scripts and stylesheets from output * * @param string $str String to sanitize * @return string String with