/**
 * Content filter for an uploaded file: rejects markup (SVG / XML / HTML)
 * that carries script, event handlers, external references, entity
 * declarations or server-side directives. This listing is an excerpt —
 * the bodies of the if-statements (the early returns) and the tail of the
 * method are not visible here.
 *
 * @param string      $file     Path of the uploaded temp file; must be a real HTTP upload.
 * @param string|null $filename Client-supplied original name; only its extension is used.
 * @return bool presumably false on rejection — the return statements are not in view.
 */
15 public static function check($file, $filename = null)
// Refuse missing paths and anything that did not arrive via HTTP upload,
// so the filter cannot be pointed at arbitrary local files.
18 if (!$file || !file_exists($file) || !is_uploaded_file($file))
// Empty files take a separate path (body not visible). Because of the loose
// '==', filesize() returning false (unreadable file) also lands here.
24 if (($filesize = filesize($file)) == 0)
// Extension = lower-cased text after the last '.' of the client-supplied
// name, '' when there is no name or no dot. It is only a hint; the content
// sniff below is what catches mislabelled files.
30 $ext = $filename ? strtolower(substr(strrchr($filename,
'.'), 1)) :
'';
// NOTE(review): the fopen() result is not checked between these lines; a
// false $fp would surface only in the reads that follow.
33 $fp = fopen($file,
'rb');
34 $first4kb = fread($fp, 4096);
// Content sniff: does the first 4 KB contain a markup opener? Unanchored and
// case-insensitive, so a BOM or leading whitespace does not hide it.
// Caveats: (1) only the first 4096 bytes are inspected, so a file with a
// non-markup extension whose markup begins after that offset gets no
// content check at all; (2) the pattern is byte/ASCII based, so UTF-16
// encoded markup (NUL between characters) does not match it.
35 $is_xml = preg_match(
'/<(?:\?xml|!DOCTYPE|html|head|body|meta|script|svg)\b/i', $first4kb);
// The SVG scan runs for anything that sniffs as markup, not only *.svg.
// Each scan starts at offset 0 and runs to $filesize, independent of the
// 4 KB window read above.
38 if (($ext ===
'svg' || $is_xml) && !self::_checkSVG($fp, 0, $filesize))
// XML scan (entity declarations). When '<svg' or '<?xml' appears in the
// first 4 KB this also applies to SVG uploads, since $is_xml is set.
45 if (($ext ===
'xml' || $is_xml) && !self::_checkXML($fp, 0, $filesize))
// HTML scan for the usual HTML extensions (including .phtml) or sniffed markup.
52 if (($ext ===
'html' || $ext ===
'shtml' || $ext ===
'xhtml' || $ext ===
'phtml' || $is_xml) && !self::_checkHTML($fp, 0, $filesize))
/**
 * Scans bytes [$from, $to) of an open stream for active SVG content.
 * Excerpt only: the return statements and any further checks are not
 * visible here; callers treat a false result as "reject".
 *
 * @param resource $fp   Readable stream; _matchStream() repositions it itself.
 * @param int      $from Start offset.
 * @param int      $to   End offset (callers pass the file size).
 */
71 protected static function _checkSVG($fp, $from, $to)
// Blocks <script>, SMIL <handler>, and xlink:href values that are not a
// data: URI. Limits a reviewer should know: the attribute alternative
// requires a literal double quote, so xlink:href='...' (single-quoted) or
// an unquoted value does not match; and only the xlink-prefixed attribute
// is checked, not a bare href= on <use>/<image> — whether that matters
// depends on what renders the file. This is a regex over raw bytes, not a
// parsed DOM, so anything the parser would normalise differently is missed.
73 if (self::_matchStream(
'/<script|<handler\b|xlink:href\s*=\s*"(?!data:)/i', $fp, $from, $to))
// Blocks XML Events attributes (ev:event / ev:listener / ev:observer) and
// any on*= handler attribute. The leading \b keeps e.g. 'version=' from
// matching the 'on[a-z]+' branch.
77 if (self::_matchStream(
'/\b(?:ev:(?:event|listener|observer)|on[a-z]+)\s*=/i', $fp, $from, $to))
/**
 * Scans bytes [$from, $to) for XML constructs that are unsafe to parse or
 * serve. Excerpt only: this listing skips the lines between the two checks,
 * so the second check may in fact belong to a neighbouring method.
 *
 * @param resource $fp   Readable stream; _matchStream() repositions it itself.
 * @param int      $from Start offset.
 * @param int      $to   End offset (callers pass the file size).
 */
93 protected static function _checkXML($fp, $from, $to)
// Any entity declaration is rejected outright — no attempt to distinguish
// internal from external (SYSTEM/PUBLIC) entities, which also shuts out
// entity-expansion ("billion laughs") payloads. Cheap and conservative.
95 if (self::_matchStream(
'/<!ENTITY/i', $fp, $from, $to))
// Rejects processing instructions other than the XML declaration (so
// '<?php', '<?=' and the like) and Apache-style SSI directives. Note the
// lookahead is '(?!xml\b)', so '<?xml-stylesheet ...' passes this check;
// ASP-style '<%' and '<script language="php">' are not covered by this
// pattern either.
113 if (self::_matchStream(
'/<\?(?!xml\b)|<!--#(?:include|exec|echo|config|fsize|flastmod|printenv)\b/i', $fp, $from, $to))
/**
 * Streams the file through $regexp in overlapping windows so a pattern that
 * straddles a block boundary is still seen. Excerpt only: the early return
 * inside the loop and the final return are not visible here; callers use a
 * truthy result as "pattern found".
 *
 * @param string   $regexp       PCRE pattern applied to each raw window.
 * @param resource $fp           Open stream; its position is reset to $from.
 * @param int      $from         Start offset.
 * @param int      $to           Upper bound for where the next window starts (see note below).
 * @param int      $block_size   Advance per iteration.
 * @param int      $overlap_size Extra bytes read past each block.
 */
137 protected static function _matchStream($regexp, $fp, $from, $to, $block_size = 16384, $overlap_size = 1024)
139 fseek($fp, $position = $from);
// Each window is block_size + overlap_size bytes and windows advance by
// block_size, so consecutive windows share overlap_size bytes. A match
// longer than overlap_size (e.g. 'xlink:href' padded with more than 1 KB of
// whitespace before the '=') can still be missed if it straddles a boundary.
140 while (strlen($content = fread($fp, $block_size + $overlap_size)) > 0)
// preg_match() returns false on a PCRE error (backtrack / recursion limit);
// here that is indistinguishable from "no match", i.e. the scan fails open.
// A practitioner would check preg_last_error() and treat errors as a match.
142 if (preg_match($regexp, $content))
// NOTE(review): $to only clamps where the next read starts — the read itself
// may run past $to. If $to is smaller than the file length and nothing
// matches, the loop keeps re-reading from $to and never terminates. Every
// visible caller passes the file size, so EOF ends the loop in practice.
146 fseek($fp, min($to, $position += $block_size));