Bad Word Filter for File Names, Title, Keyword and Caption
 


Started by Joe Carver, May 13, 2009, 02:21:47 PM


Joe Carver

Filter Bad Words from User's Filename, Title, etc.

This mod. will filter bad words from the user input when they upload files. Bad words are replaced with an underscore. The code snippet is borrowed from db_input.php; Coppermine's bad word list in the language file is also used, as is the case with bad word filtering for comments. This is for HTTP uploads, when the user uploads from their own computer. It has not been tested yet with URL/URI uploads.

Modify file upload.php
    Sections
    • File name filtering
    • Text input - Title, Caption, etc filtering

In file upload.php find this:

    $picture_name = replace_forbidden($_FILES['file_upload_array']['name'][$counter]);

Add below it this:

    // Filter input for bad words. Replace with underscore
    if ($CONFIG['filter_bad_words']) {
        $ercp = array();
        foreach ($lang_bad_words as $word) {
            $ercp[] = '/' . ($word[0] == '*' ? '' : '\b') . str_replace('*', '', $word) . ($word[(strlen($word)-1)] == '*' ? '' : '\b') . '/i';
        }
        $picture_name = preg_replace($ercp, '_', $picture_name);
    }
    //

In file upload.php find:

    $title = addslashes($_POST['title']);

Add below it this:

    // Filter input for bad words. Replace with underscore
    if ($CONFIG['filter_bad_words']) {
        $ercp = array();
        foreach ($lang_bad_words as $word) {
            $ercp[] = '/' . ($word[0] == '*' ? '' : '\b') . str_replace('*', '', $word) . ($word[(strlen($word)-1)] == '*' ? '' : '\b') . '/i';
        }
        $title = preg_replace($ercp, '_', $title);
    }
    //

For each additional field that you want filtered:

In file upload.php:

    $caption = addslashes($_POST['caption']);
    $keywords = addslashes($_POST['keywords']);
    $user1 = addslashes($_POST['user1']);
    $user2 = addslashes($_POST['user2']);
    $user3 = addslashes($_POST['user3']);
    $user4 = addslashes($_POST['user4']);

Select the field names $caption - $keywords - $user1 - $user2 - $user3 - $user4

Insert filter code as shown above - Replace $VARIABLE with the field you want filtered:

    $VARIABLE = preg_replace($ercp, '_', $VARIABLE);

The mod. was hastily applied to my user's gallery after I found a .jpg named "f  _off" in one of their albums. After a gentle reminder to the artist I realized that this would not be the first time and that maybe a mod. would be less painful than a battle over perceived freedoms of expression.

There might be more efficient ways to apply/code this; the author is an amateur and was rushing to apply a working mod. Comments and change suggestions are very welcome.

And yes, there are more places that users can be "creative" with their wording, but I wanted visitors not to turn away when seeing the title of a file.
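
Added example (not part of the original post and not Coppermine code): the same filter wrapped in two hypothetical helper functions, so the patterns are built once and applied to every field. The word list and field values are constructed, and the `$underscoreIsBoundary` switch goes beyond the post: `\b` treats an underscore as a word character, so a listed word between underscores in a file name is only caught when underscores are treated as separators.

```php
<?php
// Added example, not Coppermine code; function names and sample data are hypothetical.

// Turn a word list with Coppermine-style '*' wildcards into regex patterns.
// With $underscoreIsBoundary = true, '_' counts as a word separator; with
// plain \b it does not, so "my_darn_pic.jpg" would pass unfiltered.
function build_bad_word_patterns(array $words, $underscoreIsBoundary = false)
{
    $left  = $underscoreIsBoundary ? '(?<![A-Za-z0-9])' : '\b';
    $right = $underscoreIsBoundary ? '(?![A-Za-z0-9])'  : '\b';

    $patterns = array();
    foreach ($words as $word) {
        $core = str_replace('*', '', $word);
        if ($core === '') {
            continue; // empty or wildcard-only entry: its pattern would match at every position
        }
        $open  = ($word[0] === '*') ? '' : $left;          // leading '*': no boundary on the left
        $close = (substr($word, -1) === '*') ? '' : $right; // trailing '*': no boundary on the right
        // As in the posted code, the entry is used as a regex fragment (no preg_quote).
        $patterns[] = '/' . $open . $core . $close . '/i';
    }
    return $patterns;
}

function filter_bad_words($text, array $patterns)
{
    return $patterns ? preg_replace($patterns, '_', $text) : $text;
}

// Constructed sample data standing in for $lang_bad_words and the upload fields.
$words  = array('darn', 'heck*', '*crud*', '*');
$fields = array(
    'picture_name' => 'my_darn_pic.jpg',
    'title'        => 'Darn it, what the heckler said',
    'caption'      => 'Uncruddy darned photo',
);

$strict = build_bad_word_patterns($words);       // same boundaries as the post
$loose  = build_bad_word_patterns($words, true); // '_' also separates words

foreach ($fields as $name => $value) {
    printf("%-12s %-32s => %-28s | %s\n", $name, $value,
        filter_bad_words($value, $strict), filter_bad_words($value, $loose));
}
```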