Saturday, July 4th, 2009

How to create an advanced (bad, naughty) words filter

by Gabriel on 26/10/08 at 4:47 pm

Save to StumbleUpon Stumble Upon it!     Save to Del.icio.us Save to Del.icio.us    Share on Twitter! Share on Twitter!

Greetings! Subscribe to my RSS feed or get my latest post directly in your mailbox. Thanks for visiting!

This is a PHP Class useful if you need to filter (bad, naughty) words from a string (text), whether is a simple string or one containing HTML tags. Here’s the complete source code (we will explain it below):

filter.string.class.php

<?php
/*
Credits: Bit Repository
*/

class Filter_String  {

var $strings;
var $text;
var $keep_first_last;
var $replace_matches_inside_words;

function filter()
{
$new_text = '';

$regex = '/<\/?(?:\w+(?:=["\'][^\'"]*["\'])?\s*)*>/'; // Tag Extractor

preg_match_all($regex, $this->text, $out, PREG_OFFSET_CAPTURE);

$array = $out[0];

if(!empty($array))
{
	if($array[0][1] > 0)
	{
	$new_text .= $this->do_filter(substr($this->text, 0, $array[0][1]));
	}

   foreach($array as $value)
   {
   $tag = $value[0];
   $offset = $value[1];

   $strlen = strlen($tag); // characters length of the tag

   $start_str_pos = ($offset + $strlen); // start position for the non-tag element
   $next = next($array);

   // end position for the non-tag element
   $end_str_pos = $next[1];

   // no end position?
   // This is the last text from the string and it is not followed by any tags
   if(!$end_str_pos) $end_str_pos = strlen($this->text);

// Start constructing the new resulted string. We'll add tags now!
   $new_text .= substr($this->text, $offset, $strlen);

   $diff = ($end_str_pos - $start_str_pos);

       // Is this a simple string without any tags? Apply the filter to it
       if($diff > 0)
       {
       $str = substr($this->text, $start_str_pos, $diff);

       $str = $this->do_filter($str);

       $new_text .= $str; // Continue constructing the text with the (filtered) text
       }
   }
}
else // No tags were found in the string? Just apply the filter
{
$new_text = $this->do_filter($this->text);
}

return $new_text;
}

function do_filter($var)
{
if(is_string($words)) $this->strings = array($this->strings);

   foreach($this->strings as $word)
   {
	  $word = trim($word);

	  $replacement = '';

	  $str = strlen($word);

	  $first = ($this->keep_first_last) ? $word[0] : '';
	  $str = ($this->keep_first_last) ? $str - 2 : $str;
	  $last = ($this->keep_first_last) ? $word[strlen($word) - 1] : '';

	  $replacement = str_repeat('*', $str);

	  if($this->replace_matches_inside_words)
	  {
	     $var = str_replace($word, $first.$replacement.$last, $var);
	  }
	  else
	  {
	     $var = preg_replace('/\b'.$word.'\b/i', $first.$replacement.$last, $var);
	  }
   }

return $var;
}

}
?>

How it works?

First, a regex is used to extract the HTML tags (if any). To do that we use preg_match_all() with the flag PREG_OFFSET_CAPTURE. This is used to get the actual position (offset) of the matched element. Based on this information we will calculate the numeric position for elements that aren’t tags & apply the filter to them.

How to use it?

In this example the script is replacing all the words from the array and keeps the first and last letter for each one. It replaces the middle letters with stars (*). For example the word ‘turpis’ will be replaced with ‘t****s’ (notice that four stars are used in this case). The filter ignores the HTML tags. The attribute ‘href’ is not replaced in the A tag.

<?php
error_reporting (E_ALL ^ E_NOTICE);

include 'filter.string.class.php';

$filter = new Filter_String;

$filter->strings = array('consectetuer','consequat','turpis', 'href');

$filter->text = 'Lorem ipsum dolor sit amet, href <a href="http://www.domain.com/">consectetuer</a> adipiscing elit. Nulla mi nunc, consequat vitae, condimentum at, iaculis at, turpis. Praesent suscipit. Maecenas et lectus.';

$filter->keep_first_last = false;
$filter->replace_matches_inside_words = false;

$new_text = $filter->filter();

echo $new_text;
?>
Lorem ipsum dolor sit amet, h**f c**********r adipiscing elit. Nulla mi nunc, c*******t vitae, condimentum at, iaculis at, t****s. Praesent suscipit. Maecenas et lectus.

For example you need to filter the word ‘eat’ and there is a word in the text ‘create’. In this case, if we set $filter->replace_matches_inside_words to true ‘create’ will become ‘cr***te’. If set to false, ‘create’ will remain the same. This is the case when only the distinct word ‘eat’ is filtered.

Be notified when we have new posts by subscribing to BitRepository RSS Feed.
Support us!Did you like this post?
Please spread the word!		 Save to StumbleUpon  Save to Del.icio.us  Share on Twitter!    

2 Comments

Mike

Oct 27th, 2008

Just taking a quick glance at this… The regex on line 17 is not going to catch tags which don’t have quotes around attributes. While not valid, browsers will accept it in some circumstances…

You could still easily <script src=mysite.com/script.js></script> or whatever for your XSS.

Stuff like this is hard. REALLY hard.

Gabriel

Oct 27th, 2008

People can use this class on their own sites (and many others) where they know that standard is respected & only VALID syntax is used. I’ve seen many word filters in PHP that didn’t even check any tags in the string. This script is GOOD ENOUGH. I realize this stuff is really hard.

Leave a Comment