diff options
| author | Silvio Rhatto <rhatto@riseup.net> | 2014-03-14 21:25:01 -0300 |
|---|---|---|
| committer | Silvio Rhatto <rhatto@riseup.net> | 2014-03-14 21:25:01 -0300 |
| commit | 3651c99a195685f3a868e159e72c4daf8cb371d3 (patch) | |
| tree | cb004dd7b6ca55215a2c20112fe0c5209d98c18e /engine/lib/output.php | |
| parent | 97e689213ff4e829f251af526ed4e796a3cc2b71 (diff) | |
| parent | c2707bb867ddb285af85d7a0e75db26ef692d68c (diff) | |
| download | elgg-3651c99a195685f3a868e159e72c4daf8cb371d3.tar.gz elgg-3651c99a195685f3a868e159e72c4daf8cb371d3.tar.bz2 | |
Merge branch 'master' into saravea
Conflicts:
mod/blog/views/default/blog/sidebar/archives.php
Diffstat (limited to 'engine/lib/output.php')
| -rw-r--r-- | engine/lib/output.php | 52 |
1 files changed, 37 insertions, 15 deletions
diff --git a/engine/lib/output.php b/engine/lib/output.php index da8e1ab86..de4f911fb 100644 --- a/engine/lib/output.php +++ b/engine/lib/output.php @@ -13,28 +13,33 @@ * @param string $text The input string * * @return string The output string with formatted links - **/ + */ function parse_urls($text) { + + // URI specification: http://www.ietf.org/rfc/rfc3986.txt + // This varies from the specification in the following ways: + // * Supports non-ascii characters + // * Does not allow parentheses and single quotes + // * Cuts off commas, exclamation points, and periods off as last character + // @todo this causes problems with <attr = "val"> // must be in <attr="val"> format (no space). // By default htmlawed rewrites tags to this format. // if PHP supported conditional negative lookbehinds we could use this: // $r = preg_replace_callback('/(?<!=)(?<![ ])?(?<!["\'])((ht|f)tps?:\/\/[^\s\r\n\t<>"\'\!\(\),]+)/i', - // - // we can put , in the list of excluded char but need to keep . because of domain names. - // it is removed in the callback. - $r = preg_replace_callback('/(?<!=)(?<!["\'])((ht|f)tps?:\/\/[^\s\r\n\t<>"\'\!\(\),]+)/i', + $r = preg_replace_callback('/(?<![=\/"\'])((ht|f)tps?:\/\/[^\s\r\n\t<>"\']+)/i', create_function( '$matches', ' $url = $matches[1]; - $period = \'\'; - if (substr($url, -1, 1) == \'.\') { - $period = \'.\'; - $url = trim($url, \'.\'); + $punc = ""; + $last = substr($url, -1, 1); + if (in_array($last, array(".", "!", ",", "(", ")"))) { + $punc = $last; + $url = rtrim($url, ".!,()"); } $urltext = str_replace("/", "/<wbr />", $url); - return "<a href=\"$url\">$urltext</a>$period"; + return "<a href=\"$url\" rel=\"nofollow\">$urltext</a>$punc"; ' ), $text); @@ -284,11 +289,9 @@ function elgg_get_friendly_title($title) { return $result; } - // handle some special cases - $title = str_replace('&', 'and', $title); - // quotes and angle brackets stored in the database as html encoded - $title = htmlspecialchars_decode($title); - + // titles are often stored HTML encoded + $title = html_entity_decode($title, ENT_QUOTES, 'UTF-8'); + $title = ElggTranslit::urlize($title); return $title; @@ -418,6 +421,25 @@ function _elgg_html_decode($string) { } /** + * Prepares query string for output to prevent CSRF attacks. + * + * @param string $string + * @return string + * + * @access private + */ +function _elgg_get_display_query($string) { + //encode <,>,&, quotes and characters above 127 + if (function_exists('mb_convert_encoding')) {
+ $display_query = mb_convert_encoding($string, 'HTML-ENTITIES', 'UTF-8');
+ } else {
+ // if no mbstring extension, we just strip characters
+ $display_query = preg_replace("/[^\x01-\x7F]/", "", $string);
+ }
+ return htmlspecialchars($display_query, ENT_QUOTES, 'UTF-8', false); +} + +/** * Unit tests for Output * * @param string $hook unit_test |