author | brettp <brettp@36083f99-b078-4883-b0ff-0f9b5a30f544> | 2009-11-02 20:48:58 +0000 |
---|---|---|
committer | brettp <brettp@36083f99-b078-4883-b0ff-0f9b5a30f544> | 2009-11-02 20:48:58 +0000 |
commit | 0d329d2421f7040c45c3587bcd1655d28da7bd4c (patch) | |
tree | 4deb0878181ef35a3f0e30cba3492112284b9432 /mod/htmlawed | |
parent | 1c5466186dc8012c848fa5c7fe40e55325db8038 (diff) | |
download | elgg-0d329d2421f7040c45c3587bcd1655d28da7bd4c.tar.gz elgg-0d329d2421f7040c45c3587bcd1655d28da7bd4c.tar.bz2 |
Updated htmlawed to disallow many style attributes.
git-svn-id: http://code.elgg.org/elgg/trunk@3612 36083f99-b078-4883-b0ff-0f9b5a30f544
Diffstat (limited to 'mod/htmlawed')
-rw-r--r-- | mod/htmlawed/start.php | 72 |
1 files changed, 57 insertions, 15 deletions
diff --git a/mod/htmlawed/start.php b/mod/htmlawed/start.php index b180be811..52cefa1da 100644 --- a/mod/htmlawed/start.php +++ b/mod/htmlawed/start.php @@ -1,7 +1,7 @@ <?php /** * Elgg htmLawed tag filtering. - * + * * @package ElgghtmLawed * @author Curverider Ltd * @author Brett Profitt @@ -20,14 +20,56 @@ // seems to handle about everything we need. 'safe' => true, 'deny_attribute' => 'class', - - 'schemes' => '*: http,https,ftp,news,mailto,rtsp,teamspeak,gopher,mms,callto;' - . 'style: color,cursor,text-align,font-size,font-weight,font-style,border,margin,padding,float' + 'hook_tag' => 'htmlawed_hook', + + 'schemes' => '*:http,https,ftp,news,mailto,rtsp,teamspeak,gopher,mms,callto;' + // apparent this doesn't work. + //. 'style:color,cursor,text-align,font-size,font-weight,font-style,border,margin,padding,float' ); - + register_plugin_hook('validate', 'input', 'htmlawed_filter_tags', 1); } - + + function htmlawed_hook($element, $attribute_array) { + $allowed_styles = array( + 'color', 'cursor', 'text-align', 'font-size', 'font-weight', 'font-style', 'border', 'margin', 'padding', 'float' + ); + + if (array_key_exists('style', $attribute_array)) { + $string = ''; + + foreach ($attribute_array as $attr => $value) { + if ($attr == 'style') { + $styles = explode(';', $value); + + $style_str = ''; + foreach ($styles as $style) { + if (!$style) { + continue; + } + list($style_attr, $style_value) = explode(':', trim($style)); + $style_attr = trim($style_attr); + $style_value = trim($style_value); + + if (in_array($style_attr, $allowed_styles)) { + $style_str .= "$style_attr: $style_value; "; + } + } + + if ($style_str) { + $string .= " style = \"$style_str\""; + } + + } else { + $string .= " $attr = \"$value\""; + } + } + + $string = trim($string); + return "<$element $string >"; + } + } + /** * htmLawed filtering of tags, called on a plugin hook * 
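Review bot: `htmlawed_hook` only returns inside the `if (array_key_exists('style', $attribute_array))` branch, so for any tag that carries no style attribute it returns null, and since htmLawed substitutes the hook's return value for the tag, those tags would be emitted as empty strings; drop the outer `if` so the attribute loop (which already copies non-style attributes) and `return "<$element $string >";` run for every tag. If this htmLawed build also invokes hook_tag for closing tags with only the element name, `$attribute_array` is missing there as well and the function needs an `if (!is_array($attribute_array)) { return "</$element>"; }` guard at the top — worth confirming against vendors/htmLawed/htmLawed.php. `list($style_attr, $style_value) = explode(':', trim($style));` raises an undefined-offset notice for a declaration without a colon and truncates values that contain one (such as `url(http://…)`); `list($style_attr, $style_value) = array_pad(explode(':', trim($style), 2), 2, '');` covers both. Only the property name is whitelisted while `$style_value` is re-emitted unchanged, so the filter relies on htmLawed's own attribute-value checks having run before hook_tag is called; a comment above the loop recording that assumption would help the next maintainer. The config array edited at the top of this hunk starts before it.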
@@ -38,29 +80,29 @@ { $return = $returnvalue; $var = $returnvalue; - + if (@include_once(dirname(__FILE__) . "/vendors/htmLawed/htmLawed.php")) { - + global $CONFIG; - + $htmlawed_config = $CONFIG->htmlawed_config; - + if (!is_array($var)) { $return = ""; $return = htmLawed($var, $htmlawed_config); } else { $return = array(); - + foreach($var as $key => $el) { $return[$key] = htmLawed($el, $htmlawed_config); } } } - + return $return; } - - + + register_elgg_event_handler('init','system','htmlawed_init'); - + ?> |