From 0d329d2421f7040c45c3587bcd1655d28da7bd4c Mon Sep 17 00:00:00 2001
From: brettp
Date: Mon, 2 Nov 2009 20:48:58 +0000
Subject: Updated htmlawed to disallow many style attributes.
git-svn-id: http://code.elgg.org/elgg/trunk@3612 36083f99-b078-4883-b0ff-0f9b5a30f544
---
 mod/htmlawed/start.php | 72 +++++++++++++++++++++++++++++++++++++++-----------
 1 file changed, 57 insertions(+), 15 deletions(-)
diff --git a/mod/htmlawed/start.php b/mod/htmlawed/start.php
index b180be811..52cefa1da 100644
--- a/mod/htmlawed/start.php
+++ b/mod/htmlawed/start.php
@@ -1,7 +1,7 @@ true, 'deny_attribute' => 'class',
-
- 'schemes' => '*: http,https,ftp,news,mailto,rtsp,teamspeak,gopher,mms,callto;'
- . 'style: color,cursor,text-align,font-size,font-weight,font-style,border,margin,padding,float'
+ 'hook_tag' => 'htmlawed_hook',
+
+ 'schemes' => '*:http,https,ftp,news,mailto,rtsp,teamspeak,gopher,mms,callto;'
+ // apparent this doesn't work.
+ //. 'style:color,cursor,text-align,font-size,font-weight,font-style,border,margin,padding,float'
 );
-
+
 register_plugin_hook('validate', 'input', 'htmlawed_filter_tags', 1);
 }
-
+
+ function htmlawed_hook($element, $attribute_array) {
+ $allowed_styles = array(
+ 'color', 'cursor', 'text-align', 'font-size', 'font-weight', 'font-style', 'border', 'margin', 'padding', 'float'
+ );
+
+ if (array_key_exists('style', $attribute_array)) {
+ $string = '';
+
+ foreach ($attribute_array as $attr => $value) {
+ if ($attr == 'style') {
+ $styles = explode(';', $value);
+
+ $style_str = '';
+ foreach ($styles as $style) {
+ if (!$style) {
+ continue;
+ }
+ list($style_attr, $style_value) = explode(':', trim($style));
+ $style_attr = trim($style_attr);
+ $style_value = trim($style_value);
+
+ if (in_array($style_attr, $allowed_styles)) {
+ $style_str .= "$style_attr: $style_value; ";
+ }
+ }
+
+ if ($style_str) {
+ $string .= " style = \"$style_str\"";
+ }
+
+ } else {
+ $string .= " $attr = \"$value\"";
+ }
+ }
+
+ $string = trim($string);
+ return "<$element $string >";
+ }
+ }
+
 /**
 * htmLawed filtering of tags, called on a plugin hook
 *
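Review bot: htmlawed_hook only returns inside the `if (array_key_exists('style', $attribute_array))` block, so for every element that carries no style attribute the function falls off the end and returns null; if htmLawed uses the hook's return value as the rewritten tag, as the `hook_tag` contract implies, those tags vanish from the filtered output. The inner `foreach` already handles the non-style attributes, so the fix is to delete the `if (array_key_exists('style', $attribute_array)) {` line and its matching closing brace so the rebuild runs unconditionally. Next, `list($style_attr, $style_value) = explode(':', trim($style));` emits an undefined-offset notice for a declaration without a colon and truncates any value containing a second colon such as `url(http://…)`; `$parts = explode(':', trim($style), 2); if (count($parts) !== 2) { continue; } list($style_attr, $style_value) = $parts;` handles both. Note also that only the property name is whitelisted: `$style_value` and the non-style `$value` are interpolated verbatim between double quotes, which is sound only if htmLawed has already cleaned and entity-encoded attribute values before invoking the hook — confirm this against the vendored htmLawed.php and record it in a comment (`// attribute values arrive pre-filtered by htmLawed; this hook only restricts CSS property names`), and `return "<$element $string >"` drops the ` /` htmLawed itself emits for empty elements such as br and img. The enclosing htmlawed_init, whose config array opens the hunk, starts outside it.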
@@ -38,29 +80,29 @@
 {
 $return = $returnvalue;
 $var = $returnvalue;
-
+
 if (@include_once(dirname(__FILE__) . "/vendors/htmLawed/htmLawed.php")) {
-
+
 global $CONFIG;
-
+
 $htmlawed_config = $CONFIG->htmlawed_config;
-
+
 if (!is_array($var)) {
 $return = "";
 $return = htmLawed($var, $htmlawed_config);
 } else {
 $return = array();
-
+
 foreach($var as $key => $el) {
 $return[$key] = htmLawed($el, $htmlawed_config);
 }
 }
 }
-
+
 return $return;
 }
-
-
+
+
 register_elgg_event_handler('init','system','htmlawed_init');
-
+
 ?>
-- cgit v1.2.3