From edec092e1aa616561063214a66620f9b6852875d Mon Sep 17 00:00:00 2001 From: Cash Costello Date: Sun, 30 Oct 2011 13:08:20 -0400 Subject: Fixes #3370 running the anti-spam option of htmlawed when filtering for output --- engine/lib/input.php | 34 ++++----- mod/htmlawed/start.php | 143 ++++++++++++++++++++++---------------- views/default/output/longtext.php | 4 +- 3 files changed, 101 insertions(+), 80 deletions(-) diff --git a/engine/lib/input.php b/engine/lib/input.php index 4900817a5..2f68195f2 100644 --- a/engine/lib/input.php +++ b/engine/lib/input.php @@ -8,7 +8,7 @@ */ /** - * Get some input from variables passed on the GET or POST line. + * Get some input from variables passed submitted through GET or POST. * * If using any data obtained from get_input() in a web page, please be aware that * it is a possible vector for a reflected XSS attack. If you are expecting an @@ -18,41 +18,41 @@ * because of the filtering done in htmlawed from the filter_tags call. * @todo Is this ^ still true? * - * @param string $variable The variable we want to return. + * @param string $variable The variable name we want. * @param mixed $default A default value for the variable if it is not found. - * @param bool $filter_result If true then the result is filtered for bad tags. + * @param bool $filter_result If true, then the result is filtered for bad tags. * - * @return string + * @return mixed */ function get_input($variable, $default = NULL, $filter_result = TRUE) { global $CONFIG; + $result = $default; + + elgg_push_context('input'); + if (isset($CONFIG->input[$variable])) { - $var = $CONFIG->input[$variable]; + $result = $CONFIG->input[$variable]; if ($filter_result) { - $var = filter_tags($var); + $result = filter_tags($result); } - - return $var; - } - - if (isset($_REQUEST[$variable])) { + } elseif (isset($_REQUEST[$variable])) { if (is_array($_REQUEST[$variable])) { - $var = $_REQUEST[$variable]; + $result = $_REQUEST[$variable]; } else { - $var = trim($_REQUEST[$variable]); + $result = trim($_REQUEST[$variable]); } if ($filter_result) { - $var = filter_tags($var); + $result = filter_tags($result); } - - return $var; } - return $default; + elgg_pop_context(); + + return $result; } /** diff --git a/mod/htmlawed/start.php b/mod/htmlawed/start.php index 04a654998..10bea2a52 100644 --- a/mod/htmlawed/start.php +++ b/mod/htmlawed/start.php @@ -2,26 +2,95 @@ /** * Elgg htmLawed tag filtering. * + * http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/ + * * @package ElgghtmLawed */ + +elgg_register_event_handler('init', 'system', 'htmlawed_init'); + /** - * Initialise plugin - * + * Initialize the htmlawed plugin */ function htmlawed_init() { elgg_register_plugin_hook_handler('validate', 'input', 'htmlawed_filter_tags', 1); + + $lib = elgg_get_plugins_path() . "htmlawed/vendors/htmLawed/htmLawed.php"; + elgg_register_library('htmlawed', $lib); } /** - * Hooked for all elements in htmlawed. - * Used to filter out style attributes we don't want. + * htmLawed filtering of data + * + * Called on the 'validate', 'input' plugin hook + * + * Triggers the 'config', 'htmlawed' plugin hook so that plugins can change + * htmlawed's configuration. For information on configuraton options, see + * http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/htmLawed_README.htm#s2.2 * - * @param $element - * @param $attribute_array - * @return unknown_type + * @param string $hook Hook name + * @param string $type The type of hook + * @param mixed $result Data to filter + * @param array $params Not used + * @return mixed */ -function htmlawed_hook($element, $attribute_array) { +function htmlawed_filter_tags($hook, $type, $result, $params) { + $var = $result; + + elgg_load_library('htmlawed'); + + $htmlawed_config = array( + // seems to handle about everything we need. + 'safe' => true, + 'deny_attribute' => 'class, on*', + 'hook_tag' => 'htmlawed_tag_post_processor', + + 'schemes' => '*:http,https,ftp,news,mailto,rtsp,teamspeak,gopher,mms,callto', + // apparent this doesn't work. + // 'style:color,cursor,text-align,font-size,font-weight,font-style,border,margin,padding,float' + ); + + // add nofollow to all links on output + if (!elgg_in_context('input')) { + $htmlawed_config['anti_link_spam'] = array('/./', ''); + } + + $htmlawed_config = elgg_trigger_plugin_hook('config', 'htmlawed', null, $htmlawed_config); + + if (!is_array($var)) { + $result = htmLawed($var, $htmlawed_config); + } else { + array_walk_recursive($var, 'htmLawedArray', $htmlawed_config); + $result = $var; + } + + return $result; +} + +/** + * wrapper function for htmlawed for handling arrays + */ +function htmLawedArray(&$v, $k, $htmlawed_config) { + $v = htmLawed($v, $htmlawed_config); +} + +/** + * Post processor for tags in htmlawed + * + * This runs after htmlawed has filtered. It runs for each tag and filters out + * style attributes we don't want. + * + * This function triggers the 'allowed_styles', 'htmlawed' plugin hook. + * + * @todo since these styles are created for tinymce, shouldn't they be in the + * tinymce plugin? + * + * @param string $element The tag element name + * @param array $attributes An array of attributes + * @return string + */ +function htmlawed_tag_post_processor($element, $attributes) { // these are the default styles used by tinymce. $allowed_styles = array( 'color', 'cursor', 'text-align', 'vertical-align', 'font-size', @@ -30,13 +99,14 @@ function htmlawed_hook($element, $attribute_array) { 'margin', 'margin-top', 'margin-bottom', 'margin-left', 'margin-right', 'padding', 'float', 'text-decoration' ); - - $allowed_styles = elgg_trigger_plugin_hook('allowed_styles', 'htmlawed', NULL, $allowed_styles); + + $params = array('tag' => $element); + $allowed_styles = elgg_trigger_plugin_hook('allowed_styles', 'htmlawed', $params, $allowed_styles); // must return something. $string = ''; - foreach ($attribute_array as $attr => $value) { + foreach ($attributes as $attr => $value) { if ($attr == 'style') { $styles = explode(';', $value); @@ -55,6 +125,7 @@ function htmlawed_hook($element, $attribute_array) { } if ($style_str) { + $style_str = trim($style_str); $string .= " style=\"$style_str\""; } @@ -72,53 +143,3 @@ function htmlawed_hook($element, $attribute_array) { $r = "<$element$string>"; return $r; } - -/** - * htmLawed filtering of tags, called on a plugin hook - * - * @param mixed $var Variable to filter - * @return mixed - */ -function htmlawed_filter_tags($hook, $entity_type, $returnvalue, $params) { - $return = $returnvalue; - $var = $returnvalue; - - if (include_once(dirname(__FILE__) . "/vendors/htmLawed/htmLawed.php")) { - - $htmlawed_config = array( - // seems to handle about everything we need. - 'safe' => true, - 'deny_attribute' => 'class, on*', - 'hook_tag' => 'htmlawed_hook', - - 'schemes' => '*:http,https,ftp,news,mailto,rtsp,teamspeak,gopher,mms,callto' - // apparent this doesn't work. - //. 'style:color,cursor,text-align,font-size,font-weight,font-style,border,margin,padding,float' - ); - - $htmlawed_config = elgg_trigger_plugin_hook('config', 'htmlawed', NULL, $htmlawed_config); - - if (!is_array($var)) { - $return = ""; - $return = htmLawed($var, $htmlawed_config); - } else { - - array_walk_recursive($var, 'htmLawedArray', $htmlawed_config); - - $return = $var; - } - } - - return $return; -} - -/** - * wrapper function for htmlawed for handling arrays - */ -function htmLawedArray(&$v, $k, $htmlawed_config) { - $v = htmLawed($v, $htmlawed_config); -} - - - -elgg_register_event_handler('init', 'system', 'htmlawed_init'); diff --git a/views/default/output/longtext.php b/views/default/output/longtext.php index ffdfd87cc..200f27de5 100644 --- a/views/default/output/longtext.php +++ b/views/default/output/longtext.php @@ -25,12 +25,12 @@ unset($vars['parse_urls']); $text = $vars['value']; unset($vars['value']); -$text = filter_tags($text); - if ($parse_urls) { $text = parse_urls($text); } +$text = filter_tags($text); + $text = autop($text); $attributes = elgg_format_attributes($vars); -- cgit v1.2.3