Fixes #3370 running the anti-spam option of htmlawed when filtering f…

…or output
Elgg · Oct 30, 2011 · edec092 · edec092
1 parent 56046b1
commit edec092
Show file tree

Hide file tree

Showing 3 changed files with 101 additions and 80 deletions.
diff --git a/engine/lib/input.php b/engine/lib/input.php
@@ -8,7 +8,7 @@
  */
 
 /**
- * Get some input from variables passed on the GET or POST line.
+ * Get some input from variables passed submitted through GET or POST.
  *
  * If using any data obtained from get_input() in a web page, please be aware that
  * it is a possible vector for a reflected XSS attack. If you are expecting an
@@ -18,41 +18,41 @@
  * because of the filtering done in htmlawed from the filter_tags call.
  * @todo Is this ^ still true?
  *
- * @param string $variable      The variable we want to return.
+ * @param string $variable      The variable name we want.
  * @param mixed  $default       A default value for the variable if it is not found.
- * @param bool   $filter_result If true then the result is filtered for bad tags.
+ * @param bool   $filter_result If true, then the result is filtered for bad tags.
  *
- * @return string
+ * @return mixed
  */
 function get_input($variable, $default = NULL, $filter_result = TRUE) {
 
 	global $CONFIG;
 
+	$result = $default;
+
+	elgg_push_context('input');
+
 	if (isset($CONFIG->input[$variable])) {
-		$var = $CONFIG->input[$variable];
+		$result = $CONFIG->input[$variable];
 
 		if ($filter_result) {
-			$var = filter_tags($var);
+			$result = filter_tags($result);
 		}
-
-		return $var;
-	}
-
-	if (isset($_REQUEST[$variable])) {
+	} elseif (isset($_REQUEST[$variable])) {
 		if (is_array($_REQUEST[$variable])) {
-			$var = $_REQUEST[$variable];
+			$result = $_REQUEST[$variable];
 		} else {
-			$var = trim($_REQUEST[$variable]);
+			$result = trim($_REQUEST[$variable]);
 		}
 
 		if ($filter_result) {
-			$var = filter_tags($var);
+			$result = filter_tags($result);
 		}
-
-		return $var;
 	}
 
-	return $default;
+	elgg_pop_context();
+
+	return $result;
 }
 
 /**

diff --git a/mod/htmlawed/start.php b/mod/htmlawed/start.php
@@ -2,26 +2,95 @@
 /**
  * Elgg htmLawed tag filtering.
  *
+ * http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/
+ *
  * @package ElgghtmLawed
  */
 
+
+elgg_register_event_handler('init', 'system', 'htmlawed_init');
+
 /**
- * Initialise plugin
- *
+ * Initialize the htmlawed plugin
  */
 function htmlawed_init() {
 	elgg_register_plugin_hook_handler('validate', 'input', 'htmlawed_filter_tags', 1);
+
+	$lib = elgg_get_plugins_path() . "htmlawed/vendors/htmLawed/htmLawed.php";
+	elgg_register_library('htmlawed', $lib);
 }
 
 /**
- * Hooked for all elements in htmlawed.
- * Used to filter out style attributes we don't want.
+ * htmLawed filtering of data
+ *
+ * Called on the 'validate', 'input' plugin hook
+ *
+ * Triggers the 'config', 'htmlawed' plugin hook so that plugins can change
+ * htmlawed's configuration. For information on configuraton options, see
+ * http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/htmLawed_README.htm#s2.2
  *
- * @param $element
- * @param $attribute_array
- * @return unknown_type
+ * @param string $hook   Hook name
+ * @param string $type   The type of hook
+ * @param mixed  $result Data to filter
+ * @param array  $params Not used
+ * @return mixed
  */
-function htmlawed_hook($element, $attribute_array) {
+function htmlawed_filter_tags($hook, $type, $result, $params) {
+	$var = $result;
+
+	elgg_load_library('htmlawed');
+
+	$htmlawed_config = array(
+		// seems to handle about everything we need.
+		'safe' => true,
+		'deny_attribute' => 'class, on*',
+		'hook_tag' => 'htmlawed_tag_post_processor',
+
+		'schemes' => '*:http,https,ftp,news,mailto,rtsp,teamspeak,gopher,mms,callto',
+		// apparent this doesn't work.
+		// 'style:color,cursor,text-align,font-size,font-weight,font-style,border,margin,padding,float'
+	);
+
+	// add nofollow to all links on output
+	if (!elgg_in_context('input')) {
+		$htmlawed_config['anti_link_spam'] = array('/./', '');
+	}
+
+	$htmlawed_config = elgg_trigger_plugin_hook('config', 'htmlawed', null, $htmlawed_config);
+
+	if (!is_array($var)) {
+		$result = htmLawed($var, $htmlawed_config);
+	} else {
+		array_walk_recursive($var, 'htmLawedArray', $htmlawed_config);
+		$result = $var;
+	}
+
+	return $result;
+}
+
+/**
+ * wrapper function for htmlawed for handling arrays
+ */
+function htmLawedArray(&$v, $k, $htmlawed_config) {
+	$v = htmLawed($v, $htmlawed_config);
+}
+
+/**
+ * Post processor for tags in htmlawed
+ * 
+ * This runs after htmlawed has filtered. It runs for each tag and filters out
+ * style attributes we don't want.
+ *
+ * This function triggers the 'allowed_styles', 'htmlawed' plugin hook.
+ *
+ * @todo since these styles are created for tinymce, shouldn't they be in the
+ * tinymce plugin?
+ *
+ * @param string $element    The tag element name
+ * @param array  $attributes An array of attributes
+ * @return string
+ */
+function htmlawed_tag_post_processor($element, $attributes) {
 	// these are the default styles used by tinymce.
 	$allowed_styles = array(
 		'color', 'cursor', 'text-align', 'vertical-align', 'font-size',
@@ -30,13 +99,14 @@ function htmlawed_hook($element, $attribute_array) {
 		'margin', 'margin-top', 'margin-bottom', 'margin-left',
 		'margin-right',	'padding', 'float', 'text-decoration'
 	);
-
-	$allowed_styles = elgg_trigger_plugin_hook('allowed_styles', 'htmlawed', NULL, $allowed_styles);
+
+	$params = array('tag' => $element);
+	$allowed_styles = elgg_trigger_plugin_hook('allowed_styles', 'htmlawed', $params, $allowed_styles);
 
 	// must return something.
 	$string = '';
 
-	foreach ($attribute_array as $attr => $value) {
+	foreach ($attributes as $attr => $value) {
 		if ($attr == 'style') {
 			$styles = explode(';', $value);
 
@@ -55,6 +125,7 @@ function htmlawed_hook($element, $attribute_array) {
 			}
 
 			if ($style_str) {
+				$style_str = trim($style_str);
 				$string .= " style=\"$style_str\"";
 			}
 
@@ -72,53 +143,3 @@ function htmlawed_hook($element, $attribute_array) {
 	$r = "<$element$string>";
 	return $r;
 }
-
-/**
- * htmLawed filtering of tags, called on a plugin hook
- *
- * @param mixed $var Variable to filter
- * @return mixed
- */
-function htmlawed_filter_tags($hook, $entity_type, $returnvalue, $params) {
-	$return = $returnvalue;
-	$var = $returnvalue;
-
-	if (include_once(dirname(__FILE__) . "/vendors/htmLawed/htmLawed.php")) {
-
-		$htmlawed_config = array(
-			// seems to handle about everything we need.
-			'safe' => true,
-			'deny_attribute' => 'class, on*',
-			'hook_tag' => 'htmlawed_hook',
-
-			'schemes' => '*:http,https,ftp,news,mailto,rtsp,teamspeak,gopher,mms,callto'
-				// apparent this doesn't work.
-				//. 'style:color,cursor,text-align,font-size,font-weight,font-style,border,margin,padding,float'
-		);
-
-		$htmlawed_config = elgg_trigger_plugin_hook('config', 'htmlawed', NULL, $htmlawed_config);
-
-		if (!is_array($var)) {
-			$return = "";
-			$return = htmLawed($var, $htmlawed_config);
-		} else {
-
-			array_walk_recursive($var, 'htmLawedArray', $htmlawed_config);
-
-			$return = $var;
-		}
-	}
-
-	return $return;
-}
-
-/**
- * wrapper function for htmlawed for handling arrays
- */
-function htmLawedArray(&$v, $k, $htmlawed_config) {
-	$v = htmLawed($v, $htmlawed_config);
-}
-
-
-
-elgg_register_event_handler('init', 'system', 'htmlawed_init');
diff --git a/views/default/output/longtext.php b/views/default/output/longtext.php
@@ -25,12 +25,12 @@
 $text = $vars['value'];
 unset($vars['value']);
 
-$text = filter_tags($text);
-
 if ($parse_urls) {
 	$text = parse_urls($text);
 }
 
+$text = filter_tags($text);
+
 $text = autop($text);
 
 $attributes = elgg_format_attributes($vars);