Permalink
Browse files

Fixes #3370 running the anti-spam option of htmlawed when filtering f…

…or output
  • Loading branch information...
1 parent 56046b1 commit edec092e1aa616561063214a66620f9b6852875d @cash cash committed Oct 30, 2011
Showing with 101 additions and 80 deletions.
  1. +17 −17 engine/lib/input.php
  2. +82 −61 mod/htmlawed/start.php
  3. +2 −2 views/default/output/longtext.php
View
@@ -8,7 +8,7 @@
*/
/**
- * Get some input from variables passed on the GET or POST line.
+ * Get some input from variables passed submitted through GET or POST.
*
* If using any data obtained from get_input() in a web page, please be aware that
* it is a possible vector for a reflected XSS attack. If you are expecting an
@@ -18,41 +18,41 @@
* because of the filtering done in htmlawed from the filter_tags call.
* @todo Is this ^ still true?
*
- * @param string $variable The variable we want to return.
+ * @param string $variable The variable name we want.
* @param mixed $default A default value for the variable if it is not found.
- * @param bool $filter_result If true then the result is filtered for bad tags.
+ * @param bool $filter_result If true, then the result is filtered for bad tags.
*
- * @return string
+ * @return mixed
*/
function get_input($variable, $default = NULL, $filter_result = TRUE) {
global $CONFIG;
+ $result = $default;
+
+ elgg_push_context('input');
+
if (isset($CONFIG->input[$variable])) {
- $var = $CONFIG->input[$variable];
+ $result = $CONFIG->input[$variable];
if ($filter_result) {
- $var = filter_tags($var);
+ $result = filter_tags($result);
}
-
- return $var;
- }
-
- if (isset($_REQUEST[$variable])) {
+ } elseif (isset($_REQUEST[$variable])) {
if (is_array($_REQUEST[$variable])) {
- $var = $_REQUEST[$variable];
+ $result = $_REQUEST[$variable];
} else {
- $var = trim($_REQUEST[$variable]);
+ $result = trim($_REQUEST[$variable]);
}
if ($filter_result) {
- $var = filter_tags($var);
+ $result = filter_tags($result);
}
-
- return $var;
}
- return $default;
+ elgg_pop_context();
+
+ return $result;
}
/**
View
@@ -2,26 +2,95 @@
/**
* Elgg htmLawed tag filtering.
*
+ * http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/
+ *
* @package ElgghtmLawed
*/
+
+elgg_register_event_handler('init', 'system', 'htmlawed_init');
+
/**
- * Initialise plugin
- *
+ * Initialize the htmlawed plugin
*/
function htmlawed_init() {
elgg_register_plugin_hook_handler('validate', 'input', 'htmlawed_filter_tags', 1);
+
+ $lib = elgg_get_plugins_path() . "htmlawed/vendors/htmLawed/htmLawed.php";
+ elgg_register_library('htmlawed', $lib);
}
/**
- * Hooked for all elements in htmlawed.
- * Used to filter out style attributes we don't want.
+ * htmLawed filtering of data
+ *
+ * Called on the 'validate', 'input' plugin hook
+ *
+ * Triggers the 'config', 'htmlawed' plugin hook so that plugins can change
+ * htmlawed's configuration. For information on configuraton options, see
+ * http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/htmLawed_README.htm#s2.2
*
- * @param $element
- * @param $attribute_array
- * @return unknown_type
+ * @param string $hook Hook name
+ * @param string $type The type of hook
+ * @param mixed $result Data to filter
+ * @param array $params Not used
+ * @return mixed
*/
-function htmlawed_hook($element, $attribute_array) {
+function htmlawed_filter_tags($hook, $type, $result, $params) {
+ $var = $result;
+
+ elgg_load_library('htmlawed');
+
+ $htmlawed_config = array(
+ // seems to handle about everything we need.
+ 'safe' => true,
+ 'deny_attribute' => 'class, on*',
+ 'hook_tag' => 'htmlawed_tag_post_processor',
+
+ 'schemes' => '*:http,https,ftp,news,mailto,rtsp,teamspeak,gopher,mms,callto',
+ // apparent this doesn't work.
+ // 'style:color,cursor,text-align,font-size,font-weight,font-style,border,margin,padding,float'
+ );
+
+ // add nofollow to all links on output
+ if (!elgg_in_context('input')) {
+ $htmlawed_config['anti_link_spam'] = array('/./', '');
+ }
+
+ $htmlawed_config = elgg_trigger_plugin_hook('config', 'htmlawed', null, $htmlawed_config);
+
+ if (!is_array($var)) {
+ $result = htmLawed($var, $htmlawed_config);
+ } else {
+ array_walk_recursive($var, 'htmLawedArray', $htmlawed_config);
+ $result = $var;
+ }
+
+ return $result;
+}
+
+/**
+ * wrapper function for htmlawed for handling arrays
+ */
+function htmLawedArray(&$v, $k, $htmlawed_config) {
+ $v = htmLawed($v, $htmlawed_config);
+}
+
+/**
+ * Post processor for tags in htmlawed
+ *
+ * This runs after htmlawed has filtered. It runs for each tag and filters out
+ * style attributes we don't want.
+ *
+ * This function triggers the 'allowed_styles', 'htmlawed' plugin hook.
+ *
+ * @todo since these styles are created for tinymce, shouldn't they be in the
+ * tinymce plugin?
+ *
+ * @param string $element The tag element name
+ * @param array $attributes An array of attributes
+ * @return string
+ */
+function htmlawed_tag_post_processor($element, $attributes) {
// these are the default styles used by tinymce.
$allowed_styles = array(
'color', 'cursor', 'text-align', 'vertical-align', 'font-size',
@@ -30,13 +99,14 @@ function htmlawed_hook($element, $attribute_array) {
'margin', 'margin-top', 'margin-bottom', 'margin-left',
'margin-right', 'padding', 'float', 'text-decoration'
);
-
- $allowed_styles = elgg_trigger_plugin_hook('allowed_styles', 'htmlawed', NULL, $allowed_styles);
+
+ $params = array('tag' => $element);
+ $allowed_styles = elgg_trigger_plugin_hook('allowed_styles', 'htmlawed', $params, $allowed_styles);
// must return something.
$string = '';
- foreach ($attribute_array as $attr => $value) {
+ foreach ($attributes as $attr => $value) {
if ($attr == 'style') {
$styles = explode(';', $value);
@@ -55,6 +125,7 @@ function htmlawed_hook($element, $attribute_array) {
}
if ($style_str) {
+ $style_str = trim($style_str);
$string .= " style=\"$style_str\"";
}
@@ -72,53 +143,3 @@ function htmlawed_hook($element, $attribute_array) {
$r = "<$element$string>";
return $r;
}
-
-/**
- * htmLawed filtering of tags, called on a plugin hook
- *
- * @param mixed $var Variable to filter
- * @return mixed
- */
-function htmlawed_filter_tags($hook, $entity_type, $returnvalue, $params) {
- $return = $returnvalue;
- $var = $returnvalue;
-
- if (include_once(dirname(__FILE__) . "/vendors/htmLawed/htmLawed.php")) {
-
- $htmlawed_config = array(
- // seems to handle about everything we need.
- 'safe' => true,
- 'deny_attribute' => 'class, on*',
- 'hook_tag' => 'htmlawed_hook',
-
- 'schemes' => '*:http,https,ftp,news,mailto,rtsp,teamspeak,gopher,mms,callto'
- // apparent this doesn't work.
- //. 'style:color,cursor,text-align,font-size,font-weight,font-style,border,margin,padding,float'
- );
-
- $htmlawed_config = elgg_trigger_plugin_hook('config', 'htmlawed', NULL, $htmlawed_config);
-
- if (!is_array($var)) {
- $return = "";
- $return = htmLawed($var, $htmlawed_config);
- } else {
-
- array_walk_recursive($var, 'htmLawedArray', $htmlawed_config);
-
- $return = $var;
- }
- }
-
- return $return;
-}
-
-/**
- * wrapper function for htmlawed for handling arrays
- */
-function htmLawedArray(&$v, $k, $htmlawed_config) {
- $v = htmLawed($v, $htmlawed_config);
-}
-
-
-
-elgg_register_event_handler('init', 'system', 'htmlawed_init');
@@ -25,12 +25,12 @@
$text = $vars['value'];
unset($vars['value']);
-$text = filter_tags($text);
-
if ($parse_urls) {
$text = parse_urls($text);
}
+$text = filter_tags($text);
+
$text = autop($text);
$attributes = elgg_format_attributes($vars);

0 comments on commit edec092

Please sign in to comment.