Merge pull request #5946 from WoltLab/bugfix/article-bb-code-permission

Check for disallowed BB codes in the content
WoltLab · Jun 18, 2024 · ba1f653 · ba1f653
2 parents 57f1b96 + 55bec5c
commit ba1f653
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 0 deletions.
diff --git a/wcfsetup/install/files/acp/templates/articleAdd.tpl b/wcfsetup/install/files/acp/templates/articleAdd.tpl
@@ -582,6 +582,8 @@
 									<small class="innerError">
 										{if $errorType == 'empty'}
 											{lang}wcf.global.form.error.empty{/lang}
+										{elseif $errorType == 'disallowedBBCodes'}
+											{lang}wcf.message.error.disallowedBBCodes{/lang}
 										{else}
 											{lang}wcf.acp.article.content.error.{@$errorType}{/lang}
 										{/if}

diff --git a/wcfsetup/install/files/lib/acp/form/ArticleAddForm.class.php b/wcfsetup/install/files/lib/acp/form/ArticleAddForm.class.php
@@ -14,6 +14,7 @@
 use wcf\data\user\User;
 use wcf\form\AbstractForm;
 use wcf\system\attachment\AttachmentHandler;
+use wcf\system\bbcode\BBCodeHandler;
 use wcf\system\cache\builder\ArticleCategoryLabelCacheBuilder;
 use wcf\system\exception\UserInputException;
 use wcf\system\html\input\HtmlInputProcessor;
@@ -424,6 +425,8 @@ public function validate()
             }
         }
 
+        $this->setDisallowedBBCodes();
+
         if ($this->isMultilingual) {
             foreach (LanguageFactory::getInstance()->getLanguages() as $language) {
                 // title
@@ -441,6 +444,12 @@ public function validate()
                     'com.woltlab.wcf.article.content',
                     0
                 );
+
+                $disallowedBBCodes = $this->htmlInputProcessors[$language->languageID]->validate();
+                if (!empty($disallowedBBCodes)) {
+                    WCF::getTPL()->assign('disallowedBBCodes', $disallowedBBCodes);
+                    throw new UserInputException('content', 'disallowedBBCodes');
+                }
             }
         } else {
             // title
@@ -454,6 +463,12 @@ public function validate()
 
             $this->htmlInputProcessors[0] = new HtmlInputProcessor();
             $this->htmlInputProcessors[0]->process($this->content[0], 'com.woltlab.wcf.article.content', 0);
+
+            $disallowedBBCodes = $this->htmlInputProcessors[0]->validate();
+            if (!empty($disallowedBBCodes)) {
+                WCF::getTPL()->assign('disallowedBBCodes', $disallowedBBCodes);
+                throw new UserInputException('content', 'disallowedBBCodes');
+            }
         }
 
         $this->validateLabelIDs();
@@ -616,6 +631,8 @@ public function readData()
                 }
             }
         }
+
+        $this->setDisallowedBBCodes();
     }
 
     /**
@@ -677,4 +694,14 @@ public function assignVariables()
             'tmpHash' => $this->tmpHash,
         ]);
     }
+
+    protected function setDisallowedBBCodes(): void
+    {
+        BBCodeHandler::getInstance()->setDisallowedBBCodes(
+            \explode(
+                ',',
+                WCF::getSession()->getPermission('user.message.disallowedBBCodes')
+            )
+        );
+    }
 }