OK, I've rationalised the text formatting now. Basically, both Moodle…

… and

HTML text allow the same range of HTML tags (so it doesn't matter if you
switch from one to the other).

<IMG> and <A> are now ALLOWED in Moodle text.  However, the clean_text
function now checks for and removes any embedded javascript triggers
to avoid cross-site scripting attacks that way.

clean_text() should be called on ANY text that comes in from students.
commit 3fe3851d57edb91865702ff7d90c1e1d3f6f2b03 1 parent a0bac19
moodler authored

Showing 1 changed file with 42 additions and 9 deletions. Show diff stats Hide diff stats

  1. +42 9 lib/weblib.php
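--- a/lib/weblib.php
+++ b/lib/weblib.php
@@ -57,6 +57,13 @@
 $SMILEY_TEXT[] = "}-]";
 $SMILEY_IMAGE[] = "<IMG ALT=\"}-]\" WIDTH=15 HEIGHT=15 SRC=\"$CFG->wwwroot/pix/s/evil.gif\">";
 
+$JAVASCRIPT_TAGS = array("javascript:", "onclick=", "ondblclick=", "onkeydown=", "onkeypress=", "onkeyup=",
+ "onmouseover=", "onmouseout=", "onmousedown=", "onmouseup=",
+ "onblur=", "onfocus=", "onload=", "onselect=");
+
+$ALLOWED_TAGS = "<b><i><u><font><table><tbody><span><div><tr><td><ol><ul><dl><li><dt><dd><h1><h2><h3><hr><img><a>";
+
+
 /// Functions
 
 function s($var) {
@@ -137,6 +144,23 @@ function match_referer($good_referer = "") {
 }
 
 
+function stri_replace($find, $replace, $string ) {
+// This does a search and replace, ignoring case
+// This function is only here because one doesn't exist yet in PHP
+// Unlike str_replace(), this only works on single values (not arrays)
+
+ $parts = explode(strtolower($find), strtolower($string));
+
+ $pos = 0;
+
+ foreach ($parts as $key => $part) {
+ $parts[$key] = substr($string, $pos, strlen($part));
+ $pos += strlen($part) + strlen($find);
+ }
+
+ return (join($replace, $parts));
+}
+
 function read_template($filename, &$var) {
 // return a (big) string containing the contents of a template file with all
 // the variables interpolated. all the variables must be in the $var[] array or
@@ -339,7 +363,7 @@ function format_text($text, $format, $options=NULL) {
 
 case FORMAT_HTML:
 $text = replace_smilies($text);
- return $text; // Is re-cleaning needed?
+ return $text;
 break;
 }
 }
@@ -349,14 +373,22 @@ function clean_text($text, $format) {
 // Given raw text (eg typed in by a user), this function cleans it up
 // and removes any nasty tags that could mess up Moodle pages.
 
- switch ($format) {
+ global $JAVASCRIPT_TAGS, $ALLOWED_TAGS;
+
+ switch ($format) { // Does the same thing, currently, but it's nice to have the option
 case FORMAT_MOODLE:
- return strip_tags($text, '<b><i><u><font><ol><ul><dl><li><dt><dd><h1><h2><h3><hr><img>');
- break;
+ $text = strip_tags($text, $ALLOWED_TAGS);
+ foreach ($JAVASCRIPT_TAGS as $tag) {
+ $text = stri_replace($tag, "", $text);
+ }
+ return $text;
 
 case FORMAT_HTML:
- return $text; // XX May want to add some cleaning on this.
- break;
+ $text = strip_tags($text, $ALLOWED_TAGS);
+ foreach ($JAVASCRIPT_TAGS as $tag) {
+ $text = stri_replace($tag, "", $text);
+ }
+ return $text;
 }
 }
 
@@ -368,6 +400,7 @@ function replace_smilies($text) {
 
 function text_to_html($text, $smiley=true, $para=true) {
 // Given plain text, makes it into HTML as nicely as possible.
+// May contain most HTML tags
 
 // Remove any whitespace that may be between HTML tags
 $text = eregi_replace(">([[:space:]]+)<", "><", $text);
@@ -376,9 +409,9 @@ function text_to_html($text, $smiley=true, $para=true) {
 $text = eregi_replace("([\n\r])<", " <", $text);
 $text = eregi_replace(">([\n\r])", "> ", $text);
 
- // Make URLs into links. eg http://moodle.com/
- $text = eregi_replace("([[:alnum:]]+)://([^[:space:]]*)([[:alnum:]#?/&=])",
- "<A HREF=\"\\1://\\2\\3\" TARGET=\"newpage\">\\1://\\2\\3</A>", $text);
+ // Make lone URLs into links. eg http://moodle.com/
+ $text = eregi_replace("([ ([])([[:alnum:]]+)://([^[:space:]]*)([[:alnum:]#?/&=])",
+ "\\1<A HREF=\"\\2://\\3\\4\" TARGET=\"newpage\">\\2://\\3\\4</A>", $text);
 
 // eg www.moodle.com
 $text = eregi_replace("([[:space:]])www.([^[:space:]]*)([[:alnum:]#?/&=])",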
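Review bot: The script filtering added to clean_text (the `@@ -349,14 +373,22 @@` hunk) is a substring denylist, so it only removes the exact spellings in $JAVASCRIPT_TAGS; strip_tags keeps every attribute on an allowed tag, and now that `<img>` and `<a>` are allowed, any event-handler attribute missing from the list, or one written with whitespace before the `=` (which HTML permits), survives both passes. Since the stated goal is that clean_text makes student input safe, the more robust shape is an allow-list of attributes applied after strip_tags — keep only `src`/`alt` on `<img>` and `href` on `<a>`, and accept `href` only when its scheme is `http`/`https` or it is a relative path — rather than deleting known-bad strings; if the denylist is kept, the loop should at least repeat until the text stops changing, because one non-iterated stri_replace pass does not guarantee the output contains none of the listed strings. The two `case` arms are now identical, which the comment on the `switch` line acknowledges; collapsing them to `case FORMAT_MOODLE:` / `case FORMAT_HTML:` sharing one body would stop them drifting apart. I'd also add a comment above $JAVASCRIPT_TAGS, such as `// Substrings removed from cleaned text; this list is not exhaustive and matches only these exact spellings`, so later maintainers do not read it as a complete defence.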
