
Bbcode test and parser cleanup.

This commit is contained in:
Cameron 2021-01-14 14:46:49 -08:00
parent 7e90b791ba
commit 62d6341303
19 changed files with 310 additions and 623 deletions


@ -1260,7 +1260,7 @@ class news_admin_ui extends e_admin_ui
if ($sql->select("submitnews", "*", "submitnews_id=".intval($id)))
{
$row = $sql->fetch();
$data['news_title'] = $tp->dataFilter($row['submitnews_title']);
$data['news_title'] = $tp->filter($row['submitnews_title']);
$data['news_body'] = $row['submitnews_item'];
$data['news_category'] = intval( $row['submitnews_category']);
$data['news_body'] .= "\n[[b]".NWSLAN_49." {$row['submitnews_name']}[/b]]";
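Review bot: The swap from `dataFilter()` to `filter()` on the news_title line changes what gets stored, not just which method is called: with the default type `'str'`, `filter()` applies `FILTER_SANITIZE_STRING` (see the e_parse hunk in this commit), which strips tags outright and HTML-encodes single and double quotes, so a submitted title containing `'` is persisted as `&#39;` rather than as text. `FILTER_SANITIZE_STRING` is also deprecated as of PHP 8.1, so this call site will start emitting deprecation notices. If the intent is only to neutralise markup, routing the title through the same `toDB()` path the body takes would be more consistent — the body is copied unfiltered on the next line, presumably because it is filtered downstream; worth confirming. The enclosing method starts and ends outside the hunk.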


@ -101,7 +101,7 @@ class bb_code extends e_bb_base
// $highlighted_text = highlight_string($code_text, TRUE);
// highlighted_text = str_replace(array("<code>","</code>"),"",$highlighted_text);
$divClass = ($parm) ? $parm : 'code_highlight';
$ret = "<pre class='prettyprint linenums ".$tp -> toAttribute($divClass)." code-box {$class}' style='unicode-bidi: embed; direction: ltr'>".$code_text."</pre>";
$ret = "<pre class='prettyprint linenums ".e107::getParser()->toAttribute($divClass)." code-box {$class}' style='unicode-bidi: embed; direction: ltr'>".$code_text."</pre>";
}


@ -163,7 +163,7 @@
$text = '';
foreach($imgParms as $key => $val)
{
$text .= $key . "='" . $tp->toAttribute($val) . "' ";
$text .= $key . "='" . e107::getParser()->toAttribute($val) . "' ";
}
return $text;
@ -223,7 +223,7 @@
$code_text = str_replace($search, $replace, $code_text);
$code_text = $tp->toAttribute($code_text);
$code_text = e107::getParser()->toAttribute($code_text);
$img_file = pathinfo($code_text); // 'External' file name. N.B. - might still contain a constant such as e_IMAGE
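Review bot: `toAttribute()` is applied to `$code_text` before `pathinfo()` parses it as a file name, so the basename and extension are derived from the HTML-escaped form rather than the raw path; if `toAttribute()` entity-encodes characters such as `&` (its body is not visible here), file names containing them will be mis-parsed. Computing `$img_file = pathinfo($code_text);` from the raw value and escaping only the string that is emitted into the tag keeps the two concerns apart. The `foreach` in the first hunk calls `e107::getParser()` once per attribute; hoisting `$tp = e107::getParser();` above the loop keeps a single lookup. The enclosing code starts outside both hunks.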


@ -202,8 +202,11 @@ class bb_youtube extends e_bb_base
{
if(empty($code_text)) return '';
list($dimensions,$tmp) = explode('|', $parm, 2);
$t = explode('|', $parm, 2);
$dimensions = varset($t[0]);
$tmp = varset($t[1]);
if($tmp)
{
parse_str(varset($tmp, ''), $bbparm);
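Review bot: With the new `$tmp = varset($t[1]);` assignment, `varset($tmp, '')` on the `parse_str` line is redundant — `$tmp` is always defined by the time it is reached (assuming `varset()` defaults to the empty string) — so `parse_str($tmp, $bbparm);` reads more clearly. The `if($tmp)` guard tests truthiness, so a parameter tail of `'0'` is treated as absent; `if($tmp !== '')` is the explicit form if that matters. `$dimensions` is taken from the user-supplied `$parm` without validation in these lines; presumably it is checked further down, which is outside the hunk.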


@ -23,7 +23,7 @@ if($pref['make_clickable'])
}
// Old method that attracts SPAM.
if ($parm) {
return "<a class='{$class}' href='mailto:".$tp -> toAttribute($parm)."'>".$code_text."</a>";
return "<a class='{$class}' href='mailto:".e107::getParser()->toAttribute($parm)."'>".$code_text."</a>";
} else {
return "<a class='{$class}' href='mailto:".$tp -> toAttribute($code_text)."'>".$code_text."</a>";
return "<a class='{$class}' href='mailto:".e107::getParser()->toAttribute($code_text)."'>".$code_text."</a>";
}
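Review bot: The two rewritten branches differ only in which value becomes the mailto address, so they can collapse to a single return: `$addr = $parm ? $parm : $code_text;` followed by `return "<a class='{$class}' href='mailto:".e107::getParser()->toAttribute($addr)."'>".$code_text."</a>";`. The comment above the branch notes this path exposes the address in clear and attracts spam; the commit keeps that behaviour unchanged. `$code_text` goes into the link text without escaping, which is fine if it is already parser-processed by the time this file runs — worth confirming. The enclosing `if($pref['make_clickable'])` block starts outside the hunk.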


@ -48,5 +48,5 @@ if ((e_PAGE === 'page.php') || (array_key_exists('forum_attach', $pref) && $pref
{
$fname = str_replace('{e_BASE}', SITEURL, $fname); // Translate into an absolute URL
}
return "<a class='{$class}' href='".$tp -> toAttribute($fname)."'><img src='".$image."' alt='' style='border:0; vertical-align:middle' /></a> <a href='".$tp -> toAttribute($fname)."'>".$code_text."</a>";
return "<a class='{$class}' href='".e107::getParser()->toAttribute($fname)."'><img src='".$image."' alt='' style='border:0; vertical-align:middle' /></a> <a href='".e107::getParser()->toAttribute($fname)."'>".$code_text."</a>";
}
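Review bot: The rewritten return line escapes `$fname` twice but emits `$image` into `src` with no escaping at all; if `$image` can be influenced by the bbcode parameter (its origin is not visible here), it needs the same `toAttribute()` treatment as `$fname`. Escaping once into a local also shortens the line considerably: `$href = e107::getParser()->toAttribute($fname);` and then `{$href}` in both anchors. The function starts outside the hunk.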


@ -3,7 +3,7 @@ $class = e107::getBB()->getClass('flash');
// USAGE: [flash=width,height,param_name=value&param_name=value]http://www.example.com/file.swf[/flash]
$movie_path = $tp->toAttribute($code_text);
$movie_path = e107::getParser()->toAttribute($code_text);
$parm_array = explode(',', $parm);
$width = preg_replace('#[^0-9%]#', '', varsettrue($parm_array[0], 50));
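Review bot: `$movie_path` is attribute-escaped but, in these lines, not checked for its URL scheme before it presumably becomes the object/embed source; the link and url bbcodes in this same commit refuse a `javascript:` prefix, so a matching guard here — or, better, an allow-list on `parse_url($code_text, PHP_URL_SCHEME)` accepting only `http`/`https` — would be consistent, unless such a check exists further down. `$width` is already restricted to digits and `%` on the following line, which is the right pattern for the remaining parameters too. The rest of the file is outside the hunk.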


@ -1,4 +1,4 @@
//<?
$class = e107::getBB()->getClass('justify');
return "<div class='{$justify}' style='text-align:justify'>$code_text</div>";
return "<div class='{$class}' style='text-align:justify'>$code_text</div>";


@ -3,7 +3,7 @@
$class = "bbcode ".e107::getBB()->getClass('link');
global $pref;
global $pref, $parm;
/**
* e107 BBCodes
@ -28,7 +28,8 @@ global $pref;
*/
$tp = e107::getParser();
$parm = $tp->dataFilter(trim($parm),'link');
$parm = $tp->filter(trim($parm));
/* Fix for people using link=external= */
if(strpos($parm,"external=") !== FALSE)
@ -70,5 +71,5 @@ global $pref;
$insert = ($pref['links_new_window'] && strpos($link,"{e_")===FALSE && substr($link,0,1) != "#" && substr($link,0,1) != "/" && strpos($extras,"rel=internal")===FALSE) ? "rel='external' " : "";
}
if (strtolower(substr($link,0,11)) == 'javascript:') return '';
return "<a class='{$class}' href='".$tp -> toAttribute($link)."' ".$insert.">".$code_text."</a>";
return "<a class='{$class}' href='".e107::getParser() -> toAttribute($link)."' ".$insert.">".$code_text."</a>";
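Review bot: Replacing `$tp->dataFilter(trim($parm),'link')` with `$tp->filter(trim($parm))` drops a check rather than renaming it: in `'link'` mode `dataFilter()` (gutted in the e_parse hunk of this commit) returned `'#sanitized'` whenever the parameter contained `vbscript:`, `data:text/html` or a script/embed/iframe tag, whereas `filter()` with the default `'str'` type only strips tags and encodes quotes. The surviving guard, `if (strtolower(substr($link,0,11)) == 'javascript:') return '';`, covers a single scheme by literal prefix, so an allow-list on `parse_url($link, PHP_URL_SCHEME)` (http, https, mailto, plus the `{e_` constants) would restore equivalent coverage in one place. Separately, this file sets `$tp = e107::getParser();` a few lines above, so the last hunk's `e107::getParser() -> toAttribute($link)` could simply stay `$tp->toAttribute($link)`. The `global $pref, $parm;` addition deserves a second look: if this file runs via `eval()` inside a method (as the bbcode_handler hunk suggests), `global $parm` rebinds the method-local parameter to `$GLOBALS['parm']`, so confirm the caller populates that global.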


@ -33,7 +33,7 @@ if (empty($parm))
}
else
{
$type = $tp -> toAttribute($parm);
$type = e107::getParser()->toAttribute($parm);
$listtext = "\n<ol class='bbcode ".$type."' style='list-style-type: $type'>";
$trailer = "</ol>";
}
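Review bot: `$type` is derived from the user-supplied `$parm` and placed both in the class attribute and in `style='list-style-type: $type'`; `toAttribute()` stops it breaking out of the quotes, but any value is accepted as a CSS property value and as an extra class name. Since `list-style-type` has a small known vocabulary, an allow-list such as `$allowed = ['decimal', 'lower-alpha', 'upper-alpha', 'lower-roman', 'upper-roman', 'disc', 'circle', 'square'];` checked with `in_array($parm, $allowed, true)` and falling back to a default would tighten this without affecting normal use. The surrounding `if (empty($parm))` block starts outside the hunk.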


@ -32,17 +32,19 @@ if (isset($stream_parms['height'])) {
}
$parmStr="";
$MozparmStr = '';
$IEparmStr = '';
foreach($stream_parms as $k => $v)
{
$MozparmStr .= "<param name='".$tp -> toAttribute($k)."' value='".$tp -> toAttribute($v)."'>\n";
$IEparmStr .= $tp -> toAttribute($k)."='".$tp -> toAttribute($v)."' ";
$MozparmStr .= "<param name='".e107::getParser()->toAttribute($k)."' value='".e107::getParser()->toAttribute($v)."'>\n";
$IEparmStr .= e107::getParser()->toAttribute($k)."='".e107::getParser()->toAttribute($v)."' ";
}
$ret = "
<object class='{$class}' id='MediaPlayer' classid='CLSID:22D6F312-B0F6-11D0-94AB-0080C74C7E95' standby='Loading Microsoft<EFBFBD> Windows<EFBFBD> Media Player components...' type='application/x-oleobject' codebase='http://activex.microsoft.com/activex/controls/mplayer/en/nsmp2inf.cab#Version=6,4,7,1112' width='".$tp -> toAttribute($width)."' height='".$tp -> toAttribute($height)."'>\n";
$ret .= "<param name='filename' value='".$tp -> toAttribute($code_text)."'>\n";
<object class='{$class}' id='MediaPlayer' classid='CLSID:22D6F312-B0F6-11D0-94AB-0080C74C7E95' standby='Loading Microsoft<EFBFBD> Windows<EFBFBD> Media Player components...' type='application/x-oleobject' codebase='http://activex.microsoft.com/activex/controls/mplayer/en/nsmp2inf.cab#Version=6,4,7,1112' width='".e107::getParser()->toAttribute($width)."' height='".e107::getParser()->toAttribute($height)."'>\n";
$ret .= "<param name='filename' value='".e107::getParser()->toAttribute($code_text)."'>\n";
$ret .= $MozparmStr;
$ret .= "<embed src='".$tp -> toAttribute($code_text)."' width='".$tp -> toAttribute($width)."' height='".$tp -> toAttribute($height)."' id='mediaPlayer' name='mediaPlayer' {$IEparmStr}>
$ret .= "<embed src='".e107::getParser()->toAttribute($code_text)."' width='".e107::getParser()->toAttribute($width)."' height='".e107::getParser()->toAttribute($height)."' id='mediaPlayer' name='mediaPlayer' {$IEparmStr}>
</object>
";
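Review bot: The rewritten `<object ... standby='Loading Microsoft<EFBFBD> Windows<EFBFBD> Media Player ...'>` line carries two U+FFFD replacement characters (the bytes rendered as `<EFBFBD>`) where a symbol — presumably `®` — was lost in an earlier re-encoding; since the line is being rewritten anyway, restore the intended characters or drop them. `e107::getParser()` is now called up to six times per statement and twice per loop iteration; a single `$tp = e107::getParser();` before the `foreach` keeps each value escaped once and shortens the three long lines. `$parmStr` is initialised and never used in the visible lines. The function starts outside the hunk.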


@ -8,6 +8,6 @@ parse_str($parm, $tmp);
foreach($tmp as $key => $p)
{
$tastr .= $tp -> toAttribute($key)." = '".$tp -> toAttribute($p)."' ";
$tastr .= e107::getParser()->toAttribute($key)." = '".e107::getParser()->toAttribute($p)."' ";
}
return "<textarea class='{$class}' $tastr>$code_text</textarea>";
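Review bot: The rewritten loop emits every key from `parse_str($parm, $tmp)` as an attribute name on the `<textarea>`; `toAttribute()` escapes the value, but an attribute *name* is ordinary text to an HTML escaper, so an event-handler attribute name supplied in the bbcode parameter would pass through unchanged unless `$parm` is vetted upstream (not visible here). An allow-list before the append, e.g. `if(!in_array($key, ['rows', 'cols', 'name', 'id', 'class', 'placeholder', 'readonly', 'disabled'], true)) { continue; }`, limits it to presentation attributes. The enclosing code starts outside the hunk.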


@ -10,12 +10,12 @@ if ($parm && $parm != 'external' && strpos($parm, ' ') === FALSE)
$parm = preg_replace('#^external.#is', '', $parm);
if (strtolower(substr($parm, 0, 11)) === 'javascript:')
return '';
return '<a href="'.$tp->toAttribute($parm).'" class="bbcode '.$class.'"'.$external.'>'.$code_text.'</a>';
return '<a href="'.e107::getParser()->toAttribute($parm).'" class="bbcode '.$class.'"'.$external.'>'.$code_text.'</a>';
}
else
{
if (strtolower(substr($code_text, 0, 11)) === 'javascript:')
return '';
return '<a href="'.$tp->toAttribute($code_text).'" class="bbcode '.$class.'"'.$external.'>'.$code_text.'</a>';
return '<a href="'.e107::getParser()->toAttribute($code_text).'" class="bbcode '.$class.'"'.$external.'>'.$code_text.'</a>';
}
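Review bot: The two rewritten return lines are identical apart from the href source, and the `javascript:` guard above each is duplicated too; choosing the href in the existing `if`/`else` and returning once, e.g. `$href = e107::getParser()->toAttribute($target);` followed by a single `return '<a href="'.$href.'" class="bbcode '.$class.'"'.$external.'>'.$code_text.'</a>';`, removes both copies. That guard is a literal 11-character prefix test, so it only covers that one exact form; comparing a lower-cased `parse_url($target, PHP_URL_SCHEME)` against an allow-list of `http`, `https` and `mailto` is both simpler and broader. `$external` and `$class` are concatenated into the tag without escaping, which is fine if they are built from fixed strings above the hunk — confirm. The enclosing code starts outside the hunk.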


@ -27,7 +27,7 @@ if (!defined('e107_INIT')) { exit; }
class e_bbcode
{
var $bbList; // Caches the file contents for each bbcode processed
var $bbLocation; // Location for each file - 'core' or a plugin name
var $bbLocation = array(); // Location for each file - 'core' or a plugin name
var $preProcess = FALSE; // Set when processing bbcodes prior to saving
var $core_bb = array();
var $class = FALSE;
@ -224,7 +224,7 @@ class e_bbcode
else
{ // Opening code to process
// If its a single code, we can process it now. Otherwise just stack the value
if (array_key_exists('_'.$bbword,$this->bbLocation))
if (array_key_exists('_'.$bbword, $this->bbLocation))
{ // Single code to process
if (count($code_stack) == 0)
{
@ -387,10 +387,23 @@ class e_bbcode
* @todo - capturing output deprecated
*/
ob_start();
$bbcode_return = eval($bbcode); //FIXME notice removal
try
{
$bbcode_return = eval($bbcode); //FIXME notice removal
}
catch (ParseError $e)
{
$error = $debugFile." -- ".$e->getMessage();
}
$bbcode_output = ob_get_contents();
ob_end_clean();
if(!empty($error))
{
trigger_error($error, E_USER_NOTICE);
}
/* added to remove possibility of nested bbcode exploits ... */
if(strpos($bbcode_return, "[") !== FALSE)
{
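Review bot: When `eval($bbcode)` throws `ParseError`, the new `catch` leaves `$bbcode_return` unassigned — or holding the previous code's value, since this looks like a per-bbcode loop — and the unchanged `strpos($bbcode_return, "[")` a few lines later then runs on an undefined or stale value. Initialising before the `try`, `$bbcode_return = '';` and `$error = '';`, makes both that `strpos()` and the `if(!empty($error))` check deterministic; without the second, a message left over from an earlier iteration would be reported again if `$error` is not reset outside the hunk. `$debugFile` is used in the message but not defined in the visible lines; presumably set above. The method starts and ends outside the hunk.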


@ -29,11 +29,6 @@ class e_parse extends e_parser
*/
protected $utfAction;
// Shortcode processor - see __get()
//var $e_sc;
// BBCode processor
protected $e_bb;
// Profanity filter
public $e_pf;
@ -73,6 +68,8 @@ class e_parse extends e_parser
// BBcode that contain preformatted code.
private $preformatted = array('html', 'markdown');
private $bbList = array();
// Set up the defaults
protected $e_optDefault = array(
@ -265,6 +262,7 @@ class e_parse extends e_parser
$this->e_SuperMods[$key] = array_merge($this->e_optDefault , $this->e_SuperMods[$key]);
$this->e_SuperMods[$key]['context'] = $key;
}
}
@ -621,151 +619,23 @@ class e_parse extends e_parser
*/
public function htmlAbuseFilter($data, $tagList = '')
{
trigger_error('<b>'.__METHOD__.' is deprecated.</b>', E_USER_DEPRECATED); // NO LAN
if (empty($tagList))
{
$checkTags = array('textarea', 'input', 'td', 'tr', 'table');
}
else
{
$checkTags = explode(',', $tagList);
}
$tagArray = array_flip($checkTags);
foreach ($tagArray as &$v) { $v = 0; } // Data fields become zero; keys are tag names.
$data = strtolower(preg_replace('#\[code\].*?\[\/code\]#i', '', $data)); // Ignore code blocks. All lower case simplifies the rest
$matches = array();
if (!preg_match_all('#<(\/|)([^<>]*?[^\/])>#', $data, $matches, PREG_SET_ORDER))
{
//echo "No tags found<br />";
return TRUE; // No tags found; so all OK
}
//print_a($matches);
foreach ($matches as $m)
{
// $m[0] is the complete tag; $m[1] is '/' or empty; $m[2] is the tag and any attributes
list ($tag) = explode(' ', $m[2], 2);
if (!isset($tagArray[$tag]))
{
continue;
} // Not a tag of interest
if ($m[1] === '/')
{ // Closing tag
if ($tagArray[$tag] == 0)
{
//echo "Close before open: {$tag}<br />";
return TRUE; // Closing tag before we've had an opening tag
}
$tagArray[$tag]--; // Obviously had at least one opening tag
}
else
{ // Opening tag
$tagArray[$tag]++;
}
}
//print_a($tagArray);
foreach ($tagArray as $t)
{
if ($t > 0)
{
return TRUE;
} // More opening tags than closing tags
}
return FALSE; // OK now
trigger_error('<b>'.__METHOD__.' is deprecated. Use $tp->cleanHtml() instead.</b>', E_USER_WARNING); // NO LAN
return $data;
}
/**
* @DEPRECATED XXX TODO Remove this horrible thing which adds junk to a db.
* @deprecated
* Checks a string for potentially dangerous HTML tags, including malformed tags
*
*/
public function dataFilter($data, $mode='bbcode')
{
$ans = '';
$vetWords = array('<applet', '<body', '<embed', '<frame', '<script','%3Cscript',
'<frameset', '<html', '<iframe', '<style', '<layer', '<link',
'<ilayer', '<meta', '<object', '<plaintext', 'javascript:',
'vbscript:','data:text/html');
$ret = preg_split('#(\[code.*?\[/code.*?])#mis', $data, -1, PREG_SPLIT_NO_EMPTY | PREG_SPLIT_DELIM_CAPTURE );
foreach ($ret as $s)
{
if (strpos($s, '[code') !== 0)
{
$vl = array();
$t = html_entity_decode(rawurldecode($s), ENT_QUOTES, CHARSET);
$t = str_replace(array("\r", "\n", "\t", "\v", "\f", "\0"), '', $t);
$t1 = strtolower($t);
foreach ($vetWords as $vw)
{
if (strpos($t1, $vw) !== FALSE)
{
$vl[] = $vw; // Add to list of words found
}
if (strpos($vw, '<') === 0)
{
$vw = '</'.substr($vw, 1);
if (strpos($t1, $vw) !== FALSE)
{
$vl[] = $vw; // Add to list of words found
}
}
}
// More checks here
if (count($vl))
{ // Do something
$s = preg_replace_callback('#('.implode('|', $vl).')#mis', array($this, 'modtag'), $t);
}
}
$s = preg_replace('#(?:onmouse.+?|onclick|onfocus)\s*?\=#', '[sanitised]$0[/sanitised]', $s);
$s = preg_replace_callback('#base64([,\(])(.+?)([\)\'\"])#mis', array($this, 'proc64'), $s);
$ans .= $s;
}
if($mode === 'link' && count($vl))
{
return '#sanitized';
}
return $ans;
trigger_error('$tp->dateFilter() is deprecated. Use $tp->filter() instead.', E_USER_WARNING);
return $data;
}
/**
* Check base-64 encoded code
*/
private function proc64($match)
{
$decode = base64_decode($match[2]);
return 'base64'.$match[1].base64_encode($this->dataFilter($decode)).$match[3];
}
// XXX REmove ME.
private function modTag($match)
{
if (isset($match[1]))
{
$chop = (int) (strlen($match[1]) / 2);
$ans = substr($match[1], 0, $chop).'##xss##'.substr($match[1], $chop);
}
else
{
$ans = '?????';
}
return '[sanitised]'.$ans.'[/sanitised]';
}
/**
* Processes data as needed before its written to the DB.
* Currently gives bbcodes the opportunity to do something
@ -775,13 +645,12 @@ class e_parse extends e_parser
*/
public function preFilter($data)
{
if (!is_object($this->e_bb))
if(!$this->isBBcode($data))
{
require_once(e_HANDLER.'bbcode_handler.php');
$this->e_bb = new e_bbcode;
return $data;
}
$ret = $this->e_bb->parseBBCodes($data, defset('USERID'), 'default', 'PRE'); // $postID = logged in user here
return $ret;
return e107::getBB()->parseBBCodes($data, defset('USERID'), 'default', 'PRE'); // $postID = logged in user here
}
@ -868,40 +737,6 @@ class e_parse extends e_parser
}
/**
* Check if we are using the simple-Parse array format, or a legacy .sc format which contains 'return '
*
* @param array $extraCodes
* @return bool
*/
private function isSimpleParse($extraCodes)
{
if(!is_array($extraCodes))
{
return false;
}
foreach ($extraCodes as $sc => $code)
{
if(preg_match('/return(.*);/',$code)) // still problematic. 'return;' Might be used in common speech.
{
return false;
}
return true;
/* if(!strpos($code, 'return '))
{
return true;
}
else
{
return false;
}*/
}
}
/**
* Simple parser
@ -918,6 +753,7 @@ class e_parse extends e_parser
return preg_replace_callback("#\{([a-zA-Z0-9_]+)\}#", array($this, 'simpleReplace'), $template);
}
protected function simpleReplace($tmp)
{
@ -932,7 +768,16 @@ class e_parse extends e_parser
return (!empty($this->replaceVars) && ($this->replaceVars->$key !== null)) ? $this->replaceVars->$key : $unset; // Doesn't work.
}
/**
* @todo find a modern replacement
* @param $str
* @param $width
* @param string $break
* @param string $nobreak
* @param string $nobr
* @param false $utf
* @return string
*/
public function htmlwrap($str, $width, $break = "\n", $nobreak = 'a', $nobr = 'pre', $utf = FALSE)
{
/*
@ -1156,7 +1001,7 @@ class e_parse extends e_parser
* Truncate a HTML string
*
* Cuts a string to the length of $length and adds the value of $ending if the text is longer than length.
*
* @todo find a modern replacement
* @param string $text String to truncate.
* @param integer $length Length of returned string, including ellipsis.
* @param string $ending It will be used as Ending and appended to the trimmed string.
@ -1253,90 +1098,6 @@ class e_parse extends e_parser
return $truncate;
}
/**
* Truncate a HTML string to a maximum length $len ­ append the string $more if it was truncated
*
* @param string $text String to process
* @param integer $len [optional] Length of characters to be truncated - default 200
* @param string $more [optional] String which will be added if truncation - default ' ... '
* @return string
*/
public function html_truncate_old ($text, $len = 200, $more = ' ... ')
{
$pos = 0;
$curlen = 0;
$tmp_pos = 0;
$intag = FALSE;
while($curlen < $len && $curlen < strlen($text))
{
switch($text [$pos] )
{
case '<':
if($text [$pos + 1] === '/')
{
$closing_tag = TRUE;
}
$intag = TRUE;
$tmp_pos = $pos - 1;
$pos++;
break;
case '>':
if($text [$pos - 1] === '/')
{
$closing_tag = TRUE;
}
if($closing_tag == TRUE)
{
$tmp_pos = 0;
$closing_tag = FALSE;
}
$intag = FALSE;
$pos++;
break;
case '&':
if($text [$pos + 1] === '#')
{
$end = strpos(substr($text, $pos, 7), ';');
if($end !== FALSE)
{
$pos += ($end + 1);
if(!$intag)
{
$curlen++;
}
break;
}
}
$pos++;
if(!$intag)
{
$curlen++;
}
break;
default:
$pos++;
if(!$intag)
{
$curlen++;
}
break;
}
}
$ret = ($tmp_pos > 0 ? substr($text, 0, $tmp_pos+1) : substr($text, 0, $pos));
if($pos < strlen($text))
{
$ret .= $more;
}
return $ret;
}
/**
* Truncate a string of text to a maximum length $len ­ append the string $more if it was truncated
@ -1380,7 +1141,7 @@ class e_parse extends e_parser
}
public function textclean ($text, $wrap = 100)
public function textclean($text, $wrap = 100)
{
$text = str_replace("\n\n\n", "\n\n", $text);
$text = $this->htmlwrap($text, $wrap);
@ -1490,30 +1251,10 @@ class e_parse extends e_parser
public function parseBBCodes($text, $postID)
{
if (!is_object($this->e_bb))
{
require_once(e_HANDLER.'bbcode_handler.php');
$this->e_bb = new e_bbcode;
}
$text = $this->e_bb->parseBBCodes($text, $postID);
return $text;
return e107::getBB()->parseBBCodes($text, $postID);
}
/**
* Converts the text (presumably retrieved from the database) for HTML output.
*
@ -1891,35 +1632,30 @@ class e_parse extends e_parser
// BBCode processing (other than the four already done, which shouldn't appear at all in the text)
if ($parseBB !== FALSE)
if ($parseBB !== false)
{
if (!is_object($this->e_bb))
{
require_once(e_HANDLER.'bbcode_handler.php');
$this->e_bb = new e_bbcode;
}
if ($parseBB === TRUE)
if ($parseBB === true)
{
// 'Normal' or 'legacy' processing
if($modifiers === 'WYSIWYG')
{
$sub_blk = $this->e_bb->parseBBCodes($sub_blk, $postID, 'wysiwyg');
$sub_blk = e107::getBB()->parseBBCodes($sub_blk, $postID, 'wysiwyg');
}
else
{
$sub_blk = $this->e_bb->parseBBCodes($sub_blk, $postID);
$sub_blk = e107::getBB()->parseBBCodes($sub_blk, $postID);
}
}
elseif ($parseBB === 'STRIP')
{
// Need to strip all BBCodes
$sub_blk = $this->e_bb->parseBBCodes($sub_blk, $postID, 'default', TRUE);
$sub_blk = e107::getBB()->parseBBCodes($sub_blk, $postID, 'default', TRUE);
}
else
{
// Need to strip just some BBCodes
$sub_blk = $this->e_bb->parseBBCodes($sub_blk, $postID, 'default', $parseBB);
$sub_blk = e107::getBB()->parseBBCodes($sub_blk, $postID, 'default', $parseBB);
}
}
@ -3307,6 +3043,7 @@ class e_parse extends e_parser
return $new;
}
$replace_absolute = array();
if(!empty($mode))
{
@ -3815,7 +3552,7 @@ class e_parse extends e_parser
default:
trigger_error('$e107->$'.$name.' not defined', E_USER_WARNING);
// trigger_error('$e107->$'.$name.' not defined', E_USER_WARNING);
return NULL;
break;
}
@ -4429,6 +4166,7 @@ class e_parser
$linkStart = '';
$linkEnd = '';
$full = !empty($options['base64']) ? true : false;
$file = '';
if(!empty($options['mode']) && $options['mode'] === 'full')
{
@ -4797,6 +4535,11 @@ class e_parser
$html .= "\n";
}
if(empty($path))
{
return null;
}
$html .= "<img {$id}class=\"{$class}\" src=\"".$path. '" alt="' .$alt. '" ' .$srcset.$width.$height.$style.$loading.$title. ' />';
$html .= ($this->convertToWebP) ? "\n</picture>" : '';
@ -4977,13 +4720,12 @@ class e_parser
if(strpos($file, "{e_") === 0)
{
$file = e107::getParser()->replaceConstants($file);
$file = $this->replaceConstants($file);
}
$ext = pathinfo($file,PATHINFO_EXTENSION);
return $ext === 'jpg' || $ext === 'png' || $ext === 'gif' || $ext === 'jpeg';
return ($ext === 'jpg' || $ext === 'png' || $ext === 'gif' || $ext === 'jpeg' || $ext === 'webp');
}
@ -5222,236 +4964,11 @@ class e_parser
/**
* Perform and render XSS Test Comparison
*/
public function test($text='',$advanced = false)
{
// $tp = e107::getParser();
$sql = e107::getDb();
$tp = e107::getParser();
if(empty($text))
{
$text = <<<TMPL
[html]<p><strong>bold print</strong></p>
<pre class="prettyprint linenums">&lt;a href='#'&gt;Something&lt;/a&gt;</pre>
<p>Some text's and things.</p>
<p>&nbsp;</p>
<p><a href="/test.php?w=9&amp;h=12">link</a></p>
<p>日本語 简体中文</p>
<p>&nbsp;</p>
[/html]
TMPL;
}
// $text .= '[code=inline]<b class="something">Something</b>[/code]日本語 ';
// -------------------- Encoding ----------------
$acc = $this->getScriptAccess();
$accName = e107::getUserClass()->getName($acc);
echo "<h2>e107 Parser Test <small>with script access by <span class='label label-warning'>".$accName. '</span></small></h2>';
echo '<h3>User-input <small>(eg. from $_POST)</small></h3>';
print_a($text);
$dbText = $tp->toDB($text,true);
echo '<h3>User-input &gg; toDB() ';
if($this->isHtml == true)
{
echo "<small>detected as <span class='label label-warning'>HTML</span></small>";
}
else
{
echo "<small>detected as <span class='label label-info'>Plain text</span></small>";
}
echo '</h3>';
print_a($dbText);
if(!empty($advanced))
{
echo "<div class='alert alert-warning'>";
$dbText2 = $tp->toDB($text, true, false, 'no_html');
echo "<h3>User-input &gg; toDb(\$text, true, false, 'no_html')</h3>";
print_a($dbText2);
echo "<div class='alert alert-warning'>";
$dbText3 = $tp->toDB($text, false, false, 'pReFs');
echo "<h3>User-input &gg; toDb(\$text, false, false, 'pReFs')</h3>";
print_a($dbText3);
// toClean
$filter3 = $tp->filter($text, 'wds');
echo "<h3>User-input &gg; filter(\$text, 'wds')</h3>";
print_a( $filter3);
// Filter by String.
$filter1 = $tp->filter($text);
echo "<h3>User-input &gg; filter(\$text, 'str')</h3>";
print_a($filter1);
// Filter by Encoded.
$filter2 = $tp->filter($text,'enc');
echo "<h3>User-input &gg; filter(\$text, 'enc')</h3>";
print_a($filter2);
// toAttribute
$toAtt = $tp->toAttribute($text);
echo '<h3>User-input &gg; toAttribute($text)</h3>';
print_a($toAtt);
// toEmail
$toEmail = $tp->toEmail($dbText);
echo '<h3>User-input &gg; toEmail($text) <small>from DB</small></h3>';
print_a($toEmail);
// toEmail
$toRss = $tp->toRss($text);
echo '<h3>User-input &gg; toRss($text)</h3>';
print_a($toRss);
echo '</div>';
}
echo '<h3>toDB() &gg; toHTML()</h3>';
$html = $tp->toHTML($dbText,true);
print_a($html);
echo '<h3>toDB &gg; toHTML() <small>(rendered)</small></h3>';
echo $html;
echo '<h3>toDB &gg; toForm()</h3>';
$toForm = $tp->toForm($dbText);
$toFormRender = e107::getForm()->open('test');
$toFormRender .= "<textarea cols='100' style='width:100%;height:300px' >".$toForm. '</textarea>';
$toFormRender .= e107::getForm()->close();
echo $toFormRender;
echo '<h3>toDB &gg; bbarea</h3>';
echo e107::getForm()->bbarea('name',$toForm);
if(!empty($advanced))
{
echo '<h3>Allowed Tags</h3>';
print_a($this->allowedTags);
echo '<h3>Converted Paths</h3>';
print_a($this->pathList);
echo '<h3>Removed Tags and Attributes</h3>';
print_a($this->removedList);
echo '<h3>Nodes to Convert</h3>';
print_a($this->nodesToConvert);
echo '<h3>Nodes to Disable SC</h3>';
print_a($this->nodesToDisableSC);
}
similar_text($text, html_entity_decode( $toForm, ENT_COMPAT, 'UTF-8'),$perc);
$scoreStyle = ($perc > 98) ? 'label-success' : 'label-danger';
echo "<h3><span class='label ".$scoreStyle."'>Similarity: ".number_format($perc). '%</span></h3>';
echo "<table class='table table-bordered'>
<tr>
<th style='width:50%'>User-input</th>
<th style='width:50%'>toForm() output</th>
</tr>
<tr>
<td>".print_a($text,true). '</td>
<td>' . $toFormRender. '</td>
</tr>
</table>';
/* <tr>
<td>".print_a(json_encode($text),true)."</td>
<td>". print_a(json_encode(html_entity_decode( $toForm, ENT_COMPAT, 'UTF-8')),true)."</td>
</tr>*/
// print_a($text);
return;
//return;
// ---------------------------------
$html = $text;
$sql = e107::getDb();
$tp = e107::getParser();
$dbg = e107::getDebug();
// $html = $this->getXss();
echo '<h2>Unprocessed XSS</h2>';
// echo $html; // Remove Comment for a real mess!
print_a($html);
echo '<h2>Standard v2 Parser</h2>';
echo '<h3>$tp->dataFilter()</h3>';
// echo $tp->dataFilter($html); // Remove Comment for a real mess!
$dbg->logTime('------ Start Parser Test -------');
print_a($tp->dataFilter($html));
$dbg->logTime('tp->dataFilter');
echo '<h3>$tp->toHTML()</h3>';
// echo $tp->dataFilter($html); // Remove Comment for a real mess!
print_a($tp->toHTML($html));
$dbg->logTime('tp->toHtml');
echo '<h3>$tp->toDB()</h3>';
// echo $tp->dataFilter($html); // Remove Comment for a real mess!
$todb = $tp->toDB($html);
print_a( $todb);
$dbg->logTime('tp->toDB');
echo '<h3>$tp->toForm() with toDB input.</h3>';
print_a( $tp->toForm($todb));
echo '<h2>New Parser</h2>';
echo '<h3>Processed</h3>';
$cleaned = $this->cleanHtml($html); // false = don't check html pref.
print_a($cleaned);
$dbg->logTime('new Parser');
// $dbg->logTime('------ End Parser Test -------');
echo '<h3>Processed &amp; Rendered</h3>';
echo $cleaned;
echo '<h2>New Parser - Data</h2>';
echo '<h3>Converted Paths</h3>';
print_a($this->pathList);
echo '<h3>Removed Tags and Attributes</h3>';
print_a($this->removedList);
// print_a($p);
}
/**
* Filters/Validates using the PHP5 filter_var() method.
* @param $text
* @param $type string str|int|email|url|w|wds|file
* @return string | boolean | array
* @param string|array $text
* @param string $type string str|int|email|url|w|wds|file
* @return string|boolean| array
*/
public function filter($text, $type='str', $validate=false)
{
@ -5460,65 +4977,67 @@ return;
return $text;
}
if($type === 'w') // words only.
switch($type)
{
return preg_replace('/[^\w]/', '',$text);
case "w":
$ret = preg_replace('/[^\w]/', '',$text);
break;
case "d":
$ret = preg_replace('/[^\d]/', '',$text);
break;
case "wd":
$ret = preg_replace('/[^\w\d]/', '',$text);
break;
case "wds":
$ret = preg_replace('/[^\w\d ]/', '',$text);
break;
case "file":
$ret = preg_replace('/[^\w\d_\.-]/', '-',$text);
break;
case "version":
$ret = preg_replace('/[^\d_\.]/', '',$text);
break;
default:
if($validate == false)
{
$filterTypes = array(
'int' => FILTER_SANITIZE_NUMBER_INT,
'str' => FILTER_SANITIZE_STRING, // no html.
'email' => FILTER_SANITIZE_EMAIL,
'url' => FILTER_SANITIZE_URL,
'enc' => FILTER_SANITIZE_ENCODED
);
}
else
{
$filterTypes = array(
'int' => FILTER_VALIDATE_INT,
'email' => FILTER_VALIDATE_EMAIL,
'ip' => FILTER_VALIDATE_IP,
'url' => FILTER_VALIDATE_URL,
);
}
if(is_array($text))
{
$ret = filter_var_array($text, $filterTypes[$type]);
}
else
{
$ret = filter_var($text, $filterTypes[$type]);
}
}
if($type === 'd') // digits only.
{
return preg_replace('/[^\d]/', '',$text);
}
if($type === 'wd') // words and digits only.
{
return preg_replace('/[^\w\d]/', '',$text);
}
if($type === 'wds') // words, digits and spaces only.
{
return preg_replace('/[^\w\d ]/', '',$text);
}
if($type === 'file')
{
return preg_replace('/[^\w\d_\.-]/', '-',$text);
}
if($type === 'version')
{
return preg_replace('/[^\d_\.]/', '',$text);
}
if($validate == false)
{
$filterTypes = array(
'int' => FILTER_SANITIZE_NUMBER_INT,
'str' => FILTER_SANITIZE_STRING, // no html.
'email' => FILTER_SANITIZE_EMAIL,
'url' => FILTER_SANITIZE_URL,
'enc' => FILTER_SANITIZE_ENCODED
);
}
else
{
$filterTypes = array(
'int' => FILTER_VALIDATE_INT,
'email' => FILTER_VALIDATE_EMAIL,
'ip' => FILTER_VALIDATE_IP,
'url' => FILTER_VALIDATE_URL,
);
}
if(is_array($text))
{
return filter_var_array($text, $filterTypes[$type]);
}
return filter_var($text, $filterTypes[$type]);
return $ret;
}
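Review bot: The warning emitted by the gutted `dataFilter()` names the wrong method — `'$tp->dateFilter() is deprecated...'` should read `'$tp->dataFilter() is deprecated. Use $tp->filter() instead.'` — and both it and the `htmlAbuseFilter()` message use `E_USER_WARNING` where `E_USER_DEPRECATED` (which the removed line already used) is the level meant for this. More importantly, `dataFilter()` now returns its input untouched: it previously neutralised `<script`, `<iframe`, `javascript:`, `vbscript:`, `data:text/html` and `on*=` handlers and in `'link'` mode replaced the whole value with `'#sanitized'`, so any caller the commit did not migrate (plugins included) silently loses that filtering, while the replacement `filter('str')` only strips tags and encodes quotes. Either keep a reduced scheme check for the `'link'` mode or make the deprecation fail loudly until callers are migrated; note also that `FILTER_SANITIZE_STRING`, which backs the default `'str'` type, is deprecated as of PHP 8.1. The commented-out `trigger_error('$e107->$'.$name.' not defined', ...)` in `__get` turns an undefined-property access into a silent `NULL`, which removes the only signal that a caller is reaching for a property this cleanup deleted. All of these methods start outside their hunks.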


@ -23,7 +23,7 @@ class banner_shortcodes extends e_shortcode
// $parm now can be array, old campaign $parm still allowed....
function sc_banner($parm = '')
{
$sql = e107::getDb();
$tp = e107::getParser();
mt_srand((double) microtime() * 1000000);


@ -42,20 +42,10 @@ $tp = e107::getParser();
//require_once(e_PLUGIN.'rss_menu/rss_shortcodes.php');
require_once(e_HANDLER.'userclass_class.php');
/*
global $tp;
if (!is_object($tp->e_bb))
{
require_once(e_HANDLER.'bbcode_handler.php');
$tp->e_bb = new e_bbcode;
}
*/
// Get language file
e107::includeLan(e_PLUGIN.'rss_menu/languages/'.e_LANGUAGE.'_admin_rss_menu.php');
// Query handler
if(!empty($_GET['type']))
{


@ -27,7 +27,11 @@
$this->assertTrue(false, $e->getMessage());
}
$this->bb->__construct();
}
/*
public function testSetClass()
{
@ -68,12 +72,165 @@
{
}
*/
public function testParseBBCodes()
{
$codes = array (
'_br' =>
array (
),
'b' =>
array (
),
'alert' => array (
'warning' => array('input'=>'Warning Message', 'expected'=>"<div class='alert alert-warning'>Warning Message</div>"),
),
'block' =>
array (
),
'code' =>
array (
),
'glyph' =>
array (
),
'h' =>
array (
),
'img' =>
array (
),
'nobr' =>
array (
),
'p' =>
array (
),
'video' =>
array (
),
'youtube' =>
array (
),
'blockquote' =>
array (
),
'br' =>
array (
),
'center' =>
array (
),
'color' =>
array (
),
'email' =>
array (
),
'file' =>
array (
),
'flash' =>
array (
),
'hide' =>
array (
),
'html' =>
array (
),
'i' =>
array (
),
'index.html' =>
array (
),
'justify' =>
array (
),
'left' =>
array (
),
'link' => array (
// [bbcode=xxxxxx] param [bbcode]xxxxxx[/bbode] expected output
'http://mysite.com external' => array('input'=>'http://mysite.com', 'expected'=>"<a class='bbcode bbcode-link' href='http://mysite.com' rel='external' >http://mysite.com</a>"),
'http://mysite.com rel=external' => array('input'=>'http://mysite.com', 'expected'=>"<a class='bbcode bbcode-link' href='http://mysite.com' rel='external' >http://mysite.com</a>"),
'external' => array('input'=>'http://mysite.com', 'expected'=>"<a class='bbcode bbcode-link' href='http://mysite.com' rel='external' >http://mysite.com</a>"),
'mailto:myemail@email.com' => array('input'=>'My Name', 'expected'=>"<a class='bbcode' rel='external' href='javascript:window.location=\"mai\"+\"lto:\"+\"myemail\"+\"@\"+\"email.com\";self.close();' onmouseover='window.status=\"mai\"+\"lto:\"+\"myemail\"+\"@\"+\"email.com\"; return true;' onmouseout='window.status=\"\";return true;'>My Name</a>"),
'external=http://mysite.com' => array('input'=>'http://mysite.com', 'expected'=>"<a class='bbcode bbcode-link' href='http://mysite.com' rel='external' >http://mysite.com</a>"),
),
'list' =>
array (
),
'quote' =>
array (
),
'right' =>
array (
),
'sanitised' =>
array (
),
'size' =>
array (
),
'spoiler' =>
array (
),
'stream' =>
array (
),
'table' =>
array (
),
'tbody' =>
array (
),
'td' =>
array (
),
'textarea' =>
array (
),
'th' =>
array (
),
'time' =>
array (
),
'tr' =>
array (
),
'u' =>
array (
),
'url' =>
array (
),
);
$ret = [];
foreach($codes as $bbcode=>$var)
{
if(empty($var))
{
$input = '['.$bbcode.']http://mysite.com[/'.$bbcode.']';
$result = $this->bb->parseBBCodes($input, true); // parsing to check for PHP errors.
continue;
}
foreach($var as $parms=>$p)
{
$input2 = '['.$bbcode.'='.$parms.']'.$p['input'].'[/'.$bbcode.']';
$result2 = $this->bb->parseBBCodes($input2);
$this->assertEquals($p['expected'], $result2);
}
}
}
/*
public function testClearClass()
{
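Review bot: In the new `testParseBBCodes()`, the branch for bbcodes with no cases assigns `$result` and `continue`s without any assertion, so a fatal error would fail the test but an empty or wrong render would not; `$this->assertIsString($result);` gives the loop a verifiable purpose, and `$ret = [];` is never used. That call also passes `true` as the `$postID` argument, which does not match the integer the parser hunks pass (`defset('USERID')`); a literal user id keeps the fixture honest. The mailto case under `'link'` enshrines an expected href of `javascript:window.location=...`, which is fine as a regression fixture but documents that the link bbcode's mailto path emits an inline-script href while the same file rejects `javascript:` links — worth a comment so it is not mistaken for an accepted security property. `$this->bb->__construct();` in the first hunk re-runs the constructor on an existing instance, presumably to reset cached state; a one-line comment saying so would help.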


@ -130,6 +130,7 @@ while(&#036;row = &#036;sql-&gt;fetch())
}
*/
public function testParseTemplateWithEnabledCoreShortcodes()
{
$needle = '<ul class="nav navbar-nav nav-main ml-auto">';
@ -1556,6 +1557,7 @@ while(&#036;row = &#036;sql-&gt;fetch())
4 => array('input' => 'test123 xxx.jpg', 'mode' => 'file', 'expected' => 'test123-xxx.jpg'),
5 => array('input' => '2.1.4 (test)', 'mode' => 'version', 'expected' => '2.1.4'),
6 => array('input' => $url, 'mode'=>'url', 'expected' => $url),
7 => array('input' => array('1', 'xxx'), 'mode'=>'str', 'expected' => array('1', 'xxx')),
);
foreach($tests as $var)