Add HTML abuse blocker

2025-01-17 04:38:27 +01:00 · 2010-12-18 22:55:27 +00:00 · 2010-12-18 22:55:27 +00:00 · 9d181bf566
commit 9d181bf566
parent 3240652607
4 changed files with 50 additions and 0 deletions
--- a/e107_admin/prefs.php
+++ b/e107_admin/prefs.php
@ -784,6 +784,13 @@ $text .= "
 							<div class='smalltext field-help'>".PRFLAN_218."</div>
 						</td>
 					</tr>
+					<tr>
+						<td class='label'>".PRFLAN_220.":</td>
+						<td class='control'>
+							".$frm->radio_switch('html_abuse', varset($pref['html_abuse'], 1))."
+							<div class='smalltext field-help'>".PRFLAN_221."</div>
+						</td>
+					</tr>
 					<tr>
 						<td class='label'>".PRFLAN_122.":</td>
 						<td class='control'>
--- a/e107_core/xml/default_install.xml
+++ b/e107_core/xml/default_install.xml
@ -136,6 +136,7 @@
 		<core name="post_html">254</core>
 		<core name="post_script">250</core>
 		<core name="filter_script">1</core>
+		<core name="html_abuse">1</core>
 		<core name="predefinedLoginName"></core>
 		<core name="profanity_filter">0</core>
 		<core name="profanity_replace">[censored]</core>
--- a/e107_handlers/e_parse_class.php
+++ b/e107_handlers/e_parse_class.php
@ -492,6 +492,10 @@ class e_parse
 		{
 			$no_encode = TRUE;
 		}
+		if ($core_pref->get('html_abuse'))
+		{
+			if ($this->htmlAbuseFilter($data)) $no_encode = FALSE;
+		}
 		if (is_numeric($original_author) && !check_class($core_pref->get('post_html'), '', $original_author))
 		{
 			$no_encode = FALSE;
@ -520,6 +524,41 @@ class e_parse



+	/**
+	 *	Check for HTML closing tag for input elements, without corresponding opening tag
+	 *
+	 *	@param string $data
+	 *	@param string $tagList - if empty, uses default list of input tags. Otherwise a CSV list of tags to check (any type)
+	 *
+	 *	@return boolean TRUE if an unopened closing tag found
+	 *					FALSE if nothing found
+	 */
+	function htmlAbuseFilter($data, $tagList = '')
+	{
+		if ($tagList == '')
+		{
+			$checkTags = array('textarea', 'input', 'td', 'tr', 'table');
+		}
+		else
+		{
+			$checkTags = explode(',', $tagList);
+		}
+		$data = preg_replace('#\[code\].*?\[\/code\]#i', '', $data);		// Ignore code blocks
+		foreach ($checkTags as $tag)
+		{
+			if (($pos = stripos($data, '</'.$tag)) !== FALSE)
+			{
+				if ((($bPos = stripos($data, '<'.$tag )) === FALSE) || ($bPos > $pos))
+				{
+					return TRUE;		// Potentially abusive HTML found
+				}
+			}
+		}
+		return FALSE;		// Nothing detected
+	}
+
+
+

 	/**
 	 *	Checks a string for potentially dangerous HTML tags, including malformed tags
--- a/e107_languages/English/admin/lan_prefs.php
+++ b/e107_languages/English/admin/lan_prefs.php
@ -232,4 +232,7 @@ define('PRFLAN_217', 'Filter HTML content');
 define('PRFLAN_218', 'If \'off\', puts users at increased risk of XSS exploits posted by members of the above class, or prior to 0.7.24');

 define('PRFLAN_219', 'Not allowed characters found in Cookie name (alphanumeric characters allowed only). Cookie name not saved.');
+define('PRFLAN_220', 'HTML Abuse filter (experimental)');
+define('PRFLAN_221', 'Blocks some unmatched tags for those allowed to post HTML');
+
 ?>