mirror/php-e107
1
0
Fork 0
mirror of https://github.com/e107inc/e107.git synced 2025-08-04 21:57:51 +02:00
Code Issues Releases Wiki Activity

Add HTML abuse blocker

Browse Source
This commit is contained in:
e107steved
2010-12-18 22:55:27 +00:00
parent 3240652607
commit 9d181bf566
4 changed files with 50 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
e107_admin/prefs.php
View File

@@ -784,6 +784,13 @@ $text .= "
<div class='smalltext field-help'>".PRFLAN_218."</div> <div class='smalltext field-help'>".PRFLAN_218."</div>
</td> </td>
</tr> </tr>
<tr>
<td class='label'>".PRFLAN_220.":</td>
<td class='control'>
".$frm->radio_switch('html_abuse', varset($pref['html_abuse'], 1))."
<div class='smalltext field-help'>".PRFLAN_221."</div>
</td>
</tr>
<tr> <tr>
<td class='label'>".PRFLAN_122.":</td> <td class='label'>".PRFLAN_122.":</td>
<td class='control'> <td class='control'>

1
e107_core/xml/default_install.xml
View File

@@ -136,6 +136,7 @@
<core name="post_html">254</core> <core name="post_html">254</core>
<core name="post_script">250</core> <core name="post_script">250</core>
<core name="filter_script">1</core> <core name="filter_script">1</core>
<core name="html_abuse">1</core>
<core name="predefinedLoginName"></core> <core name="predefinedLoginName"></core>
<core name="profanity_filter">0</core> <core name="profanity_filter">0</core>
<core name="profanity_replace">[censored]</core> <core name="profanity_replace">[censored]</core>

39
e107_handlers/e_parse_class.php
View File

@@ -492,6 +492,10 @@ class e_parse
{ {
$no_encode = TRUE; $no_encode = TRUE;
} }
if ($core_pref->get('html_abuse'))
{
if ($this->htmlAbuseFilter($data)) $no_encode = FALSE;
}
if (is_numeric($original_author) && !check_class($core_pref->get('post_html'), '', $original_author)) if (is_numeric($original_author) && !check_class($core_pref->get('post_html'), '', $original_author))
{ {
$no_encode = FALSE; $no_encode = FALSE;
@@ -520,6 +524,41 @@ class e_parse
/**
* Check for HTML closing tag for input elements, without corresponding opening tag
*
* @param string $data
* @param string $tagList - if empty, uses default list of input tags. Otherwise a CSV list of tags to check (any type)
*
* @return boolean TRUE if an unopened closing tag found
* FALSE if nothing found
*/
function htmlAbuseFilter($data, $tagList = '')
{
if ($tagList == '')
{
$checkTags = array('textarea', 'input', 'td', 'tr', 'table');
}
else
{
$checkTags = explode(',', $tagList);
}
$data = preg_replace('#\[code\].*?\[\/code\]#i', '', $data); // Ignore code blocks
foreach ($checkTags as $tag)
{
if (($pos = stripos($data, '</'.$tag)) !== FALSE)
{
if ((($bPos = stripos($data, '<'.$tag )) === FALSE) || ($bPos > $pos))
{
return TRUE; // Potentially abusive HTML found
}
}
}
return FALSE; // Nothing detected
}
/** /**
* Checks a string for potentially dangerous HTML tags, including malformed tags * Checks a string for potentially dangerous HTML tags, including malformed tags

3
e107_languages/English/admin/lan_prefs.php
View File

@@ -232,4 +232,7 @@ define('PRFLAN_217', 'Filter HTML content');
define('PRFLAN_218', 'If \'off\', puts users at increased risk of XSS exploits posted by members of the above class, or prior to 0.7.24'); define('PRFLAN_218', 'If \'off\', puts users at increased risk of XSS exploits posted by members of the above class, or prior to 0.7.24');
define('PRFLAN_219', 'Not allowed characters found in Cookie name (alphanumeric characters allowed only). Cookie name not saved.'); define('PRFLAN_219', 'Not allowed characters found in Cookie name (alphanumeric characters allowed only). Cookie name not saved.');
define('PRFLAN_220', 'HTML Abuse filter (experimental)');
define('PRFLAN_221', 'Blocks some unmatched tags for those allowed to post HTML');
?> ?>