Add HTML abuse blocker
@@ -784,6 +784,13 @@ $text .= "
|
|||||||
<div class='smalltext field-help'>".PRFLAN_218."</div>
|
<div class='smalltext field-help'>".PRFLAN_218."</div>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td class='label'>".PRFLAN_220.":</td>
|
||||||
|
<td class='control'>
|
||||||
|
".$frm->radio_switch('html_abuse', varset($pref['html_abuse'], 1))."
|
||||||
|
<div class='smalltext field-help'>".PRFLAN_221."</div>
|
||||||
|
</td>
|
||||||
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td class='label'>".PRFLAN_122.":</td>
|
<td class='label'>".PRFLAN_122.":</td>
|
||||||
<td class='control'>
|
<td class='control'>
|
||||||
|
@@ -136,6 +136,7 @@
|
|||||||
<core name="post_html">254</core>
|
<core name="post_html">254</core>
|
||||||
<core name="post_script">250</core>
|
<core name="post_script">250</core>
|
||||||
<core name="filter_script">1</core>
|
<core name="filter_script">1</core>
|
||||||
|
<core name="html_abuse">1</core>
|
||||||
<core name="predefinedLoginName"></core>
|
<core name="predefinedLoginName"></core>
|
||||||
<core name="profanity_filter">0</core>
|
<core name="profanity_filter">0</core>
|
||||||
<core name="profanity_replace">[censored]</core>
|
<core name="profanity_replace">[censored]</core>
|
||||||
|
@@ -492,6 +492,10 @@ class e_parse
|
|||||||
{
|
{
|
||||||
$no_encode = TRUE;
|
$no_encode = TRUE;
|
||||||
}
|
}
|
||||||
|
if ($core_pref->get('html_abuse'))
|
||||||
|
{
|
||||||
|
if ($this->htmlAbuseFilter($data)) $no_encode = FALSE;
|
||||||
|
}
|
||||||
if (is_numeric($original_author) && !check_class($core_pref->get('post_html'), '', $original_author))
|
if (is_numeric($original_author) && !check_class($core_pref->get('post_html'), '', $original_author))
|
||||||
{
|
{
|
||||||
$no_encode = FALSE;
|
$no_encode = FALSE;
|
||||||
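Review bot: The new guard `if ($this->htmlAbuseFilter($data)) $no_encode = FALSE;` is a brace-less single-statement if inside a block where every neighbouring branch (`$no_encode = TRUE;` above, the `check_class` branch below) uses braces; wrapping it the same way keeps the style uniform. A short why-comment would also help, since the function name suggests filtering while the call only flips a flag: `// Unmatched closing tag detected: force entity-encoding even though this author may post HTML`. Nothing here records that the filter fired, so a permitted HTML poster presumably gets their post encoded with no feedback; a log or admin notice at this point may be worth considering. The enclosing method starts before this hunk and continues after it.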
@@ -520,6 +524,41 @@ class e_parse
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Check for HTML closing tag for input elements, without corresponding opening tag
|
||||||
|
*
|
||||||
|
* @param string $data
|
||||||
|
* @param string $tagList - if empty, uses default list of input tags. Otherwise a CSV list of tags to check (any type)
|
||||||
|
*
|
||||||
|
* @return boolean TRUE if an unopened closing tag found
|
||||||
|
* FALSE if nothing found
|
||||||
|
*/
|
||||||
|
function htmlAbuseFilter($data, $tagList = '')
|
||||||
|
{
|
||||||
|
if ($tagList == '')
|
||||||
|
{
|
||||||
|
$checkTags = array('textarea', 'input', 'td', 'tr', 'table');
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
$checkTags = explode(',', $tagList);
|
||||||
|
}
|
||||||
|
$data = preg_replace('#\[code\].*?\[\/code\]#i', '', $data); // Ignore code blocks
|
||||||
|
foreach ($checkTags as $tag)
|
||||||
|
{
|
||||||
|
if (($pos = stripos($data, '</'.$tag)) !== FALSE)
|
||||||
|
{
|
||||||
|
if ((($bPos = stripos($data, '<'.$tag )) === FALSE) || ($bPos > $pos))
|
||||||
|
{
|
||||||
|
return TRUE; // Potentially abusive HTML found
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return FALSE; // Nothing detected
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Checks a string for potentially dangerous HTML tags, including malformed tags
|
* Checks a string for potentially dangerous HTML tags, including malformed tags
|
||||||
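Review bot: htmlAbuseFilter compares only the first `</tag` with the first `<tag` (the stripos pair inside the foreach), so once one opening tag precedes the first closing tag every later closing tag of that name goes unchecked, which is narrower than the docblock's "closing tag without corresponding opening tag". The code-block strip on the line before the loop lacks the `s` modifier, so `.*?` stops at a newline and multi-line [code] blocks are still scanned — a false positive here only forces encoding, but the comment promises they are ignored. The bare prefix `'<'.$tag` also matches other tag names that start with the same letters (`<tr` in `<track`), and `explode(',', $tagList)` keeps surrounding spaces, so a list like `'td, tr'` never matches anything. A version that counts delimited open/close occurrences and keeps the ordering check is sketched below; the third argument of preg_match_all is passed explicitly because the surrounding `TRUE`/`array()` style suggests an older PHP target, presumably.
```php
$data = preg_replace('#\[code\].*?\[/code\]#is', '', $data); // Ignore code blocks, including multi-line ones
foreach ($checkTags as $tag)
{
    $quoted = preg_quote(trim($tag), '#');
    // Require a delimiter after the name so 'tr' does not match '<track'; count every
    // occurrence rather than only the first so a stray later closing tag is also caught
    $opens  = preg_match_all('#<'.$quoted.'[\s/>]#i', $data, $o, PREG_OFFSET_CAPTURE);
    $closes = preg_match_all('#</'.$quoted.'[\s>]#i', $data, $c, PREG_OFFSET_CAPTURE);
    if ($closes > 0 && ($closes > $opens || $c[0][0][1] < $o[0][0][1]))
    {
        return TRUE; // Potentially abusive HTML found
    }
}
return FALSE; // Nothing detected
```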
|
@@ -232,4 +232,7 @@ define('PRFLAN_217', 'Filter HTML content');
|
|||||||
define('PRFLAN_218', 'If \'off\', puts users at increased risk of XSS exploits posted by members of the above class, or prior to 0.7.24');
|
define('PRFLAN_218', 'If \'off\', puts users at increased risk of XSS exploits posted by members of the above class, or prior to 0.7.24');
|
||||||
|
|
||||||
define('PRFLAN_219', 'Not allowed characters found in Cookie name (alphanumeric characters allowed only). Cookie name not saved.');
|
define('PRFLAN_219', 'Not allowed characters found in Cookie name (alphanumeric characters allowed only). Cookie name not saved.');
|
||||||
|
define('PRFLAN_220', 'HTML Abuse filter (experimental)');
|
||||||
|
define('PRFLAN_221', 'Blocks some unmatched tags for those allowed to post HTML');
|
||||||
|
|
||||||
?>
|
?>
|