
Clean toDB() handling of post_html and post_script preferences and abuse filtering.

This commit is contained in:
Cameron
2013-04-30 02:57:33 -07:00
parent 00284e8fa0
commit a8a257f8d2


@@ -481,23 +481,29 @@ class e_parse extends e_parser
$data = stripslashes($data); $data = stripslashes($data);
} }
if ($mod != 'pReFs') if ($mod != 'pReFs') //XXX We're not saving prefs.
{ {
$data = $this->preFilter($data); $data = $this->preFilter($data);
if (!check_class($core_pref->get('post_html', e_UC_MAINADMIN)) || !check_class($core_pref->get('post_script', e_UC_MAINADMIN)))
if (strip_tags($data) != $data) // html tags present.
{ {
$data = $this->dataFilter($data); $data = $this->cleanHtml($data); // sanitize all html.
// if ($this->htmlAbuseFilter($data)) $no_encode = FALSE; //XXX cleanHtml() is more effective.
}
if (!check_class($core_pref->get('post_html', e_UC_MAINADMIN)))
{
$data = strip_tags($data); // remove tags from cleaned html.
$data = str_replace(array('[html]','[/html]'),'',$data);
// $data = $this->dataFilter($data);
} }
} }
if (/*$core_pref->is('post_html') && */check_class($core_pref->get('post_html'))) if (check_class($core_pref->get('post_html'))) /*$core_pref->is('post_html') && */
{ {
$no_encode = TRUE; $no_encode = TRUE;
} }
if ($core_pref->get('html_abuse'))
{
if ($this->htmlAbuseFilter($data)) $no_encode = FALSE;
}
if (is_numeric($original_author) && !check_class($core_pref->get('post_html'), '', $original_author)) if (is_numeric($original_author) && !check_class($core_pref->get('post_html'), '', $original_author))
{ {
$no_encode = FALSE; $no_encode = FALSE;
@@ -515,7 +521,8 @@ class e_parse extends e_parser
$ret = preg_replace("/&#(\d*?);/", "&#\\1;", $data); $ret = preg_replace("/&#(\d*?);/", "&#\\1;", $data);
} }
// XXX - php_bbcode pref missing?
// XXX - php_bbcode has been deprecated.
if ((strpos($mod, 'no_php') !== FALSE) || !check_class($core_pref->get('php_bbcode'))) if ((strpos($mod, 'no_php') !== FALSE) || !check_class($core_pref->get('php_bbcode')))
{ {
$ret = preg_replace("#\[(php)#i", "[\\1", $ret); $ret = preg_replace("#\[(php)#i", "[\\1", $ret);
@@ -2401,12 +2408,12 @@ class e_parser
'i', 'pre','code', 'strong', 'u', 'em','ul','li','img','h1','h2','h3','h4','h5','h6','p', 'i', 'pre','code', 'strong', 'u', 'em','ul','li','img','h1','h2','h3','h4','h5','h6','p',
'div','pre','section','article', 'blockquote','hgroup','aside','figure','span', 'video', 'br', 'div','pre','section','article', 'blockquote','hgroup','aside','figure','span', 'video', 'br',
'small', 'caption' 'small', 'caption'
); );
private $scriptTags = array('script','applet','iframe'); //allowed whem $pref['post_script'] is enabled.
public function __construct() public function __construct()
{ {
$this->init(); $this->init();
/* /*
$meths = get_class_methods('DomDocument'); $meths = get_class_methods('DomDocument');
sort($meths); sort($meths);
@@ -2420,7 +2427,6 @@ class e_parser
function init() function init()
{ {
$this->domObj = new DOMDocument(); $this->domObj = new DOMDocument();
} }
/** /**
@@ -2625,7 +2631,14 @@ class e_parser
{ {
$this->init(); $this->init();
} }
$post_scripts = e107::getConfig()->get('post_html', e_UC_MAINADMIN); // Pref to Allow <script> tags
if(check_class($post_scripts))
{
$this->allowedTags = array_merge($this->allowedTags,$this->scriptTags);
}
// Set it up for processing. // Set it up for processing.
$doc = $this->domObj; $doc = $this->domObj;
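Review bot: The new code in cleanHtml() reads the `post_html` preference to decide whether to merge `$scriptTags` into `$this->allowedTags`, while the variable is named `$post_scripts`, the inline comment says "Pref to Allow <script> tags", and the new `$scriptTags` property is documented as "allowed whem $pref['post_script'] is enabled" — so, as written, every user class allowed to post HTML is also allowed `script`, `applet` and `iframe`. If the property comment states the intent, the lookup should be `$post_scripts = e107::getConfig()->get('post_script', e_UC_MAINADMIN); // Pref to Allow <script> tags`. Note also that `array_merge()` into `$this->allowedTags` persists across calls on the same parser instance, which looks harmless for a whitelist but is worth a comment. The enclosing method continues outside this hunk, so it is not visible whether anything downstream re-checks `post_script`.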