Fixes #3926, #4135 - support for attributes onchange, onclick etc. when script access is enabled.

2025-08-01 12:20:44 +02:00 · 2020-04-30 14:52:44 -07:00
parent c7fe56f525
commit e4de8502c5
2 changed files with 91 additions and 12 deletions
--- a/e107_handlers/e_parse_class.php
+++ b/e107_handlers/e_parse_class.php
@@ -3851,7 +3851,12 @@ class e_parser
                                        'small', 'caption', 'noscript', 'hr', 'section', 'iframe', 'sub', 'sup', 'cite', 'x-bbcode', 'label'
                                   );
    protected $scriptTags 		= array('script','applet','form','input','button', 'embed', 'object', 'ins', 'select','textarea'); //allowed when $pref['post_script'] is enabled.
-	
+
+    protected $scriptAttributes = array('onclick', 'onchange', 'onblur', 'onload', 'onfocus', 'onkeydown', 'onkeypress', 'onkeyup',
+                                        'ondblclick', 'onmousedown', 'onmousemove', 'onmouseout', 'onmouseover', 'onmouseup', 'onmousewheel',
+                                        'onwheel', 'oncopy', 'oncut', 'onpaste'
+                                    );
+
 	protected $blockTags		= array('pre','div','h1','h2','h3','h4','h5','h6','blockquote'); // element includes its own line-break. 


@@ -3932,7 +3937,11 @@ class e_parser
 	public function getAllowedTags()
 	{
 		return $this->allowedTags;
+	}

+    public function getAllowedAttributes()
+	{
+		return $this->allowedAttributes;
 	}


@@ -3941,6 +3950,11 @@ class e_parser
 		return $this->scriptAccess;
 	}

+	public function getRemoved()
+    {
+        return $this->removedList;
+    }
+
 	/**
     * Set Allowed Attributes. 
     * @param $array 
@@ -5356,6 +5370,24 @@ return;
 	}


+    private function grantScriptAccess()
+    {
+         $this->allowedTags = array_merge($this->allowedTags, $this->scriptTags);
+
+        foreach($this->allowedAttributes as $tag => $att)
+        {
+            foreach($this->scriptAttributes as $new)
+            {
+                $this->allowedAttributes[$tag][] = $new;
+            }
+        }
+
+
+        return null;
+    }
+
+
+
    /**
     * Process and clean HTML from user input.
     * TODO Html5 tag support.
@@ -5399,6 +5431,7 @@ return;
 			$this->init();	
 		}

+
 		if($this->scriptAccess === false)
 		{
 	        $this->scriptAccess = e107::getConfig()->get('post_script', e_UC_MAINADMIN); // Pref to Allow <script> tags11;
@@ -5406,7 +5439,7 @@ return;

 		if(check_class($this->scriptAccess))
        {
-            $this->allowedTags = array_merge($this->allowedTags, $this->scriptTags);
+            $this->grantScriptAccess();
        }

 		
@@ -5458,7 +5491,8 @@ return;
                $name = $attr->nodeName;
                $value = $attr->nodeValue;

-                $allow = varset($this->allowedAttributes[$tag], $this->allowedAttributes['default']);
+                $allow = isset($this->allowedAttributes[$tag]) ? $this->allowedAttributes[$tag] : $this->allowedAttributes['default'];
+
                $removeAttributes = array();

                if(!in_array($name, $allow))