From 9aa4a822efac6763c0de22d5d62fe7e6b3c9c31a Mon Sep 17 00:00:00 2001
From: Henry Sudhof <kellanved@phpbb.com>
Date: Sun, 21 Feb 2010 11:35:45 +0000
Subject: [PATCH] Enter stage left: the INTTEXT token (merge)

git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_7@10517 89ea8834-ac86-4346-8a33-228a782c2dd0
---
 phpBB/docs/CHANGELOG.html          | 3 +++
 phpBB/includes/acp/acp_bbcodes.php | 8 +++++++-
 phpBB/includes/bbcode.php          | 2 +-
 phpBB/language/en/acp/posting.php  | 5 +++--
 4 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/phpBB/docs/CHANGELOG.html b/phpBB/docs/CHANGELOG.html
index 7204f15110..218ed0b90e 100644
--- a/phpBB/docs/CHANGELOG.html
+++ b/phpBB/docs/CHANGELOG.html
@@ -179,7 +179,10 @@
 		<li>[Change] Tweak Q&amp;A CAPTCHA garbage collection.</li>
 		<li>[Change] Show a proper preview for the Q&amp;A CAPTCHA. (Bug #56365)</li>
 		<li>[Change] Speed up topic move operation by adding an index for topic_id on the topics track table. (Bug #56545)</li>
+		<li>[Change] Warn users about potentially dangerous BBcodes.</li>
 		<li>[Feature] Ability to use HTTP authentication in ATOM feeds by passing the GET parameter &quot;auth=http&quot;.</li>
+		<li>[Feature] Add INTTEXT token type to custom bbcodes to allow non-ASCII letters in html attributes.</li>
+
 	</ul>
 
 	<a name="v305"></a><h3>1.ii. Changes since 3.0.5</h3>
diff --git a/phpBB/includes/acp/acp_bbcodes.php b/phpBB/includes/acp/acp_bbcodes.php
index 681794c972..ab042f15bf 100644
--- a/phpBB/includes/acp/acp_bbcodes.php
+++ b/phpBB/includes/acp/acp_bbcodes.php
@@ -315,6 +315,7 @@ class acp_bbcodes
 	{
 		$bbcode_match = trim($bbcode_match);
 		$bbcode_tpl = trim($bbcode_tpl);
+		$utf8 = strpos($bbcode_match, 'INTTEXT') !== false;
 
 		$fp_match = preg_quote($bbcode_match, '!');
 		$fp_replace = preg_replace('#^\[(.*?)\]#', '[$1:$uid]', $bbcode_match);
@@ -342,6 +343,9 @@ class acp_bbcodes
 			'SIMPLETEXT' => array(
 				'!([a-zA-Z0-9-+.,_ ]+)!'	 =>	"$1"
 			),
+			'INTTEXT' => array(
+				'!([\p{L}\p{N}+-,_.\s]+)!u'	 =>	"$1"
+			),
 			'IDENTIFIER' => array(
 				'!([a-zA-Z0-9-_]+)!'	 =>	"$1"
 			),
@@ -359,6 +363,7 @@ class acp_bbcodes
 			'EMAIL' => '(' . get_preg_expression('email') . ')',
 			'TEXT' => '(.*?)',
 			'SIMPLETEXT' => '([a-zA-Z0-9-+.,_ ]+)',
+			'INTTEXT' => '([\p{L}\p{N}+-,_.\s]+)',
 			'IDENTIFIER' => '([a-zA-Z0-9-_]+)',
 			'COLOR' => '([a-zA-Z]+|#[0-9abcdefABCDEF]+)',
 			'NUMBER' => '([0-9]+)',
@@ -366,7 +371,8 @@ class acp_bbcodes
 
 		$pad = 0;
 		$modifiers = 'i';
-
+		$modifiers .= ($utf8) ? 'u' : '';
+		
 		if (preg_match_all('/\{(' . implode('|', array_keys($tokens)) . ')[0-9]*\}/i', $bbcode_match, $m))
 		{
 			foreach ($m[0] as $n => $token)
diff --git a/phpBB/includes/bbcode.php b/phpBB/includes/bbcode.php
index f58852c00b..304191e38d 100644
--- a/phpBB/includes/bbcode.php
+++ b/phpBB/includes/bbcode.php
@@ -360,7 +360,7 @@ class bbcode
 								// In order to use templates with custom bbcodes we need
 								// to replace all {VARS} to corresponding backreferences
 								// Note that backreferences are numbered from bbcode_match
-								if (preg_match_all('/\{(URL|LOCAL_URL|EMAIL|TEXT|SIMPLETEXT|IDENTIFIER|COLOR|NUMBER)[0-9]*\}/', $rowset[$bbcode_id]['bbcode_match'], $m))
+								if (preg_match_all('/\{(URL|LOCAL_URL|EMAIL|TEXT|SIMPLETEXT|INTTEXT|IDENTIFIER|COLOR|NUMBER)[0-9]*\}/', $rowset[$bbcode_id]['bbcode_match'], $m))
 								{
 									foreach ($m[0] as $i => $tok)
 									{
diff --git a/phpBB/language/en/acp/posting.php b/phpBB/language/en/acp/posting.php
index 74cd29ffee..443f4a3ea2 100644
--- a/phpBB/language/en/acp/posting.php
+++ b/phpBB/language/en/acp/posting.php
@@ -41,7 +41,7 @@ $lang = array_merge($lang, array(
 	'ACP_BBCODES_EXPLAIN'		=> 'BBCode is a special implementation of HTML offering greater control over what and how something is displayed. From this page you can add, remove and edit custom BBCodes.',
 	'ADD_BBCODE'				=> 'Add a new BBCode',
 
-	'BBCODE_DANGER'				=> 'The BBCode you are trying to add seems to use a {TEXT} token inside a HTML attribute. This is a possible XSS security issue. Try using the more restrictive {SIMPLETEXT} type instead. Only proceed if you understand the risks involved and you consider the use of {TEXT} absolutely unavoidable.',
+	'BBCODE_DANGER'				=> 'The BBCode you are trying to add seems to use a {TEXT} token inside a HTML attribute. This is a possible XSS security issue. Try using the more restrictive {SIMPLETEXT} or {INTTEXT} types instead. Only proceed if you understand the risks involved and you consider the use of {TEXT} absolutely unavoidable.',
 	'BBCODE_DANGER_PROCEED'		=> 'Proceed', //'I understand the risk',
 
 	'BBCODE_ADDED'				=> 'BBCode added successfully.',
@@ -76,8 +76,9 @@ $lang = array_merge($lang, array(
 	'TOO_MANY_BBCODES'		=> 'You cannot create any more BBCodes. Please remove one or more BBCodes then try again.',
 
 	'tokens'	=>	array(
-		'TEXT'			=> 'Any text, including foreign characters, numbers, etc… You should not use this token in HTML tags. Instead try to use IDENTIFIER or SIMPLETEXT.',
+		'TEXT'			=> 'Any text, including foreign characters, numbers, etc… You should not use this token in HTML tags. Instead try to use IDENTIFIER, INTTEXT or SIMPLETEXT.',
 		'SIMPLETEXT'	=> 'Characters from the latin alphabet (A-Z), numbers, spaces, commas, dots, minus, plus, hyphen and underscore',
+		'INTTEXT'		=> 'Unicode letter characters, numbers, spaces, commas, dots, minus, plus, hyphen, underscore and whitespaces.',
 		'IDENTIFIER'	=> 'Characters from the latin alphabet (A-Z), numbers, hyphen and underscore',
 		'NUMBER'		=> 'Any series of digits',
 		'EMAIL'			=> 'A valid e-mail address',