Merge pull request #5770 from JoshyPHP/ticket/16250

[ticket/16250] Add a service to check BBCodes safeness in ACP

phpBB/phpbb/textformatter/acp_utils_interface.php

@@ -0,0 +1,54 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+namespace phpbb\textformatter;
+
+interface acp_utils_interface
+{
+	/**
+	* There is an issue with the definition
+	*/
+	const BBCODE_STATUS_INVALID_DEFINITION = 'invalid_definition';
+
+	/**
+	* There is an issue with the template
+	*/
+	const BBCODE_STATUS_INVALID_TEMPLATE = 'invalid_template';
+
+	/**
+	* The BBCode is valid and can be safely used by anyone
+	*/
+	const BBCODE_STATUS_SAFE = 'safe';
+
+	/**
+	* The BBCode is valid but may be unsafe to use
+	*/
+	const BBCODE_STATUS_UNSAFE = 'unsafe';
+
+	/**
+	* Analyse given BBCode definition for issues and safeness
+	*
+	* Required elements in the return array:
+	*  - status: see BBCODE_STATUS_* constants
+	*
+	* Optional elements in the return array:
+	*  - name:       Name of the BBCode based on the definition. Required if status is "safe".
+	*  - error_text: Textual description of the issue in plain text or as a L_* string.
+	*  - error_html: Visual description of the issue in HTML.
+	*
+	* @param  string $definition BBCode definition, e.g. [b]{TEXT}[/b]
+	* @param  string $template   BBCode template, e.g. <b>{TEXT}</b>
+	* @return array
+	*/
+	public function analyse_bbcode(string $definition, string $template): array;
+}

phpBB/phpbb/textformatter/s9e/acp_utils.php

@@ -0,0 +1,67 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+namespace phpbb\textformatter\s9e;
+
+use phpbb\textformatter\acp_utils_interface;
+use s9e\TextFormatter\Configurator\Exceptions\UnsafeTemplateException;
+
+class acp_utils implements acp_utils_interface
+{
+	/**
+	* @var factory $factory
+	*/
+	protected $factory;
+
+	/**
+	* @param factory $factory
+	*/
+	public function __construct(factory $factory)
+	{
+		$this->factory = $factory;
+	}
+
+	/**
+	* {@inheritdoc}
+	*/
+	public function analyse_bbcode(string $definition, string $template): array
+	{
+		$configurator = $this->factory->get_configurator();
+		$return       = ['status' => self::BBCODE_STATUS_SAFE];
+
+		// Capture and normalize the BBCode name manually because there's no easy way to retrieve
+		// it in TextFormatter <= 2.x
+		if (preg_match('(\\[([-\\w]++))', $definition, $m))
+		{
+			$return['name'] = strtoupper($m[1]);
+		}
+
+		try
+		{
+			$configurator->BBCodes->addCustom($definition, $template);
+		}
+		catch (UnsafeTemplateException $e)
+		{
+			$return['status']     = self::BBCODE_STATUS_UNSAFE;
+			$return['error_text'] = $e->getMessage();
+			$return['error_html'] = $e->highlightNode('<span class="highlight">');
+		}
+		catch (\Exception $e)
+		{
+			$return['status']     = (preg_match('(xml|xpath|xsl)i', $e->getMessage())) ? self::BBCODE_STATUS_INVALID_TEMPLATE : self::BBCODE_STATUS_INVALID_DEFINITION;
+			$return['error_text'] = $e->getMessage();
+		}
+
+		return $return;
+	}
+}