improved kses cleaning of html SC#204; merged from MOODLE_15_STABLE

2025-04-21 00:12:56 +02:00 · 2006-03-02 21:38:20 +00:00 · 2006-03-02 21:38:20 +00:00 · 29939bea87
commit 29939bea87
parent e56e5ed720
2 changed files with 24 additions and 2 deletions
--- a/lib/kses.php
+++ b/lib/kses.php
@ -470,7 +470,7 @@ function kses_bad_protocol_once($string, $allowed_protocols)
 ###############################################################################
 {
  return preg_replace('/^((&[^;]*;|[\sA-Za-z0-9])*)'.
-                      '(:|&#58;|&#[Xx]3[Aa];)\s*/e',
+                      '(:|&#0*58;|&#[Xx]3[Aa];)\s*/e',
                      'kses_bad_protocol_once2("\\1", $allowed_protocols)',
                      $string);
 } # function kses_bad_protocol_once
--- a/lib/weblib.php
+++ b/lib/weblib.php
@ -1456,6 +1456,10 @@ function clean_text($text, $format=FORMAT_MOODLE) {

        default:

+        /// Fix non standard entity notations
+            $text = preg_replace('/(&#[0-9]+)(;?)/', "\\1;", $text);
+            $text = preg_replace('/(&#x[0-9a-fA-F]+)(;?)/', "\\1;", $text);
+
        /// Remove tags that are not allowed
            $text = strip_tags($text, $ALLOWED_TAGS);

@ -1518,7 +1522,25 @@ function cleanAttributes2($htmlArray){

    $attStr = '';
    foreach ($attrArray as $arreach) {
-        $attStr .=  ' '.strtolower($arreach['name']).'="'.$arreach['value'].'" ';
+        $arreach['name'] = strtolower($arreach['name']);
+        if ($arreach['name'] == 'style') {
+            $value = $arreach['value'];
+            while (true) {
+                $prevvalue = $value;
+                $value = kses_no_null($value);
+                $value = preg_replace("/\/\*.*\*\//Us", '', $value);
+                $value = kses_decode_entities($value);
+                $value = preg_replace('/(&#[0-9]+)(;?)/', "\\1;", $value);
+                $value = preg_replace('/(&#x[0-9a-fA-F]+)(;?)/', "\\1;", $value);
+                if ($value === $prevvalue) {
+                    $arreach['value'] = $value;
+                    break;
+                }
+            }
+            $arreach['value'] = preg_replace("/j\s*a\s*v\s*a\s*s\s*c\s*r\s*i\s*p\s*t/i", "Xjavascript", $arreach['value']);
+            $arreach['value'] = preg_replace("/e\s*x\s*p\s*r\s*e\s*s\s*s\s*i\s*o\s*n/i", "Xexpression", $arreach['value']);
+        }
+        $attStr .=  ' '.$arreach['name'].'="'.$arreach['value'].'" ';
    }

    // Remove last space from attribute list