Commit 0a8535ee authored by Steven Wittens's avatar Steven Wittens

- Fix: do not call prepare hook when the admin has chosen to escape everything

- Code style: use constants to prevent confusing configuration options
parent 3e5d7498
<?php
// $Id$
define('FILTER_HTML_DONOTHING', 0);
define('FILTER_HTML_STRIP', 1);
define('FILTER_HTML_ESCAPE', 2);
define('FILTER_STYLE_ALLOW', 0);
define('FILTER_STYLE_STRIP', 1);
function filter_help($section = "admin/help#filter") {
switch ($section) {
case 'admin/system/modules#description':
......@@ -15,7 +22,7 @@ function filter_help($section = "admin/help#filter") {
<p>Filters are executed from top-to-bottom. You can use the weight column to rearrange them: heavier filters 'sink' to the bottom. Standard HTML filtering is always run first.</p>");
case 'filter#long-tip':
case 'filter#short-tip':
switch (variable_get("filter_html", 1)) {
switch (variable_get("filter_html", FILTER_HTML_DONOTHING)) {
case 0:
return t("All HTML tags allowed");
break;
......@@ -49,7 +56,7 @@ function filter_admin_order() {
$op = $_POST["op"];
if ($op == t("Save configuration")) {
foreach ($edit as $module => $filter) {
db_query("UPDATE {filters} SET weight = '%d' WHERE module = '%s'", $filter["weight"], $module);
db_query("UPDATE {filters} SET weight = %d WHERE module = '%s'", $filter["weight"], $module);
}
}
......@@ -114,7 +121,7 @@ function filter_refresh() {
if (module_hook($module, "filter")) {
$weight = $filters[$module]["weight"];
db_query("INSERT INTO {filters} (module, weight) VALUES ('%s','%d')", $module, $weight);
db_query("INSERT INTO {filters} (module, weight) VALUES ('%s', %d)", $module, $weight);
}
}
......@@ -143,9 +150,12 @@ function check_output($text) {
// Filter content on output:
$filters = filter_list();
// Give filters the chance to escape HTML-like data before being passed to the HTML stripper
foreach ($filters as $module => $filter) {
$text = module_invoke($module, "filter", "prepare", $text);
// Give filters the chance to escape HTML-like data such as code or formulas
// (from this point on, the input can be treated as HTML)
if (variable_get("filter_html", FILTER_HTML_DONOTHING) != FILTER_HTML_ESCAPE) {
foreach ($filters as $module => $filter) {
$text = module_invoke($module, "filter", "prepare", $text);
}
}
// HTML handling is done before all regular filtering activities
......@@ -172,16 +182,16 @@ function check_output($text) {
}
function filter_default($text) {
if (variable_get("filter_html", 0) == 1) {
if (variable_get("filter_html", FILTER_HTML_DONOTHING) == FILTER_HTML_STRIP) {
// Allow users to enter HTML, but filter it
$text = strip_tags($text, variable_get("allowed_html", ""));
if (variable_get("filter_style", 1)) {
if (variable_get("filter_style", FILTER_STYLE_STRIP)) {
$text = preg_replace("/\Wstyle\s*=[^>]+?>/i", ">", $text);
}
$text = preg_replace("/\Won[a-z]+\s*=[^>]+?>/i", ">", $text);
}
if (variable_get("filter_html", 0) == 2) {
if (variable_get("filter_html", FILTER_HTML_DONOTHING) == FILTER_HTML_ESCAPE) {
// Escape HTML
$text = htmlspecialchars($text);
}
......@@ -190,9 +200,9 @@ function filter_default($text) {
}
function filter_default_settings() {
$group = form_radios(t("Filter HTML tags"), "filter_html", variable_get("filter_html", 0), array(0 => t("Do not filter"), 1 => t("Strip tags"), 2 => t("Escape tags")), t("How to deal with HTML and PHP tags in user-contributed content. If set to \"Strip tags\", dangerous tags are removed (see below). If set to \"Escape tags\", all HTML is escaped and presented as it was typed."));
$group = form_radios(t("Filter HTML tags"), "filter_html", variable_get("filter_html", FILTER_HTML_DONOTHING), array(FILTER_HTML_DONOTHING => t("Do not filter"), FILTER_HTML_STRIP => t("Strip tags"), FILTER_HTML_ESCAPE => t("Escape tags")), t("How to deal with HTML and PHP tags in user-contributed content. If set to \"Strip tags\", dangerous tags are removed (see below). If set to \"Escape tags\", all HTML is escaped and presented as it was typed."));
$group .= form_textfield(t("Allowed HTML tags"), "allowed_html", variable_get("allowed_html", "<a> <b> <dd> <dl> <dt> <i> <li> <ol> <u> <ul>"), 64, 255, t("If \"Strip tags\" is selected, optionally specify tags which should not be stripped. 'ON*' attributes and unclosed tags are always stripped."));
$group .= form_radios(t("HTML style attributes"), "filter_style", variable_get("filter_style", 1), array(t("Allowed"), t("Removed")), t("If \"Strip tags\" is selected, you can choose whether 'STYLE' attributes are allowed or removed from input."));
$group .= form_radios(t("HTML style attributes"), "filter_style", variable_get("filter_style", FILTER_STYLE_STRIP), array(FILTER_STYLE_ALLOW => t("Allowed"), FILTER_STYLE_STRIP => t("Removed")), t("If \"Strip tags\" is selected, you can choose whether 'STYLE' attributes are allowed or removed from input."));
$output .= form_group(t("HTML filtering"), $group);
return $output;
......
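Review bot: In filter_default the style check `if (variable_get("filter_style", FILTER_STYLE_STRIP)) {` still relies on truthiness — it only works because FILTER_STYLE_STRIP happens to be 1 and FILTER_STYLE_ALLOW 0 — while the filter_html checks in the same hunk compare against the named constant; for the consistency this commit is after, write it as `if (variable_get("filter_style", FILTER_STYLE_STRIP) == FILTER_STYLE_STRIP) {`. The filter_help hunk has the same leftover, where `case 0:` remains a bare literal directly under the switch that now reads FILTER_HTML_DONOTHING (the other cases are outside the hunk and presumably literal too). In check_output, skipping the prepare hook is correct only because filter_default's FILTER_HTML_ESCAPE branch then runs htmlspecialchars over the whole text, so the two reads of filter_html are now coupled and a future mode added in one place but not the other would either double-escape or hand unprepared code-like content to strip_tags; a comment at the new condition would make that explicit, e.g. `// Must stay in step with the escape branch of filter_default(): fully escaped output needs no prepare pass`. Both check_output and filter_default continue outside their hunks.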
<?php
// $Id$
define('FILTER_HTML_DONOTHING', 0);
define('FILTER_HTML_STRIP', 1);
define('FILTER_HTML_ESCAPE', 2);
define('FILTER_STYLE_ALLOW', 0);
define('FILTER_STYLE_STRIP', 1);
function filter_help($section = "admin/help#filter") {
switch ($section) {
case 'admin/system/modules#description':
......@@ -15,7 +22,7 @@ function filter_help($section = "admin/help#filter") {
<p>Filters are executed from top-to-bottom. You can use the weight column to rearrange them: heavier filters 'sink' to the bottom. Standard HTML filtering is always run first.</p>");
case 'filter#long-tip':
case 'filter#short-tip':
switch (variable_get("filter_html", 1)) {
switch (variable_get("filter_html", FILTER_HTML_DONOTHING)) {
case 0:
return t("All HTML tags allowed");
break;
......@@ -49,7 +56,7 @@ function filter_admin_order() {
$op = $_POST["op"];
if ($op == t("Save configuration")) {
foreach ($edit as $module => $filter) {
db_query("UPDATE {filters} SET weight = '%d' WHERE module = '%s'", $filter["weight"], $module);
db_query("UPDATE {filters} SET weight = %d WHERE module = '%s'", $filter["weight"], $module);
}
}
......@@ -114,7 +121,7 @@ function filter_refresh() {
if (module_hook($module, "filter")) {
$weight = $filters[$module]["weight"];
db_query("INSERT INTO {filters} (module, weight) VALUES ('%s','%d')", $module, $weight);
db_query("INSERT INTO {filters} (module, weight) VALUES ('%s', %d)", $module, $weight);
}
}
......@@ -143,9 +150,12 @@ function check_output($text) {
// Filter content on output:
$filters = filter_list();
// Give filters the chance to escape HTML-like data before being passed to the HTML stripper
foreach ($filters as $module => $filter) {
$text = module_invoke($module, "filter", "prepare", $text);
// Give filters the chance to escape HTML-like data such as code or formulas
// (from this point on, the input can be treated as HTML)
if (variable_get("filter_html", FILTER_HTML_DONOTHING) != FILTER_HTML_ESCAPE) {
foreach ($filters as $module => $filter) {
$text = module_invoke($module, "filter", "prepare", $text);
}
}
// HTML handling is done before all regular filtering activities
......@@ -172,16 +182,16 @@ function check_output($text) {
}
function filter_default($text) {
if (variable_get("filter_html", 0) == 1) {
if (variable_get("filter_html", FILTER_HTML_DONOTHING) == FILTER_HTML_STRIP) {
// Allow users to enter HTML, but filter it
$text = strip_tags($text, variable_get("allowed_html", ""));
if (variable_get("filter_style", 1)) {
if (variable_get("filter_style", FILTER_STYLE_STRIP)) {
$text = preg_replace("/\Wstyle\s*=[^>]+?>/i", ">", $text);
}
$text = preg_replace("/\Won[a-z]+\s*=[^>]+?>/i", ">", $text);
}
if (variable_get("filter_html", 0) == 2) {
if (variable_get("filter_html", FILTER_HTML_DONOTHING) == FILTER_HTML_ESCAPE) {
// Escape HTML
$text = htmlspecialchars($text);
}
......@@ -190,9 +200,9 @@ function filter_default($text) {
}
function filter_default_settings() {
$group = form_radios(t("Filter HTML tags"), "filter_html", variable_get("filter_html", 0), array(0 => t("Do not filter"), 1 => t("Strip tags"), 2 => t("Escape tags")), t("How to deal with HTML and PHP tags in user-contributed content. If set to \"Strip tags\", dangerous tags are removed (see below). If set to \"Escape tags\", all HTML is escaped and presented as it was typed."));
$group = form_radios(t("Filter HTML tags"), "filter_html", variable_get("filter_html", FILTER_HTML_DONOTHING), array(FILTER_HTML_DONOTHING => t("Do not filter"), FILTER_HTML_STRIP => t("Strip tags"), FILTER_HTML_ESCAPE => t("Escape tags")), t("How to deal with HTML and PHP tags in user-contributed content. If set to \"Strip tags\", dangerous tags are removed (see below). If set to \"Escape tags\", all HTML is escaped and presented as it was typed."));
$group .= form_textfield(t("Allowed HTML tags"), "allowed_html", variable_get("allowed_html", "<a> <b> <dd> <dl> <dt> <i> <li> <ol> <u> <ul>"), 64, 255, t("If \"Strip tags\" is selected, optionally specify tags which should not be stripped. 'ON*' attributes and unclosed tags are always stripped."));
$group .= form_radios(t("HTML style attributes"), "filter_style", variable_get("filter_style", 1), array(t("Allowed"), t("Removed")), t("If \"Strip tags\" is selected, you can choose whether 'STYLE' attributes are allowed or removed from input."));
$group .= form_radios(t("HTML style attributes"), "filter_style", variable_get("filter_style", FILTER_STYLE_STRIP), array(FILTER_STYLE_ALLOW => t("Allowed"), FILTER_STYLE_STRIP => t("Removed")), t("If \"Strip tags\" is selected, you can choose whether 'STYLE' attributes are allowed or removed from input."));
$output .= form_group(t("HTML filtering"), $group);
return $output;
......