Commit 51208885 authored by Steven Wittens's avatar Steven Wittens

General filtering improvements

- Re-added STYLE/ON*= filtering (this got lost a while ago due to reorganisation)
- Added form_group's to node.module's filter options
- Fixed incorrect filter usage in poll.module
parent e8c7d2e0
......@@ -507,10 +507,14 @@ function node_settings() {
}
function node_conf_filters() {
$output .= form_radios(t("Filter HTML tags"), "filter_html", variable_get("filter_html", 0), array(0 => t("Do not filter"), 1 => t("Strip tags"), 2 => t("Escape tags")), t("How to deal with HTML and PHP tags in user-contributed content. If set to \"Strip tags\", dangerous tags are removed. If set to \"Escape tags\", all HTML is escaped and presented as it was typed."));
$output .= form_textfield(t("Allowed HTML tags"), "allowed_html", variable_get("allowed_html", "<a> <b> <dd> <dl> <dt> <i> <li> <ol> <u> <ul>"), 64, 255, t("If \"Strip tags\" is selected, optionally specify tags which should not be stripped. 'STYLE' attributes, 'ON*' attributes and unclosed tags are always stripped."));
$output .= form_radios(t("Rewrite old URLs"), "rewrite_old_urls", variable_get("rewrite_old_urls", 0), array(t("Disabled"), t("Enabled")), t("The introduction of 'clean URLs' in Drupal 4.2.0 breaks internal URLs that date back from Drupal 4.1.0 and before. If enabled, this filter will attempt to rewrite the old style URLs to avoid broken links. If <code>mod_rewrite</code> is available on your system, use the rewrite rules in Drupal's <code>.htaccess</code> file instead as these will also correct external referrers."));
$output .= "<hr />";
$group1 .= form_radios(t("Filter HTML tags"), "filter_html", variable_get("filter_html", 0), array(0 => t("Do not filter"), 1 => t("Strip tags"), 2 => t("Escape tags")), t("How to deal with HTML and PHP tags in user-contributed content. If set to \"Strip tags\", dangerous tags are removed (see below). If set to \"Escape tags\", all HTML is escaped and presented as it was typed."));
$group1 .= form_textfield(t("Allowed HTML tags"), "allowed_html", variable_get("allowed_html", "<a> <b> <dd> <dl> <dt> <i> <li> <ol> <u> <ul>"), 64, 255, t("If \"Strip tags\" is selected, optionally specify tags which should not be stripped. 'ON*' attributes and unclosed tags are always stripped."));
$group1 .= form_radios(t("HTML style attributes"), "filter_style", variable_get("filter_style", 1), array(t("Allowed"), t("Removed")), t("If \"Strip tags\" is selected, you can choose whether 'STYLE' attributes are allowed or removed from input."));
$output .= form_group("HTML filtering", $group1);
$group2 .= form_radios(t("Rewrite old URLs"), "rewrite_old_urls", variable_get("rewrite_old_urls", 0), array(t("Disabled"), t("Enabled")), t("The introduction of 'clean URLs' in Drupal 4.2.0 breaks internal URLs that date back from Drupal 4.1.0 and before. If enabled, this filter will attempt to rewrite the old style URLs to avoid broken links. If <code>mod_rewrite</code> is available on your system, use the rewrite rules in Drupal's <code>.htaccess</code> file instead as these will also correct external referrers."));
$output .= form_group("Legacy filtering", $group2);
return $output;
}
......@@ -520,6 +524,13 @@ function node_escape_html($text) {
function node_filter_html($text) {
$text = strip_tags($text, variable_get("allowed_html", ""));
if (variable_get("filter_style", 1)) {
$text = preg_replace("/\Wstyle\s*=[^>]+?>/i", ">", $text);
}
$text = preg_replace("/\Won[a-z]+\s*=[^>]+?>/i", ">", $text);
return $text;
}
......
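Review bot: node_filter_html now strips only `style` and `on*` attributes, so every other attribute on an allowed tag survives `strip_tags` — with `<a>` in the default allowed_html list, an `href="javascript:..."` passes untouched, which contradicts the "dangerous tags are removed (see below)" wording in the Filter HTML tags description. A companion rule in the same style would close the obvious spelling, `$text = preg_replace("/\W(href|src)\s*=\s*[\"']?\s*javascript:[^>]*?>/i", ">", $text);`, though a scheme allow-list on URL-bearing attributes is the more robust fix. Note also that the lazy `[^>]+?>` tail deletes every attribute following the offending one and stops at the first `>`, including one inside a quoted value, so the remainder of that value is then emitted as text; the handler itself is still removed in that case. Both regexes rely on a `\W` character preceding the attribute name, which covers whitespace, quotes and `/`, but tabs and newlines between attributes deserve an explicit test.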
......@@ -507,10 +507,14 @@ function node_settings() {
}
function node_conf_filters() {
$output .= form_radios(t("Filter HTML tags"), "filter_html", variable_get("filter_html", 0), array(0 => t("Do not filter"), 1 => t("Strip tags"), 2 => t("Escape tags")), t("How to deal with HTML and PHP tags in user-contributed content. If set to \"Strip tags\", dangerous tags are removed. If set to \"Escape tags\", all HTML is escaped and presented as it was typed."));
$output .= form_textfield(t("Allowed HTML tags"), "allowed_html", variable_get("allowed_html", "<a> <b> <dd> <dl> <dt> <i> <li> <ol> <u> <ul>"), 64, 255, t("If \"Strip tags\" is selected, optionally specify tags which should not be stripped. 'STYLE' attributes, 'ON*' attributes and unclosed tags are always stripped."));
$output .= form_radios(t("Rewrite old URLs"), "rewrite_old_urls", variable_get("rewrite_old_urls", 0), array(t("Disabled"), t("Enabled")), t("The introduction of 'clean URLs' in Drupal 4.2.0 breaks internal URLs that date back from Drupal 4.1.0 and before. If enabled, this filter will attempt to rewrite the old style URLs to avoid broken links. If <code>mod_rewrite</code> is available on your system, use the rewrite rules in Drupal's <code>.htaccess</code> file instead as these will also correct external referrers."));
$output .= "<hr />";
$group1 .= form_radios(t("Filter HTML tags"), "filter_html", variable_get("filter_html", 0), array(0 => t("Do not filter"), 1 => t("Strip tags"), 2 => t("Escape tags")), t("How to deal with HTML and PHP tags in user-contributed content. If set to \"Strip tags\", dangerous tags are removed (see below). If set to \"Escape tags\", all HTML is escaped and presented as it was typed."));
$group1 .= form_textfield(t("Allowed HTML tags"), "allowed_html", variable_get("allowed_html", "<a> <b> <dd> <dl> <dt> <i> <li> <ol> <u> <ul>"), 64, 255, t("If \"Strip tags\" is selected, optionally specify tags which should not be stripped. 'ON*' attributes and unclosed tags are always stripped."));
$group1 .= form_radios(t("HTML style attributes"), "filter_style", variable_get("filter_style", 1), array(t("Allowed"), t("Removed")), t("If \"Strip tags\" is selected, you can choose whether 'STYLE' attributes are allowed or removed from input."));
$output .= form_group("HTML filtering", $group1);
$group2 .= form_radios(t("Rewrite old URLs"), "rewrite_old_urls", variable_get("rewrite_old_urls", 0), array(t("Disabled"), t("Enabled")), t("The introduction of 'clean URLs' in Drupal 4.2.0 breaks internal URLs that date back from Drupal 4.1.0 and before. If enabled, this filter will attempt to rewrite the old style URLs to avoid broken links. If <code>mod_rewrite</code> is available on your system, use the rewrite rules in Drupal's <code>.htaccess</code> file instead as these will also correct external referrers."));
$output .= form_group("Legacy filtering", $group2);
return $output;
}
......@@ -520,6 +524,13 @@ function node_escape_html($text) {
function node_filter_html($text) {
$text = strip_tags($text, variable_get("allowed_html", ""));
if (variable_get("filter_style", 1)) {
$text = preg_replace("/\Wstyle\s*=[^>]+?>/i", ">", $text);
}
$text = preg_replace("/\Won[a-z]+\s*=[^>]+?>/i", ">", $text);
return $text;
}
......
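Review bot: The two new `form_group()` titles, `"HTML filtering"` and `"Legacy filtering"`, are the only user-facing strings in node_conf_filters not wrapped in `t()`, unlike every label and description beside them; use `form_group(t("HTML filtering"), $group1)` and `form_group(t("Legacy filtering"), $group2)`. The new `$group1 .=` and `$group2 .=` chains also start by appending to an undeclared variable, which raises a notice under E_ALL; initialising the first line of each group with `=` rather than `.=` avoids that without changing output.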
......@@ -286,7 +286,7 @@ function poll_view_voting(&$node, $main, $block, $links) {
if ($node->choice) {
foreach ($node->choice as $key => $value) {
if ($value != "") {
$output .= "<div><input type=\"radio\" name=\"pollvote[$node->nid]\" value=\"$key\" />". filter($value) ."</div>";
$output .= "<div><input type=\"radio\" name=\"pollvote[$node->nid]\" value=\"$key\" />". check_output($value) ."</div>";
}
}
}
......@@ -317,7 +317,7 @@ function poll_view_results(&$node, $main, $block, $links) {
if ($value != "") {
$width = round($node->chvotes[$key] * 100 / max($votestotal, 1));
$percentage = round($node->chvotes[$key] * 100 / max($votestotal, 1));
$output .= "<div class=\"text\">". filter($value) ."</div>";
$output .= "<div class=\"text\">". check_output($value) ."</div>";
$output .= "<div class=\"bar\">";
$output .= "<div style=\"width: ". $width ."%;\" class=\"foreground\"></div>";
$output .= "<div style=\"width: ". (100 - $width) ."%;\" class=\"background\"></div>";
......
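Review bot: `check_output($value)` routes the poll choice through the site-wide filter, whose `filter_html` setting defaults to 0, "Do not filter", per node_conf_filters in this same commit, so on a default install the choice text is still emitted as raw HTML inside the `<div>`; a poll choice is a short label, so escaping it with `htmlspecialchars($value)` would be the safer default if existing polls do not rely on markup in choices. `$key` is interpolated unescaped into `value=\"$key\"`; if `$node->choice` keys are always integer indices this is harmless, but that is decided where the array is built, outside the hunk. Both enclosing functions, poll_view_voting and poll_view_results, begin and end outside the visible lines.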
......@@ -286,7 +286,7 @@ function poll_view_voting(&$node, $main, $block, $links) {
if ($node->choice) {
foreach ($node->choice as $key => $value) {
if ($value != "") {
$output .= "<div><input type=\"radio\" name=\"pollvote[$node->nid]\" value=\"$key\" />". filter($value) ."</div>";
$output .= "<div><input type=\"radio\" name=\"pollvote[$node->nid]\" value=\"$key\" />". check_output($value) ."</div>";
}
}
}
......@@ -317,7 +317,7 @@ function poll_view_results(&$node, $main, $block, $links) {
if ($value != "") {
$width = round($node->chvotes[$key] * 100 / max($votestotal, 1));
$percentage = round($node->chvotes[$key] * 100 / max($votestotal, 1));
$output .= "<div class=\"text\">". filter($value) ."</div>";
$output .= "<div class=\"text\">". check_output($value) ."</div>";
$output .= "<div class=\"bar\">";
$output .= "<div style=\"width: ". $width ."%;\" class=\"foreground\"></div>";
$output .= "<div style=\"width: ". (100 - $width) ."%;\" class=\"background\"></div>";
......