Commit ffe4dc84 authored by Dries's avatar Dries

- Patch #46941 by Zen and Ber: move PHP input filter to dedicated module.

parent df1bea8b
......@@ -19,6 +19,7 @@ Drupal 6.0, xxxx-xx-xx (development version)
* Support for right to left scripts.
* Language detection based on parts of the URL.
* Browser based language detection.
- Moved "PHP input filter" to a stand-alone module so it can be deleted for security reasons.
- Language dependent path aliases.
- Added .info files to themes and made it easier to specify regions and features.
......
......@@ -73,7 +73,7 @@ function filter_theme() {
function filter_menu() {
$items['admin/settings/filters'] = array(
'title' => t('Input formats'),
'description' => t('Configure how content input by users is filtered, including allowed HTML tags, PHP code tags. Also allows enabling of module-provided filters.'),
'description' => t('Configure how content input by users is filtered, including allowed HTML tags. Also allows enabling of module-provided filters.'),
'page callback' => 'drupal_get_form',
'page arguments' => array('filter_admin_overview'),
'access arguments' => array('administer filters'),
......@@ -255,42 +255,14 @@ function filter_filter_tips($delta, $format, $long = FALSE) {
break;
case 1:
switch ($long) {
case 0:
return t('You may post PHP code. You should include <?php ?> tags.');
case 1:
return t('
<h4>Using custom PHP code</h4>
<p>If you know how to script in PHP, Drupal gives you the power to embed any script you like. It will be executed when the page is viewed and dynamically embedded into the page. This gives you amazing flexibility and power, but of course with that comes danger and insecurity if you do not write good code. If you are not familiar with PHP, SQL or with the site engine, avoid experimenting with PHP because you can corrupt your database or render your site insecure or even unusable! If you do not plan to do fancy stuff with your content then you are probably better off with straight HTML.</p>
<p>Remember that the code within each PHP item must be valid PHP code - including things like correctly terminating statements with a semicolon. It is highly recommended that you develop your code separately using a simple test script on top of a test database before migrating to your production environment.</p>
<p>Notes:</p><ul><li>You can use global variables, such as configuration parameters, within the scope of your PHP code but remember that global variables which have been given values in your code will retain these values in the engine afterwards.</li><li>register_globals is now set to <strong>off</strong> by default. If you need form information you need to get it from the "superglobals" $_POST, $_GET, etc.</li><li>You can either use the <code>print</code> or <code>return</code> statement to output the actual content for your item.</li></ul>
<p>A basic example:</p>
<blockquote><p>You want to have a box with the title "Welcome" that you use to greet your visitors. The content for this box could be created by going:</p>
<pre>
print t("Welcome visitor, ... welcome message goes here ...");
</pre>
<p>If we are however dealing with a registered user, we can customize the message by using:</p>
<pre>
global $user;
if ($user->uid) {
print t("Welcome $user->name, ... welcome message goes here ...");
}
else {
print t("Welcome visitor, ... welcome message goes here ...");
}
</pre></blockquote>
<p>For more in-depth examples, we recommend that you check the existing Drupal code and use it as a starting point, especially for sidebar boxes.</p>');
}
case 2:
switch ($long) {
case 0:
return t('Lines and paragraphs break automatically.');
case 1:
return t('Lines and paragraphs are automatically recognized. The &lt;br /&gt; line break, &lt;p&gt; paragraph and &lt;/p&gt; close paragraph tags are inserted automatically. If paragraphs are not recognized simply add a couple blank lines.');
}
case 3:
break;
case 2:
return t('Web page addresses and e-mail addresses turn into links automatically.');
}
}
......@@ -973,28 +945,23 @@ function theme_filter_tips_more_info() {
* Implementation of hook_filter(). Contains a basic set of essential filters.
* - HTML filter:
* Validates user-supplied HTML, transforming it as necessary.
* - PHP evaluator:
* Executes PHP code.
* - Line break converter:
* Converts newlines into paragraph and break tags.
* - URL and e-mail address filter:
* Converts newlines into paragraph and break tags.
*/
function filter_filter($op, $delta = 0, $format = -1, $text = '') {
switch ($op) {
case 'list':
return array(0 => t('HTML filter'), 1 => t('PHP evaluator'), 2 => t('Line break converter'), 3 => t('URL filter'));
case 'no cache':
return $delta == 1; // No caching for the PHP evaluator.
return array(0 => t('HTML filter'), 1 => t('Line break converter'), 2 => t('URL filter'));
case 'description':
switch ($delta) {
case 0:
return t('Allows you to restrict if users can post HTML and which tags to filter out.');
case 1:
return t('Runs a piece of PHP code. The usage of this filter should be restricted to administrators only!');
case 2:
return t('Converts line breaks into HTML (i.e. &lt;br&gt; and &lt;p&gt; tags).');
case 3:
case 2:
return t('Turns web and e-mail addresses into clickable links.');
default:
return;
......@@ -1005,10 +972,8 @@ function filter_filter($op, $delta = 0, $format = -1, $text = '') {
case 0:
return _filter_html($text, $format);
case 1:
return drupal_eval($text);
case 2:
return _filter_autop($text);
case 3:
case 2:
return _filter_url($text, $format);
default:
return $text;
......@@ -1018,7 +983,7 @@ function filter_filter($op, $delta = 0, $format = -1, $text = '') {
switch ($delta) {
case 0:
return _filter_html_settings($format);
case 3:
case 2:
return _filter_url_settings($format);
default:
return;
......
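Review bot: The hook_filter() docblock left in place above filter_filter() still describes the URL and e-mail address filter as "Converts newlines into paragraph and break tags", a copy of the line break entry; with the list being rewritten here it should read `*     Converts web and e-mail addresses into clickable links.`. The deltas for the remaining filters also change in this hunk (line break 2 → 1, URL 3 → 2), so every stored {filters} row and every caller that hard-codes a delta depends on the accompanying update hook running; a one-line comment on the 'list' case, `// Deltas changed in 6.x: PHP evaluator removed, line break is now 1, URL is now 2.`, would make that coupling visible to the next reader. The removed 'no cache' case means that op now falls to the outer switch's default, which is outside this hunk and should be checked to still return something sensible.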
; $Id$
name = PHP filter
description = Allows embedded PHP code/snippets to be evaluated.
package = Core - optional
version = VERSION
<?php
// $Id$
/**
* Implementation of hook_install().
*/
function php_install() {
$format_exists = db_result(db_query("SELECT COUNT(*) FROM {filter_formats} WHERE name = 'PHP code'"));
// Add a PHP code input format, if it does not exist. Do this only for the
// first install (or if the format has been manually deleted) as there is no
// reliable method to identify the format in an uninstall hook or in
// subsequent clean installs.
if (!$format_exists) {
db_query("INSERT INTO {filter_formats} (name, roles, cache) VALUES ('PHP code', '', 0)");
$format = db_result(db_query("SELECT MAX(format) FROM {filter_formats}"));
// Enable the PHP evaluator filter.
db_query("INSERT INTO {filters} (format, module, delta, weight) VALUES (%d, 'php', 0, 0)", $format);
drupal_set_message(t('A !php-code input format has been created.', array('!php-code' => l('PHP code', 'admin/settings/filters/'. $format))));
}
}
/**
* Implementation of hook_disable().
*/
function php_disable() {
drupal_set_message(t('The PHP module has been disabled. Please note that any existing content that was using the PHP filter will now be visible in plain text. This might pose a security risk by exposing sensitive information, if any, used in the PHP code.'));
}
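Review bot: php_install() decides whether to create the input format by matching the display name 'PHP code', so a site that renamed the format (or created an unrelated format with that name) gets a duplicate or a silently skipped format; the {filters} row is a more reliable marker, e.g. `$format_exists = db_result(db_query("SELECT COUNT(*) FROM {filters} WHERE module = 'php' AND delta = 0"));`, and the explanatory comment can then be shortened accordingly. Reading `SELECT MAX(format)` right after the INSERT is not safe against a concurrent insert; if the database layer here already offers db_last_insert_id(), prefer it. The format is deliberately created with an empty roles list, which is the right default for a filter that executes arbitrary code, and that is worth stating in a comment such as `// No roles are granted: administrators must opt users in explicitly.`.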
<?php
// $Id$
/**
* @file
* Additional filter for PHP input.
*/
/**
* Implementation of hook_help().
*/
function php_help($section) {
switch ($section) {
case 'admin/help#php':
return t('Adds a filter option to include PHP in content.');
}
}
/**
* Implementation of hook_filter_tips().
*/
function php_filter_tips($delta, $format, $long = false) {
global $base_url;
if ($delta == 0) {
switch ($long) {
case 0:
return t('You may post PHP code. You should include &lt;?php ?&gt; tags.');
case 1:
return t('
<h4>Using custom PHP code</h4>
<p>If you know how to script in PHP, Drupal gives you the power to embed any script you like. It will be executed when the page is viewed and dynamically embedded into the page. This gives you amazing flexibility and power, but of course with that comes danger and insecurity if you don\'t write good code. If you are not familiar with PHP, SQL or with the site engine, avoid experimenting with PHP because you can corrupt your database or render your site insecure or even unusable! If you don\'t plan to do fancy stuff with your content then you\'re probably better off with straight HTML.</p>
<p>Remember that the code within each PHP item must be valid PHP code - including things like correctly terminating statements with a semicolon. It is highly recommended that you develop your code separately using a simple test script on top of a test database before migrating to your production environment.</p>
<p>Notes:</p><ul><li>You can use global variables, such as configuration parameters, within the scope of your PHP code but remember that global variables which have been given values in your code will retain these values in the engine afterwards.</li><li>register_globals is now set to <strong>off</strong> by default. If you need form information you need to get it from the "superglobals" $_POST, $_GET, etc.</li><li>You can either use the <code>print</code> or <code>return</code> statement to output the actual content for your item.</li></ul>
<p>A basic example:</p>
<blockquote><p>You want to have a box with the title "Welcome" that you use to greet your visitors. The content for this box could be created by going:</p>
<pre>
print t("Welcome visitor, ... welcome message goes here ...");
</pre>
<p>If we are however dealing with a registered user, we can customize the message by using:</p>
<pre>
global $user;
if ($user->uid) {
print t("Welcome $user->name, ... welcome message goes here ...");
}
else {
print t("Welcome visitor, ... welcome message goes here ...");
}
</pre></blockquote>
<p>For more in-depth examples, we recommend that you check the existing Drupal code and use it as a starting point, especially for sidebar boxes.</p>');
}
}
}
/**
* Implementation of hook_filter(). Contains a basic PHP evaluator.
*
* Executes PHP code. Use with care.
*/
function php_filter($op, $delta = 0, $format = -1, $text = '') {
switch ($op) {
case 'list':
return array(0 => t('PHP evaluator'));
case 'no cache':
// No caching for the PHP evaluator.
return $delta == 0;
case 'description':
return t('Executes a piece of PHP code. The usage of this filter should be restricted to administrators only!');
case 'process':
return drupal_eval($text);
default:
return $text;
}
}
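Review bot: `global $base_url;` in php_filter_tips() is declared but never used and should be dropped; the default `$long = false` also breaks with the uppercase `FALSE` that filter.module uses for the same parameter in filter_filter_tips(). The 'process' case in php_filter() hands $text to drupal_eval() without any check of its own, so the only thing standing between a user and code execution is the role list on the input format; the docblock should say so explicitly, e.g. `* Access control is delegated entirely to the input format's role assignment; this filter never inspects who authored the text.` The 'description' case ignores $delta, which is fine while the module exposes a single filter but would silently describe any delta as the evaluator if another is added.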
......@@ -1101,18 +1101,25 @@ function system_install() {
db_query("INSERT INTO {node_access} VALUES (0, 0, 'all', 1, 0, 0)");
db_query("INSERT INTO {filter_formats} (name, roles, cache) VALUES ('Filtered HTML',',1,2,',1)");
db_query("INSERT INTO {filter_formats} (name, roles, cache) VALUES ('PHP code','',0)");
db_query("INSERT INTO {filter_formats} (name, roles, cache) VALUES ('Full HTML','',1)");
db_query("INSERT INTO {filters} VALUES (1,'filter',3,0)");
db_query("INSERT INTO {filters} VALUES (1,'filter',0,1)");
db_query("INSERT INTO {filters} VALUES (1,'filter',2,2)");
db_query("INSERT INTO {filters} VALUES (2,'filter',1,0)");
db_query("INSERT INTO {filters} VALUES (3,'filter',3,0)");
db_query("INSERT INTO {filters} VALUES (3,'filter',2,1)");
// Add input formats.
db_query("INSERT INTO {filter_formats} (name, roles, cache) VALUES ('Filtered HTML', ',1,2,', 1)");
db_query("INSERT INTO {filter_formats} (name, roles, cache) VALUES ('Full HTML', '', 1)");
// Enable filters for each input format.
// Filtered HTML:
// URL filter.
db_query("INSERT INTO {filters} (format, module, delta, weight) VALUES (1, 'filter', 2, 0)");
// HTML filter.
db_query("INSERT INTO {filters} (format, module, delta, weight) VALUES (1, 'filter', 0, 1)");
// Line break filter.
db_query("INSERT INTO {filters} (format, module, delta, weight) VALUES (1, 'filter', 1, 2)");
// Full HTML:
// URL filter.
db_query("INSERT INTO {filters} (format, module, delta, weight) VALUES (2, 'filter', 2, 0)");
// Line break filter.
db_query("INSERT INTO {filters} (format, module, delta, weight) VALUES (2, 'filter', 1, 1)");
db_query("INSERT INTO {variable} (name,value) VALUES ('filter_html_1','i:1;')");
......@@ -3736,6 +3743,40 @@ function system_update_6008() {
return $ret;
}
/**
* The PHP filter is now a separate module.
*/
function system_update_6009() {
$ret = array();
// Delete existing PHP filter and input format.
$ret[] = update_sql("DELETE FROM {filter_formats} WHERE format = 2");
$ret[] = update_sql("DELETE FROM {filters} WHERE format = 2");
// Enable the PHP filter module.
$ret[] = update_sql("UPDATE {system} SET status = 1 WHERE name = 'php' AND type = 'module'");
// Add the PHP Code input format.
$ret[] = update_sql("INSERT INTO {filter_formats} (name, roles, cache) VALUES ('PHP code', '', 0)");
$format = db_result(db_query("SELECT MAX(format) FROM {filter_formats}"));
// Enable the PHP evaluator filter.
db_query("INSERT INTO {filters} (format, module, delta, weight) VALUES (%d, 'php', 0, 0)", $format);
// If any other input formats use the PHP evaluator, update them accordingly.
$ret[] = update_sql("UPDATE {filters} SET delta = 0, module = 'php' WHERE module = 'filter' AND delta = 1");
// With the removal of the PHP evaluator filter, the deltas of the line break
// and URL filter have changed.
$ret[] = update_sql("UPDATE {filters} SET delta = 1 WHERE module = 'filter' AND delta = 2");
$ret[] = update_sql("UPDATE {filters} SET delta = 2 WHERE module = 'filter' AND delta = 3");
// Update any nodes associated with the PHP input format.
db_query("UPDATE {node_revisions} SET format = %d WHERE format = 2", $format);
return $ret;
}
/**
* @} End of "defgroup updates-5.x-to-6.x"
* The next series of updates should start at 7000.
......
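Review bot: system_update_6009() hard-codes `format = 2` as the PHP code format when it deletes rows from {filter_formats} and {filters} and rewrites {node_revisions}; that is only the stock layout from system_install(), and on a site that deleted or re-created formats the DELETE removes an unrelated format and its filters, while the real PHP format (found later by `module = 'filter' AND delta = 1`) is left pointing at a fresh, different id. Since the next statement already re-points every evaluator row at the new module, the delete/recreate and the node rewrite are unnecessary: keeping the existing format ids means nodes, and any other table that stores a format id (comments and boxes, presumably), need no change. The enable is done by flipping {system}.status directly, so php_install() never runs here and will not create a second format; a comment saying so avoids a future "why not module_enable()" question. The rewritten hook follows.
```php
function system_update_6009() {
  $ret = array();
  // Enable the PHP filter module by status only: php_install() is not run, so
  // no duplicate 'PHP code' format is created for the one migrated below.
  $ret[] = update_sql("UPDATE {system} SET status = 1 WHERE name = 'php' AND type = 'module'");
  // Re-point every PHP evaluator row at the new module. Input formats keep
  // their ids, so content referencing them needs no rewrite.
  $ret[] = update_sql("UPDATE {filters} SET module = 'php', delta = 0 WHERE module = 'filter' AND delta = 1");
  // … unchanged: delta renumbering of the line break and URL filters …
  return $ret;
}
```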