PageRenderTime 22ms CodeModel.GetById 16ms RepoModel.GetById 1ms app.codeStats 0ms

/simpus/vendor/ezyang/htmlpurifier/plugins/phorum/htmlpurifier.php

https://gitlab.com/isdzulqor/Slis-Dev
PHP | 316 lines | 196 code | 33 blank | 87 comment | 38 complexity | 20f33002f85588c3622535a3406aea9e MD5 | raw file
    

  1. <?php

    2. 

  2. 

    3. 

  3. /**

    4. 

  4.  * HTML Purifier Phorum Mod. Filter your HTML the Standards-Compliant Way!

    5. 

  5.  *

    6. 

  6.  * This Phorum mod enables users to post raw HTML into Phorum.  But never

    7. 

  7.  * fear: with the help of HTML Purifier, this HTML will be beat into

    8. 

  8.  * de-XSSed and standards-compliant form, safe for general consumption.

    9. 

  9.  * It is not recommended, but possible to run this mod in parallel

    10. 

  10.  * with other formatters (in short, please DISABLE the BBcode mod).

    11. 

  11.  *

    12. 

  12.  * For help migrating from your previous markup language to pure HTML

    13. 

  13.  * please check the migrate.bbcode.php file.

    14. 

  14.  *

    15. 

  15.  * If you'd like to use this with a WYSIWYG editor, make sure that

    16. 

  16.  * editor sets $PHORUM['mod_htmlpurifier']['wysiwyg'] to true. Otherwise,

    17. 

  17.  * administrators who need to edit other people's comments may be at

    18. 

  18.  * risk for some nasty attacks.

    19. 

  19.  *

    20. 

  20.  * Tested with Phorum 5.2.11.

    21. 

  21.  */

    22. 

  22. 

    23. 

  23. // Note: Cache data is base64 encoded because Phorum insists on flinging

    24. 

  24. // to the user and expecting it to come back unharmed, newlines and

    25. 

  25. // all, which ain't happening. It's slower, it takes up more space, but

    26. 

  26. // at least it won't get mutilated

    27. 

  27. 

    28. 

  28. /**

    29. 

  29.  * Purifies a data array

    30. 

  30.  */

    31. 

  31. function phorum_htmlpurifier_format($data)

    32. 

  32. {

    33. 

  33.     $PHORUM = $GLOBALS["PHORUM"];

    34. 

  34. 

    35. 

  35.     $purifier =& HTMLPurifier::getInstance();

    36. 

  36.     $cache_serial = $PHORUM['mod_htmlpurifier']['body_cache_serial'];

    37. 

  37. 

    38. 

  38.     foreach($data as $message_id => $message){

    39. 

  39.         if(isset($message['body'])) {

    40. 

  40. 

    41. 

  41.             if ($message_id) {

    42. 

  42.                 // we're dealing with a real message, not a fake, so

    43. 

  43.                 // there a number of shortcuts that can be taken

    44. 

  44. 

    45. 

  45.                 if (isset($message['meta']['htmlpurifier_light'])) {

    46. 

  46.                     // format hook was called outside of Phorum's normal

    47. 

  47.                     // functions, do the abridged purification

    48. 

  48.                     $data[$message_id]['body'] = $purifier->purify($message['body']);

    49. 

  49.                     continue;

    50. 

  50.                 }

    51. 

  51. 

    52. 

  52.                 if (!empty($PHORUM['args']['purge'])) {

    53. 

  53.                     // purge the cache, must be below the following if

    54. 

  54.                     unset($message['meta']['body_cache']);

    55. 

  55.                 }

    56. 

  56. 

    57. 

  57.                 if (

    58. 

  58.                     isset($message['meta']['body_cache']) &&

    59. 

  59.                     isset($message['meta']['body_cache_serial']) &&

    60. 

  60.                     $message['meta']['body_cache_serial'] == $cache_serial

    61. 

  61.                 ) {

    62. 

  62.                     // cached version is present, bail out early

    63. 

  63.                     $data[$message_id]['body'] = base64_decode($message['meta']['body_cache']);

    64. 

  64.                     continue;

    65. 

  65.                 }

    66. 

  66.             }

    67. 

  67. 

    68. 

  68.             // migration might edit this array, that's why it's defined

    69. 

  69.             // so early

    70. 

  70.             $updated_message = array();

    71. 

  71. 

    72. 

  72.             // create the $body variable

    73. 

  73.             if (

    74. 

  74.                 $message_id && // message must be real to migrate

    75. 

  75.                 !isset($message['meta']['body_cache_serial'])

    76. 

  76.             ) {

    77. 

  77.                 // perform migration

    78. 

  78.                 $fake_data = array();

    79. 

  79.                 list($signature, $edit_message) = phorum_htmlpurifier_remove_sig_and_editmessage($message);

    80. 

  80.                 $fake_data[$message_id] = $message;

    81. 

  81.                 $fake_data = phorum_htmlpurifier_migrate($fake_data);

    82. 

  82.                 $body = $fake_data[$message_id]['body'];

    83. 

  83.                 $body = str_replace("<phorum break>\n", "\n", $body);

    84. 

  84.                 $updated_message['body'] = $body; // save it in

    85. 

  85.                 $body .= $signature . $edit_message; // add it back in

    86. 

  86.             } else {

    87. 

  87.                 // reverse Phorum's pre-processing

    88. 

  88.                 $body = $message['body'];

    89. 

  89.                 // order is important

    90. 

  90.                 $body = str_replace("<phorum break>\n", "\n", $body);

    91. 

  91.                 $body = str_replace(array('&lt;','&gt;','&amp;', '&quot;'), array('<','>','&','"'), $body);

    92. 

  92.                 if (!$message_id && defined('PHORUM_CONTROL_CENTER')) {

    93. 

  93.                     // we're in control.php, so it was double-escaped

    94. 

  94.                     $body = str_replace(array('&lt;','&gt;','&amp;', '&quot;'), array('<','>','&','"'), $body);

    95. 

  95.                 }

    96. 

  96.             }

    97. 

  97. 

    98. 

  98.             $body = $purifier->purify($body);

    99. 

  99. 

    100. 

  100.             // dynamically update the cache (MUST BE DONE HERE!)

    101. 

  101.             // this is inefficient because it's one db call per

    102. 

  102.             // cache miss, but once the cache is in place things are

    103. 

  103.             // a lot zippier.

    104. 

  104. 

    105. 

  105.             if ($message_id) { // make sure it's not a fake id

    106. 

  106.                 $updated_message['meta'] = $message['meta'];

    107. 

  107.                 $updated_message['meta']['body_cache'] = base64_encode($body);

    108. 

  108.                 $updated_message['meta']['body_cache_serial'] = $cache_serial;

    109. 

  109.                 phorum_db_update_message($message_id, $updated_message);

    110. 

  110.             }

    111. 

  111. 

    112. 

  112.             // must not get overloaded until after we cache it, otherwise

    113. 

  113.             // we'll inadvertently change the original text

    114. 

  114.             $data[$message_id]['body'] = $body;

    115. 

  115. 

    116. 

  116.         }

    117. 

  117.     }

    118. 

  118. 

    119. 

  119.     return $data;

    120. 

  120. }

    121. 

  121. 

    122. 

  122. // -----------------------------------------------------------------------

    123. 

  123. // This is fragile code, copied from read.php:596 (Phorum 5.2.6). Please

    124. 

  124. // keep this code in-sync with Phorum

    125. 

  125. 

    126. 

  126. /**

    127. 

  127.  * Generates a signature based on a message array

    128. 

  128.  */

    129. 

  129. function phorum_htmlpurifier_generate_sig($row)

    130. 

  130. {

    131. 

  131.     $phorum_sig = '';

    132. 

  132.     if(isset($row["user"]["signature"])

    133. 

  133.        && isset($row['meta']['show_signature']) && $row['meta']['show_signature']==1){

    134. 

  134.            $phorum_sig=trim($row["user"]["signature"]);

    135. 

  135.            if(!empty($phorum_sig)){

    136. 

  136.                $phorum_sig="\n\n$phorum_sig";

    137. 

  137.            }

    138. 

  138.     }

    139. 

  139.     return $phorum_sig;

    140. 

  140. }

    141. 

  141. 

    142. 

  142. /**

    143. 

  143.  * Generates an edit message based on a message array

    144. 

  144.  */

    145. 

  145. function phorum_htmlpurifier_generate_editmessage($row)

    146. 

  146. {

    147. 

  147.     $PHORUM = $GLOBALS['PHORUM'];

    148. 

  148.     $editmessage = '';

    149. 

  149.     if(isset($row['meta']['edit_count']) && $row['meta']['edit_count'] > 0) {

    150. 

  150.         $editmessage = str_replace ("%count%", $row['meta']['edit_count'], $PHORUM["DATA"]["LANG"]["EditedMessage"]);

    151. 

  151.         $editmessage = str_replace ("%lastedit%", phorum_date($PHORUM["short_date_time"],$row['meta']['edit_date']),  $editmessage);

    152. 

  152.         $editmessage = str_replace ("%lastuser%", $row['meta']['edit_username'],  $editmessage);

    153. 

  153.         $editmessage = "\n\n\n\n$editmessage";

    154. 

  154.     }

    155. 

  155.     return $editmessage;

    156. 

  156. }

    157. 

  157. 

    158. 

  158. // End fragile code

    159. 

  159. // -----------------------------------------------------------------------

    160. 

  160. 

    161. 

  161. /**

    162. 

  162.  * Removes the signature and edit message from a message

    163. 

  163.  * @param $row Message passed by reference

    164. 

  164.  */

    165. 

  165. function phorum_htmlpurifier_remove_sig_and_editmessage(&$row)

    166. 

  166. {

    167. 

  167.     $signature = phorum_htmlpurifier_generate_sig($row);

    168. 

  168.     $editmessage = phorum_htmlpurifier_generate_editmessage($row);

    169. 

  169.     $replacements = array();

    170. 

  170.     // we need to remove add <phorum break> as that is the form these

    171. 

  171.     // extra bits are in.

    172. 

  172.     if ($signature) $replacements[str_replace("\n", "<phorum break>\n", $signature)] = '';

    173. 

  173.     if ($editmessage) $replacements[str_replace("\n", "<phorum break>\n", $editmessage)] = '';

    174. 

  174.     $row['body'] = strtr($row['body'], $replacements);

    175. 

  175.     return array($signature, $editmessage);

    176. 

  176. }

    177. 

  177. 

    178. 

  178. /**

    179. 

  179.  * Indicate that data is fully HTML and not from migration, invalidate

    180. 

  180.  * previous caches

    181. 

  181.  * @note This function could generate the actual cache entries, but

    182. 

  182.  *       since there's data missing that must be deferred to the first read

    183. 

  183.  */

    184. 

  184. function phorum_htmlpurifier_posting($message)

    185. 

  185. {

    186. 

  186.     $PHORUM = $GLOBALS["PHORUM"];

    187. 

  187.     unset($message['meta']['body_cache']); // invalidate the cache

    188. 

  188.     $message['meta']['body_cache_serial'] = $PHORUM['mod_htmlpurifier']['body_cache_serial'];

    189. 

  189.     return $message;

    190. 

  190. }

    191. 

  191. 

    192. 

  192. /**

    193. 

  193.  * Overload quoting mechanism to prevent default, mail-style quote from happening

    194. 

  194.  */

    195. 

  195. function phorum_htmlpurifier_quote($array)

    196. 

  196. {

    197. 

  197.     $PHORUM = $GLOBALS["PHORUM"];

    198. 

  198.     $purifier =& HTMLPurifier::getInstance();

    199. 

  199.     $text = $purifier->purify($array[1]);

    200. 

  200.     $source = htmlspecialchars($array[0]);

    201. 

  201.     return "<blockquote cite=\"$source\">\n$text\n</blockquote>";

    202. 

  202. }

    203. 

  203. 

    204. 

  204. /**

    205. 

  205.  * Ensure that our format hook is processed last. Also, loads the library.

    206. 

  206.  * @credits <http://secretsauce.phorum.org/snippets/make_bbcode_last_formatter.php.txt>

    207. 

  207.  */

    208. 

  208. function phorum_htmlpurifier_common()

    209. 

  209. {

    210. 

  210.     require_once(dirname(__FILE__).'/htmlpurifier/HTMLPurifier.auto.php');

    211. 

  211.     require(dirname(__FILE__).'/init-config.php');

    212. 

  212. 

    213. 

  213.     $config = phorum_htmlpurifier_get_config();

    214. 

  214.     HTMLPurifier::getInstance($config);

    215. 

  215. 

    216. 

  216.     // increment revision.txt if you want to invalidate the cache

    217. 

  217.     $GLOBALS['PHORUM']['mod_htmlpurifier']['body_cache_serial'] = $config->getSerial();

    218. 

  218. 

    219. 

  219.     // load migration

    220. 

  220.     if (file_exists(dirname(__FILE__) . '/migrate.php')) {

    221. 

  221.         include(dirname(__FILE__) . '/migrate.php');

    222. 

  222.     } else {

    223. 

  223.         echo '<strong>Error:</strong> No migration path specified for HTML Purifier, please check

    224. 

  224.         <tt>modes/htmlpurifier/migrate.bbcode.php</tt> for instructions on

    225. 

  225.         how to migrate from your previous markup language.';

    226. 

  226.         exit;

    227. 

  227.     }

    228. 

  228. 

    229. 

  229.     if (!function_exists('phorum_htmlpurifier_migrate')) {

    230. 

  230.         // Dummy function

    231. 

  231.         function phorum_htmlpurifier_migrate($data) {return $data;}

    232. 

  232.     }

    233. 

  233. 

    234. 

  234. }

    235. 

  235. 

    236. 

  236. /**

    237. 

  237.  * Pre-emptively performs purification if it looks like a WYSIWYG editor

    238. 

  238.  * is being used

    239. 

  239.  */

    240. 

  240. function phorum_htmlpurifier_before_editor($message)

    241. 

  241. {

    242. 

  242.     if (!empty($GLOBALS['PHORUM']['mod_htmlpurifier']['wysiwyg'])) {

    243. 

  243.         if (!empty($message['body'])) {

    244. 

  244.             $body = $message['body'];

    245. 

  245.             // de-entity-ize contents

    246. 

  246.             $body = str_replace(array('&lt;','&gt;','&amp;'), array('<','>','&'), $body);

    247. 

  247.             $purifier =& HTMLPurifier::getInstance();

    248. 

  248.             $body = $purifier->purify($body);

    249. 

  249.             // re-entity-ize contents

    250. 

  250.             $body = htmlspecialchars($body, ENT_QUOTES, $GLOBALS['PHORUM']['DATA']['CHARSET']);

    251. 

  251.             $message['body'] = $body;

    252. 

  252.         }

    253. 

  253.     }

    254. 

  254.     return $message;

    255. 

  255. }

    256. 

  256. 

    257. 

  257. function phorum_htmlpurifier_editor_after_subject()

    258. 

  258. {

    259. 

  259.     // don't show this message if it's a WYSIWYG editor, since it will

    260. 

  260.     // then be handled automatically

    261. 

  261.     if (!empty($GLOBALS['PHORUM']['mod_htmlpurifier']['wysiwyg'])) {

    262. 

  262.         $i = $GLOBALS['PHORUM']['DATA']['MODE'];

    263. 

  263.         if ($i == 'quote' || $i == 'edit' || $i == 'moderation') {

    264. 

  264.           ?>

    265. 

  265.           <div>

    266. 

  266.             <p>

    267. 

  267.               <strong>Notice:</strong> HTML has been scrubbed for your safety.

    268. 

  268.               If you would like to see the original, turn off WYSIWYG mode

    269. 

  269.               (consult your administrator for details.)

    270. 

  270.             </p>

    271. 

  271.           </div>

    272. 

  272.           <?php

    273. 

  273.         }

    274. 

  274.         return;

    275. 

  275.     }

    276. 

  276.     if (!empty($GLOBALS['PHORUM']['mod_htmlpurifier']['suppress_message'])) return;

    277. 

  277.     ?><div class="htmlpurifier-help">

    278. 

  278.     <p>

    279. 

  279.         <strong>HTML input</strong> is enabled. Make sure you escape all HTML and

    280. 

  280.         angled brackets with <code>&amp;lt;</code> and <code>&amp;gt;</code>.

    281. 

  281.     </p><?php

    282. 

  282.             $purifier =& HTMLPurifier::getInstance();

    283. 

  283.             $config = $purifier->config;

    284. 

  284.             if ($config->get('AutoFormat.AutoParagraph')) {

    285. 

  285.                 ?><p>

    286. 

  286.                     <strong>Auto-paragraphing</strong> is enabled. Double

    287. 

  287.                     newlines will be converted to paragraphs; for single

    288. 

  288.                     newlines, use the <code>pre</code> tag.

    289. 

  289.                 </p><?php

    290. 

  290.             }

    291. 

  291.             $html_definition = $config->getDefinition('HTML');

    292. 

  292.             $allowed = array();

    293. 

  293.             foreach ($html_definition->info as $name => $x) $allowed[] = "<code>$name</code>";

    294. 

  294.             sort($allowed);

    295. 

  295.             $allowed_text = implode(', ', $allowed);

    296. 

  296.             ?><p><strong>Allowed tags:</strong> <?php

    297. 

  297.             echo $allowed_text;

    298. 

  298.             ?>.</p><?php

    299. 

  299.         ?>

    300. 

  300.     </p>

    301. 

  301.     <p>

    302. 

  302.         For inputting literal code such as HTML and PHP for display, use

    303. 

  303.         CDATA tags to auto-escape your angled brackets, and <code>pre</code>

    304. 

  304.         to preserve newlines:

    305. 

  305.     </p>

    306. 

  306.     <pre>&lt;pre&gt;&lt;![CDATA[

    307. 

  307. <em>Place code here</em>

    308. 

  308. ]]&gt;&lt;/pre&gt;</pre>

    309. 

  309.     <p>

    310. 

  310.         Power users, you can hide this notice with:

    311. 

  311.         <pre>.htmlpurifier-help {display:none;}</pre>

    312. 

  312.     </p>

    313. 

  313.     </div><?php

    314. 

  314. }

    315. 

  315. 

    316. 

  316. // vim: et sw=4 sts=4

    317. 

  317.