MDL-9151 HTML Purifier cleaning support - enable switch is in experimental section
MDL-9435 Reviewed url cleaning in redirect()
This commit is contained in:
parent
c85607f0be
commit
e0ac8448c7
129 changed files with 10389 additions and 20 deletions
|
@ -1658,7 +1658,9 @@ function trusttext_prepare_edit(&$text, &$format, $usehtmleditor, $context) {
|
|||
*/
|
||||
function clean_text($text, $format=FORMAT_MOODLE) {
|
||||
|
||||
global $ALLOWED_TAGS;
|
||||
if (empty($text) or is_numeric($text)) {
|
||||
return (string)$text;
|
||||
}
|
||||
|
||||
switch ($format) {
|
||||
case FORMAT_PLAIN:
|
||||
|
@ -1667,17 +1669,21 @@ function clean_text($text, $format=FORMAT_MOODLE) {
|
|||
|
||||
default:
|
||||
|
||||
/// Fix non standard entity notations
|
||||
$text = preg_replace('/(&#[0-9]+)(;?)/', "\\1;", $text);
|
||||
$text = preg_replace('/(&#x[0-9a-fA-F]+)(;?)/', "\\1;", $text);
|
||||
if (!empty($CFG->enablehtmlpurifier)) {
|
||||
$text = purify_html($text);
|
||||
} else {
|
||||
/// Fix non standard entity notations
|
||||
$text = preg_replace('/(&#[0-9]+)(;?)/', "\\1;", $text);
|
||||
$text = preg_replace('/(&#x[0-9a-fA-F]+)(;?)/', "\\1;", $text);
|
||||
|
||||
/// Remove tags that are not allowed
|
||||
$text = strip_tags($text, $ALLOWED_TAGS);
|
||||
|
||||
/// Clean up embedded scripts and , using kses
|
||||
$text = cleanAttributes($text);
|
||||
}
|
||||
|
||||
/// Remove tags that are not allowed
|
||||
$text = strip_tags($text, $ALLOWED_TAGS);
|
||||
|
||||
/// Clean up embedded scripts and , using kses
|
||||
$text = cleanAttributes($text);
|
||||
|
||||
/// Remove script events
|
||||
/// Remove potential script events - some extra protection for undiscovered bugs in our code
|
||||
$text = eregi_replace("([^a-z])language([[:space:]]*)=", "\\1Xlanguage=", $text);
|
||||
$text = eregi_replace("([^a-z])on([a-z]+)([[:space:]]*)=", "\\1Xon\\2=", $text);
|
||||
|
||||
|
@ -1685,6 +1691,24 @@ function clean_text($text, $format=FORMAT_MOODLE) {
|
|||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* KSES replacement cleaning function - uses HTML Purifier.
|
||||
*/
|
||||
function purify_html($text) {
|
||||
global $CFG;
|
||||
|
||||
static $purifier = false;
|
||||
if (!$purifier) {
|
||||
require_once $CFG->libdir.'/htmlpurifier/HTMLPurifier.auto.php';
|
||||
$config = HTMLPurifier_Config::createDefault();
|
||||
$config->set('Core', 'AcceptFullDocuments', false);
|
||||
//$config->set('HTML', 'Strict', true);
|
||||
$config->set('URI', 'AllowedSchemes', array('http'=>1, 'https'=>1, 'ftp'=>1, 'irc'=>1, 'nntp'=>1, 'news'=>1, 'rtsp'=>1, 'teamspeak'=>1, 'gopher'=>1, 'mms'=>1));
|
||||
$purifier = new HTMLPurifier($config);
|
||||
}
|
||||
return $purifier->purify($text);
|
||||
}
|
||||
|
||||
/**
|
||||
* This function takes a string and examines it for HTML tags.
|
||||
* If tags are detected it passes the string to a helper function {@link cleanAttributes2()}
|
||||
|
@ -5032,13 +5056,9 @@ function redirect($url, $message='', $delay=-1, $adminroot = '') {
|
|||
|
||||
$message = clean_text($message);
|
||||
|
||||
$url = html_entity_decode($url);
|
||||
$url = str_replace(array("\n", "\r"), '', $url); // some more cleaning
|
||||
$encodedurl = htmlentities($url);
|
||||
$tmpstr = clean_text('<a href="'.$encodedurl.'" />'); //clean encoded URL
|
||||
$encodedurl = substr($tmpstr, 9, strlen($tmpstr)-13);
|
||||
$url = html_entity_decode($encodedurl);
|
||||
$surl = addslashes($url);
|
||||
$encodedurl = preg_replace("/\&(?![a-zA-Z0-9#]{1,8};)/", "&", $url);
|
||||
$encodedurl = preg_replace('/^.*href="([^"]*)".*$/', "\\1", clean_text('<a href="'.$encodedurl.'" />'));
|
||||
$url = str_replace('&', '&', $encodedurl);
|
||||
|
||||
/// At developer debug level. Don't redirect if errors have been printed on screen.
|
||||
/// Currenly only works in PHP 5.2+
|
||||
|
@ -5081,7 +5101,7 @@ function redirect($url, $message='', $delay=-1, $adminroot = '') {
|
|||
@header('Location: '.$url);
|
||||
//another way for older browsers and already sent headers (eg trailing whitespace in config.php)
|
||||
echo '<meta http-equiv="refresh" content="'. $delay .'; url='. $encodedurl .'" />';
|
||||
echo '<script type="text/javascript">'. "\n" .'//<![CDATA['. "\n". "location.replace('$surl');". "\n". '//]]>'. "\n". '</script>'; // To cope with Mozilla bug
|
||||
echo '<script type="text/javascript">'. "\n" .'//<![CDATA['. "\n". "location.replace('".addslashes_js($url)."');". "\n". '//]]>'. "\n". '</script>'; // To cope with Mozilla bug
|
||||
die;
|
||||
}
|
||||
|
||||
|
@ -5104,7 +5124,7 @@ function redirect($url, $message='', $delay=-1, $adminroot = '') {
|
|||
//<![CDATA[
|
||||
|
||||
function redirect() {
|
||||
document.location.replace('<?php echo $surl ?>');
|
||||
document.location.replace('<?php echo addslashes_js($url) ?>');
|
||||
}
|
||||
setTimeout("redirect()", <?php echo ($delay * 1000) ?>);
|
||||
//]]>
|
||||
|
|
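Review bot: The rewritten URL cleaning in redirect() (the three new lines from `$encodedurl = preg_replace("/\&(?![a-zA-Z0-9#]{1,8};)/", ...)` to `$url = str_replace(...)`) drops the old explicit `$url = str_replace(array("\n", "\r"), '', $url);` without a visible replacement, so a CR/LF in the incoming URL is only removed if clean_text() happens to strip it on both the kses and HTML Purifier paths (not shown here), while the capture class `[^"]*` in the href regex matches newlines and the result feeds `@header('Location: '.$url)`, the meta refresh and the script block. PHP 5.1.2+ refuses a multi-line header() value, but the two HTML outputs still receive it and the old one-liner was cheap defence in depth, so restore it before the first preg_replace. Separately, when clean_text() removes the href attribute entirely (a rejected scheme, for example), `preg_replace('/^.*href="([^"]*)".*$/', "\\1", ...)` finds no match and returns the cleaned anchor markup unchanged, which then becomes the redirect target; test with `preg_match('/href="([^"]*)"/', $cleaned, $m)` and redirect to a fixed safe location when it fails. In the clean_text hunk the only `global` statement rendered is `global $ALLOWED_TAGS;`, yet the new branch reads `$CFG->enablehtmlpurifier`; if `$CFG` is not in scope there, `!empty()` is silently false and the purifier is never used, so confirm that line reads `global $ALLOWED_TAGS, $CFG;`. Both redirect() and clean_text() start and end outside the hunks shown.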