diff options
author | Andrew Dolgov <[email protected]> | 2012-06-05 21:52:21 +0400 |
---|---|---|
committer | Andrew Dolgov <[email protected]> | 2012-06-05 21:52:21 +0400 |
commit | 010efc9b814b433bc60353caec185d905688a32b (patch) | |
tree | b2b4f62cbc2d10cf75386e992434be1f4013dc13 /include | |
parent | 705b97b7fca9ea70820af5fcd926f88903eaa430 (diff) |
Revert "remove htmlpurifier"
This reverts commit c21a462d52bd32737c32c29b060da03b38f1c2e6.
Diffstat (limited to 'include')
-rw-r--r-- | include/functions.php | 29 | ||||
-rw-r--r-- | include/sanity_check.php | 6 |
2 files changed, 31 insertions, 4 deletions
diff --git a/include/functions.php b/include/functions.php index 918192cd3..5eb5b97af 100644 --- a/include/functions.php +++ b/include/functions.php @@ -100,6 +100,8 @@ require_once 'lib/pubsubhubbub/publisher.php'; + $purifier = false; + $tz_offset = -1; $utc_tz = new DateTimeZone('UTC'); $schema_version = false; @@ -2632,17 +2634,36 @@ } function sanitize($link, $str, $force_strip_tags = false, $owner = false, $site_url = false) { + global $purifier; + if (!$owner) $owner = $_SESSION["uid"]; $res = trim($str); if (!$res) return ''; - // TODO implement better HTML tag stripping and XSS protection + // create global Purifier object if needed + if (!$purifier) { + require_once 'lib/htmlpurifier/library/HTMLPurifier.auto.php'; + + $config = HTMLPurifier_Config::createDefault(); + + $allowed = "p,a[href],i,em,b,strong,code,pre,blockquote,br,img[src|alt|title|align|hspace],ul,ol,li,h1,h2,h3,h4,s,object[classid|type|id|name|width|height|codebase],param[name|value],table,tr,td,span[class]"; + + $config->set('HTML.SafeObject', true); + @$config->set('HTML', 'Allowed', $allowed); + $config->set('Output.FlashCompat', true); + $config->set('Attr.EnableID', true); + if (!defined('MOBILE_VERSION')) { + @$config->set('Cache', 'SerializerPath', CACHE_DIR . "/htmlpurifier"); + } else { + @$config->set('Cache', 'SerializerPath', "../" . CACHE_DIR . "/htmlpurifier"); + } + + $config->set('Filter.YouTube', true); - if (function_exists('filter_var')) { - $res = filter_var($res, FILTER_SANITIZE_STRING); + $purifier = new HTMLPurifier($config); } - $res = strip_tags($str, "<p><a><i><em><b><strong><code><pre><blockquote><br><img><ul><ol><li><h1><h2><h3><h4><s><object><param><table><tr><td><span>"); + $res = $purifier->purify($res); if (get_pref($link, "STRIP_IMAGES", $owner)) { $res = preg_replace('/<img[^>]+>/is', '', $res); diff --git a/include/sanity_check.php b/include/sanity_check.php index 2195945be..11da85921 100644 --- a/include/sanity_check.php +++ b/include/sanity_check.php @@ -23,6 +23,12 @@ $array_push($errors, "Configuration file (config.php) has incorrect version. Update it with new options from config.php-dist and set CONFIG_VERSION to the correct value."); } + $purifier_cache_dir = CACHE_DIR . "/htmlpurifier"; + + if (!is_writable($purifier_cache_dir)) { + array_push($errors, "HTMLPurifier cache directory should be writable by anyone (chmod -R 777 $purifier_cache_dir)"); + } + if (!is_writable(CACHE_DIR . "/images")) { array_push($errors, "Image cache is not writable (chmod -R 777 ".CACHE_DIR."/images)"); } |