From 010efc9b814b433bc60353caec185d905688a32b Mon Sep 17 00:00:00 2001
From: Andrew Dolgov <fox@madoka.volgo-balt.ru>
Date: Tue, 5 Jun 2012 21:52:21 +0400
Subject: Revert "remove htmlpurifier"

This reverts commit c21a462d52bd32737c32c29b060da03b38f1c2e6.
---
 include/functions.php | 29 +++++++++++++++++++++++++----
 1 file changed, 25 insertions(+), 4 deletions(-)

(limited to 'include/functions.php')

diff --git a/include/functions.php b/include/functions.php
index 918192cd3..5eb5b97af 100644
--- a/include/functions.php
+++ b/include/functions.php
@@ -100,6 +100,8 @@
 
 	require_once 'lib/pubsubhubbub/publisher.php';
 
+	$purifier = false;
+
 	$tz_offset = -1;
 	$utc_tz = new DateTimeZone('UTC');
 	$schema_version = false;
@@ -2632,17 +2634,36 @@
 	}
 
 	function sanitize($link, $str, $force_strip_tags = false, $owner = false, $site_url = false) {
+		global $purifier;
+
 		if (!$owner) $owner = $_SESSION["uid"];
 
 		$res = trim($str); if (!$res) return '';
 
-		// TODO implement better HTML tag stripping and XSS protection
+		// create global Purifier object if needed
+		if (!$purifier) {
+			require_once 'lib/htmlpurifier/library/HTMLPurifier.auto.php';
+
+			$config = HTMLPurifier_Config::createDefault();
+
+			$allowed = "p,a[href],i,em,b,strong,code,pre,blockquote,br,img[src|alt|title|align|hspace],ul,ol,li,h1,h2,h3,h4,s,object[classid|type|id|name|width|height|codebase],param[name|value],table,tr,td,span[class]";
+
+			$config->set('HTML.SafeObject', true);
+			@$config->set('HTML', 'Allowed', $allowed);
+			$config->set('Output.FlashCompat', true);
+			$config->set('Attr.EnableID', true);
+			if (!defined('MOBILE_VERSION')) {
+				@$config->set('Cache', 'SerializerPath', CACHE_DIR . "/htmlpurifier");
+			} else {
+				@$config->set('Cache', 'SerializerPath', "../" . CACHE_DIR . "/htmlpurifier");
+			}
+
+			$config->set('Filter.YouTube', true);
 
-		if (function_exists('filter_var')) {
-			$res = filter_var($res, FILTER_SANITIZE_STRING);
+			$purifier = new HTMLPurifier($config);
 		}
 
-		$res = strip_tags($str, "<p><a><i><em><b><strong><code><pre><blockquote><br><img><ul><ol><li><h1><h2><h3><h4><s><object><param><table><tr><td><span>");
+		$res = $purifier->purify($res);
 
 		if (get_pref($link, "STRIP_IMAGES", $owner)) {
 			$res = preg_replace('/<img[^>]+>/is', '', $res);
-- 
cgit v1.2.3