authorNick Palmer <nick@sluggardy.net>2007-05-17 14:14:31 +0000
committerNick Palmer <nick@sluggardy.net>2007-05-17 14:14:31 +0000
commit43ca21cfbdb6a9419b6fc1ade9523f4c81bc58e8 (patch)
tree7d651afa18a29e871010453f8ff8c3661b06e257 /LibertySystem.php
parent0b3f88362e221a1613e6bca8596f013b0942abbd (diff)
Integrate HTMLPurifier into liberty.
Diffstat (limited to 'LibertySystem.php')
-rwxr-xr-xLibertySystem.php143
1 files changed, 142 insertions, 1 deletions
diff --git a/LibertySystem.php b/LibertySystem.php
index 13ea58c..0faade0 100755
--- a/LibertySystem.php
+++ b/LibertySystem.php
@@ -3,7 +3,7 @@
* System class for handling the liberty package
*
* @package liberty
-* @version $Header: /cvsroot/bitweaver/_bit_liberty/LibertySystem.php,v 1.68 2007/04/07 18:42:22 wjames5 Exp $
+* @version $Header: /cvsroot/bitweaver/_bit_liberty/LibertySystem.php,v 1.69 2007/05/17 14:14:29 nickpalmer Exp $
* @author spider <spider@steelsun.com>
*/
@@ -106,6 +106,147 @@ class LibertySystem extends LibertyBase {
}
}
+ /**
+ * Return the types of purification supported by purifyHtml
+ * @returns an array of strings with the types
+ */
+ function purifyHtmlMethods() {
+ return array('htmlpurifier' => "HTML Purifier",
+ 'simple' => "Simple Purifier");
+ }
+
+ /**
+ * Purify HTML from a string.
+ *
+ * @param string The string to be cleaned.
+ * @returns string The sanitized string
+ */
+ function purifyHtml($pString) {
+ global $gBitSystem;
+ switch($gBitSystem->getConfig('liberty_html_purifier', 'simple')) {
+ case 'htmlpurifier':
+ $pString = $this->advancedPurifyHtml($pString);
+ break;
+
+ case 'simple':
+ default:
+ $pString = $this->simplePurifyHtml($pString);
+ break;
+ }
+
+ return $pString;
+ }
+
+ function advancedPurifyHtml($pString) {
+ global $gHtmlPurifier, $gBitSystem;
+ if (!isset($gHtmlPurifier)) {
+ $blacklistedTags = $gBitSystem->
+ getConfig('blacklisted_html_tags', '');
+ require_once(UTIL_PKG_PATH . 'htmlpurifier/HTMLPurifier.auto.php');
+ $config = HTMLPurifier_Config::createDefault();
+
+ if ($gBitSystem->getConfig('liberty_html_pure_escape_bad', 'y') == 'y') {
+ $config->set('Core', 'EscapeInvalidTags', true);
+ $config->set('Core', 'EscapeInvalidChildren', true);
+ }
+ if ($gBitSystem->getConfig('liberty_html_pure_disable_extern') == 'y') {
+ $config->set('URI', 'DisableExternal', true);
+ }
+ if ($gBitSystem->getConfig('liberty_html_pure_disable_extern_res', 'y') == 'y') {
+ $config->set('URI', 'DisableExternalResources', true);
+ }
+ if ($gBitSystem->getConfig('liberty_html_pure_disable_res') == 'y') {
+ $config->set('URI', 'DisableResources', true);
+ }
+ if ($gBitSystem->getConfig('liberty_html_pure_disable_uri') == 'y') {
+ $config->set('URI', 'Disable', true);
+ }
+ if ($gBitSystem->getConfig('liberty_html_pure_use_redirect') == 'y') {
+ $config->set('URI', 'Munge', LIBERTY_PKG_URL.'redirect.php?q=%s');
+ }
+ if ($gBitSystem->getConfig('liberty_html_pure_strict_html', 'y') == 'y') {
+ $config->set('HTML', 'Strict', true);
+ }
+ if ($gBitSystem->getConfig('liberty_html_pure_xhtml', 'n') == 'n') {
+ $config->set('Core', 'XHTML', true);
+ }
+
+ $def =& $config->getHTMLDefinition();
+ // HTMLPurifier doesn't have a blacklist feature. Duh guys!
+ // Note that this has to come last since the other configs
+ // may tweak the def.
+ foreach (explode(',',$blacklistedTags) as $tag) {
+ unset($def->info[$tag]);
+ }
+
+ $gHtmlPurifier = new HTMLPurifier($config);
+ }
+ $pString = $gHtmlPurifier->purify($pString);
+
+ /* There isn't an easy way to disable an attribute in HTMLPurifier */
+ $pString = $this->purifyStyle($pString);
+
+ return $pString;
+ }
+
+ /**
+ * Removes all style both inline and attributes unless the user
+ * has permission to edit styles.
+ */
+ function purifyStyle( $pText ) {
+ global $gBitUser;
+
+ $text = $pText;
+ // Yank style - both tag and inline attributes
+ // strip_tags has doesn't recognize that css within the style tags are not document text. To fix this do something similar to the following:
+ if( !$gBitUser->hasPermission( 'p_liberty_edit_html_style' ) ) {
+ $text = preg_replace( "/<style[^>]*>.*<\/style>/siU", '', $text );
+ }
+ $text = stripslashes($text);
+ if( !$gBitUser->hasPermission( 'p_liberty_edit_html_style' ) ) {
+ $text = preg_replace( "/ (style|class)=[\"]?([^\"]*)[\"]?/i", '', $text);
+ }
+
+ return $text;
+ }
+
+ // This function is a menagerie of the techniques of the comments listed at
+ // http://www.php.net/manual/en/function.strip-tags.php - spiderr
+ function simplePurifyHtml( $pText ) {
+ global $gBitSystem, $gBitUser;
+
+ // convert all HTML entites to catch people trying to sneak stuff by with things like &#123; etc..
+ if( function_exists( 'html_entity_decode' ) ) {
+ // quieten this down since it causes an error in PHP4
+ // http://bugs.php.net/bug.php?id=25670
+ $text = @html_entity_decode( $pText, ENT_COMPAT, 'UTF-8' );
+ } else {
+ $trans_tbl = get_html_translation_table(HTML_ENTITIES);
+ $trans_tbl = array_flip($trans_tbl);
+ $text = strtr($pText, $trans_tbl);
+ }
+
+ // strip_tags() appears to become nauseated at the site of a <!DOCTYPE> declaration
+ $text = str_replace( '<!DOCTYPE', '<DOCTYPE', $text );
+
+ $text = $this->purifyStyle($text);
+
+ // Strip all evil tags that remain
+ // this comes out of gBitSystem->getConfig() set in Liberty Admin
+ $acceptableTags = $gBitSystem->getConfig( 'approved_html_tags', DEFAULT_ACCEPTABLE_TAGS );
+
+ // Destroy all script code "manually" - strip_tags will leave code inline as plain text
+ if( !preg_match( '/\<script\>/', $acceptableTags ) ) {
+ $text = preg_replace( "/(\<script)(.*?)(script\>)/si", '', $text );
+ }
+
+ $text = strip_tags( $text, $acceptableTags );
+ $text = str_replace("<!--", "&lt;!--", $text);
+ $text = preg_replace("/(\<)(.*?)(--\>)/mi", "".nl2br("\\2")."", $text);
+
+ return( $text );
+ }
+
// ****************************** Plugin Functions
/**
* Load only active plugins from disk
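Review bot: The `simple` path that `purifyHtml` selects by default (`getConfig('liberty_html_purifier', 'simple')`) still rests on `strip_tags()` with an allow-list, and `strip_tags` leaves every attribute on an allowed tag intact, so `onmouseover=` handlers or `href="javascript:..."` on approved tags such as `<a>` survive it; `purifyStyle` only strips `style`/`class`. If HTML Purifier ships with the package, consider making it the default in the switch at the top of `purifyHtml`, `switch($gBitSystem->getConfig('liberty_html_purifier', 'htmlpurifier')) {`, or at least state in the `purifyHtml` docblock that 'simple' does not neutralize attribute-based XSS so admins know what they are choosing. Separately, the blacklist loop in `advancedPurifyHtml` looks tags up exactly as typed, so a config value like `script, iframe` silently leaves ` iframe` in `$def->info`; normalize with `$tag = strtolower(trim($tag)); if ($tag !== '') { unset($def->info[$tag]); }`. The attribute regex in `purifyStyle` also assumes double quotes, so a single-quoted `style='...'` lets `[^\"]*` run on to the next `"` in the document — harmless on HTML Purifier output, which always double-quotes, but not on the raw input the simple path feeds it.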