Diffstat (limited to 'LibertySystem.php')
| -rwxr-xr-x | LibertySystem.php | 143 |
1 files changed, 142 insertions, 1 deletions
diff --git a/LibertySystem.php b/LibertySystem.php
index 13ea58c..0faade0 100755
--- a/LibertySystem.php
+++ b/LibertySystem.php
@@ -3,7 +3,7 @@
 * System class for handling the liberty package
 *
 * @package liberty
-* @version $Header: /cvsroot/bitweaver/_bit_liberty/LibertySystem.php,v 1.68 2007/04/07 18:42:22 wjames5 Exp $
+* @version $Header: /cvsroot/bitweaver/_bit_liberty/LibertySystem.php,v 1.69 2007/05/17 14:14:29 nickpalmer Exp $
 * @author spider <spider@steelsun.com>
 */
 
@@ -106,6 +106,147 @@ class LibertySystem extends LibertyBase { } } + /** + * Return the types of purification supported by purifyHtml + * @returns an array of strings with the types + */ + function purifyHtmlMethods() { + return array('htmlpurifier' => "HTML Purifier", + 'simple' => "Simple Purifier"); + } + + /** + * Purify HTML from a string. + * + * @param string The string to be cleaned. + * @returns string The sanitized string + */ + function purifyHtml($pString) { + global $gBitSystem; + switch($gBitSystem->getConfig('liberty_html_purifier', 'simple')) { + case 'htmlpurifier': + $pString = $this->advancedPurifyHtml($pString); + break; + + case 'simple': + default: + $pString = $this->simplePurifyHtml($pString); + break; + } + + return $pString; + } + + function advancedPurifyHtml($pString) { + global $gHtmlPurifier, $gBitSystem; + if (!isset($gHtmlPurifier)) { + $blacklistedTags = $gBitSystem-> + getConfig('blacklisted_html_tags', ''); + require_once(UTIL_PKG_PATH . 'htmlpurifier/HTMLPurifier.auto.php'); + $config = HTMLPurifier_Config::createDefault(); + + if ($gBitSystem->getConfig('liberty_html_pure_escape_bad', 'y') == 'y') { + $config->set('Core', 'EscapeInvalidTags', true); + $config->set('Core', 'EscapeInvalidChildren', true); + } + if ($gBitSystem->getConfig('liberty_html_pure_disable_extern') == 'y') { + $config->set('URI', 'DisableExternal', true); + } + if ($gBitSystem->getConfig('liberty_html_pure_disable_extern_res', 'y') == 'y') { + $config->set('URI', 'DisableExternalResources', true); + } + if ($gBitSystem->getConfig('liberty_html_pure_disable_res') == 'y') { + $config->set('URI', 'DisableResources', true); + } + if ($gBitSystem->getConfig('liberty_html_pure_disable_uri') == 'y') { + $config->set('URI', 'Disable', true); + } + if ($gBitSystem->getConfig('liberty_html_pure_use_redirect') == 'y') { + $config->set('URI', 'Munge', LIBERTY_PKG_URL.'redirect.php?q=%s'); + } + if ($gBitSystem->getConfig('liberty_html_pure_strict_html', 'y') == 'y') 
{ + $config->set('HTML', 'Strict', true); + } + if ($gBitSystem->getConfig('liberty_html_pure_xhtml', 'n') == 'n') { + $config->set('Core', 'XHTML', true); + } + + $def =& $config->getHTMLDefinition(); + // HTMLPurifier doesn't have a blacklist feature. Duh guys! + // Note that this has to come last since the other configs + // may tweak the def. + foreach (explode(',',$blacklistedTags) as $tag) { + unset($def->info[$tag]); + } + + $gHtmlPurifier = new HTMLPurifier($config); + } + $pString = $gHtmlPurifier->purify($pString); + + /* There isn't an easy way to disable an attribute in HTMLPurifier */ + $pString = $this->purifyStyle($pString); + + return $pString; + } + + /** + * Removes all style both inline and attributes unless the user + * has permission to edit styles. + */ + function purifyStyle( $pText ) { + global $gBitUser; + + $text = $pText; + // Yank style - both tag and inline attributes + // strip_tags has doesn't recognize that css within the style tags are not document text. To fix this do something similar to the following: + if( !$gBitUser->hasPermission( 'p_liberty_edit_html_style' ) ) { + $text = preg_replace( "/<style[^>]*>.*<\/style>/siU", '', $text ); + } + $text = stripslashes($text); + if( !$gBitUser->hasPermission( 'p_liberty_edit_html_style' ) ) { + $text = preg_replace( "/ (style|class)=[\"]?([^\"]*)[\"]?/i", '', $text); + } + + return $text; + } + + // This function is a menagerie of the techniques of the comments listed at + // http://www.php.net/manual/en/function.strip-tags.php - spiderr + function simplePurifyHtml( $pText ) { + global $gBitSystem, $gBitUser; + + // convert all HTML entites to catch people trying to sneak stuff by with things like { etc.. 
+ if( function_exists( 'html_entity_decode' ) ) { + // quieten this down since it causes an error in PHP4 + // http://bugs.php.net/bug.php?id=25670 + $text = @html_entity_decode( $pText, ENT_COMPAT, 'UTF-8' ); + } else { + $trans_tbl = get_html_translation_table(HTML_ENTITIES); + $trans_tbl = array_flip($trans_tbl); + $text = strtr($pText, $trans_tbl); + } + + // strip_tags() appears to become nauseated at the site of a <!DOCTYPE> declaration + $text = str_replace( '<!DOCTYPE', '<DOCTYPE', $text ); + + $text = $this->purifyStyle($text); + + // Strip all evil tags that remain + // this comes out of gBitSystem->getConfig() set in Liberty Admin + $acceptableTags = $gBitSystem->getConfig( 'approved_html_tags', DEFAULT_ACCEPTABLE_TAGS ); + + // Destroy all script code "manually" - strip_tags will leave code inline as plain text + if( !preg_match( '/\<script\>/', $acceptableTags ) ) { + $text = preg_replace( "/(\<script)(.*?)(script\>)/si", '', $text ); + } + + $text = strip_tags( $text, $acceptableTags ); + $text = str_replace("<!--", "<!--", $text); + $text = preg_replace("/(\<)(.*?)(--\>)/mi", "".nl2br("\\2")."", $text); + + return( $text ); + } + // ****************************** Plugin Functions /** * Load only active plugins from disk |
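Review bot: The `simple` path that `purifyHtml` selects by default (`getConfig('liberty_html_purifier', 'simple')`) relies on `strip_tags($text, $acceptableTags)`, which keeps every attribute of an approved tag, and the only attribute cleanup afterwards is `purifyStyle`, which drops `style`/`class` alone; the docblocks of `purifyHtml` and `simplePurifyHtml` should state this, e.g. `* NOTE: strip_tags() leaves all attributes of approved tags intact; only style/class are removed by purifyStyle().` The `purifyStyle` attribute regex `/ (style|class)=[\"]?([^\"]*)[\"]?/i` also assumes double-quoted or unquoted values, so on a single-quoted value `[^\"]*` runs on until the next double quote and can remove unrelated markup. Two smaller points at the end of `simplePurifyHtml`: `str_replace("<!--", "<!--", $text)` is a no-op as shown (possibly an entity lost in extraction), and `"".nl2br("\\2").""` is just `"\\2"`. The `liberty_html_pure_xhtml` branch in `advancedPurifyHtml` sets `Core`/`XHTML` to true when the option is `'n'`, which reads inverted and is worth confirming against the admin setting. The added methods are complete within the hunk, but the enclosing `LibertySystem` class begins and ends outside it.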
