ILIAS  release_5-2 Revision v5.2.25-18-g3f80b828510
htmlpurifier.php File Reference


Functions

phorum_htmlpurifier_format($data)
    HTML Purifier Phorum Mod.

phorum_htmlpurifier_generate_sig($row)
    Generates a signature based on a message array.

phorum_htmlpurifier_generate_editmessage($row)
    Generates an edit message based on a message array.

phorum_htmlpurifier_remove_sig_and_editmessage(&$row)
    Removes the signature and edit message from a message.

phorum_htmlpurifier_posting($message)
    Indicate that data is fully HTML and not from migration, invalidate previous caches.

phorum_htmlpurifier_quote($array)
    Overload quoting mechanism to prevent default, mail-style quote from happening.

phorum_htmlpurifier_common()
    Ensure that our format hook is processed last.

phorum_htmlpurifier_before_editor($message)
    Pre-emptively performs purification if it looks like a WYSIWYG editor is being used.

phorum_htmlpurifier_editor_after_subject()

Function Documentation

◆ phorum_htmlpurifier_before_editor()

phorum_htmlpurifier_before_editor($message)

Pre-emptively performs purification if it looks like a WYSIWYG editor is being used.

Definition at line 240 of file htmlpurifier.php.

{
    if (!empty($GLOBALS['PHORUM']['mod_htmlpurifier']['wysiwyg'])) {
        if (!empty($message['body'])) {
            $body = $message['body'];
            // de-entity-ize contents
            $body = str_replace(array('&lt;','&gt;','&amp;'), array('<','>','&'), $body);
            $purifier =& HTMLPurifier::getInstance();
            $body = $purifier->purify($body);
            // re-entity-ize contents
            $body = htmlspecialchars($body, ENT_QUOTES, $GLOBALS['PHORUM']['DATA']['CHARSET']);
            $message['body'] = $body;
        }
    }
    return $message;
}

References $GLOBALS, and HTMLPurifier\getInstance().


◆ phorum_htmlpurifier_common()

phorum_htmlpurifier_common()

Ensure that our format hook is processed last.

Also loads the library. Credits: http://secretsauce.phorum.org/snippets/make_bbcode_last_formatter.php.txt

Definition at line 208 of file htmlpurifier.php.

{
    require_once(dirname(__FILE__).'/htmlpurifier/HTMLPurifier.auto.php');
    require(dirname(__FILE__).'/init-config.php');

    // The extracted listing drops file lines 213-214; the two statements below
    // are reconstructed from the reference list for this function ($config,
    // phorum_htmlpurifier_get_config() and HTMLPurifier\getInstance()).
    $config = phorum_htmlpurifier_get_config();
    HTMLPurifier::getInstance($config);

    // increment revision.txt if you want to invalidate the cache
    $GLOBALS['PHORUM']['mod_htmlpurifier']['body_cache_serial'] = $config->getSerial();

    // load migration
    if (file_exists(dirname(__FILE__) . '/migrate.php')) {
        include(dirname(__FILE__) . '/migrate.php');
    } else {
        echo '<strong>Error:</strong> No migration path specified for HTML Purifier, please check
        <tt>modes/htmlpurifier/migrate.bbcode.php</tt> for instructions on
        how to migrate from your previous markup language.';
        exit;
    }

    if (!function_exists('phorum_htmlpurifier_migrate')) {
        // Dummy function
        function phorum_htmlpurifier_migrate($data) {return $data;}
    }

}

References $config, $data, $GLOBALS, exit, HTMLPurifier\getInstance(), phorum_htmlpurifier_get_config(), and phorum_htmlpurifier_migrate().


◆ phorum_htmlpurifier_editor_after_subject()

phorum_htmlpurifier_editor_after_subject()

Definition at line 257 of file htmlpurifier.php.

{
    // don't show this message if it's a WYSIWYG editor, since it will
    // then be handled automatically
    if (!empty($GLOBALS['PHORUM']['mod_htmlpurifier']['wysiwyg'])) {
        $i = $GLOBALS['PHORUM']['DATA']['MODE'];
        if ($i == 'quote' || $i == 'edit' || $i == 'moderation') {
            ?>
            <div>
                <p>
                    <strong>Notice:</strong> HTML has been scrubbed for your safety.
                    If you would like to see the original, turn off WYSIWYG mode
                    (consult your administrator for details.)
                </p>
            </div>
            <?php
        }
        return;
    }
    if (!empty($GLOBALS['PHORUM']['mod_htmlpurifier']['suppress_message'])) return;
    ?><div class="htmlpurifier-help">
    <p>
        <strong>HTML input</strong> is enabled. Make sure you escape all HTML and
        angled brackets with <code>&amp;lt;</code> and <code>&amp;gt;</code>.
    </p><?php
    $purifier =& HTMLPurifier::getInstance();
    $config = $purifier->config;
    if ($config->get('AutoFormat.AutoParagraph')) {
        ?><p>
        <strong>Auto-paragraphing</strong> is enabled. Double
        newlines will be converted to paragraphs; for single
        newlines, use the <code>pre</code> tag.
        </p><?php
    }
    // list every element the active HTML definition accepts
    $html_definition = $config->getDefinition('HTML');
    $allowed = array();
    foreach ($html_definition->info as $name => $x) $allowed[] = "<code>$name</code>";
    sort($allowed);
    $allowed_text = implode(', ', $allowed);
    ?><p><strong>Allowed tags:</strong> <?php
    echo $allowed_text;
    // the original listing emitted a second, unmatched </p> after this one; dropped
    ?>.</p>
    <p>
        For inputting literal code such as HTML and PHP for display, use
        CDATA tags to auto-escape your angled brackets, and <code>pre</code>
        to preserve newlines:
    </p>
    <pre>&lt;pre&gt;&lt;![CDATA[
<em>Place code here</em>
]]&gt;&lt;/pre&gt;</pre>
    <p>
        Power users, you can hide this notice with:
        <pre>.htmlpurifier-help {display:none;}</pre>
    </p>
    </div><?php
}

References $config, $GLOBALS, $x, HTMLPurifier\getInstance(), input, and p.


◆ phorum_htmlpurifier_format()

phorum_htmlpurifier_format($data)

HTML Purifier Phorum Mod.

Filter your HTML the Standards-Compliant Way!

This Phorum mod enables users to post raw HTML into Phorum. But never fear: with the help of HTML Purifier, this HTML will be beaten into de-XSSed and standards-compliant form, safe for general consumption. It is possible, though not recommended, to run this mod in parallel with other formatters (in short, please DISABLE the BBcode mod).

For help migrating from your previous markup language to pure HTML, please check the migrate.bbcode.php file.

If you'd like to use this with a WYSIWYG editor, make sure that the editor sets $PHORUM['mod_htmlpurifier']['wysiwyg'] to true. Otherwise, administrators who need to edit other people's comments may be at risk of some nasty attacks.

Tested with Phorum 5.2.11.

Purifies a data array.

Definition at line 31 of file htmlpurifier.php.

{
    $PHORUM = $GLOBALS["PHORUM"];

    $purifier =& HTMLPurifier::getInstance();
    $cache_serial = $PHORUM['mod_htmlpurifier']['body_cache_serial'];

    foreach ($data as $message_id => $message) {
        if (isset($message['body'])) {

            if ($message_id) {
                // we're dealing with a real message, not a fake, so
                // there are a number of shortcuts that can be taken

                if (isset($message['meta']['htmlpurifier_light'])) {
                    // format hook was called outside of Phorum's normal
                    // functions, do the abridged purification
                    $data[$message_id]['body'] = $purifier->purify($message['body']);
                    continue;
                }

                if (!empty($PHORUM['args']['purge'])) {
                    // purge the cache, must be below the following if
                    unset($message['meta']['body_cache']);
                }

                if (
                    isset($message['meta']['body_cache']) &&
                    isset($message['meta']['body_cache_serial']) &&
                    $message['meta']['body_cache_serial'] == $cache_serial
                ) {
                    // cached version is present, bail out early
                    $data[$message_id]['body'] = base64_decode($message['meta']['body_cache']);
                    continue;
                }
            }

            // migration might edit this array, that's why it's defined
            // so early
            $updated_message = array();

            // create the $body variable
            if (
                $message_id && // message must be real to migrate
                !isset($message['meta']['body_cache_serial'])
            ) {
                // perform migration
                $fake_data = array();
                list($signature, $edit_message) = phorum_htmlpurifier_remove_sig_and_editmessage($message);
                $fake_data[$message_id] = $message;
                $fake_data = phorum_htmlpurifier_migrate($fake_data);
                $body = $fake_data[$message_id]['body'];
                $body = str_replace("<phorum break>\n", "\n", $body);
                $updated_message['body'] = $body; // save it in
                $body .= $signature . $edit_message; // add it back in
            } else {
                // reverse Phorum's pre-processing
                $body = $message['body'];
                // order is important
                $body = str_replace("<phorum break>\n", "\n", $body);
                $body = str_replace(array('&lt;','&gt;','&amp;', '&quot;'), array('<','>','&','"'), $body);
                if (!$message_id && defined('PHORUM_CONTROL_CENTER')) {
                    // we're in control.php, so it was double-escaped
                    $body = str_replace(array('&lt;','&gt;','&amp;', '&quot;'), array('<','>','&','"'), $body);
                }
            }

            $body = $purifier->purify($body);

            // dynamically update the cache (MUST BE DONE HERE!)
            // this is inefficient because it's one db call per
            // cache miss, but once the cache is in place things are
            // a lot zippier.

            if ($message_id) { // make sure it's not a fake id
                $updated_message['meta'] = $message['meta'];
                $updated_message['meta']['body_cache'] = base64_encode($body);
                $updated_message['meta']['body_cache_serial'] = $cache_serial;
                phorum_db_update_message($message_id, $updated_message);
            }

            // must not get overloaded until after we cache it, otherwise
            // we'll inadvertently change the original text
            $data[$message_id]['body'] = $body;

        }
    }

    return $data;
}

References $data, $GLOBALS, $PHORUM, defined, HTMLPurifier\getInstance(), phorum_htmlpurifier_migrate(), and phorum_htmlpurifier_remove_sig_and_editmessage().
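As an added illustration (not code from the Phorum mod or HTML Purifier), the following Python models the two hook paths documented on this page: the body_cache/body_cache_serial logic of phorum_htmlpurifier_format() and the de-entity-ize, purify, re-entity-ize step of phorum_htmlpurifier_before_editor(). The purify() function is a constructed allowlist stand-in for HTMLPurifier::purify(), and the message dictionaries are constructed sample data.

```python
import base64
import html
import re

# Constructed stand-in for HTMLPurifier::purify(): keeps an allowlist of tags
# (attributes stripped), drops every other tag, escapes all text. Real HTML
# Purifier does far more; this only makes the hook logic observable.
ALLOWED = {"b", "i", "em", "strong", "p", "pre", "code", "blockquote"}
TAG_RE = re.compile(r"<(/?)([a-zA-Z][a-zA-Z0-9]*)[^>]*>")

def purify(body):
    out, pos = [], 0
    for m in TAG_RE.finditer(body):
        out.append(html.escape(body[pos:m.start()], quote=False))
        slash, name = m.group(1), m.group(2).lower()
        if name in ALLOWED:
            out.append(f"<{slash}{name}>")
        pos = m.end()
    out.append(html.escape(body[pos:], quote=False))
    return "".join(out)

def format_hook(data, cache_serial, purge=False):
    """Cache path of phorum_htmlpurifier_format(): serve body_cache only when
    its serial matches the current config serial, otherwise re-purify and
    re-cache. Returns (data, rows phorum_db_update_message() would receive)."""
    db_updates = []
    for message_id, message in data.items():
        meta = dict(message.get("meta", {}))
        if message_id and purge:
            meta.pop("body_cache", None)          # explicit cache purge
        if (message_id and "body_cache" in meta
                and meta.get("body_cache_serial") == cache_serial):
            data[message_id]["body"] = base64.b64decode(meta["body_cache"]).decode()
            continue                              # cache hit: no purification
        body = purify(message["body"])
        if message_id:                            # real message: refresh cache
            meta["body_cache"] = base64.b64encode(body.encode()).decode()
            meta["body_cache_serial"] = cache_serial
            db_updates.append((message_id, meta))
        data[message_id]["body"] = body           # overwrite only after caching
    return data, db_updates

def before_editor(message, wysiwyg=True):
    """phorum_htmlpurifier_before_editor(): purify before a stored body is
    loaded into a WYSIWYG editor (de-entity-ize, purify, re-entity-ize)."""
    if wysiwyg and message.get("body"):
        message["body"] = html.escape(purify(html.unescape(message["body"])), quote=True)
    return message
```

A configuration change in init-config.php yields a new getSerial() value, so every cached body is re-purified on its next read; the purge argument mirrors $PHORUM['args']['purge'].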


◆ phorum_htmlpurifier_generate_editmessage()

phorum_htmlpurifier_generate_editmessage($row)

Generates an edit message based on a message array.

Definition at line 145 of file htmlpurifier.php.

{
    $PHORUM = $GLOBALS['PHORUM'];
    $editmessage = '';
    if (isset($row['meta']['edit_count']) && $row['meta']['edit_count'] > 0) {
        $editmessage = str_replace("%count%", $row['meta']['edit_count'], $PHORUM["DATA"]["LANG"]["EditedMessage"]);
        $editmessage = str_replace("%lastedit%", phorum_date($PHORUM["short_date_time"], $row['meta']['edit_date']), $editmessage);
        $editmessage = str_replace("%lastuser%", $row['meta']['edit_username'], $editmessage);
        $editmessage = "\n\n\n\n$editmessage";
    }
    return $editmessage;
}

References $GLOBALS, $PHORUM, and $row.

Referenced by phorum_htmlpurifier_remove_sig_and_editmessage().


◆ phorum_htmlpurifier_generate_sig()

phorum_htmlpurifier_generate_sig($row)

Generates a signature based on a message array.

Definition at line 129 of file htmlpurifier.php.

{
    $phorum_sig = '';
    if (isset($row["user"]["signature"])
        && isset($row['meta']['show_signature']) && $row['meta']['show_signature'] == 1) {
        $phorum_sig = trim($row["user"]["signature"]);
        if (!empty($phorum_sig)) {
            $phorum_sig = "\n\n$phorum_sig";
        }
    }
    return $phorum_sig;
}

References $row.

Referenced by phorum_htmlpurifier_remove_sig_and_editmessage().


◆ phorum_htmlpurifier_posting()

phorum_htmlpurifier_posting($message)

Indicate that data is fully HTML and not from migration, invalidate previous caches.

Note: This function could generate the actual cache entries, but since some of the required data is still missing at this point, that work is deferred to the first read.

Definition at line 184 of file htmlpurifier.php.

{
    $PHORUM = $GLOBALS["PHORUM"];
    unset($message['meta']['body_cache']); // invalidate the cache
    $message['meta']['body_cache_serial'] = $PHORUM['mod_htmlpurifier']['body_cache_serial'];
    return $message;
}

References $GLOBALS, and $PHORUM.

◆ phorum_htmlpurifier_quote()

phorum_htmlpurifier_quote($array)

Overload quoting mechanism to prevent default, mail-style quote from happening.

Definition at line 195 of file htmlpurifier.php.

{
    $PHORUM = $GLOBALS["PHORUM"];
    $purifier =& HTMLPurifier::getInstance();
    $text = $purifier->purify($array[1]);
    $source = htmlspecialchars($array[0]);
    return "<blockquote cite=\"$source\">\n$text\n</blockquote>";
}

References $GLOBALS, $PHORUM, $text, and HTMLPurifier\getInstance().


◆ phorum_htmlpurifier_remove_sig_and_editmessage()

phorum_htmlpurifier_remove_sig_and_editmessage(&$row)

Removes the signature and edit message from a message.

Parameters
    $row: Message passed by reference

Definition at line 165 of file htmlpurifier.php.

{
    // The extracted listing drops file lines 167-168, which compute the two
    // values removed below; reconstructed from the reference list for this
    // function (phorum_htmlpurifier_generate_sig(), phorum_htmlpurifier_generate_editmessage()).
    $signature = phorum_htmlpurifier_generate_sig($row);
    $editmessage = phorum_htmlpurifier_generate_editmessage($row);
    $replacements = array();
    // we need to add <phorum break> as that is the form these
    // extra bits are in.
    if ($signature) $replacements[str_replace("\n", "<phorum break>\n", $signature)] = '';
    if ($editmessage) $replacements[str_replace("\n", "<phorum break>\n", $editmessage)] = '';
    $row['body'] = strtr($row['body'], $replacements);
    return array($signature, $editmessage);
}

References $row, phorum_htmlpurifier_generate_editmessage(), and phorum_htmlpurifier_generate_sig().

Referenced by phorum_htmlpurifier_format().
