htmlpurifier.php File Reference

Go to the source code of this file.

Functions
	phorum_htmlpurifier_format ($data)
	HTML Purifier Phorum Mod. More...
	phorum_htmlpurifier_generate_sig ($row)
	Generates a signature based on a message array. More...
	phorum_htmlpurifier_generate_editmessage ($row)
	Generates an edit message based on a message array. More...
	phorum_htmlpurifier_remove_sig_and_editmessage (&$row)
	Removes the signature and edit message from a message. More...
	phorum_htmlpurifier_posting ($message)
	Indicate that data is fully HTML and not from migration, invalidate previous caches. More...
	phorum_htmlpurifier_quote ($array)
	Overload quoting mechanism to prevent default, mail-style quote from happening. More...
	phorum_htmlpurifier_common ()
	Ensure that our format hook is processed last. More...
	phorum_htmlpurifier_before_editor ($message)
	Pre-emptively performs purification if it looks like a WYSIWYG editor is being used. More...
	phorum_htmlpurifier_editor_after_subject ()

Function Documentation

phorum_htmlpurifier_before_editor()

phorum_htmlpurifier_before_editor

(

$message

)

Pre-emptively performs purification if it looks like a WYSIWYG editor is being used.

Definition at line 240 of file htmlpurifier.php.

References $GLOBALS, $message, array, and HTMLPurifier\getInstance().

{
    if (!empty($GLOBALS['PHORUM']['mod_htmlpurifier']['wysiwyg'])) {
        if (!empty($message['body'])) {
            $body = $message['body'];
            // de-entity-ize contents
            $body = str_replace(array('&lt;','&gt;','&amp;'), array('<','>','&'), $body);
            $purifier =& HTMLPurifier::getInstance();
            $body = $purifier->purify($body);
            // re-entity-ize contents
            $body = htmlspecialchars($body, ENT_QUOTES, $GLOBALS['PHORUM']['DATA']['CHARSET']);
            $message['body'] = $body;
        }
    }
    return $message;
}

Here is the call graph for this function:

phorum_htmlpurifier_common()

phorum_htmlpurifier_common

(

)

Ensure that our format hook is processed last.

Also, loads the library. http://secretsauce.phorum.org/snippets/make_bbcode_last_formatter.php.txt

Definition at line 208 of file htmlpurifier.php.

References $config, $data, $GLOBALS, exit, HTMLPurifier\getInstance(), phorum_htmlpurifier_get_config(), and phorum_htmlpurifier_migrate().

{
    require_once(dirname(__FILE__).'/htmlpurifier/HTMLPurifier.auto.php');
    require(dirname(__FILE__).'/init-config.php');

    $config = phorum_htmlpurifier_get_config();
    HTMLPurifier::getInstance($config);

    // increment revision.txt if you want to invalidate the cache
    $GLOBALS['PHORUM']['mod_htmlpurifier']['body_cache_serial'] = $config->getSerial();

    // load migration
    if (file_exists(dirname(__FILE__) . '/migrate.php')) {
        include(dirname(__FILE__) . '/migrate.php');
    } else {
        echo '<strong>Error:</strong> No migration path specified for HTML Purifier, please check
        <tt>modes/htmlpurifier/migrate.bbcode.php</tt> for instructions on
        how to migrate from your previous markup language.';
        exit;
    }

    if (!function_exists('phorum_htmlpurifier_migrate')) {
        // Dummy function
        function phorum_htmlpurifier_migrate($data) {return $data;}
    }

}

Here is the call graph for this function:

phorum_htmlpurifier_editor_after_subject()

phorum_htmlpurifier_editor_after_subject

(

)

Definition at line 257 of file htmlpurifier.php.

References $config, $GLOBALS, $i, $name, $x, array, HTMLPurifier\getInstance(), is, PHP, and to.

{
    // don't show this message if it's a WYSIWYG editor, since it will
    // then be handled automatically
    if (!empty($GLOBALS['PHORUM']['mod_htmlpurifier']['wysiwyg'])) {
        $i = $GLOBALS['PHORUM']['DATA']['MODE'];
        if ($i == 'quote' || $i == 'edit' || $i == 'moderation') {
          ?>
          <div>
            <p>
              <strong>Notice:</strong> HTML has been scrubbed for your safety.
              If you would like to see the original, turn off WYSIWYG mode
              (consult your administrator for details.)
            </p>
          </div>
          <?php
        }
        return;
    }
    if (!empty($GLOBALS['PHORUM']['mod_htmlpurifier']['suppress_message'])) return;
    ?><div class="htmlpurifier-help">
    <p>
        <strong>HTML input</strong> is enabled. Make sure you escape all HTML and
        angled brackets with <code>&amp;lt;</code> and <code>&amp;gt;</code>.
    </p><?php
            $purifier =& HTMLPurifier::getInstance();
            $config = $purifier->config;
            if ($config->get('AutoFormat.AutoParagraph')) {
                ?><p>
                    <strong>Auto-paragraphing</strong> is enabled. Double
                    newlines will be converted to paragraphs; for single
                    newlines, use the <code>pre</code> tag.
                </p><?php
            }
            $html_definition = $config->getDefinition('HTML');
            $allowed = array();
            foreach ($html_definition->info as $name => $x) $allowed[] = "<code>$name</code>";
            sort($allowed);
            $allowed_text = implode(', ', $allowed);
            ?><p><strong>Allowed tags:</strong> <?php
            echo $allowed_text;
            ?>.</p><?php
        ?>
    </p>
    <p>
        For inputting literal code such as HTML and PHP for display, use
        CDATA tags to auto-escape your angled brackets, and <code>pre</code>
        to preserve newlines:
    </p>
    <pre>&lt;pre&gt;&lt;![CDATA[
<em>Place code here</em>
]]&gt;&lt;/pre&gt;</pre>
    <p>
        Power users, you can hide this notice with:
        <pre>.htmlpurifier-help {display:none;}</pre>
    </p>
    </div><?php
}

Here is the call graph for this function:

phorum_htmlpurifier_format()

phorum_htmlpurifier_format

(

$data

)

HTML Purifier Phorum Mod.

Filter your HTML the Standards-Compliant Way!

This Phorum mod enables users to post raw HTML into Phorum. But never fear: with the help of HTML Purifier, this HTML will be beat into de-XSSed and standards-compliant form, safe for general consumption. It is not recommended, but possible to run this mod in parallel with other formatters (in short, please DISABLE the BBcode mod).

For help migrating from your previous markup language to pure HTML please check the migrate.bbcode.php file.

If you'd like to use this with a WYSIWYG editor, make sure that editor sets $PHORUM['mod_htmlpurifier']['wysiwyg'] to true. Otherwise, administrators who need to edit other people's comments may be at risk for some nasty attacks.

Tested with Phorum 5.2.11. Purifies a data array

Definition at line 31 of file htmlpurifier.php.

References $data, $GLOBALS, $message, $PHORUM, array, defined, HTMLPurifier\getInstance(), phorum_htmlpurifier_migrate(), and phorum_htmlpurifier_remove_sig_and_editmessage().

{
    $PHORUM = $GLOBALS["PHORUM"];

    $purifier =& HTMLPurifier::getInstance();
    $cache_serial = $PHORUM['mod_htmlpurifier']['body_cache_serial'];

    foreach($data as $message_id => $message){
        if(isset($message['body'])) {

            if ($message_id) {
                // we're dealing with a real message, not a fake, so
                // there a number of shortcuts that can be taken

                if (isset($message['meta']['htmlpurifier_light'])) {
                    // format hook was called outside of Phorum's normal
                    // functions, do the abridged purification
                    $data[$message_id]['body'] = $purifier->purify($message['body']);
                    continue;
                }

                if (!empty($PHORUM['args']['purge'])) {
                    // purge the cache, must be below the following if
                    unset($message['meta']['body_cache']);
                }

                if (
                    isset($message['meta']['body_cache']) &&
                    isset($message['meta']['body_cache_serial']) &&
                    $message['meta']['body_cache_serial'] == $cache_serial
                ) {
                    // cached version is present, bail out early
                    $data[$message_id]['body'] = base64_decode($message['meta']['body_cache']);
                    continue;
                }
            }

            // migration might edit this array, that's why it's defined
            // so early
            $updated_message = array();

            // create the $body variable
            if (
                $message_id && // message must be real to migrate
                !isset($message['meta']['body_cache_serial'])
            ) {
                // perform migration
                $fake_data = array();
                list($signature, $edit_message) = phorum_htmlpurifier_remove_sig_and_editmessage($message);
                $fake_data[$message_id] = $message;
                $fake_data = phorum_htmlpurifier_migrate($fake_data);
                $body = $fake_data[$message_id]['body'];
                $body = str_replace("<phorum break>\n", "\n", $body);
                $updated_message['body'] = $body; // save it in
                $body .= $signature . $edit_message; // add it back in
            } else {
                // reverse Phorum's pre-processing
                $body = $message['body'];
                // order is important
                $body = str_replace("<phorum break>\n", "\n", $body);
                $body = str_replace(array('&lt;','&gt;','&amp;', '&quot;'), array('<','>','&','"'), $body);
                if (!$message_id && defined('PHORUM_CONTROL_CENTER')) {
                    // we're in control.php, so it was double-escaped
                    $body = str_replace(array('&lt;','&gt;','&amp;', '&quot;'), array('<','>','&','"'), $body);
                }
            }

            $body = $purifier->purify($body);

            // dynamically update the cache (MUST BE DONE HERE!)
            // this is inefficient because it's one db call per
            // cache miss, but once the cache is in place things are
            // a lot zippier.

            if ($message_id) { // make sure it's not a fake id
                $updated_message['meta'] = $message['meta'];
                $updated_message['meta']['body_cache'] = base64_encode($body);
                $updated_message['meta']['body_cache_serial'] = $cache_serial;
                phorum_db_update_message($message_id, $updated_message);
            }

            // must not get overloaded until after we cache it, otherwise
            // we'll inadvertently change the original text
            $data[$message_id]['body'] = $body;

        }
    }

    return $data;
}

Here is the call graph for this function:

phorum_htmlpurifier_generate_editmessage()

phorum_htmlpurifier_generate_editmessage

(

$row

)

Generates an edit message based on a message array.

Definition at line 145 of file htmlpurifier.php.

References $GLOBALS, $PHORUM, and $row.

Referenced by phorum_htmlpurifier_remove_sig_and_editmessage().

{
    $PHORUM = $GLOBALS['PHORUM'];
    $editmessage = '';
    if(isset($row['meta']['edit_count']) && $row['meta']['edit_count'] > 0) {
        $editmessage = str_replace ("%count%", $row['meta']['edit_count'], $PHORUM["DATA"]["LANG"]["EditedMessage"]);
        $editmessage = str_replace ("%lastedit%", phorum_date($PHORUM["short_date_time"],$row['meta']['edit_date']),  $editmessage);
        $editmessage = str_replace ("%lastuser%", $row['meta']['edit_username'],  $editmessage);
        $editmessage = "\n\n\n\n$editmessage";
    }
    return $editmessage;
}

Here is the caller graph for this function:

phorum_htmlpurifier_generate_sig()

phorum_htmlpurifier_generate_sig

(

$row

)

Generates a signature based on a message array.

Definition at line 129 of file htmlpurifier.php.

References $row.

Referenced by phorum_htmlpurifier_remove_sig_and_editmessage().

{
    $phorum_sig = '';
    if(isset($row["user"]["signature"])
       && isset($row['meta']['show_signature']) && $row['meta']['show_signature']==1){
           $phorum_sig=trim($row["user"]["signature"]);
           if(!empty($phorum_sig)){
               $phorum_sig="\n\n$phorum_sig";
           }
    }
    return $phorum_sig;
}

Here is the caller graph for this function:

phorum_htmlpurifier_posting()

phorum_htmlpurifier_posting

(

$message

)

Indicate that data is fully HTML and not from migration, invalidate previous caches.

Note

This function could generate the actual cache entries, but since there's data missing that must be deferred to the first read

Definition at line 184 of file htmlpurifier.php.

References $GLOBALS, $message, and $PHORUM.

{
    $PHORUM = $GLOBALS["PHORUM"];
    unset($message['meta']['body_cache']); // invalidate the cache
    $message['meta']['body_cache_serial'] = $PHORUM['mod_htmlpurifier']['body_cache_serial'];
    return $message;
}

phorum_htmlpurifier_quote()

phorum_htmlpurifier_quote

(

$array

)

Overload quoting mechanism to prevent default, mail-style quote from happening.

Definition at line 195 of file htmlpurifier.php.

References $GLOBALS, $PHORUM, $source, $text, and HTMLPurifier\getInstance().

{
    $PHORUM = $GLOBALS["PHORUM"];
    $purifier =& HTMLPurifier::getInstance();
    $text = $purifier->purify($array[1]);
    $source = htmlspecialchars($array[0]);
    return "<blockquote cite=\"$source\">\n$text\n</blockquote>";
}

Here is the call graph for this function:

phorum_htmlpurifier_remove_sig_and_editmessage()

phorum_htmlpurifier_remove_sig_and_editmessage

(

&

$row

)

Removes the signature and edit message from a message.

Parameters

$row	Message passed by reference

Definition at line 165 of file htmlpurifier.php.

References $row, array, phorum_htmlpurifier_generate_editmessage(), and phorum_htmlpurifier_generate_sig().

Referenced by phorum_htmlpurifier_format().

{
    $signature = phorum_htmlpurifier_generate_sig($row);
    $editmessage = phorum_htmlpurifier_generate_editmessage($row);
    $replacements = array();
    // we need to remove add <phorum break> as that is the form these
    // extra bits are in.
    if ($signature) $replacements[str_replace("\n", "<phorum break>\n", $signature)] = '';
    if ($editmessage) $replacements[str_replace("\n", "<phorum break>\n", $editmessage)] = '';
    $row['body'] = strtr($row['body'], $replacements);
    return array($signature, $editmessage);
}

Here is the call graph for this function:

Here is the caller graph for this function: