
Commit 3a85318b authored by Brion Vibber's avatar Brion Vibber

First stab redoing argument loading for TinyMCE (to avoid hacking checks for...

First stab redoing argument loading for TinyMCE (to avoid hacking checks for all notice saves everywhere)
parent e54d441a
......@@ -203,6 +203,7 @@ class NewnoticeAction extends Action
$options = array_merge($options, $locOptions);
}
Event::handle('SaveNewNoticeWeb', array($this, $user, &$content_shortened, &$options));
$notice = Notice::saveNew($user->id, $content_shortened, 'web', $options);
if (isset($upload)) {
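Review bot: The new `SaveNewNoticeWeb` event hands `$content_shortened` and `$options` to plugins by reference immediately before `Notice::saveNew` stores them, so a handler can substitute content that never went through whatever shortening or length validation produced `$content_shortened` earlier in the method (that check is not visible in the hunk). If the length check does run earlier, it should be repeated on `$content_shortened` after the event returns, or the event's contract should state that handlers must not lengthen the content. The return value of `Event::handle` is also discarded, so a handler cannot veto the save; if that is intended, say so with `// Handlers may rewrite $content_shortened/$options in place; return value is deliberately ignored`. The enclosing method starts and ends outside the hunk.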
......
......@@ -78,36 +78,48 @@ class TinyMCEPlugin extends Plugin
return true;
}
function onArgsInitialize(&$args)
/**
* Sanitize HTML input and strip out potentially dangerous bits.
*
* @param string $raw HTML
* @return string HTML
*/
private function sanitizeHtml($raw)
{
if (!array_key_exists('action', $args) ||
$args['action'] != 'newnotice') {
return true;
}
$raw = $this->_scrub($args['status_textarea']);
require_once INSTALLDIR.'/extlib/htmLawed/htmLawed.php';
$config = array('safe' => 1,
'deny_attribute' => 'id,style,on*');
$this->html = htmLawed($raw, $config);
$text = html_entity_decode(strip_tags($this->html));
$args['status_textarea'] = $text;
return true;
return htmLawed($raw, $config);
}
function onStartNoticeSave($notice)
/**
* Strip HTML to plaintext string
*
* @param string $html HTML
* @return string plaintext, single line
*/
private function stripHtml($html)
{
if (!empty($this->html)) {
// Stomp on any rendering
$notice->rendered = $this->html;
}
return str_replace("\n", " ", html_entity_decode(strip_tags($html)));
}
/**
* Hook for new-notice form processing to take our HTML goodies;
* won't affect API posting etc.
*
* @param NewNoticeAction $action
* @param User $user
* @param string $content
* @param array $options
* @return boolean hook return
*/
function onSaveNewNoticeWeb($action, $user, &$content, &$options)
{
$html = $this->sanitizeHtml($action->arg('status_textarea'));
$options['rendered'] = $html;
$content = $this->stripHtml($html);
return true;
}
......@@ -135,15 +147,5 @@ END_OF_SCRIPT;
return $scr;
}
function _scrub($txt)
{
$strip = get_magic_quotes_gpc();
if ($strip) {
return stripslashes($txt);
} else {
return $txt;
}
}
}
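Review bot: `onSaveNewNoticeWeb` ignores the incoming `$content` and rebuilds it from the raw `status_textarea` argument, so the by-reference content that the caller had already shortened is replaced by text derived from unvalidated input, and `$options['rendered']` is set unconditionally where the removed `onStartNoticeSave` only stomped the rendering when the sanitized HTML was non-empty. Because this hook runs on every web post, a client without the editor active that types a literal `<` will see everything after it treated as markup and dropped by `stripHtml`; I cannot tell from the hunk whether the form signals that TinyMCE was used, but the handler should at least bail out on an empty or absent argument: `$raw = $action->arg('status_textarea'); if ($raw === null || $raw === '') { return true; }`. Since `sanitizeHtml()` is now the only thing standing between user input and stored `rendered` HTML, a comment on `onSaveNewNoticeWeb` noting that `$options['rendered']` must only ever be populated from `sanitizeHtml()` output would make that invariant explicit.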