From ba0d0c692ef6edb7fb16868f31b20792b0a1ca23 Mon Sep 17 00:00:00 2001
From: Mark Mulrooney <thebooney@gmail.com>
Date: Wed, 19 Aug 2009 16:27:57 -0400
Subject: [PATCH] Add ability to choose which tags and parameters are acceptable


diff --git a/config_defaults_inc.php b/config_defaults_inc.php
index 6535d57..5f5c501 100644
--- a/config_defaults_inc.php
+++ b/config_defaults_inc.php
@@ -1659,7 +1659,8 @@
 	/**
 	 * These are the valid html tags for multi-line fields (e.g. description)
 	 * do NOT include href or img tags here
-	 * do NOT include tags that have parameters (eg. <font face="arial">)
+	 * To include tags with parameters, you must specify which parameters
+	 * are allowed in the $g_html_valid_parameters string.
 	 * @global string $g_html_valid_tags
 	 */
 	$g_html_valid_tags		= 'p, li, ul, ol, br, pre, i, b, u, em';
@@ -1667,12 +1668,20 @@
 	/**
 	 * These are the valid html tags for single line fields (e.g. issue summary).
 	 * do NOT include href or img tags here
-	 * do NOT include tags that have parameters (eg. <font face="arial">)
+	 * To include tags with parameters, you must specify which parameters
+	 * are allowed in the $g_html_valid_parameters string.
 	 * @global string $g_html_valid_tags_single_line
 	 */
 	$g_html_valid_tags_single_line		= 'i, b, u, em';
 
 	/**
+	 * These are the parameters that are valid for the html tags 
+	 * in $g_html_valid_tags and $g_html_valid_tags_single line
+	 * @global string $g_html_valid_parameters
+	 */
+	$g_html_valid_parameters = OFF;
+
+	/**
 	 * maximum length of the description in a dropdown menu (for search)
 	 * set to 0 to disable truncations
 	 * @global int $g_max_dropdown_length
diff --git a/core/string_api.php b/core/string_api.php
index 8d600be..3971dd2 100644
--- a/core/string_api.php
+++ b/core/string_api.php
@@ -33,6 +33,7 @@ require_once( 'bug_api.php' );
 require_once( 'user_pref_api.php' );
 
 $g_cache_html_valid_tags = '';
+$g_cache_html_valid_parameters = '';
 $g_cache_html_valid_tags_single_line = '';
 
 /**
@@ -504,9 +505,10 @@ function string_strip_hrefs( $p_string ) {
  * @return string
  */
 function string_restore_valid_html_tags( $p_string, $p_multiline = true ) {
-	global $g_cache_html_valid_tags_single_line, $g_cache_html_valid_tags;
+	global $g_cache_html_valid_tags_single_line, $g_cache_html_valid_tags, $g_cache_html_valid_parameters;
 	$tags = '';
-	if( is_blank(( $p_multiline ? $g_cache_html_valid_tags : $g_cache_html_valid_tags_single_line ) ) ) {
+	$t_parameters = '';
+	if( is_blank( $p_multiline ? $g_cache_html_valid_tags : $g_cache_html_valid_tags_single_line ) ) {
 		$t_html_valid_tags = config_get( $p_multiline ? 'html_valid_tags' : 'html_valid_tags_single_line' );
 
 		if( OFF === $t_html_valid_tags || is_blank( $t_html_valid_tags ) ) {
@@ -520,18 +522,66 @@ function string_restore_valid_html_tags( $p_string, $p_multiline = true ) {
 			}
 		}
 		$tags = implode( '|', $tags );
+
 		if( $p_multiline ) {
 			$g_cache_html_valid_tags = $tags;
 		} else {
 			$g_cache_html_valid_tags_single_line = $tags;
 		}
+
 	} else {
 		$tags = ( $p_multiline ? $g_cache_html_valid_tags : $g_cache_html_valid_tags_single_line );
 	}
 
-	$p_string = preg_replace( '/&lt;(' . $tags . ')\s*&gt;/ui', '<\\1>', $p_string );
-	$p_string = preg_replace( '/&lt;\/(' . $tags . ')\s*&gt;/ui', '</\\1>', $p_string );
-	$p_string = preg_replace( '/&lt;(' . $tags . ')\s*\/&gt;/ui', '<\\1 />', $p_string );
+	if( is_blank( $g_cache_html_valid_parameters ) ) {
+		$t_html_valid_parameters = config_get( 'html_valid_parameters' );
+		if( ! ( is_blank( $t_html_valid_parameters ) ) ) {
+			$t_parameters = explode( ',', $t_html_valid_parameters );
+			foreach( $t_parameters as $key => $value ) {
+				if( !is_blank( $value ) ) {
+					$t_parameters[$key] = trim( $value );
+				}
+			}
+			$t_parameters = implode( '|', $t_parameters);
+			$g_cache_html_valid_parameters = $t_parameters;
+		}
+	} else {
+		$t_parameters = $g_cache_html_valid_parameters;
+	}
+
+	# Replace all quotes
+	$p_string = preg_replace( '/&quot;/', '"', $p_string );
+
+	# If parameters are specified in the config file, then check the parameters.
+	# Otherwise, remove any parameters from the tag.
+	preg_match_all( '/&lt;.+?&gt;/', $p_string, $t_tags );
+
+	foreach( $t_tags[0] as $t_tag_tmp ) {
+		preg_match_all( '/[a-zA-Z]+\s*=\s*"*\s*[a-zA-Z0-9]+\s*"*/', $t_tag_tmp, $t_parm );
+		foreach( $t_parm[0] as $t_val_parm ) {
+			if( ! ( is_blank( $t_parameters) ) ) {
+				if( ! ( preg_match( "/$t_parameters/", $t_val_parm ) ) ) {
+					$p_string = preg_replace( "/$t_val_parm/", '', $p_string );
+				}
+			} else {
+				$p_string = preg_replace( "/$t_val_parm/", '', $p_string );
+			}
+		}
+	}
+
+	# Store anything in quotes so we dont mess it up.
+	preg_match_all( '/".+?"/', $p_string, $t_quot );
+	$p_string = preg_replace( '/".+?"/', "REPLACE_ME", $p_string );
+
+	# Replace &lt; and &gt; with < and > if its surrounding a valid html tag.
+	$p_string = preg_replace( '/&lt;\s*((?: ' . $tags . ').*?)&gt;/ui', '<\\1>', $p_string );
+	$p_string = preg_replace( '/&lt;\s*\/\s*((?: ' . $tags . ').*?)&gt;/ui', '</\\1>', $p_string );
+	$p_string = preg_replace( '/&lt;\s*((?: ' . $tags . ').*?)\s*\/\s*&gt;/ui', '<\\1/>', $p_string );
+
+	# Put the quoted strings back.
+	foreach( $t_quot[0] as $t_cur ) {
+	   $p_string = preg_replace( '/REPLACE_ME/', $t_cur, $p_string, 1 );
+	}
 
 	return $p_string;
 }
-- 
1.6.0.4