View Issue Details

IDProjectCategoryView StatusLast Update
0010835mantisbtfeaturepublic2014-11-07 16:39
Reportertheboonster9 Assigned To 
PrioritynormalSeverityfeatureReproducibilityN/A
Status newResolutionopen 
Product Version1.2.0rc1 
Summary0010835: Allow html tags that have parameters.
Description

Currently only html tags that do not have parameters and are included in the $g_html_valid_tags global in the config file are allowed. It seems that since the user has to specify which tags are allowed, a user should be able to use tags that have parameters, such as font.

Tagspatch

Relationships

has duplicate 0005395 closeddhx allow html certain html tags with parameters 

Activities

theboonster9

theboonster9

2009-08-14 09:52

reporter   ~0022730

I've uploaded a patch with a simple fix to allow tags with parameters as long as the tag the user wishes to allow is added in their custom config file.

theboonster9

theboonster9

2009-08-17 13:03

reporter   ~0022739

The fix I previously uploaded was incorrect. The newer patch file should handle everything correctly.

dhx

dhx

2009-08-18 21:15

reporter   ~0022758

Last edited: 2009-08-18 21:19

View 2 revisions

We have to be very careful with security considerations here. For instance, by allowing someone to set the style= parameter, we effectively open ourselves to a whole range of CSS vulnerabilities.

I'd be much more comfortable if the available parameters could be set in the configuration file by the administrator.

BTW <font> is deprecated :)

theboonster9

theboonster9

2009-08-19 13:28

reporter   ~0022769

I've uploaded a patch that allows the parameters to be set in the config file. By default that string is set to off and no new tags were added to the default lists, but the capability now exists to have tags with parameters. Hope this is what you were looking for.

theboonster9

theboonster9

2009-08-19 16:29

reporter  

issue10835.patch (5,423 bytes)   
From ba0d0c692ef6edb7fb16868f31b20792b0a1ca23 Mon Sep 17 00:00:00 2001
From: Mark Mulrooney <thebooney@gmail.com>
Date: Wed, 19 Aug 2009 16:27:57 -0400
Subject: [PATCH] Add ability to choose which tags and parameters are acceptable


diff --git a/config_defaults_inc.php b/config_defaults_inc.php
index 6535d57..5f5c501 100644
--- a/config_defaults_inc.php
+++ b/config_defaults_inc.php
@@ -1659,7 +1659,8 @@
 	/**
 	 * These are the valid html tags for multi-line fields (e.g. description)
 	 * do NOT include href or img tags here
-	 * do NOT include tags that have parameters (eg. <font face="arial">)
+	 * To include tags with parameters, you must specify which parameters
+	 * are allowed in the $g_html_valid_parameters string.
 	 * @global string $g_html_valid_tags
 	 */
 	$g_html_valid_tags		= 'p, li, ul, ol, br, pre, i, b, u, em';
@@ -1667,12 +1668,20 @@
 	/**
 	 * These are the valid html tags for single line fields (e.g. issue summary).
 	 * do NOT include href or img tags here
-	 * do NOT include tags that have parameters (eg. <font face="arial">)
+	 * To include tags with parameters, you must specify which parameters
+	 * are allowed in the $g_html_valid_parameters string.
 	 * @global string $g_html_valid_tags_single_line
 	 */
 	$g_html_valid_tags_single_line		= 'i, b, u, em';
 
 	/**
+	 * These are the parameters that are valid for the html tags 
+	 * in $g_html_valid_tags and $g_html_valid_tags_single line
+	 * @global string $g_html_valid_parameters
+	 */
+	$g_html_valid_parameters = OFF;
+
+	/**
 	 * maximum length of the description in a dropdown menu (for search)
 	 * set to 0 to disable truncations
 	 * @global int $g_max_dropdown_length
diff --git a/core/string_api.php b/core/string_api.php
index 8d600be..3971dd2 100644
--- a/core/string_api.php
+++ b/core/string_api.php
@@ -33,6 +33,7 @@ require_once( 'bug_api.php' );
 require_once( 'user_pref_api.php' );
 
 $g_cache_html_valid_tags = '';
+$g_cache_html_valid_parameters = '';
 $g_cache_html_valid_tags_single_line = '';
 
 /**
@@ -504,9 +505,10 @@ function string_strip_hrefs( $p_string ) {
  * @return string
  */
 function string_restore_valid_html_tags( $p_string, $p_multiline = true ) {
-	global $g_cache_html_valid_tags_single_line, $g_cache_html_valid_tags;
+	global $g_cache_html_valid_tags_single_line, $g_cache_html_valid_tags, $g_cache_html_valid_parameters;
 	$tags = '';
-	if( is_blank(( $p_multiline ? $g_cache_html_valid_tags : $g_cache_html_valid_tags_single_line ) ) ) {
+	$t_parameters = '';
+	if( is_blank( $p_multiline ? $g_cache_html_valid_tags : $g_cache_html_valid_tags_single_line ) ) {
 		$t_html_valid_tags = config_get( $p_multiline ? 'html_valid_tags' : 'html_valid_tags_single_line' );
 
 		if( OFF === $t_html_valid_tags || is_blank( $t_html_valid_tags ) ) {
@@ -520,18 +522,66 @@ function string_restore_valid_html_tags( $p_string, $p_multiline = true ) {
 			}
 		}
 		$tags = implode( '|', $tags );
+
 		if( $p_multiline ) {
 			$g_cache_html_valid_tags = $tags;
 		} else {
 			$g_cache_html_valid_tags_single_line = $tags;
 		}
+
 	} else {
 		$tags = ( $p_multiline ? $g_cache_html_valid_tags : $g_cache_html_valid_tags_single_line );
 	}
 
-	$p_string = preg_replace( '/&lt;(' . $tags . ')\s*&gt;/ui', '<\\1>', $p_string );
-	$p_string = preg_replace( '/&lt;\/(' . $tags . ')\s*&gt;/ui', '</\\1>', $p_string );
-	$p_string = preg_replace( '/&lt;(' . $tags . ')\s*\/&gt;/ui', '<\\1 />', $p_string );
+	if( is_blank( $g_cache_html_valid_parameters ) ) {
+		$t_html_valid_parameters = config_get( 'html_valid_parameters' );
+		if( ! ( is_blank( $t_html_valid_parameters ) ) ) {
+			$t_parameters = explode( ',', $t_html_valid_parameters );
+			foreach( $t_parameters as $key => $value ) {
+				if( !is_blank( $value ) ) {
+					$t_parameters[$key] = trim( $value );
+				}
+			}
+			$t_parameters = implode( '|', $t_parameters);
+			$g_cache_html_valid_parameters = $t_parameters;
+		}
+	} else {
+		$t_parameters = $g_cache_html_valid_parameters;
+	}
+
+	# Replace all quotes
+	$p_string = preg_replace( '/&quot;/', '"', $p_string );
+
+	# If parameters are specified in the config file, then check the parameters.
+	# Otherwise, remove any parameters from the tag.
+	preg_match_all( '/&lt;.+?&gt;/', $p_string, $t_tags );
+
+	foreach( $t_tags[0] as $t_tag_tmp ) {
+		preg_match_all( '/[a-zA-Z]+\s*=\s*"*\s*[a-zA-Z0-9]+\s*"*/', $t_tag_tmp, $t_parm );
+		foreach( $t_parm[0] as $t_val_parm ) {
+			if( ! ( is_blank( $t_parameters) ) ) {
+				if( ! ( preg_match( "/$t_parameters/", $t_val_parm ) ) ) {
+					$p_string = preg_replace( "/$t_val_parm/", '', $p_string );
+				}
+			} else {
+				$p_string = preg_replace( "/$t_val_parm/", '', $p_string );
+			}
+		}
+	}
+
+	# Store anything in quotes so we dont mess it up.
+	preg_match_all( '/".+?"/', $p_string, $t_quot );
+	$p_string = preg_replace( '/".+?"/', "REPLACE_ME", $p_string );
+
+	# Replace &lt; and &gt; with < and > if its surrounding a valid html tag.
+	$p_string = preg_replace( '/&lt;\s*((?: ' . $tags . ').*?)&gt;/ui', '<\\1>', $p_string );
+	$p_string = preg_replace( '/&lt;\s*\/\s*((?: ' . $tags . ').*?)&gt;/ui', '</\\1>', $p_string );
+	$p_string = preg_replace( '/&lt;\s*((?: ' . $tags . ').*?)\s*\/\s*&gt;/ui', '<\\1/>', $p_string );
+
+	# Put the quoted strings back.
+	foreach( $t_quot[0] as $t_cur ) {
+	   $p_string = preg_replace( '/REPLACE_ME/', $t_cur, $p_string, 1 );
+	}
 
 	return $p_string;
 }
-- 
1.6.0.4

issue10835.patch (5,423 bytes)   
theboonster9

theboonster9

2009-08-19 16:31

reporter   ~0022770

Forgot to add cache for the parameters config, should be all set now.

If anyone wants to or can, feel free to delete the three older patch files, I can't do it.

dhx

dhx

2009-08-21 04:43

reporter   ~0022777

OK thanks I'll review it :)

PAB

PAB

2010-04-29 09:12

reporter   ~0025347

Would love to see this function implemented, as the interesting plugin "jsEdit" (http://git.mantisforge.org/w/jsedit.git) seems to depend on such an option (for <div align="center"> etc.).

Issue History

Date Modified Username Field Change
2009-08-14 09:45 theboonster9 New Issue
2009-08-14 09:51 theboonster9 File Added: isse10835.patch
2009-08-14 09:52 theboonster9 Note Added: 0022730
2009-08-17 13:02 theboonster9 File Added: 10835.patch
2009-08-17 13:03 theboonster9 Note Added: 0022739
2009-08-18 21:15 dhx Note Added: 0022758
2009-08-18 21:19 dhx Note Edited: 0022758 View Revisions
2009-08-19 13:19 theboonster9 File Added: isse_10835.patch
2009-08-19 13:28 theboonster9 Note Added: 0022769
2009-08-19 16:29 theboonster9 File Added: issue10835.patch
2009-08-19 16:31 theboonster9 Note Added: 0022770
2009-08-21 04:43 dhx Note Added: 0022777
2009-08-21 04:44 dhx Relationship added has duplicate 0005395
2010-04-29 09:12 PAB Note Added: 0025347
2011-08-14 08:53 atrol File Deleted: isse10835.patch
2011-08-14 08:53 atrol File Deleted: 10835.patch
2011-08-14 08:53 atrol File Deleted: isse_10835.patch
2011-08-14 08:53 atrol Tag Attached: patch
2012-03-03 08:38 grangeway Assigned To => grangeway
2012-03-03 08:38 grangeway Status new => assigned
2014-11-07 16:39 atrol Assigned To grangeway =>
2014-11-07 16:39 atrol Status assigned => new