issue10835.patch (5,423 bytes)
From ba0d0c692ef6edb7fb16868f31b20792b0a1ca23 Mon Sep 17 00:00:00 2001
From: Mark Mulrooney <thebooney@gmail.com>
Date: Wed, 19 Aug 2009 16:27:57 -0400
Subject: [PATCH] Add ability to choose which tags and parameters are acceptable
diff --git a/config_defaults_inc.php b/config_defaults_inc.php
index 6535d57..5f5c501 100644
--- a/config_defaults_inc.php
+++ b/config_defaults_inc.php
@@ -1659,7 +1659,8 @@
/**
* These are the valid html tags for multi-line fields (e.g. description)
* do NOT include href or img tags here
- * do NOT include tags that have parameters (eg. <font face="arial">)
+ * To include tags with parameters, you must specify which parameters
+ * are allowed in the $g_html_valid_parameters string.
* @global string $g_html_valid_tags
*/
$g_html_valid_tags = 'p, li, ul, ol, br, pre, i, b, u, em';
@@ -1667,12 +1668,20 @@
/**
* These are the valid html tags for single line fields (e.g. issue summary).
* do NOT include href or img tags here
- * do NOT include tags that have parameters (eg. <font face="arial">)
+ * To include tags with parameters, you must specify which parameters
+ * are allowed in the $g_html_valid_parameters string.
* @global string $g_html_valid_tags_single_line
*/
$g_html_valid_tags_single_line = 'i, b, u, em';
/**
+ * These are the parameters that are valid for the html tags
+ * in $g_html_valid_tags and $g_html_valid_tags_single line
+ * @global string $g_html_valid_parameters
+ */
+ $g_html_valid_parameters = OFF;
+
+ /**
* maximum length of the description in a dropdown menu (for search)
* set to 0 to disable truncations
* @global int $g_max_dropdown_length
diff --git a/core/string_api.php b/core/string_api.php
index 8d600be..3971dd2 100644
--- a/core/string_api.php
+++ b/core/string_api.php
@@ -33,6 +33,7 @@ require_once( 'bug_api.php' );
require_once( 'user_pref_api.php' );
$g_cache_html_valid_tags = '';
+$g_cache_html_valid_parameters = '';
$g_cache_html_valid_tags_single_line = '';
/**
@@ -504,9 +505,10 @@ function string_strip_hrefs( $p_string ) {
* @return string
*/
function string_restore_valid_html_tags( $p_string, $p_multiline = true ) {
- global $g_cache_html_valid_tags_single_line, $g_cache_html_valid_tags;
+ global $g_cache_html_valid_tags_single_line, $g_cache_html_valid_tags, $g_cache_html_valid_parameters;
$tags = '';
- if( is_blank(( $p_multiline ? $g_cache_html_valid_tags : $g_cache_html_valid_tags_single_line ) ) ) {
+ $t_parameters = '';
+ if( is_blank( $p_multiline ? $g_cache_html_valid_tags : $g_cache_html_valid_tags_single_line ) ) {
$t_html_valid_tags = config_get( $p_multiline ? 'html_valid_tags' : 'html_valid_tags_single_line' );
if( OFF === $t_html_valid_tags || is_blank( $t_html_valid_tags ) ) {
@@ -520,18 +522,66 @@ function string_restore_valid_html_tags( $p_string, $p_multiline = true ) {
}
}
$tags = implode( '|', $tags );
+
if( $p_multiline ) {
$g_cache_html_valid_tags = $tags;
} else {
$g_cache_html_valid_tags_single_line = $tags;
}
+
} else {
$tags = ( $p_multiline ? $g_cache_html_valid_tags : $g_cache_html_valid_tags_single_line );
}
- $p_string = preg_replace( '/<(' . $tags . ')\s*>/ui', '<\\1>', $p_string );
- $p_string = preg_replace( '/<\/(' . $tags . ')\s*>/ui', '</\\1>', $p_string );
- $p_string = preg_replace( '/<(' . $tags . ')\s*\/>/ui', '<\\1 />', $p_string );
+ if( is_blank( $g_cache_html_valid_parameters ) ) {
+ $t_html_valid_parameters = config_get( 'html_valid_parameters' );
+ if( ! ( is_blank( $t_html_valid_parameters ) ) ) {
+ $t_parameters = explode( ',', $t_html_valid_parameters );
+ foreach( $t_parameters as $key => $value ) {
+ if( !is_blank( $value ) ) {
+ $t_parameters[$key] = trim( $value );
+ }
+ }
+ $t_parameters = implode( '|', $t_parameters);
+ $g_cache_html_valid_parameters = $t_parameters;
+ }
+ } else {
+ $t_parameters = $g_cache_html_valid_parameters;
+ }
+
+ # Replace all quotes
+ $p_string = preg_replace( '/"/', '"', $p_string );
+
+ # If parameters are specified in the config file, then check the parameters.
+ # Otherwise, remove any parameters from the tag.
+ preg_match_all( '/<.+?>/', $p_string, $t_tags );
+
+ foreach( $t_tags[0] as $t_tag_tmp ) {
+ preg_match_all( '/[a-zA-Z]+\s*=\s*"*\s*[a-zA-Z0-9]+\s*"*/', $t_tag_tmp, $t_parm );
+ foreach( $t_parm[0] as $t_val_parm ) {
+ if( ! ( is_blank( $t_parameters) ) ) {
+ if( ! ( preg_match( "/$t_parameters/", $t_val_parm ) ) ) {
+ $p_string = preg_replace( "/$t_val_parm/", '', $p_string );
+ }
+ } else {
+ $p_string = preg_replace( "/$t_val_parm/", '', $p_string );
+ }
+ }
+ }
+
+ # Store anything in quotes so we dont mess it up.
+ preg_match_all( '/".+?"/', $p_string, $t_quot );
+ $p_string = preg_replace( '/".+?"/', "REPLACE_ME", $p_string );
+
+ # Replace < and > with < and > if its surrounding a valid html tag.
+ $p_string = preg_replace( '/<\s*((?: ' . $tags . ').*?)>/ui', '<\\1>', $p_string );
+ $p_string = preg_replace( '/<\s*\/\s*((?: ' . $tags . ').*?)>/ui', '</\\1>', $p_string );
+ $p_string = preg_replace( '/<\s*((?: ' . $tags . ').*?)\s*\/\s*>/ui', '<\\1/>', $p_string );
+
+ # Put the quoted strings back.
+ foreach( $t_quot[0] as $t_cur ) {
+ $p_string = preg_replace( '/REPLACE_ME/', $t_cur, $p_string, 1 );
+ }
return $p_string;
}
--
1.6.0.4
