View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0010835 | mantisbt | feature | public | 2009-08-14 09:45 | 2014-11-07 16:39 |
Reporter | theboonster9 | Assigned To | |||
Priority | normal | Severity | feature | Reproducibility | N/A |
Status | new | Resolution | open | ||
Product Version | 1.2.0rc1 | ||||
Summary | 0010835: Allow html tags that have parameters. | ||||
Description | Currently only html tags that do not have parameters and are included in the $g_html_valid_tags global in the config file are allowed. It seems that since the user has to specify which tags are allowed, a user should be able to use tags that have parameters, such as font. | ||||
Tags | patch | ||||
Attached Files | issue10835.patch (5,423 bytes)
From ba0d0c692ef6edb7fb16868f31b20792b0a1ca23 Mon Sep 17 00:00:00 2001 From: Mark Mulrooney <thebooney@gmail.com> Date: Wed, 19 Aug 2009 16:27:57 -0400 Subject: [PATCH] Add ability to choose which tags and parameters are acceptable diff --git a/config_defaults_inc.php b/config_defaults_inc.php index 6535d57..5f5c501 100644 --- a/config_defaults_inc.php +++ b/config_defaults_inc.php @@ -1659,7 +1659,8 @@ /** * These are the valid html tags for multi-line fields (e.g. description) * do NOT include href or img tags here - * do NOT include tags that have parameters (eg. <font face="arial">) + * To include tags with parameters, you must specify which parameters + * are allowed in the $g_html_valid_parameters string. * @global string $g_html_valid_tags */ $g_html_valid_tags = 'p, li, ul, ol, br, pre, i, b, u, em'; @@ -1667,12 +1668,20 @@ /** * These are the valid html tags for single line fields (e.g. issue summary). * do NOT include href or img tags here - * do NOT include tags that have parameters (eg. <font face="arial">) + * To include tags with parameters, you must specify which parameters + * are allowed in the $g_html_valid_parameters string. * @global string $g_html_valid_tags_single_line */ $g_html_valid_tags_single_line = 'i, b, u, em'; /** + * These are the parameters that are valid for the html tags + * in $g_html_valid_tags and $g_html_valid_tags_single line + * @global string $g_html_valid_parameters + */ + $g_html_valid_parameters = OFF; + + /** * maximum length of the description in a dropdown menu (for search) * set to 0 to disable truncations * @global int $g_max_dropdown_length diff --git a/core/string_api.php b/core/string_api.php index 8d600be..3971dd2 100644 --- a/core/string_api.php +++ b/core/string_api.php @@ -33,6 +33,7 @@ require_once( 'bug_api.php' ); require_once( 'user_pref_api.php' ); $g_cache_html_valid_tags = ''; +$g_cache_html_valid_parameters = ''; $g_cache_html_valid_tags_single_line = ''; /** @@ -504,9 +505,10 @@ function string_strip_hrefs( $p_string ) { * @return string */ function string_restore_valid_html_tags( $p_string, $p_multiline = true ) { - global $g_cache_html_valid_tags_single_line, $g_cache_html_valid_tags; + global $g_cache_html_valid_tags_single_line, $g_cache_html_valid_tags, $g_cache_html_valid_parameters; $tags = ''; - if( is_blank(( $p_multiline ? $g_cache_html_valid_tags : $g_cache_html_valid_tags_single_line ) ) ) { + $t_parameters = ''; + if( is_blank( $p_multiline ? $g_cache_html_valid_tags : $g_cache_html_valid_tags_single_line ) ) { $t_html_valid_tags = config_get( $p_multiline ? 'html_valid_tags' : 'html_valid_tags_single_line' ); if( OFF === $t_html_valid_tags || is_blank( $t_html_valid_tags ) ) { @@ -520,18 +522,66 @@ function string_restore_valid_html_tags( $p_string, $p_multiline = true ) { } } $tags = implode( '|', $tags ); + if( $p_multiline ) { $g_cache_html_valid_tags = $tags; } else { $g_cache_html_valid_tags_single_line = $tags; } + } else { $tags = ( $p_multiline ? $g_cache_html_valid_tags : $g_cache_html_valid_tags_single_line ); } - $p_string = preg_replace( '/<(' . $tags . ')\s*>/ui', '<\\1>', $p_string ); - $p_string = preg_replace( '/<\/(' . $tags . ')\s*>/ui', '</\\1>', $p_string ); - $p_string = preg_replace( '/<(' . $tags . ')\s*\/>/ui', '<\\1 />', $p_string ); + if( is_blank( $g_cache_html_valid_parameters ) ) { + $t_html_valid_parameters = config_get( 'html_valid_parameters' ); + if( ! ( is_blank( $t_html_valid_parameters ) ) ) { + $t_parameters = explode( ',', $t_html_valid_parameters ); + foreach( $t_parameters as $key => $value ) { + if( !is_blank( $value ) ) { + $t_parameters[$key] = trim( $value ); + } + } + $t_parameters = implode( '|', $t_parameters); + $g_cache_html_valid_parameters = $t_parameters; + } + } else { + $t_parameters = $g_cache_html_valid_parameters; + } + + # Replace all quotes + $p_string = preg_replace( '/"/', '"', $p_string ); + + # If parameters are specified in the config file, then check the parameters. + # Otherwise, remove any parameters from the tag. + preg_match_all( '/<.+?>/', $p_string, $t_tags ); + + foreach( $t_tags[0] as $t_tag_tmp ) { + preg_match_all( '/[a-zA-Z]+\s*=\s*"*\s*[a-zA-Z0-9]+\s*"*/', $t_tag_tmp, $t_parm ); + foreach( $t_parm[0] as $t_val_parm ) { + if( ! ( is_blank( $t_parameters) ) ) { + if( ! ( preg_match( "/$t_parameters/", $t_val_parm ) ) ) { + $p_string = preg_replace( "/$t_val_parm/", '', $p_string ); + } + } else { + $p_string = preg_replace( "/$t_val_parm/", '', $p_string ); + } + } + } + + # Store anything in quotes so we dont mess it up. + preg_match_all( '/".+?"/', $p_string, $t_quot ); + $p_string = preg_replace( '/".+?"/', "REPLACE_ME", $p_string ); + + # Replace < and > with < and > if its surrounding a valid html tag. + $p_string = preg_replace( '/<\s*((?: ' . $tags . ').*?)>/ui', '<\\1>', $p_string ); + $p_string = preg_replace( '/<\s*\/\s*((?: ' . $tags . ').*?)>/ui', '</\\1>', $p_string ); + $p_string = preg_replace( '/<\s*((?: ' . $tags . ').*?)\s*\/\s*>/ui', '<\\1/>', $p_string ); + + # Put the quoted strings back. + foreach( $t_quot[0] as $t_cur ) { + $p_string = preg_replace( '/REPLACE_ME/', $t_cur, $p_string, 1 ); + } return $p_string; } -- 1.6.0.4 | ||||
I've uploaded a patch with a simple fix to allow tags with parameters as long as the tag the user wishes to allow is added in their custom config file. |
|
The fix I previously uploaded was incorrect. The newer patch file should handle everything correctly. |
|
We have to be very careful with security considerations here. For instance, by allowing someone to set the style= parameter, we effectively open ourselves to a whole range of CSS vulnerabilities. I'd be much more comfortable if the available parameters could be set in the configuration file by the administrator. BTW <font> is deprecated :) |
|
I've uploaded a patch that allows the parameters to be set in the config file. By default that string is set to off and no new tags were added to the default lists, but the capability now exists to have tags with parameters. Hope this is what you were looking for. |
|
Forgot to add cache for the parameters config, should be all set now. If anyone wants to or can, feel free to delete the three older patch files, I can't do it. |
|
OK thanks I'll review it :) |
|
Would love to see this function implemented, as the interesting plugin "jsEdit" (http://git.mantisforge.org/w/jsedit.git) seems to depend on such an option (for <div align="center"> etc.). |
|