HTMLPurifier 4.4.0
|
00001 <?php 00002 00023 // Note: Cache data is base64 encoded because Phorum insists on flinging 00024 // to the user and expecting it to come back unharmed, newlines and 00025 // all, which ain't happening. It's slower, it takes up more space, but 00026 // at least it won't get mutilated 00027 00031 function phorum_htmlpurifier_format($data) 00032 { 00033 $PHORUM = $GLOBALS["PHORUM"]; 00034 00035 $purifier =& HTMLPurifier::getInstance(); 00036 $cache_serial = $PHORUM['mod_htmlpurifier']['body_cache_serial']; 00037 00038 foreach($data as $message_id => $message){ 00039 if(isset($message['body'])) { 00040 00041 if ($message_id) { 00042 // we're dealing with a real message, not a fake, so 00043 // there a number of shortcuts that can be taken 00044 00045 if (isset($message['meta']['htmlpurifier_light'])) { 00046 // format hook was called outside of Phorum's normal 00047 // functions, do the abridged purification 00048 $data[$message_id]['body'] = $purifier->purify($message['body']); 00049 continue; 00050 } 00051 00052 if (!empty($PHORUM['args']['purge'])) { 00053 // purge the cache, must be below the following if 00054 unset($message['meta']['body_cache']); 00055 } 00056 00057 if ( 00058 isset($message['meta']['body_cache']) && 00059 isset($message['meta']['body_cache_serial']) && 00060 $message['meta']['body_cache_serial'] == $cache_serial 00061 ) { 00062 // cached version is present, bail out early 00063 $data[$message_id]['body'] = base64_decode($message['meta']['body_cache']); 00064 continue; 00065 } 00066 } 00067 00068 // migration might edit this array, that's why it's defined 00069 // so early 00070 $updated_message = array(); 00071 00072 // create the $body variable 00073 if ( 00074 $message_id && // message must be real to migrate 00075 !isset($message['meta']['body_cache_serial']) 00076 ) { 00077 // perform migration 00078 $fake_data = array(); 00079 list($signature, $edit_message) = phorum_htmlpurifier_remove_sig_and_editmessage($message); 00080 $fake_data[$message_id] = $message; 00081 $fake_data = phorum_htmlpurifier_migrate($fake_data); 00082 $body = $fake_data[$message_id]['body']; 00083 $body = str_replace("<phorum break>\n", "\n", $body); 00084 $updated_message['body'] = $body; // save it in 00085 $body .= $signature . $edit_message; // add it back in 00086 } else { 00087 // reverse Phorum's pre-processing 00088 $body = $message['body']; 00089 // order is important 00090 $body = str_replace("<phorum break>\n", "\n", $body); 00091 $body = str_replace(array('<','>','&', '"'), array('<','>','&','"'), $body); 00092 if (!$message_id && defined('PHORUM_CONTROL_CENTER')) { 00093 // we're in control.php, so it was double-escaped 00094 $body = str_replace(array('<','>','&', '"'), array('<','>','&','"'), $body); 00095 } 00096 } 00097 00098 $body = $purifier->purify($body); 00099 00100 // dynamically update the cache (MUST BE DONE HERE!) 00101 // this is inefficient because it's one db call per 00102 // cache miss, but once the cache is in place things are 00103 // a lot zippier. 00104 00105 if ($message_id) { // make sure it's not a fake id 00106 $updated_message['meta'] = $message['meta']; 00107 $updated_message['meta']['body_cache'] = base64_encode($body); 00108 $updated_message['meta']['body_cache_serial'] = $cache_serial; 00109 phorum_db_update_message($message_id, $updated_message); 00110 } 00111 00112 // must not get overloaded until after we cache it, otherwise 00113 // we'll inadvertently change the original text 00114 $data[$message_id]['body'] = $body; 00115 00116 } 00117 } 00118 00119 return $data; 00120 } 00121 00122 // ----------------------------------------------------------------------- 00123 // This is fragile code, copied from read.php:596 (Phorum 5.2.6). Please 00124 // keep this code in-sync with Phorum 00125 00129 function phorum_htmlpurifier_generate_sig($row) { 00130 $phorum_sig = ''; 00131 if(isset($row["user"]["signature"]) 00132 && isset($row['meta']['show_signature']) && $row['meta']['show_signature']==1){ 00133 $phorum_sig=trim($row["user"]["signature"]); 00134 if(!empty($phorum_sig)){ 00135 $phorum_sig="\n\n$phorum_sig"; 00136 } 00137 } 00138 return $phorum_sig; 00139 } 00140 00144 function phorum_htmlpurifier_generate_editmessage($row) { 00145 $PHORUM = $GLOBALS['PHORUM']; 00146 $editmessage = ''; 00147 if(isset($row['meta']['edit_count']) && $row['meta']['edit_count'] > 0) { 00148 $editmessage = str_replace ("%count%", $row['meta']['edit_count'], $PHORUM["DATA"]["LANG"]["EditedMessage"]); 00149 $editmessage = str_replace ("%lastedit%", phorum_date($PHORUM["short_date_time"],$row['meta']['edit_date']), $editmessage); 00150 $editmessage = str_replace ("%lastuser%", $row['meta']['edit_username'], $editmessage); 00151 $editmessage = "\n\n\n\n$editmessage"; 00152 } 00153 return $editmessage; 00154 } 00155 00156 // End fragile code 00157 // ----------------------------------------------------------------------- 00158 00163 function phorum_htmlpurifier_remove_sig_and_editmessage(&$row) { 00164 $signature = phorum_htmlpurifier_generate_sig($row); 00165 $editmessage = phorum_htmlpurifier_generate_editmessage($row); 00166 $replacements = array(); 00167 // we need to remove add <phorum break> as that is the form these 00168 // extra bits are in. 00169 if ($signature) $replacements[str_replace("\n", "<phorum break>\n", $signature)] = ''; 00170 if ($editmessage) $replacements[str_replace("\n", "<phorum break>\n", $editmessage)] = ''; 00171 $row['body'] = strtr($row['body'], $replacements); 00172 return array($signature, $editmessage); 00173 } 00174 00181 function phorum_htmlpurifier_posting($message) { 00182 $PHORUM = $GLOBALS["PHORUM"]; 00183 unset($message['meta']['body_cache']); // invalidate the cache 00184 $message['meta']['body_cache_serial'] = $PHORUM['mod_htmlpurifier']['body_cache_serial']; 00185 return $message; 00186 } 00187 00191 function phorum_htmlpurifier_quote($array) { 00192 $PHORUM = $GLOBALS["PHORUM"]; 00193 $purifier =& HTMLPurifier::getInstance(); 00194 $text = $purifier->purify($array[1]); 00195 $source = htmlspecialchars($array[0]); 00196 return "<blockquote cite=\"$source\">\n$text\n</blockquote>"; 00197 } 00198 00203 function phorum_htmlpurifier_common() { 00204 00205 require_once(dirname(__FILE__).'/htmlpurifier/HTMLPurifier.auto.php'); 00206 require(dirname(__FILE__).'/init-config.php'); 00207 00208 $config = phorum_htmlpurifier_get_config(); 00209 HTMLPurifier::getInstance($config); 00210 00211 // increment revision.txt if you want to invalidate the cache 00212 $GLOBALS['PHORUM']['mod_htmlpurifier']['body_cache_serial'] = $config->getSerial(); 00213 00214 // load migration 00215 if (file_exists(dirname(__FILE__) . '/migrate.php')) { 00216 include(dirname(__FILE__) . '/migrate.php'); 00217 } else { 00218 echo '<strong>Error:</strong> No migration path specified for HTML Purifier, please check 00219 <tt>modes/htmlpurifier/migrate.bbcode.php</tt> for instructions on 00220 how to migrate from your previous markup language.'; 00221 exit; 00222 } 00223 00224 if (!function_exists('phorum_htmlpurifier_migrate')) { 00225 // Dummy function 00226 function phorum_htmlpurifier_migrate($data) {return $data;} 00227 } 00228 00229 } 00230 00235 function phorum_htmlpurifier_before_editor($message) { 00236 if (!empty($GLOBALS['PHORUM']['mod_htmlpurifier']['wysiwyg'])) { 00237 if (!empty($message['body'])) { 00238 $body = $message['body']; 00239 // de-entity-ize contents 00240 $body = str_replace(array('<','>','&'), array('<','>','&'), $body); 00241 $purifier =& HTMLPurifier::getInstance(); 00242 $body = $purifier->purify($body); 00243 // re-entity-ize contents 00244 $body = htmlspecialchars($body, ENT_QUOTES, $GLOBALS['PHORUM']['DATA']['CHARSET']); 00245 $message['body'] = $body; 00246 } 00247 } 00248 return $message; 00249 } 00250 00251 function phorum_htmlpurifier_editor_after_subject() { 00252 // don't show this message if it's a WYSIWYG editor, since it will 00253 // then be handled automatically 00254 if (!empty($GLOBALS['PHORUM']['mod_htmlpurifier']['wysiwyg'])) { 00255 $i = $GLOBALS['PHORUM']['DATA']['MODE']; 00256 if ($i == 'quote' || $i == 'edit' || $i == 'moderation') { 00257 ?> 00258 <div> 00259 <p> 00260 <strong>Notice:</strong> HTML has been scrubbed for your safety. 00261 If you would like to see the original, turn off WYSIWYG mode 00262 (consult your administrator for details.) 00263 </p> 00264 </div> 00265 <?php 00266 } 00267 return; 00268 } 00269 if (!empty($GLOBALS['PHORUM']['mod_htmlpurifier']['suppress_message'])) return; 00270 ?><div class="htmlpurifier-help"> 00271 <p> 00272 <strong>HTML input</strong> is enabled. Make sure you escape all HTML and 00273 angled brackets with <code>&lt;</code> and <code>&gt;</code>. 00274 </p><?php 00275 $purifier =& HTMLPurifier::getInstance(); 00276 $config = $purifier->config; 00277 if ($config->get('AutoFormat.AutoParagraph')) { 00278 ?><p> 00279 <strong>Auto-paragraphing</strong> is enabled. Double 00280 newlines will be converted to paragraphs; for single 00281 newlines, use the <code>pre</code> tag. 00282 </p><?php 00283 } 00284 $html_definition = $config->getDefinition('HTML'); 00285 $allowed = array(); 00286 foreach ($html_definition->info as $name => $x) $allowed[] = "<code>$name</code>"; 00287 sort($allowed); 00288 $allowed_text = implode(', ', $allowed); 00289 ?><p><strong>Allowed tags:</strong> <?php 00290 echo $allowed_text; 00291 ?>.</p><?php 00292 ?> 00293 </p> 00294 <p> 00295 For inputting literal code such as HTML and PHP for display, use 00296 CDATA tags to auto-escape your angled brackets, and <code>pre</code> 00297 to preserve newlines: 00298 </p> 00299 <pre><pre><![CDATA[ 00300 <em>Place code here</em> 00301 ]]></pre></pre> 00302 <p> 00303 Power users, you can hide this notice with: 00304 <pre>.htmlpurifier-help {display:none;}</pre> 00305 </p> 00306 </div><?php 00307 } 00308 00309 // vim: et sw=4 sts=4