diff options
author | friendica <info@friendica.com> | 2012-05-12 17:57:41 -0700 |
---|---|---|
committer | friendica <info@friendica.com> | 2012-07-18 20:40:31 +1000 |
commit | 7a40f4354b32809af3d0cfd6e3af0eda02ab0e0a (patch) | |
tree | a9c3d91209cff770bb4b613b1b95e61a7bbc5a2b /lib/htmlpurifier/plugins | |
parent | cd727cb26b78a1dade09d510b071446898477356 (diff) | |
download | volse-hubzilla-7a40f4354b32809af3d0cfd6e3af0eda02ab0e0a.tar.gz volse-hubzilla-7a40f4354b32809af3d0cfd6e3af0eda02ab0e0a.tar.bz2 volse-hubzilla-7a40f4354b32809af3d0cfd6e3af0eda02ab0e0a.zip |
some important stuff we'll need
Diffstat (limited to 'lib/htmlpurifier/plugins')
-rw-r--r-- | lib/htmlpurifier/plugins/modx.txt | 112 | ||||
-rw-r--r-- | lib/htmlpurifier/plugins/phorum/.gitignore | 2 | ||||
-rw-r--r-- | lib/htmlpurifier/plugins/phorum/Changelog | 27 | ||||
-rw-r--r-- | lib/htmlpurifier/plugins/phorum/INSTALL | 84 | ||||
-rw-r--r-- | lib/htmlpurifier/plugins/phorum/README | 45 | ||||
-rw-r--r-- | lib/htmlpurifier/plugins/phorum/config.default.php | 57 | ||||
-rw-r--r-- | lib/htmlpurifier/plugins/phorum/htmlpurifier.php | 309 | ||||
-rw-r--r-- | lib/htmlpurifier/plugins/phorum/info.txt | 18 | ||||
-rw-r--r-- | lib/htmlpurifier/plugins/phorum/init-config.php | 28 | ||||
-rw-r--r-- | lib/htmlpurifier/plugins/phorum/migrate.bbcode.php | 30 | ||||
-rw-r--r-- | lib/htmlpurifier/plugins/phorum/settings.php | 64 | ||||
-rw-r--r-- | lib/htmlpurifier/plugins/phorum/settings/form.php | 93 | ||||
-rw-r--r-- | lib/htmlpurifier/plugins/phorum/settings/migrate-sigs-form.php | 22 | ||||
-rw-r--r-- | lib/htmlpurifier/plugins/phorum/settings/migrate-sigs.php | 77 | ||||
-rw-r--r-- | lib/htmlpurifier/plugins/phorum/settings/save.php | 27 |
15 files changed, 995 insertions, 0 deletions
diff --git a/lib/htmlpurifier/plugins/modx.txt b/lib/htmlpurifier/plugins/modx.txt new file mode 100644 index 000000000..0763821b5 --- /dev/null +++ b/lib/htmlpurifier/plugins/modx.txt @@ -0,0 +1,112 @@ + +MODx Plugin + +MODx <http://www.modxcms.com/> is an open source PHP application framework. +I first came across them in my referrer logs when tillda asked if anyone +could implement an HTML Purifier plugin. This forum thread +<http://modxcms.com/forums/index.php/topic,6604.0.html> eventually resulted +in the fruition of this plugin that davidm says, "is on top of my favorite +list." HTML Purifier goes great with WYSIWYG editors! + + + +1. Credits + +PaulGregory wrote the overall structure of the code. I added the +slashes hack. + + + +2. Install + +First, you need to place HTML Purifier library somewhere. The code here +assumes that you've placed in MODx's assets/plugins/htmlpurifier (no version +number). + +Log into the manager, and navigate: + +Resources > Manage Resources > Plugins tab > New Plugin + +Type in a name (probably HTML Purifier), and copy paste this code into the +textarea: + +-------------------------------------------------------------------------------- +$e = &$modx->Event; +if ($e->name == 'OnBeforeDocFormSave') { + global $content; + + include_once '../assets/plugins/htmlpurifier/library/HTMLPurifier.auto.php'; + $purifier = new HTMLPurifier(); + + static $magic_quotes = null; + if ($magic_quotes === null) { + // this is an ugly hack because this hook hasn't + // had the backslashes removed yet when magic_quotes_gpc is on, + // but HTMLPurifier must not have the quotes slashed. + $magic_quotes = get_magic_quotes_gpc(); + } + + if ($magic_quotes) $content = stripslashes($content); + $content = $purifier->purify($content); + if ($magic_quotes) $content = addslashes($content); +} +-------------------------------------------------------------------------------- + +Then navigate to the System Events tab and check "OnBeforeDocFormSave". +Save the plugin. HTML Purifier now is integrated! + + + +3. Making sure it works + +You can test HTML Purifier by deliberately putting in crappy HTML and seeing +whether or not it gets fixed. A better way is to put in something like this: + +<p lang="fr">Il est bon</p> + +...and seeing whether or not the content comes out as: + +<p lang="fr" xml:lang="fr">Il est bon</p> + +(lang to xml:lang synchronization is one of the many features HTML Purifier +has). + + + +4. Caveat Emptor + +This code does not intercept save requests from the QuickEdit plugin, this may +be added in a later version. It also modifies things on save, so there's a +slight chance that HTML Purifier may make a boo-boo and accidently mess things +up (the original version is not saved). + +Finally, make sure that MODx is using UTF-8. If you are using, say, a French +localisation, you may be using Latin-1, if that's the case, configure +HTML Purifier properly like this: + +$config = HTMLPurifier_Config::createDefault(); +$config->set('Core', 'Encoding', 'ISO-8859-1'); // or whatever encoding +$purifier = new HTMLPurifier($config); + + + +5. Known Bugs + +'rn' characters sometimes mysteriously appear after purification. We are +currently investigating this issue. See: <http://htmlpurifier.org/phorum/read.php?3,1866> + + + +6. See Also + +A modified version of Jot 1.1.3 is available, which integrates with HTML +Purifier. You can check it out here: <http://modxcms.com/forums/index.php/topic,25621.msg161970.html> + + +X. Changelog + +2008-06-16 +- Updated code to work with 3.1.0 and later +- Add Known Bugs and See Also section + + vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/plugins/phorum/.gitignore b/lib/htmlpurifier/plugins/phorum/.gitignore new file mode 100644 index 000000000..8325e0902 --- /dev/null +++ b/lib/htmlpurifier/plugins/phorum/.gitignore @@ -0,0 +1,2 @@ +migrate.php +htmlpurifier/* diff --git a/lib/htmlpurifier/plugins/phorum/Changelog b/lib/htmlpurifier/plugins/phorum/Changelog new file mode 100644 index 000000000..9f939e54a --- /dev/null +++ b/lib/htmlpurifier/plugins/phorum/Changelog @@ -0,0 +1,27 @@ +Changelog HTMLPurifier : Phorum Mod +||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| + += KEY ==================== + # Breaks back-compat + ! Feature + - Bugfix + + Sub-comment + . Internal change +========================== + +Version 4.0.0 for Phorum 5.2, released July 9, 2009 +# Works only with HTML Purifier 4.0.0 +! Better installation documentation +- Fixed double encoded quotes +- Fixed fatal error when migrate.php is blank + +Version 3.0.0 for Phorum 5.2, released January 12, 2008 +# WYSIWYG and suppress_message options are now configurable via web + interface. +- Module now compatible with Phorum 5.2, primary bugs were in migration + code as well as signature and edit message handling. This module is NOT + compatible with Phorum 5.1. +- Buggy WYSIWYG mode refined +. AutoFormatParam added to list of default configuration namespaces + + vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/plugins/phorum/INSTALL b/lib/htmlpurifier/plugins/phorum/INSTALL new file mode 100644 index 000000000..23c76fc5c --- /dev/null +++ b/lib/htmlpurifier/plugins/phorum/INSTALL @@ -0,0 +1,84 @@ + +Install + How to install the Phorum HTML Purifier plugin + +0. PREREQUISITES +---------------- +This Phorum module only works on PHP5 and with HTML Purifier 4.0.0 +or later. + +1. UNZIP +-------- +Unzip phorum-htmlpurifier-x.y.z, producing an htmlpurifier folder. +You've already done this step if you're reading this! + +2. MOVE +------- +Move the htmlpurifier folder to the mods/ folder of your Phorum +installation, so the directory structure looks like: + +phorum/ + mods/ + htmlpurifier/ + INSTALL - this install file + info.txt, ... - the module files + htmlpurifier/ + +3. INSTALL HTML PURIFIER +------------------------ +Download and unzip HTML Purifier <htmlpurifier.org>. Place the contents of +the library/ folder in the htmlpurifier/htmlpurifier folder. Your directory +structure will look like: + +phorum/ + mods/ + htmlpurifier/ + htmlpurifier/ + HTMLPurifier.auto.php + ... - other files + HTMLPurifier/ + +Advanced users: + If you have HTML Purifier installed elsewhere on your server, + all you need is an HTMLPurifier.auto.php file in the library folder which + includes the HTMLPurifier.auto.php file in your install. + +4. MIGRATE +---------- +If you're setting up a new Phorum installation, all you need to do is create +a blank migrate.php file in the htmlpurifier module folder (NOT the library +folder. + +If you have an old Phorum installation and was using BBCode, +copy migrate.bbcode.php to migrate.php. If you were using a different input +format, follow the instructions in migrate.bbcode.php to create your own custom +migrate.php file. + +Your directory structure should now look like this: + +phorum/ + mods/ + htmlpurifier/ + migrate.php + +5. ENABLE +--------- +Navigate to your Phorum admin panel at http://example.com/phorum/admin.php, +click on Global Settings > Modules, scroll to "HTML Purifier Phorum Mod" and +turn it On. + +6. MIGRATE SIGNATURES +--------------------- +If you're setting up a new Phorum installation, skip this step. + +If you allowed your users to make signatures, navigate to the module settings +page of HTML Purifier (Global Settings > Modules > HTML Purifier Phorum Mod > +Configure), type in "yes" in the "Confirm" box, and press "Migrate." + +ONLY DO THIS ONCE! BE SURE TO BACK UP YOUR DATABASE! + +7. CONFIGURE +------------ +Configure using Edit settings. See that page for more information. + + vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/plugins/phorum/README b/lib/htmlpurifier/plugins/phorum/README new file mode 100644 index 000000000..0524ed39d --- /dev/null +++ b/lib/htmlpurifier/plugins/phorum/README @@ -0,0 +1,45 @@ + +HTML Purifier Phorum Mod - Filter your HTML the Standards-Compliant Way! + +This Phorum mod enables HTML posting on Phorum. Under normal circumstances, +this would cause a huge security risk, but because we are running +HTML through HTML Purifier, output is guaranteed to be XSS free and +standards-compliant. + +This mod requires HTML input, and previous markup languages need to be +converted accordingly. Thus, it is vital that you create a 'migrate.php' +file that works with your installation. If you're using the built-in +BBCode formatting, simply move migrate.bbcode.php to that place; for +other markup languages, consult said file for instructions on how +to adapt it to your needs. + + -- NOTE ------------------------------------------------- + You can also run this module in parallel with another + formatting module; this module attempts to place itself + at the end of the filtering chain. However, if any + previous modules produce insecure HTML (for instance, + a JavaScript email obfuscator) they will get cleaned. + +This module will not work if 'migrate.php' is not created, and an improperly +made migration file may *CORRUPT* Phorum, so please take your time to +do this correctly. It should go without saying to *BACKUP YOUR DATABASE* +before attempting anything here. If no migration is necessary, you can +simply create a blank migrate.php file. HTML Purifier is smart and will +not re-migrate already processed messages. However, the original code +is irretrievably lost (we may change this in the future.) + +This module will not automatically migrate user signatures, because this +process may take a long time. After installing the HTML Purifier module and +then configuring 'migrate.php', navigate to Settings and click 'Migrate +Signatures' to migrate all user signatures to HTML. + +All of HTML Purifier's usual functions are configurable via the mod settings +page. If you require custom configuration, create config.php file in +the mod directory that edits a $config variable. Be sure, also, to +set $PHORUM['mod_htmlpurifier']['wysiwyg'] to TRUE if you are using a +WYSIWYG editor (you can do this through a common hook or the web +configuration form). + +Visit HTML Purifier at <http://htmlpurifier.org/>. + + vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/plugins/phorum/config.default.php b/lib/htmlpurifier/plugins/phorum/config.default.php new file mode 100644 index 000000000..e047c0b42 --- /dev/null +++ b/lib/htmlpurifier/plugins/phorum/config.default.php @@ -0,0 +1,57 @@ +<?php + +if(!defined("PHORUM")) exit; + +// default HTML Purifier configuration settings +$config->set('HTML.Allowed', + // alphabetically sorted +'a[href|title] +abbr[title] +acronym[title] +b +blockquote[cite] +br +caption +cite +code +dd +del +dfn +div +dl +dt +em +i +img[src|alt|title|class] +ins +kbd +li +ol +p +pre +s +strike +strong +sub +sup +table +tbody +td +tfoot +th +thead +tr +tt +u +ul +var'); +$config->set('AutoFormat.AutoParagraph', true); +$config->set('AutoFormat.Linkify', true); +$config->set('HTML.Doctype', 'XHTML 1.0 Transitional'); +$config->set('Core.AggressivelyFixLt', true); +$config->set('Core.Encoding', $GLOBALS['PHORUM']['DATA']['CHARSET']); // we'll change this eventually +if (strtolower($GLOBALS['PHORUM']['DATA']['CHARSET']) !== 'utf-8') { + $config->set('Core.EscapeNonASCIICharacters', true); +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/plugins/phorum/htmlpurifier.php b/lib/htmlpurifier/plugins/phorum/htmlpurifier.php new file mode 100644 index 000000000..6f74fc8c9 --- /dev/null +++ b/lib/htmlpurifier/plugins/phorum/htmlpurifier.php @@ -0,0 +1,309 @@ +<?php + +/** + * HTML Purifier Phorum Mod. Filter your HTML the Standards-Compliant Way! + * + * This Phorum mod enables users to post raw HTML into Phorum. But never + * fear: with the help of HTML Purifier, this HTML will be beat into + * de-XSSed and standards-compliant form, safe for general consumption. + * It is not recommended, but possible to run this mod in parallel + * with other formatters (in short, please DISABLE the BBcode mod). + * + * For help migrating from your previous markup language to pure HTML + * please check the migrate.bbcode.php file. + * + * If you'd like to use this with a WYSIWYG editor, make sure that + * editor sets $PHORUM['mod_htmlpurifier']['wysiwyg'] to true. Otherwise, + * administrators who need to edit other people's comments may be at + * risk for some nasty attacks. + * + * Tested with Phorum 5.2.11. + */ + +// Note: Cache data is base64 encoded because Phorum insists on flinging +// to the user and expecting it to come back unharmed, newlines and +// all, which ain't happening. It's slower, it takes up more space, but +// at least it won't get mutilated + +/** + * Purifies a data array + */ +function phorum_htmlpurifier_format($data) +{ + $PHORUM = $GLOBALS["PHORUM"]; + + $purifier =& HTMLPurifier::getInstance(); + $cache_serial = $PHORUM['mod_htmlpurifier']['body_cache_serial']; + + foreach($data as $message_id => $message){ + if(isset($message['body'])) { + + if ($message_id) { + // we're dealing with a real message, not a fake, so + // there a number of shortcuts that can be taken + + if (isset($message['meta']['htmlpurifier_light'])) { + // format hook was called outside of Phorum's normal + // functions, do the abridged purification + $data[$message_id]['body'] = $purifier->purify($message['body']); + continue; + } + + if (!empty($PHORUM['args']['purge'])) { + // purge the cache, must be below the following if + unset($message['meta']['body_cache']); + } + + if ( + isset($message['meta']['body_cache']) && + isset($message['meta']['body_cache_serial']) && + $message['meta']['body_cache_serial'] == $cache_serial + ) { + // cached version is present, bail out early + $data[$message_id]['body'] = base64_decode($message['meta']['body_cache']); + continue; + } + } + + // migration might edit this array, that's why it's defined + // so early + $updated_message = array(); + + // create the $body variable + if ( + $message_id && // message must be real to migrate + !isset($message['meta']['body_cache_serial']) + ) { + // perform migration + $fake_data = array(); + list($signature, $edit_message) = phorum_htmlpurifier_remove_sig_and_editmessage($message); + $fake_data[$message_id] = $message; + $fake_data = phorum_htmlpurifier_migrate($fake_data); + $body = $fake_data[$message_id]['body']; + $body = str_replace("<phorum break>\n", "\n", $body); + $updated_message['body'] = $body; // save it in + $body .= $signature . $edit_message; // add it back in + } else { + // reverse Phorum's pre-processing + $body = $message['body']; + // order is important + $body = str_replace("<phorum break>\n", "\n", $body); + $body = str_replace(array('<','>','&', '"'), array('<','>','&','"'), $body); + if (!$message_id && defined('PHORUM_CONTROL_CENTER')) { + // we're in control.php, so it was double-escaped + $body = str_replace(array('<','>','&', '"'), array('<','>','&','"'), $body); + } + } + + $body = $purifier->purify($body); + + // dynamically update the cache (MUST BE DONE HERE!) + // this is inefficient because it's one db call per + // cache miss, but once the cache is in place things are + // a lot zippier. + + if ($message_id) { // make sure it's not a fake id + $updated_message['meta'] = $message['meta']; + $updated_message['meta']['body_cache'] = base64_encode($body); + $updated_message['meta']['body_cache_serial'] = $cache_serial; + phorum_db_update_message($message_id, $updated_message); + } + + // must not get overloaded until after we cache it, otherwise + // we'll inadvertently change the original text + $data[$message_id]['body'] = $body; + + } + } + + return $data; +} + +// ----------------------------------------------------------------------- +// This is fragile code, copied from read.php:596 (Phorum 5.2.6). Please +// keep this code in-sync with Phorum + +/** + * Generates a signature based on a message array + */ +function phorum_htmlpurifier_generate_sig($row) { + $phorum_sig = ''; + if(isset($row["user"]["signature"]) + && isset($row['meta']['show_signature']) && $row['meta']['show_signature']==1){ + $phorum_sig=trim($row["user"]["signature"]); + if(!empty($phorum_sig)){ + $phorum_sig="\n\n$phorum_sig"; + } + } + return $phorum_sig; +} + +/** + * Generates an edit message based on a message array + */ +function phorum_htmlpurifier_generate_editmessage($row) { + $PHORUM = $GLOBALS['PHORUM']; + $editmessage = ''; + if(isset($row['meta']['edit_count']) && $row['meta']['edit_count'] > 0) { + $editmessage = str_replace ("%count%", $row['meta']['edit_count'], $PHORUM["DATA"]["LANG"]["EditedMessage"]); + $editmessage = str_replace ("%lastedit%", phorum_date($PHORUM["short_date_time"],$row['meta']['edit_date']), $editmessage); + $editmessage = str_replace ("%lastuser%", $row['meta']['edit_username'], $editmessage); + $editmessage = "\n\n\n\n$editmessage"; + } + return $editmessage; +} + +// End fragile code +// ----------------------------------------------------------------------- + +/** + * Removes the signature and edit message from a message + * @param $row Message passed by reference + */ +function phorum_htmlpurifier_remove_sig_and_editmessage(&$row) { + $signature = phorum_htmlpurifier_generate_sig($row); + $editmessage = phorum_htmlpurifier_generate_editmessage($row); + $replacements = array(); + // we need to remove add <phorum break> as that is the form these + // extra bits are in. + if ($signature) $replacements[str_replace("\n", "<phorum break>\n", $signature)] = ''; + if ($editmessage) $replacements[str_replace("\n", "<phorum break>\n", $editmessage)] = ''; + $row['body'] = strtr($row['body'], $replacements); + return array($signature, $editmessage); +} + +/** + * Indicate that data is fully HTML and not from migration, invalidate + * previous caches + * @note This function could generate the actual cache entries, but + * since there's data missing that must be deferred to the first read + */ +function phorum_htmlpurifier_posting($message) { + $PHORUM = $GLOBALS["PHORUM"]; + unset($message['meta']['body_cache']); // invalidate the cache + $message['meta']['body_cache_serial'] = $PHORUM['mod_htmlpurifier']['body_cache_serial']; + return $message; +} + +/** + * Overload quoting mechanism to prevent default, mail-style quote from happening + */ +function phorum_htmlpurifier_quote($array) { + $PHORUM = $GLOBALS["PHORUM"]; + $purifier =& HTMLPurifier::getInstance(); + $text = $purifier->purify($array[1]); + $source = htmlspecialchars($array[0]); + return "<blockquote cite=\"$source\">\n$text\n</blockquote>"; +} + +/** + * Ensure that our format hook is processed last. Also, loads the library. + * @credits <http://secretsauce.phorum.org/snippets/make_bbcode_last_formatter.php.txt> + */ +function phorum_htmlpurifier_common() { + + require_once(dirname(__FILE__).'/htmlpurifier/HTMLPurifier.auto.php'); + require(dirname(__FILE__).'/init-config.php'); + + $config = phorum_htmlpurifier_get_config(); + HTMLPurifier::getInstance($config); + + // increment revision.txt if you want to invalidate the cache + $GLOBALS['PHORUM']['mod_htmlpurifier']['body_cache_serial'] = $config->getSerial(); + + // load migration + if (file_exists(dirname(__FILE__) . '/migrate.php')) { + include(dirname(__FILE__) . '/migrate.php'); + } else { + echo '<strong>Error:</strong> No migration path specified for HTML Purifier, please check + <tt>modes/htmlpurifier/migrate.bbcode.php</tt> for instructions on + how to migrate from your previous markup language.'; + exit; + } + + if (!function_exists('phorum_htmlpurifier_migrate')) { + // Dummy function + function phorum_htmlpurifier_migrate($data) {return $data;} + } + +} + +/** + * Pre-emptively performs purification if it looks like a WYSIWYG editor + * is being used + */ +function phorum_htmlpurifier_before_editor($message) { + if (!empty($GLOBALS['PHORUM']['mod_htmlpurifier']['wysiwyg'])) { + if (!empty($message['body'])) { + $body = $message['body']; + // de-entity-ize contents + $body = str_replace(array('<','>','&'), array('<','>','&'), $body); + $purifier =& HTMLPurifier::getInstance(); + $body = $purifier->purify($body); + // re-entity-ize contents + $body = htmlspecialchars($body, ENT_QUOTES, $GLOBALS['PHORUM']['DATA']['CHARSET']); + $message['body'] = $body; + } + } + return $message; +} + +function phorum_htmlpurifier_editor_after_subject() { + // don't show this message if it's a WYSIWYG editor, since it will + // then be handled automatically + if (!empty($GLOBALS['PHORUM']['mod_htmlpurifier']['wysiwyg'])) { + $i = $GLOBALS['PHORUM']['DATA']['MODE']; + if ($i == 'quote' || $i == 'edit' || $i == 'moderation') { + ?> + <div> + <p> + <strong>Notice:</strong> HTML has been scrubbed for your safety. + If you would like to see the original, turn off WYSIWYG mode + (consult your administrator for details.) + </p> + </div> + <?php + } + return; + } + if (!empty($GLOBALS['PHORUM']['mod_htmlpurifier']['suppress_message'])) return; + ?><div class="htmlpurifier-help"> + <p> + <strong>HTML input</strong> is enabled. Make sure you escape all HTML and + angled brackets with <code>&lt;</code> and <code>&gt;</code>. + </p><?php + $purifier =& HTMLPurifier::getInstance(); + $config = $purifier->config; + if ($config->get('AutoFormat.AutoParagraph')) { + ?><p> + <strong>Auto-paragraphing</strong> is enabled. Double + newlines will be converted to paragraphs; for single + newlines, use the <code>pre</code> tag. + </p><?php + } + $html_definition = $config->getDefinition('HTML'); + $allowed = array(); + foreach ($html_definition->info as $name => $x) $allowed[] = "<code>$name</code>"; + sort($allowed); + $allowed_text = implode(', ', $allowed); + ?><p><strong>Allowed tags:</strong> <?php + echo $allowed_text; + ?>.</p><?php + ?> + </p> + <p> + For inputting literal code such as HTML and PHP for display, use + CDATA tags to auto-escape your angled brackets, and <code>pre</code> + to preserve newlines: + </p> + <pre><pre><![CDATA[ +<em>Place code here</em> +]]></pre></pre> + <p> + Power users, you can hide this notice with: + <pre>.htmlpurifier-help {display:none;}</pre> + </p> + </div><?php +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/plugins/phorum/info.txt b/lib/htmlpurifier/plugins/phorum/info.txt new file mode 100644 index 000000000..723465490 --- /dev/null +++ b/lib/htmlpurifier/plugins/phorum/info.txt @@ -0,0 +1,18 @@ +title: HTML Purifier Phorum Mod +desc: This module enables standards-compliant HTML filtering on Phorum. Please check migrate.bbcode.php before enabling this mod. +author: Edward Z. Yang +url: http://htmlpurifier.org/ +version: 4.0.0 + +hook: format|phorum_htmlpurifier_format +hook: quote|phorum_htmlpurifier_quote +hook: posting_custom_action|phorum_htmlpurifier_posting +hook: common|phorum_htmlpurifier_common +hook: before_editor|phorum_htmlpurifier_before_editor +hook: tpl_editor_after_subject|phorum_htmlpurifier_editor_after_subject + +# This module is meant to be a drop-in for bbcode, so make it run last. +priority: run module after * +priority: run hook format after * + + vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/plugins/phorum/init-config.php b/lib/htmlpurifier/plugins/phorum/init-config.php new file mode 100644 index 000000000..aa7b15599 --- /dev/null +++ b/lib/htmlpurifier/plugins/phorum/init-config.php @@ -0,0 +1,28 @@ +<?php + +/** + * Initializes the appropriate configuration from either a PHP file + * or a module configuration value + * @return Instance of HTMLPurifier_Config + */ +function phorum_htmlpurifier_get_config($default = false) { + global $PHORUM; + $config_exists = phorum_htmlpurifier_config_file_exists(); + if ($default || $config_exists || !isset($PHORUM['mod_htmlpurifier']['config'])) { + $config = HTMLPurifier_Config::createDefault(); + include(dirname(__FILE__) . '/config.default.php'); + if ($config_exists) { + include(dirname(__FILE__) . '/config.php'); + } + unset($PHORUM['mod_htmlpurifier']['config']); // unnecessary + } else { + $config = HTMLPurifier_Config::create($PHORUM['mod_htmlpurifier']['config']); + } + return $config; +} + +function phorum_htmlpurifier_config_file_exists() { + return file_exists(dirname(__FILE__) . '/config.php'); +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/plugins/phorum/migrate.bbcode.php b/lib/htmlpurifier/plugins/phorum/migrate.bbcode.php new file mode 100644 index 000000000..24f0ec4a9 --- /dev/null +++ b/lib/htmlpurifier/plugins/phorum/migrate.bbcode.php @@ -0,0 +1,30 @@ +<?php + +/** + * This file is responsible for migrating from a specific markup language + * like BBCode or Markdown to HTML. WARNING: THIS PROCESS IS NOT REVERSIBLE + * + * Copy this file to 'migrate.php' and it will automatically work for + * BBCode; you may need to tweak this a little to get it to work for other + * languages (usually, just replace the include name and the function name). + * + * If you do NOT want to have any migration performed (for instance, you + * are installing the module on a new forum with no posts), simply remove + * phorum_htmlpurifier_migrate() function. You still need migrate.php + * present, otherwise the module won't work. This ensures that the user + * explicitly says, "No, I do not need to migrate." + */ + +if(!defined("PHORUM")) exit; + +require_once(dirname(__FILE__) . "/../bbcode/bbcode.php"); + +/** + * 'format' hook style function that will be called to convert + * legacy markup into HTML. + */ +function phorum_htmlpurifier_migrate($data) { + return phorum_mod_bbcode_format($data); // bbcode's 'format' hook +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/plugins/phorum/settings.php b/lib/htmlpurifier/plugins/phorum/settings.php new file mode 100644 index 000000000..8158f0282 --- /dev/null +++ b/lib/htmlpurifier/plugins/phorum/settings.php @@ -0,0 +1,64 @@ +<?php + +// based off of BBCode's settings file + +/** + * HTML Purifier Phorum mod settings configuration. This provides + * a convenient web-interface for editing the most common HTML Purifier + * configuration directives. You can also specify custom configuration + * by creating a 'config.php' file. + */ + +if(!defined("PHORUM_ADMIN")) exit; + +// error reporting is good! +error_reporting(E_ALL ^ E_NOTICE); + +// load library and other paraphenalia +require_once './include/admin/PhorumInputForm.php'; +require_once (dirname(__FILE__) . '/htmlpurifier/HTMLPurifier.auto.php'); +require_once (dirname(__FILE__) . '/init-config.php'); +require_once (dirname(__FILE__) . '/settings/migrate-sigs-form.php'); +require_once (dirname(__FILE__) . '/settings/migrate-sigs.php'); +require_once (dirname(__FILE__) . '/settings/form.php'); +require_once (dirname(__FILE__) . '/settings/save.php'); + +// define friendly configuration directives. you can expand this array +// to get more web-definable directives +$PHORUM['mod_htmlpurifier']['directives'] = array( + 'URI.Host', // auto-detectable + 'URI.DisableExternal', + 'URI.DisableExternalResources', + 'URI.DisableResources', + 'URI.Munge', + 'URI.HostBlacklist', + 'URI.Disable', + 'HTML.TidyLevel', + 'HTML.Doctype', // auto-detectable + 'HTML.Allowed', + 'AutoFormat', + '-AutoFormat.Custom', + 'AutoFormatParam', + 'Output.TidyFormat', +); + +// lower this setting if you're getting time outs/out of memory +$PHORUM['mod_htmlpurifier']['migrate-sigs-increment'] = 100; + +if (isset($_POST['reset'])) { + unset($PHORUM['mod_htmlpurifier']['config']); +} + +if ($offset = phorum_htmlpurifier_migrate_sigs_check()) { + // migrate signatures + phorum_htmlpurifier_migrate_sigs($offset); +} elseif(!empty($_POST)){ + // save settings + phorum_htmlpurifier_save_settings(); +} + +phorum_htmlpurifier_show_migrate_sigs_form(); +echo '<br />'; +phorum_htmlpurifier_show_form(); + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/plugins/phorum/settings/form.php b/lib/htmlpurifier/plugins/phorum/settings/form.php new file mode 100644 index 000000000..a47a5fae7 --- /dev/null +++ b/lib/htmlpurifier/plugins/phorum/settings/form.php @@ -0,0 +1,93 @@ +<?php + +function phorum_htmlpurifier_show_form() { + if (phorum_htmlpurifier_config_file_exists()) { + phorum_htmlpurifier_show_config_info(); + return; + } + + global $PHORUM; + + $config = phorum_htmlpurifier_get_config(); + + $frm = new PhorumInputForm ("", "post", "Save"); + $frm->hidden("module", "modsettings"); + $frm->hidden("mod", "htmlpurifier"); // this is the directory name that the Settings file lives in + + if (!empty($error)){ + echo "$error<br />"; + } + + $frm->addbreak("Edit settings for the HTML Purifier module"); + + $frm->addMessage('<p>The box below sets <code>$PHORUM[\'mod_htmlpurifier\'][\'wysiwyg\']</code>. + When checked, contents sent for edit are now purified and the + informative message is disabled. If your WYSIWYG editor is disabled for + admin edits, you can safely keep this unchecked.</p>'); + $frm->addRow('Use WYSIWYG?', $frm->checkbox('wysiwyg', '1', '', $PHORUM['mod_htmlpurifier']['wysiwyg'])); + + $frm->addMessage('<p>The box below sets <code>$PHORUM[\'mod_htmlpurifier\'][\'suppress_message\']</code>, + which removes the big how-to use + HTML Purifier message.</p>'); + $frm->addRow('Suppress information?', $frm->checkbox('suppress_message', '1', '', $PHORUM['mod_htmlpurifier']['suppress_message'])); + + $frm->addMessage('<p>Click on directive links to read what each option does + (links do not open in new windows).</p> + <p>For more flexibility (for instance, you want to edit the full + range of configuration directives), you can create a <tt>config.php</tt> + file in your <tt>mods/htmlpurifier/</tt> directory. Doing so will, + however, make the web configuration interface unavailable.</p>'); + + require_once 'HTMLPurifier/Printer/ConfigForm.php'; + $htmlpurifier_form = new HTMLPurifier_Printer_ConfigForm('config', 'http://htmlpurifier.org/live/configdoc/plain.html#%s'); + $htmlpurifier_form->setTextareaDimensions(23, 7); // widen a little, since we have space + + $frm->addMessage($htmlpurifier_form->render( + $config, $PHORUM['mod_htmlpurifier']['directives'], false)); + + $frm->addMessage("<strong>Warning: Changing HTML Purifier's configuration will invalidate + the cache. Expect to see a flurry of database activity after you change + any of these settings.</strong>"); + + $frm->addrow('Reset to defaults:', $frm->checkbox("reset", "1", "", false)); + + // hack to include extra styling + echo '<style type="text/css">' . $htmlpurifier_form->getCSS() . ' + .hp-config {margin-left:auto;margin-right:auto;} + </style>'; + $js = $htmlpurifier_form->getJavaScript(); + echo '<script type="text/javascript">'."<!--\n$js\n//-->".'</script>'; + + $frm->show(); +} + +function phorum_htmlpurifier_show_config_info() { + global $PHORUM; + + // update mod_htmlpurifier for housekeeping + phorum_htmlpurifier_commit_settings(); + + // politely tell user how to edit settings manually +?> + <div class="input-form-td-break">How to edit settings for HTML Purifier module</div> + <p> + A <tt>config.php</tt> file exists in your <tt>mods/htmlpurifier/</tt> + directory. This file contains your custom configuration: in order to + change it, please navigate to that file and edit it accordingly. + You can also set <code>$GLOBALS['PHORUM']['mod_htmlpurifier']['wysiwyg']</code> + or <code>$GLOBALS['PHORUM']['mod_htmlpurifier']['suppress_message']</code> + </p> + <p> + To use the web interface, delete <tt>config.php</tt> (or rename it to + <tt>config.php.bak</tt>). + </p> + <p> + <strong>Warning: Changing HTML Purifier's configuration will invalidate + the cache. Expect to see a flurry of database activity after you change + any of these settings.</strong> + </p> +<?php + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/plugins/phorum/settings/migrate-sigs-form.php b/lib/htmlpurifier/plugins/phorum/settings/migrate-sigs-form.php new file mode 100644 index 000000000..2d63ebe48 --- /dev/null +++ b/lib/htmlpurifier/plugins/phorum/settings/migrate-sigs-form.php @@ -0,0 +1,22 @@ +<?php + +function phorum_htmlpurifier_show_migrate_sigs_form() { + + $frm = new PhorumInputForm ('', "post", "Migrate"); + $frm->hidden("module", "modsettings"); + $frm->hidden("mod", "htmlpurifier"); + $frm->hidden("migrate-sigs", "1"); + $frm->addbreak("Migrate user signatures to HTML"); + $frm->addMessage('This operation will migrate your users signatures + to HTML. <strong>This process is irreversible and must only be performed once.</strong> + Type in yes in the confirmation field to migrate.'); + if (!file_exists(dirname(__FILE__) . '/../migrate.php')) { + $frm->addMessage('Migration file does not exist, cannot migrate signatures. + Please check <tt>migrate.bbcode.php</tt> on how to create an appropriate file.'); + } else { + $frm->addrow('Confirm:', $frm->text_box("confirmation", "")); + } + $frm->show(); +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/plugins/phorum/settings/migrate-sigs.php b/lib/htmlpurifier/plugins/phorum/settings/migrate-sigs.php new file mode 100644 index 000000000..81c1f0ba9 --- /dev/null +++ b/lib/htmlpurifier/plugins/phorum/settings/migrate-sigs.php @@ -0,0 +1,77 @@ +<?php + +function phorum_htmlpurifier_migrate_sigs_check() { + global $PHORUM; + $offset = 0; + if (!empty($_POST['migrate-sigs'])) { + if (!isset($_POST['confirmation']) || strtolower($_POST['confirmation']) !== 'yes') { + echo 'Invalid confirmation code.'; + exit; + } + $PHORUM['mod_htmlpurifier']['migrate-sigs'] = true; + phorum_db_update_settings(array("mod_htmlpurifier"=>$PHORUM["mod_htmlpurifier"])); + $offset = 1; + } elseif (!empty($_GET['migrate-sigs']) && $PHORUM['mod_htmlpurifier']['migrate-sigs']) { + $offset = (int) $_GET['migrate-sigs']; + } + return $offset; +} + +function phorum_htmlpurifier_migrate_sigs($offset) { + global $PHORUM; + + if(!$offset) return; // bail out quick if $offset == 0 + + // theoretically, we could get rid of this multi-request + // doo-hickery if safe mode is off + @set_time_limit(0); // attempt to let this run + $increment = $PHORUM['mod_htmlpurifier']['migrate-sigs-increment']; + + require_once(dirname(__FILE__) . '/../migrate.php'); + // migrate signatures + // do this in batches so we don't run out of time/space + $end = $offset + $increment; + $user_ids = array(); + for ($i = $offset; $i < $end; $i++) { + $user_ids[] = $i; + } + $userinfos = phorum_db_user_get_fields($user_ids, 'signature'); + foreach ($userinfos as $i => $user) { + if (empty($user['signature'])) continue; + $sig = $user['signature']; + // perform standard Phorum processing on the sig + $sig = str_replace(array("&","<",">"), array("&","<",">"), $sig); + $sig = preg_replace("/<((http|https|ftp):\/\/[a-z0-9;\/\?:@=\&\$\-_\.\+!*'\(\),~%]+?)>/i", "$1", $sig); + // prepare fake data to pass to migration function + $fake_data = array(array("author"=>"", "email"=>"", "subject"=>"", 'body' => $sig)); + list($fake_message) = phorum_htmlpurifier_migrate($fake_data); + $user['signature'] = $fake_message['body']; + if (!phorum_api_user_save($user)) { + exit('Error while saving user data'); + } + } + unset($userinfos); // free up memory + + // query for highest ID in database + $type = $PHORUM['DBCONFIG']['type']; + $sql = "select MAX(user_id) from {$PHORUM['user_table']}"; + $row = phorum_db_interact(DB_RETURN_ROW, $sql); + $top_id = (int) $row[0]; + + $offset += $increment; + if ($offset > $top_id) { // test for end condition + echo 'Migration finished'; + $PHORUM['mod_htmlpurifier']['migrate-sigs'] = false; + phorum_htmlpurifier_commit_settings(); + return true; + } + $host = $_SERVER['HTTP_HOST']; + $uri = rtrim(dirname($_SERVER['PHP_SELF']), '/\\'); + $extra = 'admin.php?module=modsettings&mod=htmlpurifier&migrate-sigs=' . $offset; + // relies on output buffering to work + header("Location: http://$host$uri/$extra"); + exit; + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/plugins/phorum/settings/save.php b/lib/htmlpurifier/plugins/phorum/settings/save.php new file mode 100644 index 000000000..7dbb767d0 --- /dev/null +++ b/lib/htmlpurifier/plugins/phorum/settings/save.php @@ -0,0 +1,27 @@ +<?php + +function phorum_htmlpurifier_save_settings() { + global $PHORUM; + if (phorum_htmlpurifier_config_file_exists()) { + echo "Cannot update settings, <code>mods/htmlpurifier/config.php</code> already exists. To change + settings, edit that file. To use the web form, delete that file.<br />"; + } else { + $config = phorum_htmlpurifier_get_config(true); + if (!isset($_POST['reset'])) $config->mergeArrayFromForm($_POST, 'config', $PHORUM['mod_htmlpurifier']['directives']); + $PHORUM['mod_htmlpurifier']['config'] = $config->getAll(); + } + $PHORUM['mod_htmlpurifier']['wysiwyg'] = !empty($_POST['wysiwyg']); + $PHORUM['mod_htmlpurifier']['suppress_message'] = !empty($_POST['suppress_message']); + if(!phorum_htmlpurifier_commit_settings()){ + $error="Database error while updating settings."; + } else { + echo "Settings Updated<br />"; + } +} + +function phorum_htmlpurifier_commit_settings() { + global $PHORUM; + return phorum_db_update_settings(array("mod_htmlpurifier"=>$PHORUM["mod_htmlpurifier"])); +} + +// vim: et sw=4 sts=4 |