authorfriendica <info@friendica.com>2012-05-12 17:57:41 -0700
committerfriendica <info@friendica.com>2012-07-18 20:40:31 +1000
commit7a40f4354b32809af3d0cfd6e3af0eda02ab0e0a (patch)
treea9c3d91209cff770bb4b613b1b95e61a7bbc5a2b /lib/htmlpurifier/plugins
parentcd727cb26b78a1dade09d510b071446898477356 (diff)
some important stuff we'll need
Diffstat (limited to 'lib/htmlpurifier/plugins')
-rw-r--r--lib/htmlpurifier/plugins/modx.txt112
-rw-r--r--lib/htmlpurifier/plugins/phorum/.gitignore2
-rw-r--r--lib/htmlpurifier/plugins/phorum/Changelog27
-rw-r--r--lib/htmlpurifier/plugins/phorum/INSTALL84
-rw-r--r--lib/htmlpurifier/plugins/phorum/README45
-rw-r--r--lib/htmlpurifier/plugins/phorum/config.default.php57
-rw-r--r--lib/htmlpurifier/plugins/phorum/htmlpurifier.php309
-rw-r--r--lib/htmlpurifier/plugins/phorum/info.txt18
-rw-r--r--lib/htmlpurifier/plugins/phorum/init-config.php28
-rw-r--r--lib/htmlpurifier/plugins/phorum/migrate.bbcode.php30
-rw-r--r--lib/htmlpurifier/plugins/phorum/settings.php64
-rw-r--r--lib/htmlpurifier/plugins/phorum/settings/form.php93
-rw-r--r--lib/htmlpurifier/plugins/phorum/settings/migrate-sigs-form.php22
-rw-r--r--lib/htmlpurifier/plugins/phorum/settings/migrate-sigs.php77
-rw-r--r--lib/htmlpurifier/plugins/phorum/settings/save.php27
15 files changed, 995 insertions, 0 deletions
diff --git a/lib/htmlpurifier/plugins/modx.txt b/lib/htmlpurifier/plugins/modx.txt
new file mode 100644
index 000000000..0763821b5
--- /dev/null
+++ b/lib/htmlpurifier/plugins/modx.txt
@@ -0,0 +1,112 @@
+
+MODx Plugin
+
+MODx <http://www.modxcms.com/> is an open source PHP application framework.
+I first came across them in my referrer logs when tillda asked if anyone
+could implement an HTML Purifier plugin. This forum thread
+<http://modxcms.com/forums/index.php/topic,6604.0.html> eventually resulted
+in the fruition of this plugin that davidm says, "is on top of my favorite
+list." HTML Purifier goes great with WYSIWYG editors!
+
+
+
+1. Credits
+
+PaulGregory wrote the overall structure of the code. I added the
+slashes hack.
+
+
+
+2. Install
+
+First, you need to place HTML Purifier library somewhere. The code here
+assumes that you've placed in MODx's assets/plugins/htmlpurifier (no version
+number).
+
+Log into the manager, and navigate:
+
+Resources > Manage Resources > Plugins tab > New Plugin
+
+Type in a name (probably HTML Purifier), and copy paste this code into the
+textarea:
+
+--------------------------------------------------------------------------------
+$e = &$modx->Event;
+if ($e->name == 'OnBeforeDocFormSave') {
+ global $content;
+
+ include_once '../assets/plugins/htmlpurifier/library/HTMLPurifier.auto.php';
+ $purifier = new HTMLPurifier();
+
+ static $magic_quotes = null;
+ if ($magic_quotes === null) {
+ // this is an ugly hack because this hook hasn't
+ // had the backslashes removed yet when magic_quotes_gpc is on,
+ // but HTMLPurifier must not have the quotes slashed.
+ $magic_quotes = get_magic_quotes_gpc();
+ }
+
+ if ($magic_quotes) $content = stripslashes($content);
+ $content = $purifier->purify($content);
+ if ($magic_quotes) $content = addslashes($content);
+}
+--------------------------------------------------------------------------------
+
+Then navigate to the System Events tab and check "OnBeforeDocFormSave".
+Save the plugin. HTML Purifier now is integrated!
+
+
+
+3. Making sure it works
+
+You can test HTML Purifier by deliberately putting in crappy HTML and seeing
+whether or not it gets fixed. A better way is to put in something like this:
+
+<p lang="fr">Il est bon</p>
+
+...and seeing whether or not the content comes out as:
+
+<p lang="fr" xml:lang="fr">Il est bon</p>
+
+(lang to xml:lang synchronization is one of the many features HTML Purifier
+has).
+
+
+
+4. Caveat Emptor
+
+This code does not intercept save requests from the QuickEdit plugin, this may
+be added in a later version. It also modifies things on save, so there's a
+slight chance that HTML Purifier may make a boo-boo and accidently mess things
+up (the original version is not saved).
+
+Finally, make sure that MODx is using UTF-8. If you are using, say, a French
+localisation, you may be using Latin-1, if that's the case, configure
+HTML Purifier properly like this:
+
+$config = HTMLPurifier_Config::createDefault();
+$config->set('Core', 'Encoding', 'ISO-8859-1'); // or whatever encoding
+$purifier = new HTMLPurifier($config);
+
+
+
+5. Known Bugs
+
+'rn' characters sometimes mysteriously appear after purification. We are
+currently investigating this issue. See: <http://htmlpurifier.org/phorum/read.php?3,1866>
+
+
+
+6. See Also
+
+A modified version of Jot 1.1.3 is available, which integrates with HTML
+Purifier. You can check it out here: <http://modxcms.com/forums/index.php/topic,25621.msg161970.html>
+
+
+X. Changelog
+
+2008-06-16
+- Updated code to work with 3.1.0 and later
+- Add Known Bugs and See Also section
+
+ vim: et sw=4 sts=4
diff --git a/lib/htmlpurifier/plugins/phorum/.gitignore b/lib/htmlpurifier/plugins/phorum/.gitignore
new file mode 100644
index 000000000..8325e0902
--- /dev/null
+++ b/lib/htmlpurifier/plugins/phorum/.gitignore
@@ -0,0 +1,2 @@
+migrate.php
+htmlpurifier/*
diff --git a/lib/htmlpurifier/plugins/phorum/Changelog b/lib/htmlpurifier/plugins/phorum/Changelog
new file mode 100644
index 000000000..9f939e54a
--- /dev/null
+++ b/lib/htmlpurifier/plugins/phorum/Changelog
@@ -0,0 +1,27 @@
+Changelog HTMLPurifier : Phorum Mod
+|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+
+= KEY ====================
+ # Breaks back-compat
+ ! Feature
+ - Bugfix
+ + Sub-comment
+ . Internal change
+==========================
+
+Version 4.0.0 for Phorum 5.2, released July 9, 2009
+# Works only with HTML Purifier 4.0.0
+! Better installation documentation
+- Fixed double encoded quotes
+- Fixed fatal error when migrate.php is blank
+
+Version 3.0.0 for Phorum 5.2, released January 12, 2008
+# WYSIWYG and suppress_message options are now configurable via web
+ interface.
+- Module now compatible with Phorum 5.2, primary bugs were in migration
+ code as well as signature and edit message handling. This module is NOT
+ compatible with Phorum 5.1.
+- Buggy WYSIWYG mode refined
+. AutoFormatParam added to list of default configuration namespaces
+
+ vim: et sw=4 sts=4
diff --git a/lib/htmlpurifier/plugins/phorum/INSTALL b/lib/htmlpurifier/plugins/phorum/INSTALL
new file mode 100644
index 000000000..23c76fc5c
--- /dev/null
+++ b/lib/htmlpurifier/plugins/phorum/INSTALL
@@ -0,0 +1,84 @@
+
+Install
+ How to install the Phorum HTML Purifier plugin
+
+0. PREREQUISITES
+----------------
+This Phorum module only works on PHP5 and with HTML Purifier 4.0.0
+or later.
+
+1. UNZIP
+--------
+Unzip phorum-htmlpurifier-x.y.z, producing an htmlpurifier folder.
+You've already done this step if you're reading this!
+
+2. MOVE
+-------
+Move the htmlpurifier folder to the mods/ folder of your Phorum
+installation, so the directory structure looks like:
+
+phorum/
+ mods/
+ htmlpurifier/
+ INSTALL - this install file
+ info.txt, ... - the module files
+ htmlpurifier/
+
+3. INSTALL HTML PURIFIER
+------------------------
+Download and unzip HTML Purifier <htmlpurifier.org>. Place the contents of
+the library/ folder in the htmlpurifier/htmlpurifier folder. Your directory
+structure will look like:
+
+phorum/
+ mods/
+ htmlpurifier/
+ htmlpurifier/
+ HTMLPurifier.auto.php
+ ... - other files
+ HTMLPurifier/
+
+Advanced users:
+ If you have HTML Purifier installed elsewhere on your server,
+ all you need is an HTMLPurifier.auto.php file in the library folder which
+ includes the HTMLPurifier.auto.php file in your install.
+
+4. MIGRATE
+----------
+If you're setting up a new Phorum installation, all you need to do is create
+a blank migrate.php file in the htmlpurifier module folder (NOT the library
+folder.
+
+If you have an old Phorum installation and was using BBCode,
+copy migrate.bbcode.php to migrate.php. If you were using a different input
+format, follow the instructions in migrate.bbcode.php to create your own custom
+migrate.php file.
+
+Your directory structure should now look like this:
+
+phorum/
+ mods/
+ htmlpurifier/
+ migrate.php
+
+5. ENABLE
+---------
+Navigate to your Phorum admin panel at http://example.com/phorum/admin.php,
+click on Global Settings > Modules, scroll to "HTML Purifier Phorum Mod" and
+turn it On.
+
+6. MIGRATE SIGNATURES
+---------------------
+If you're setting up a new Phorum installation, skip this step.
+
+If you allowed your users to make signatures, navigate to the module settings
+page of HTML Purifier (Global Settings > Modules > HTML Purifier Phorum Mod >
+Configure), type in "yes" in the "Confirm" box, and press "Migrate."
+
+ONLY DO THIS ONCE! BE SURE TO BACK UP YOUR DATABASE!
+
+7. CONFIGURE
+------------
+Configure using Edit settings. See that page for more information.
+
+ vim: et sw=4 sts=4
diff --git a/lib/htmlpurifier/plugins/phorum/README b/lib/htmlpurifier/plugins/phorum/README
new file mode 100644
index 000000000..0524ed39d
--- /dev/null
+++ b/lib/htmlpurifier/plugins/phorum/README
@@ -0,0 +1,45 @@
+
+HTML Purifier Phorum Mod - Filter your HTML the Standards-Compliant Way!
+
+This Phorum mod enables HTML posting on Phorum. Under normal circumstances,
+this would cause a huge security risk, but because we are running
+HTML through HTML Purifier, output is guaranteed to be XSS free and
+standards-compliant.
+
+This mod requires HTML input, and previous markup languages need to be
+converted accordingly. Thus, it is vital that you create a 'migrate.php'
+file that works with your installation. If you're using the built-in
+BBCode formatting, simply move migrate.bbcode.php to that place; for
+other markup languages, consult said file for instructions on how
+to adapt it to your needs.
+
+ -- NOTE -------------------------------------------------
+ You can also run this module in parallel with another
+ formatting module; this module attempts to place itself
+ at the end of the filtering chain. However, if any
+ previous modules produce insecure HTML (for instance,
+ a JavaScript email obfuscator) they will get cleaned.
+
+This module will not work if 'migrate.php' is not created, and an improperly
+made migration file may *CORRUPT* Phorum, so please take your time to
+do this correctly. It should go without saying to *BACKUP YOUR DATABASE*
+before attempting anything here. If no migration is necessary, you can
+simply create a blank migrate.php file. HTML Purifier is smart and will
+not re-migrate already processed messages. However, the original code
+is irretrievably lost (we may change this in the future.)
+
+This module will not automatically migrate user signatures, because this
+process may take a long time. After installing the HTML Purifier module and
+then configuring 'migrate.php', navigate to Settings and click 'Migrate
+Signatures' to migrate all user signatures to HTML.
+
+All of HTML Purifier's usual functions are configurable via the mod settings
+page. If you require custom configuration, create config.php file in
+the mod directory that edits a $config variable. Be sure, also, to
+set $PHORUM['mod_htmlpurifier']['wysiwyg'] to TRUE if you are using a
+WYSIWYG editor (you can do this through a common hook or the web
+configuration form).
+
+Visit HTML Purifier at <http://htmlpurifier.org/>.
+
+ vim: et sw=4 sts=4
diff --git a/lib/htmlpurifier/plugins/phorum/config.default.php b/lib/htmlpurifier/plugins/phorum/config.default.php
new file mode 100644
index 000000000..e047c0b42
--- /dev/null
+++ b/lib/htmlpurifier/plugins/phorum/config.default.php
@@ -0,0 +1,57 @@
+<?php
+
+if(!defined("PHORUM")) exit;
+
+// default HTML Purifier configuration settings
+$config->set('HTML.Allowed',
+ // alphabetically sorted
+'a[href|title]
+abbr[title]
+acronym[title]
+b
+blockquote[cite]
+br
+caption
+cite
+code
+dd
+del
+dfn
+div
+dl
+dt
+em
+i
+img[src|alt|title|class]
+ins
+kbd
+li
+ol
+p
+pre
+s
+strike
+strong
+sub
+sup
+table
+tbody
+td
+tfoot
+th
+thead
+tr
+tt
+u
+ul
+var');
+$config->set('AutoFormat.AutoParagraph', true);
+$config->set('AutoFormat.Linkify', true);
+$config->set('HTML.Doctype', 'XHTML 1.0 Transitional');
+$config->set('Core.AggressivelyFixLt', true);
+$config->set('Core.Encoding', $GLOBALS['PHORUM']['DATA']['CHARSET']); // we'll change this eventually
+if (strtolower($GLOBALS['PHORUM']['DATA']['CHARSET']) !== 'utf-8') {
+ $config->set('Core.EscapeNonASCIICharacters', true);
+}
+
+// vim: et sw=4 sts=4
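Review bot: This file calls `$config->set(...)` from line 344 onward without ever defining `$config`; it only works because init-config.php includes it inside phorum_htmlpurifier_get_config right after `$config = HTMLPurifier_Config::createDefault()`, and nothing in the file records that contract. Add a header comment under the PHORUM guard: `// Included by init-config.php from within phorum_htmlpurifier_get_config(); expects $config (HTMLPurifier_Config) to exist in the including scope.` The trailing `// we'll change this eventually` on the Core.Encoding line should say what is expected to change (presumably forcing UTF-8 rather than mirroring the Phorum charset) or be dropped, since as written it tells the next maintainer nothing.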
diff --git a/lib/htmlpurifier/plugins/phorum/htmlpurifier.php b/lib/htmlpurifier/plugins/phorum/htmlpurifier.php
new file mode 100644
index 000000000..6f74fc8c9
--- /dev/null
+++ b/lib/htmlpurifier/plugins/phorum/htmlpurifier.php
@@ -0,0 +1,309 @@
+<?php
+
+/**
+ * HTML Purifier Phorum Mod. Filter your HTML the Standards-Compliant Way!
+ *
+ * This Phorum mod enables users to post raw HTML into Phorum. But never
+ * fear: with the help of HTML Purifier, this HTML will be beat into
+ * de-XSSed and standards-compliant form, safe for general consumption.
+ * It is not recommended, but possible to run this mod in parallel
+ * with other formatters (in short, please DISABLE the BBcode mod).
+ *
+ * For help migrating from your previous markup language to pure HTML
+ * please check the migrate.bbcode.php file.
+ *
+ * If you'd like to use this with a WYSIWYG editor, make sure that
+ * editor sets $PHORUM['mod_htmlpurifier']['wysiwyg'] to true. Otherwise,
+ * administrators who need to edit other people's comments may be at
+ * risk for some nasty attacks.
+ *
+ * Tested with Phorum 5.2.11.
+ */
+
+// Note: Cache data is base64 encoded because Phorum insists on flinging
+// to the user and expecting it to come back unharmed, newlines and
+// all, which ain't happening. It's slower, it takes up more space, but
+// at least it won't get mutilated
+
+/**
+ * Purifies a data array
+ */
+function phorum_htmlpurifier_format($data)
+{
+ $PHORUM = $GLOBALS["PHORUM"];
+
+ $purifier =& HTMLPurifier::getInstance();
+ $cache_serial = $PHORUM['mod_htmlpurifier']['body_cache_serial'];
+
+ foreach($data as $message_id => $message){
+ if(isset($message['body'])) {
+
+ if ($message_id) {
+ // we're dealing with a real message, not a fake, so
+ // there a number of shortcuts that can be taken
+
+ if (isset($message['meta']['htmlpurifier_light'])) {
+ // format hook was called outside of Phorum's normal
+ // functions, do the abridged purification
+ $data[$message_id]['body'] = $purifier->purify($message['body']);
+ continue;
+ }
+
+ if (!empty($PHORUM['args']['purge'])) {
+ // purge the cache, must be below the following if
+ unset($message['meta']['body_cache']);
+ }
+
+ if (
+ isset($message['meta']['body_cache']) &&
+ isset($message['meta']['body_cache_serial']) &&
+ $message['meta']['body_cache_serial'] == $cache_serial
+ ) {
+ // cached version is present, bail out early
+ $data[$message_id]['body'] = base64_decode($message['meta']['body_cache']);
+ continue;
+ }
+ }
+
+ // migration might edit this array, that's why it's defined
+ // so early
+ $updated_message = array();
+
+ // create the $body variable
+ if (
+ $message_id && // message must be real to migrate
+ !isset($message['meta']['body_cache_serial'])
+ ) {
+ // perform migration
+ $fake_data = array();
+ list($signature, $edit_message) = phorum_htmlpurifier_remove_sig_and_editmessage($message);
+ $fake_data[$message_id] = $message;
+ $fake_data = phorum_htmlpurifier_migrate($fake_data);
+ $body = $fake_data[$message_id]['body'];
+ $body = str_replace("<phorum break>\n", "\n", $body);
+ $updated_message['body'] = $body; // save it in
+ $body .= $signature . $edit_message; // add it back in
+ } else {
+ // reverse Phorum's pre-processing
+ $body = $message['body'];
+ // order is important
+ $body = str_replace("<phorum break>\n", "\n", $body);
+ $body = str_replace(array('&lt;','&gt;','&amp;', '&quot;'), array('<','>','&','"'), $body);
+ if (!$message_id && defined('PHORUM_CONTROL_CENTER')) {
+ // we're in control.php, so it was double-escaped
+ $body = str_replace(array('&lt;','&gt;','&amp;', '&quot;'), array('<','>','&','"'), $body);
+ }
+ }
+
+ $body = $purifier->purify($body);
+
+ // dynamically update the cache (MUST BE DONE HERE!)
+ // this is inefficient because it's one db call per
+ // cache miss, but once the cache is in place things are
+ // a lot zippier.
+
+ if ($message_id) { // make sure it's not a fake id
+ $updated_message['meta'] = $message['meta'];
+ $updated_message['meta']['body_cache'] = base64_encode($body);
+ $updated_message['meta']['body_cache_serial'] = $cache_serial;
+ phorum_db_update_message($message_id, $updated_message);
+ }
+
+ // must not get overloaded until after we cache it, otherwise
+ // we'll inadvertently change the original text
+ $data[$message_id]['body'] = $body;
+
+ }
+ }
+
+ return $data;
+}
+
+// -----------------------------------------------------------------------
+// This is fragile code, copied from read.php:596 (Phorum 5.2.6). Please
+// keep this code in-sync with Phorum
+
+/**
+ * Generates a signature based on a message array
+ */
+function phorum_htmlpurifier_generate_sig($row) {
+ $phorum_sig = '';
+ if(isset($row["user"]["signature"])
+ && isset($row['meta']['show_signature']) && $row['meta']['show_signature']==1){
+ $phorum_sig=trim($row["user"]["signature"]);
+ if(!empty($phorum_sig)){
+ $phorum_sig="\n\n$phorum_sig";
+ }
+ }
+ return $phorum_sig;
+}
+
+/**
+ * Generates an edit message based on a message array
+ */
+function phorum_htmlpurifier_generate_editmessage($row) {
+ $PHORUM = $GLOBALS['PHORUM'];
+ $editmessage = '';
+ if(isset($row['meta']['edit_count']) && $row['meta']['edit_count'] > 0) {
+ $editmessage = str_replace ("%count%", $row['meta']['edit_count'], $PHORUM["DATA"]["LANG"]["EditedMessage"]);
+ $editmessage = str_replace ("%lastedit%", phorum_date($PHORUM["short_date_time"],$row['meta']['edit_date']), $editmessage);
+ $editmessage = str_replace ("%lastuser%", $row['meta']['edit_username'], $editmessage);
+ $editmessage = "\n\n\n\n$editmessage";
+ }
+ return $editmessage;
+}
+
+// End fragile code
+// -----------------------------------------------------------------------
+
+/**
+ * Removes the signature and edit message from a message
+ * @param $row Message passed by reference
+ */
+function phorum_htmlpurifier_remove_sig_and_editmessage(&$row) {
+ $signature = phorum_htmlpurifier_generate_sig($row);
+ $editmessage = phorum_htmlpurifier_generate_editmessage($row);
+ $replacements = array();
+ // we need to remove add <phorum break> as that is the form these
+ // extra bits are in.
+ if ($signature) $replacements[str_replace("\n", "<phorum break>\n", $signature)] = '';
+ if ($editmessage) $replacements[str_replace("\n", "<phorum break>\n", $editmessage)] = '';
+ $row['body'] = strtr($row['body'], $replacements);
+ return array($signature, $editmessage);
+}
+
+/**
+ * Indicate that data is fully HTML and not from migration, invalidate
+ * previous caches
+ * @note This function could generate the actual cache entries, but
+ * since there's data missing that must be deferred to the first read
+ */
+function phorum_htmlpurifier_posting($message) {
+ $PHORUM = $GLOBALS["PHORUM"];
+ unset($message['meta']['body_cache']); // invalidate the cache
+ $message['meta']['body_cache_serial'] = $PHORUM['mod_htmlpurifier']['body_cache_serial'];
+ return $message;
+}
+
+/**
+ * Overload quoting mechanism to prevent default, mail-style quote from happening
+ */
+function phorum_htmlpurifier_quote($array) {
+ $PHORUM = $GLOBALS["PHORUM"];
+ $purifier =& HTMLPurifier::getInstance();
+ $text = $purifier->purify($array[1]);
+ $source = htmlspecialchars($array[0]);
+ return "<blockquote cite=\"$source\">\n$text\n</blockquote>";
+}
+
+/**
+ * Ensure that our format hook is processed last. Also, loads the library.
+ * @credits <http://secretsauce.phorum.org/snippets/make_bbcode_last_formatter.php.txt>
+ */
+function phorum_htmlpurifier_common() {
+
+ require_once(dirname(__FILE__).'/htmlpurifier/HTMLPurifier.auto.php');
+ require(dirname(__FILE__).'/init-config.php');
+
+ $config = phorum_htmlpurifier_get_config();
+ HTMLPurifier::getInstance($config);
+
+ // increment revision.txt if you want to invalidate the cache
+ $GLOBALS['PHORUM']['mod_htmlpurifier']['body_cache_serial'] = $config->getSerial();
+
+ // load migration
+ if (file_exists(dirname(__FILE__) . '/migrate.php')) {
+ include(dirname(__FILE__) . '/migrate.php');
+ } else {
+ echo '<strong>Error:</strong> No migration path specified for HTML Purifier, please check
+ <tt>modes/htmlpurifier/migrate.bbcode.php</tt> for instructions on
+ how to migrate from your previous markup language.';
+ exit;
+ }
+
+ if (!function_exists('phorum_htmlpurifier_migrate')) {
+ // Dummy function
+ function phorum_htmlpurifier_migrate($data) {return $data;}
+ }
+
+}
+
+/**
+ * Pre-emptively performs purification if it looks like a WYSIWYG editor
+ * is being used
+ */
+function phorum_htmlpurifier_before_editor($message) {
+ if (!empty($GLOBALS['PHORUM']['mod_htmlpurifier']['wysiwyg'])) {
+ if (!empty($message['body'])) {
+ $body = $message['body'];
+ // de-entity-ize contents
+ $body = str_replace(array('&lt;','&gt;','&amp;'), array('<','>','&'), $body);
+ $purifier =& HTMLPurifier::getInstance();
+ $body = $purifier->purify($body);
+ // re-entity-ize contents
+ $body = htmlspecialchars($body, ENT_QUOTES, $GLOBALS['PHORUM']['DATA']['CHARSET']);
+ $message['body'] = $body;
+ }
+ }
+ return $message;
+}
+
+function phorum_htmlpurifier_editor_after_subject() {
+ // don't show this message if it's a WYSIWYG editor, since it will
+ // then be handled automatically
+ if (!empty($GLOBALS['PHORUM']['mod_htmlpurifier']['wysiwyg'])) {
+ $i = $GLOBALS['PHORUM']['DATA']['MODE'];
+ if ($i == 'quote' || $i == 'edit' || $i == 'moderation') {
+ ?>
+ <div>
+ <p>
+ <strong>Notice:</strong> HTML has been scrubbed for your safety.
+ If you would like to see the original, turn off WYSIWYG mode
+ (consult your administrator for details.)
+ </p>
+ </div>
+ <?php
+ }
+ return;
+ }
+ if (!empty($GLOBALS['PHORUM']['mod_htmlpurifier']['suppress_message'])) return;
+ ?><div class="htmlpurifier-help">
+ <p>
+ <strong>HTML input</strong> is enabled. Make sure you escape all HTML and
+ angled brackets with <code>&amp;lt;</code> and <code>&amp;gt;</code>.
+ </p><?php
+ $purifier =& HTMLPurifier::getInstance();
+ $config = $purifier->config;
+ if ($config->get('AutoFormat.AutoParagraph')) {
+ ?><p>
+ <strong>Auto-paragraphing</strong> is enabled. Double
+ newlines will be converted to paragraphs; for single
+ newlines, use the <code>pre</code> tag.
+ </p><?php
+ }
+ $html_definition = $config->getDefinition('HTML');
+ $allowed = array();
+ foreach ($html_definition->info as $name => $x) $allowed[] = "<code>$name</code>";
+ sort($allowed);
+ $allowed_text = implode(', ', $allowed);
+ ?><p><strong>Allowed tags:</strong> <?php
+ echo $allowed_text;
+ ?>.</p><?php
+ ?>
+ </p>
+ <p>
+ For inputting literal code such as HTML and PHP for display, use
+ CDATA tags to auto-escape your angled brackets, and <code>pre</code>
+ to preserve newlines:
+ </p>
+ <pre>&lt;pre&gt;&lt;![CDATA[
+<em>Place code here</em>
+]]&gt;&lt;/pre&gt;</pre>
+ <p>
+ Power users, you can hide this notice with:
+ <pre>.htmlpurifier-help {display:none;}</pre>
+ </p>
+ </div><?php
+}
+
+// vim: et sw=4 sts=4
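Review bot: The cache purge in phorum_htmlpurifier_format (`if (!empty($PHORUM['args']['purge']))`, line 453) is not gated on any privilege, and every purged message then goes through `$purifier->purify()` and `phorum_db_update_message()` (line 510), so anyone who can place a `purge` argument in the request can force a re-purify and a database write for every message on the page, on every request. If the purge is meant as an administrative tool, check the administrator flag on the current `$PHORUM['user']` before honouring it, or drop the argument entirely and rely on the config serial bump that the common hook already performs (line 613); whether `$PHORUM['args']` is populated from the URL is inferred from Phorum's conventions rather than visible here. The cache validity check on line 461 uses `==` against the serial; `===` avoids loose string/int coercion surprises. Separately, `$PHORUM = $GLOBALS["PHORUM"];` in phorum_htmlpurifier_quote (line 593) is never read and can be removed.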
diff --git a/lib/htmlpurifier/plugins/phorum/info.txt b/lib/htmlpurifier/plugins/phorum/info.txt
new file mode 100644
index 000000000..723465490
--- /dev/null
+++ b/lib/htmlpurifier/plugins/phorum/info.txt
@@ -0,0 +1,18 @@
+title: HTML Purifier Phorum Mod
+desc: This module enables standards-compliant HTML filtering on Phorum. Please check migrate.bbcode.php before enabling this mod.
+author: Edward Z. Yang
+url: http://htmlpurifier.org/
+version: 4.0.0
+
+hook: format|phorum_htmlpurifier_format
+hook: quote|phorum_htmlpurifier_quote
+hook: posting_custom_action|phorum_htmlpurifier_posting
+hook: common|phorum_htmlpurifier_common
+hook: before_editor|phorum_htmlpurifier_before_editor
+hook: tpl_editor_after_subject|phorum_htmlpurifier_editor_after_subject
+
+# This module is meant to be a drop-in for bbcode, so make it run last.
+priority: run module after *
+priority: run hook format after *
+
+ vim: et sw=4 sts=4
diff --git a/lib/htmlpurifier/plugins/phorum/init-config.php b/lib/htmlpurifier/plugins/phorum/init-config.php
new file mode 100644
index 000000000..aa7b15599
--- /dev/null
+++ b/lib/htmlpurifier/plugins/phorum/init-config.php
@@ -0,0 +1,28 @@
+<?php
+
+/**
+ * Initializes the appropriate configuration from either a PHP file
+ * or a module configuration value
+ * @return Instance of HTMLPurifier_Config
+ */
+function phorum_htmlpurifier_get_config($default = false) {
+ global $PHORUM;
+ $config_exists = phorum_htmlpurifier_config_file_exists();
+ if ($default || $config_exists || !isset($PHORUM['mod_htmlpurifier']['config'])) {
+ $config = HTMLPurifier_Config::createDefault();
+ include(dirname(__FILE__) . '/config.default.php');
+ if ($config_exists) {
+ include(dirname(__FILE__) . '/config.php');
+ }
+ unset($PHORUM['mod_htmlpurifier']['config']); // unnecessary
+ } else {
+ $config = HTMLPurifier_Config::create($PHORUM['mod_htmlpurifier']['config']);
+ }
+ return $config;
+}
+
+function phorum_htmlpurifier_config_file_exists() {
+ return file_exists(dirname(__FILE__) . '/config.php');
+}
+
+// vim: et sw=4 sts=4
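Review bot: The `$default` parameter of phorum_htmlpurifier_get_config (line 748) is undocumented, and the docblock's `@return` names only a type, although the parameter changes which configuration source wins: when true the saved web configuration in `$PHORUM['mod_htmlpurifier']['config']` is ignored and the file-based defaults (config.default.php plus config.php if present) are rebuilt. Add `@param bool $default When true, ignore any saved web configuration and build from config.default.php and config.php` to that docblock, and give phorum_htmlpurifier_config_file_exists (line 764) a one-line docblock such as `/** Whether a custom config.php override exists next to this module file. */`. Note that the `unset(...)` on line 757 only clears the in-memory global; nothing in this file persists that, so the `// unnecessary` comment could say "in-memory only".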
diff --git a/lib/htmlpurifier/plugins/phorum/migrate.bbcode.php b/lib/htmlpurifier/plugins/phorum/migrate.bbcode.php
new file mode 100644
index 000000000..24f0ec4a9
--- /dev/null
+++ b/lib/htmlpurifier/plugins/phorum/migrate.bbcode.php
@@ -0,0 +1,30 @@
+<?php
+
+/**
+ * This file is responsible for migrating from a specific markup language
+ * like BBCode or Markdown to HTML. WARNING: THIS PROCESS IS NOT REVERSIBLE
+ *
+ * Copy this file to 'migrate.php' and it will automatically work for
+ * BBCode; you may need to tweak this a little to get it to work for other
+ * languages (usually, just replace the include name and the function name).
+ *
+ * If you do NOT want to have any migration performed (for instance, you
+ * are installing the module on a new forum with no posts), simply remove
+ * phorum_htmlpurifier_migrate() function. You still need migrate.php
+ * present, otherwise the module won't work. This ensures that the user
+ * explicitly says, "No, I do not need to migrate."
+ */
+
+if(!defined("PHORUM")) exit;
+
+require_once(dirname(__FILE__) . "/../bbcode/bbcode.php");
+
+/**
+ * 'format' hook style function that will be called to convert
+ * legacy markup into HTML.
+ */
+function phorum_htmlpurifier_migrate($data) {
+ return phorum_mod_bbcode_format($data); // bbcode's 'format' hook
+}
+
+// vim: et sw=4 sts=4
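Review bot: `require_once(dirname(__FILE__) . "/../bbcode/bbcode.php")` on line 794 has no existence check, so once this file is copied to migrate.php as the header instructs, a missing or relocated bbcode module turns every page view into a fatal error inside the common hook, which is where migrate.php is included (htmlpurifier.php line 617). A guarded form fails with a readable message instead: `$bbcode = dirname(__FILE__) . '/../bbcode/bbcode.php';` / `if (!file_exists($bbcode)) { trigger_error('HTML Purifier migration requires the bbcode module', E_USER_ERROR); }` / `require_once $bbcode;`. The docblock could also state that phorum_mod_bbcode_format receives and returns the same `$data` array shape as the format hook, which is what makes this a drop-in.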
diff --git a/lib/htmlpurifier/plugins/phorum/settings.php b/lib/htmlpurifier/plugins/phorum/settings.php
new file mode 100644
index 000000000..8158f0282
--- /dev/null
+++ b/lib/htmlpurifier/plugins/phorum/settings.php
@@ -0,0 +1,64 @@
+<?php
+
+// based off of BBCode's settings file
+
+/**
+ * HTML Purifier Phorum mod settings configuration. This provides
+ * a convenient web-interface for editing the most common HTML Purifier
+ * configuration directives. You can also specify custom configuration
+ * by creating a 'config.php' file.
+ */
+
+if(!defined("PHORUM_ADMIN")) exit;
+
+// error reporting is good!
+error_reporting(E_ALL ^ E_NOTICE);
+
+// load library and other paraphenalia
+require_once './include/admin/PhorumInputForm.php';
+require_once (dirname(__FILE__) . '/htmlpurifier/HTMLPurifier.auto.php');
+require_once (dirname(__FILE__) . '/init-config.php');
+require_once (dirname(__FILE__) . '/settings/migrate-sigs-form.php');
+require_once (dirname(__FILE__) . '/settings/migrate-sigs.php');
+require_once (dirname(__FILE__) . '/settings/form.php');
+require_once (dirname(__FILE__) . '/settings/save.php');
+
+// define friendly configuration directives. you can expand this array
+// to get more web-definable directives
+$PHORUM['mod_htmlpurifier']['directives'] = array(
+ 'URI.Host', // auto-detectable
+ 'URI.DisableExternal',
+ 'URI.DisableExternalResources',
+ 'URI.DisableResources',
+ 'URI.Munge',
+ 'URI.HostBlacklist',
+ 'URI.Disable',
+ 'HTML.TidyLevel',
+ 'HTML.Doctype', // auto-detectable
+ 'HTML.Allowed',
+ 'AutoFormat',
+ '-AutoFormat.Custom',
+ 'AutoFormatParam',
+ 'Output.TidyFormat',
+);
+
+// lower this setting if you're getting time outs/out of memory
+$PHORUM['mod_htmlpurifier']['migrate-sigs-increment'] = 100;
+
+if (isset($_POST['reset'])) {
+ unset($PHORUM['mod_htmlpurifier']['config']);
+}
+
+if ($offset = phorum_htmlpurifier_migrate_sigs_check()) {
+ // migrate signatures
+ phorum_htmlpurifier_migrate_sigs($offset);
+} elseif(!empty($_POST)){
+ // save settings
+ phorum_htmlpurifier_save_settings();
+}
+
+phorum_htmlpurifier_show_migrate_sigs_form();
+echo '<br />';
+phorum_htmlpurifier_show_form();
+
+// vim: et sw=4 sts=4
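Review bot: The state-changing branches on lines 858-868 (reset of the saved config, signature migration, settings save) act on `$_POST` as soon as `PHORUM_ADMIN` is defined; no anti-CSRF token is read here or in the forms built in settings/form.php and settings/migrate-sigs-form.php, so unless Phorum's admin front controller validates one before including module settings files (not visible in this commit), these irreversible actions can be triggered by a forged form submission in an administrator's browser. Confirm that protection exists upstream or add a per-session token to each PhorumInputForm and verify it before the `isset($_POST['reset'])` line. Also, `error_reporting(E_ALL ^ E_NOTICE)` on line 825 hides undefined-index notices that the unguarded `$PHORUM['mod_htmlpurifier'][...]` reads in form.php would otherwise raise on a fresh install; prefer `!empty()` reads there and leave notice reporting alone.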
diff --git a/lib/htmlpurifier/plugins/phorum/settings/form.php b/lib/htmlpurifier/plugins/phorum/settings/form.php
new file mode 100644
index 000000000..a47a5fae7
--- /dev/null
+++ b/lib/htmlpurifier/plugins/phorum/settings/form.php
@@ -0,0 +1,93 @@
+<?php
+
+function phorum_htmlpurifier_show_form() {
+ if (phorum_htmlpurifier_config_file_exists()) {
+ phorum_htmlpurifier_show_config_info();
+ return;
+ }
+
+ global $PHORUM;
+
+ $config = phorum_htmlpurifier_get_config();
+
+ $frm = new PhorumInputForm ("", "post", "Save");
+ $frm->hidden("module", "modsettings");
+ $frm->hidden("mod", "htmlpurifier"); // this is the directory name that the Settings file lives in
+
+ if (!empty($error)){
+ echo "$error<br />";
+ }
+
+ $frm->addbreak("Edit settings for the HTML Purifier module");
+
+ $frm->addMessage('<p>The box below sets <code>$PHORUM[\'mod_htmlpurifier\'][\'wysiwyg\']</code>.
+ When checked, contents sent for edit are now purified and the
+ informative message is disabled. If your WYSIWYG editor is disabled for
+ admin edits, you can safely keep this unchecked.</p>');
+ $frm->addRow('Use WYSIWYG?', $frm->checkbox('wysiwyg', '1', '', $PHORUM['mod_htmlpurifier']['wysiwyg']));
+
+ $frm->addMessage('<p>The box below sets <code>$PHORUM[\'mod_htmlpurifier\'][\'suppress_message\']</code>,
+ which removes the big how-to use
+ HTML Purifier message.</p>');
+ $frm->addRow('Suppress information?', $frm->checkbox('suppress_message', '1', '', $PHORUM['mod_htmlpurifier']['suppress_message']));
+
+ $frm->addMessage('<p>Click on directive links to read what each option does
+ (links do not open in new windows).</p>
+ <p>For more flexibility (for instance, you want to edit the full
+ range of configuration directives), you can create a <tt>config.php</tt>
+ file in your <tt>mods/htmlpurifier/</tt> directory. Doing so will,
+ however, make the web configuration interface unavailable.</p>');
+
+ require_once 'HTMLPurifier/Printer/ConfigForm.php';
+ $htmlpurifier_form = new HTMLPurifier_Printer_ConfigForm('config', 'http://htmlpurifier.org/live/configdoc/plain.html#%s');
+ $htmlpurifier_form->setTextareaDimensions(23, 7); // widen a little, since we have space
+
+ $frm->addMessage($htmlpurifier_form->render(
+ $config, $PHORUM['mod_htmlpurifier']['directives'], false));
+
+ $frm->addMessage("<strong>Warning: Changing HTML Purifier's configuration will invalidate
+ the cache. Expect to see a flurry of database activity after you change
+ any of these settings.</strong>");
+
+ $frm->addrow('Reset to defaults:', $frm->checkbox("reset", "1", "", false));
+
+ // hack to include extra styling
+ echo '<style type="text/css">' . $htmlpurifier_form->getCSS() . '
+ .hp-config {margin-left:auto;margin-right:auto;}
+ </style>';
+ $js = $htmlpurifier_form->getJavaScript();
+ echo '<script type="text/javascript">'."<!--\n$js\n//-->".'</script>';
+
+ $frm->show();
+}
+
+function phorum_htmlpurifier_show_config_info() {
+ global $PHORUM;
+
+ // update mod_htmlpurifier for housekeeping
+ phorum_htmlpurifier_commit_settings();
+
+ // politely tell user how to edit settings manually
+?>
+ <div class="input-form-td-break">How to edit settings for HTML Purifier module</div>
+ <p>
+ A <tt>config.php</tt> file exists in your <tt>mods/htmlpurifier/</tt>
+ directory. This file contains your custom configuration: in order to
+ change it, please navigate to that file and edit it accordingly.
+ You can also set <code>$GLOBALS['PHORUM']['mod_htmlpurifier']['wysiwyg']</code>
+ or <code>$GLOBALS['PHORUM']['mod_htmlpurifier']['suppress_message']</code>
+ </p>
+ <p>
+ To use the web interface, delete <tt>config.php</tt> (or rename it to
+ <tt>config.php.bak</tt>).
+ </p>
+ <p>
+ <strong>Warning: Changing HTML Purifier's configuration will invalidate
+ the cache. Expect to see a flurry of database activity after you change
+ any of these settings.</strong>
+ </p>
+<?php
+
+}
+
+// vim: et sw=4 sts=4
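Review bot: `$error` in phorum_htmlpurifier_show_form is tested on line 897 but never assigned anywhere in the function, so the `echo "$error<br />"` block is dead code; either remove lines 897-899 or have the save step return its message and pass it in as a parameter. The reads `$PHORUM['mod_htmlpurifier']['wysiwyg']` (line 907) and `$PHORUM['mod_htmlpurifier']['suppress_message']` (line 912) are not isset-guarded and so depend on notices being masked; `!empty($PHORUM['mod_htmlpurifier']['wysiwyg'])` is the robust form for both. Neither function has a docblock; `/** Renders the web settings form, or the read-only notice when a config.php override exists. */` on phorum_htmlpurifier_show_form and `/** Explains how to edit settings manually when config.php is present; also commits current settings. */` on phorum_htmlpurifier_show_config_info would cover them.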
diff --git a/lib/htmlpurifier/plugins/phorum/settings/migrate-sigs-form.php b/lib/htmlpurifier/plugins/phorum/settings/migrate-sigs-form.php
new file mode 100644
index 000000000..2d63ebe48
--- /dev/null
+++ b/lib/htmlpurifier/plugins/phorum/settings/migrate-sigs-form.php
@@ -0,0 +1,22 @@
+<?php
+
+function phorum_htmlpurifier_show_migrate_sigs_form() {
+
+ $frm = new PhorumInputForm ('', "post", "Migrate");
+ $frm->hidden("module", "modsettings");
+ $frm->hidden("mod", "htmlpurifier");
+ $frm->hidden("migrate-sigs", "1");
+ $frm->addbreak("Migrate user signatures to HTML");
+ $frm->addMessage('This operation will migrate your users signatures
+ to HTML. <strong>This process is irreversible and must only be performed once.</strong>
+ Type in yes in the confirmation field to migrate.');
+ if (!file_exists(dirname(__FILE__) . '/../migrate.php')) {
+ $frm->addMessage('Migration file does not exist, cannot migrate signatures.
+ Please check <tt>migrate.bbcode.php</tt> on how to create an appropriate file.');
+ } else {
+ $frm->addrow('Confirm:', $frm->text_box("confirmation", ""));
+ }
+ $frm->show();
+}
+
+// vim: et sw=4 sts=4
diff --git a/lib/htmlpurifier/plugins/phorum/settings/migrate-sigs.php b/lib/htmlpurifier/plugins/phorum/settings/migrate-sigs.php
new file mode 100644
index 000000000..81c1f0ba9
--- /dev/null
+++ b/lib/htmlpurifier/plugins/phorum/settings/migrate-sigs.php
@@ -0,0 +1,77 @@
+<?php
+
+function phorum_htmlpurifier_migrate_sigs_check() {
+ global $PHORUM;
+ $offset = 0;
+ if (!empty($_POST['migrate-sigs'])) {
+ if (!isset($_POST['confirmation']) || strtolower($_POST['confirmation']) !== 'yes') {
+ echo 'Invalid confirmation code.';
+ exit;
+ }
+ $PHORUM['mod_htmlpurifier']['migrate-sigs'] = true;
+ phorum_db_update_settings(array("mod_htmlpurifier"=>$PHORUM["mod_htmlpurifier"]));
+ $offset = 1;
+ } elseif (!empty($_GET['migrate-sigs']) && $PHORUM['mod_htmlpurifier']['migrate-sigs']) {
+ $offset = (int) $_GET['migrate-sigs'];
+ }
+ return $offset;
+}
+
+function phorum_htmlpurifier_migrate_sigs($offset) {
+ global $PHORUM;
+
+ if(!$offset) return; // bail out quick if $offset == 0
+
+ // theoretically, we could get rid of this multi-request
+ // doo-hickery if safe mode is off
+ @set_time_limit(0); // attempt to let this run
+ $increment = $PHORUM['mod_htmlpurifier']['migrate-sigs-increment'];
+
+ require_once(dirname(__FILE__) . '/../migrate.php');
+ // migrate signatures
+ // do this in batches so we don't run out of time/space
+ $end = $offset + $increment;
+ $user_ids = array();
+ for ($i = $offset; $i < $end; $i++) {
+ $user_ids[] = $i;
+ }
+ $userinfos = phorum_db_user_get_fields($user_ids, 'signature');
+ foreach ($userinfos as $i => $user) {
+ if (empty($user['signature'])) continue;
+ $sig = $user['signature'];
+ // perform standard Phorum processing on the sig
+ $sig = str_replace(array("&","<",">"), array("&amp;","&lt;","&gt;"), $sig);
+ $sig = preg_replace("/<((http|https|ftp):\/\/[a-z0-9;\/\?:@=\&\$\-_\.\+!*'\(\),~%]+?)>/i", "$1", $sig);
+ // prepare fake data to pass to migration function
+ $fake_data = array(array("author"=>"", "email"=>"", "subject"=>"", 'body' => $sig));
+ list($fake_message) = phorum_htmlpurifier_migrate($fake_data);
+ $user['signature'] = $fake_message['body'];
+ if (!phorum_api_user_save($user)) {
+ exit('Error while saving user data');
+ }
+ }
+ unset($userinfos); // free up memory
+
+ // query for highest ID in database
+ $type = $PHORUM['DBCONFIG']['type'];
+ $sql = "select MAX(user_id) from {$PHORUM['user_table']}";
+ $row = phorum_db_interact(DB_RETURN_ROW, $sql);
+ $top_id = (int) $row[0];
+
+ $offset += $increment;
+ if ($offset > $top_id) { // test for end condition
+ echo 'Migration finished';
+ $PHORUM['mod_htmlpurifier']['migrate-sigs'] = false;
+ phorum_htmlpurifier_commit_settings();
+ return true;
+ }
+ $host = $_SERVER['HTTP_HOST'];
+ $uri = rtrim(dirname($_SERVER['PHP_SELF']), '/\\');
+ $extra = 'admin.php?module=modsettings&mod=htmlpurifier&migrate-sigs=' . $offset;
+ // relies on output buffering to work
+ header("Location: http://$host$uri/$extra");
+ exit;
+
+}
+
+// vim: et sw=4 sts=4
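Review bot: The redirect at the end of phorum_htmlpurifier_migrate_sigs() builds its target from `$_SERVER['HTTP_HOST']` (L1075-L1079), which is taken from the request's Host header and is therefore client-controlled; it also hard-codes the `http://` scheme, so an HTTPS admin session is bounced back to plain HTTP between batches. Building the Location from the installation's configured base URL instead of the request, e.g. `header('Location: ' . $PHORUM['http_path'] . '/admin.php?module=modsettings&mod=htmlpurifier&migrate-sigs=' . $offset);` (assuming `http_path` is populated in this admin context), removes the dependency on the untrusted header. Separately, `$increment` is read from settings with no guard: if `migrate-sigs-increment` is unset or 0, the batch loop does nothing and `$offset` never advances, so the page redirects to itself indefinitely; a check such as `if ($increment < 1) exit('migrate-sigs-increment must be a positive integer');` after L1035 would make that failure visible. `$type` on L1063 is assigned and never used and can be dropped.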
diff --git a/lib/htmlpurifier/plugins/phorum/settings/save.php b/lib/htmlpurifier/plugins/phorum/settings/save.php
new file mode 100644
index 000000000..7dbb767d0
--- /dev/null
+++ b/lib/htmlpurifier/plugins/phorum/settings/save.php
@@ -0,0 +1,27 @@
+<?php
+
+function phorum_htmlpurifier_save_settings() {
+ global $PHORUM;
+ if (phorum_htmlpurifier_config_file_exists()) {
+ echo "Cannot update settings, <code>mods/htmlpurifier/config.php</code> already exists. To change
+ settings, edit that file. To use the web form, delete that file.<br />";
+ } else {
+ $config = phorum_htmlpurifier_get_config(true);
+ if (!isset($_POST['reset'])) $config->mergeArrayFromForm($_POST, 'config', $PHORUM['mod_htmlpurifier']['directives']);
+ $PHORUM['mod_htmlpurifier']['config'] = $config->getAll();
+ }
+ $PHORUM['mod_htmlpurifier']['wysiwyg'] = !empty($_POST['wysiwyg']);
+ $PHORUM['mod_htmlpurifier']['suppress_message'] = !empty($_POST['suppress_message']);
+ if(!phorum_htmlpurifier_commit_settings()){
+ $error="Database error while updating settings.";
+ } else {
+ echo "Settings Updated<br />";
+ }
+}
+
+function phorum_htmlpurifier_commit_settings() {
+ global $PHORUM;
+ return phorum_db_update_settings(array("mod_htmlpurifier"=>$PHORUM["mod_htmlpurifier"]));
+}
+
+// vim: et sw=4 sts=4
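Review bot: In phorum_htmlpurifier_save_settings() a failed commit is silent: `$error` is assigned on L1106 but never echoed, returned or logged, so the admin sees no "Settings Updated" message but also no explanation, and the form submission looks like a no-op. Either report it in the same way the success path does, `echo "Database error while updating settings.<br />";`, or return a bool so the caller can render the error. The "wysiwyg" and "suppress_message" flags on L1103-L1104 are also written even when the config-file branch on L1095 refuses to update the main configuration; if that asymmetry is intentional, a one-line comment saying so would save the next reader a question.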