Updated htmlawed to disallow many style attributes.

author brettp <brettp@36083f99-b078-4883-b0ff-0f9b5a30f544>

Mon, 2 Nov 2009 20:48:58 +0000 (20:48 +0000)

committer brettp <brettp@36083f99-b078-4883-b0ff-0f9b5a30f544>

Mon, 2 Nov 2009 20:48:58 +0000 (20:48 +0000)
author brettp <brettp@36083f99-b078-4883-b0ff-0f9b5a30f544>
Mon, 2 Nov 2009 20:48:58 +0000 (20:48 +0000)
committer brettp <brettp@36083f99-b078-4883-b0ff-0f9b5a30f544>
Mon, 2 Nov 2009 20:48:58 +0000 (20:48 +0000)
diff --git a/mod/htmlawed/start.php b/mod/htmlawed/start.php

index b180be811a33851ef0dc14442c438ac29ff3a425..52cefa1da06182ad5a1ded02f14b4697e5b6a11c 100644 (file)
--- a/mod/htmlawed/start.php
+++ b/mod/htmlawed/start.php
@@ -1,7 +1,7 @@
  <?php
         /**
          * Elgg htmLawed tag filtering.
-        * 
+        *
          * @package ElgghtmLawed
          * @author Curverider Ltd
          * @author Brett Profitt
@@ -20,14 +20,56 @@
                         // seems to handle about everything we need.
                         'safe' => true,
                         'deny_attribute' => 'class',
-                       
-                       'schemes' => '*: http,https,ftp,news,mailto,rtsp,teamspeak,gopher,mms,callto;'
-                               . 'style: color,cursor,text-align,font-size,font-weight,font-style,border,margin,padding,float'
+                       'hook_tag' => 'htmlawed_hook',
+
+                       'schemes' => '*:http,https,ftp,news,mailto,rtsp,teamspeak,gopher,mms,callto;'
+                               // apparent this doesn't work.
+                               //. 'style:color,cursor,text-align,font-size,font-weight,font-style,border,margin,padding,float'
                 );
-               
+
                 register_plugin_hook('validate', 'input', 'htmlawed_filter_tags', 1);
         }
-       
+
+       function htmlawed_hook($element, $attribute_array) {
+               $allowed_styles = array(
+                       'color', 'cursor', 'text-align', 'font-size', 'font-weight', 'font-style', 'border', 'margin', 'padding', 'float'
+               );
+
+               if (array_key_exists('style', $attribute_array)) {
+                       $string = '';
+
+                       foreach ($attribute_array as $attr => $value) {
+                               if ($attr == 'style') {
+                                       $styles = explode(';', $value);
+
+                                       $style_str = '';
+                                       foreach ($styles as $style) {
+                                               if (!$style) {
+                                                       continue;
+                                               }
+                                               list($style_attr, $style_value) = explode(':', trim($style));
+                                               $style_attr = trim($style_attr);
+                                               $style_value = trim($style_value);
+
+                                               if (in_array($style_attr, $allowed_styles)) {
+                                                       $style_str .= "$style_attr: $style_value; ";
+                                               }
+                                       }
+
+                                       if ($style_str) {
+                                               $string .= " style = \"$style_str\"";
+                                       }
+
+                               } else {
+                                       $string .= " $attr = \"$value\"";
+                               }
+                       }
+
+                       $string = trim($string);
+                       return "<$element $string >";
+               }
+       }
+
         /**
          * htmLawed filtering of tags, called on a plugin hook
          *
@@ -38,29 +80,29 @@
         {
                 $return = $returnvalue;
                 $var = $returnvalue;
-               
+
                 if (@include_once(dirname(__FILE__) . "/vendors/htmLawed/htmLawed.php")) {
-                       
+
                         global $CONFIG;
-                       
+
                         $htmlawed_config = $CONFIG->htmlawed_config;
-                       
+
                         if (!is_array($var)) {
                                 $return = "";
                                 $return = htmLawed($var, $htmlawed_config);
                         } else {
                                 $return = array();
-                               
+
                                 foreach($var as $key => $el) {
                                         $return[$key] = htmLawed($el, $htmlawed_config);
                                 }
                         }
                 }
-       
+
                 return $return;
         }
-       
-       
+
+
         register_elgg_event_handler('init','system','htmlawed_init');
-        
+
  ?>
author	brettp <brettp@36083f99-b078-4883-b0ff-0f9b5a30f544>
	Mon, 2 Nov 2009 20:48:58 +0000 (20:48 +0000)
committer	brettp <brettp@36083f99-b078-4883-b0ff-0f9b5a30f544>
	Mon, 2 Nov 2009 20:48:58 +0000 (20:48 +0000)