From 283bec0f2e2afd6ef143e248d9f0a0876743a8ea Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Juan=20Carlos=20Ra=C3=B1a?=
Date: Wed, 21 Sep 2011 18:35:03 +0200
Subject: [PATCH] Feature #3909 HTMLPurifier wiki filter
---
 main/install/db_main.sql | 7 +++++--
 main/install/migrate-db-1.8.8-1.9.0-pre.sql | 5 +++++
 main/wiki/wiki.inc.php | 15 ++++++++++++---
 3 files changed, 22 insertions(+), 5 deletions(-)
diff --git a/main/install/db_main.sql b/main/install/db_main.sql
index b56db2ff73..22f6c7f9f8 100755
--- a/main/install/db_main.sql
+++ b/main/install/db_main.sql
@@ -825,7 +825,8 @@ VALUES
 ('filter_terms',NULL,'textarea','Security','','FilterTermsTitle','FilterTermsComment',NULL,NULL, 0),
 ('header_extra_content', NULL, 'textarea', 'Tracking', '', 'HeaderExtraContentTitle', 'HeaderExtraContentComment', NULL, NULL, 1),
 ('show_documents_preview', NULL, 'radio', 'Tools', 'false', 'ShowDocumentPreviewTitle', 'ShowDocumentPreviewComment', NULL, NULL, 1),
-('chamilo_database_version',NULL,'textfield',NULL, '1.9.0.15650','DokeosDatabaseVersion','', NULL, NULL, 0);
+('htmlpurifier_wiki', NULL, 'radio', 'Editor', 'true', 'HtmlPurifierWikiTitle', 'HtmlPurifierWikiComment', NULL, NULL, 0),
+('chamilo_database_version',NULL,'textfield',NULL, '1.9.0.15651','DokeosDatabaseVersion','', NULL, NULL, 0);
 UNLOCK TABLES;
 /*!40000 ALTER TABLE settings_current ENABLE KEYS */;
@@ -1093,7 +1094,9 @@ VALUES
 ('enable_nanogong','true','Yes'),
 ('enable_nanogong','false','No'),
 ('show_documents_preview', 'true', 'Yes'),
-('show_documents_preview', 'false', 'No');
+('show_documents_preview', 'false', 'No'),
+('enabled_htmlpurifier', 'true', 'Yes'),
+('enabled_htmlpurifier', 'false', 'No');
 UNLOCK TABLES;
diff --git a/main/install/migrate-db-1.8.8-1.9.0-pre.sql b/main/install/migrate-db-1.8.8-1.9.0-pre.sql
index 4236370c60..1e4e0bf6cd 100755
--- a/main/install/migrate-db-1.8.8-1.9.0-pre.sql
+++ b/main/install/migrate-db-1.8.8-1.9.0-pre.sql
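Review bot: The fresh-install default for `htmlpurifier_wiki` in the first db_main.sql hunk is `'true'`, while the upgrade path in main/install/migrate-db-1.8.8-1.9.0-pre.sql inserts the same setting with `'false'`, so new and upgraded sites run the same code with opposite defaults. Pick one value and use it in both files; since this setting gates output sanitisation of wiki content, the safer choice is to carry `'true'` into the migration row as well: `... VALUES ('htmlpurifier_wiki',NULL,'radio','Editor','true','HtmlPurifierWikiTitle','HtmlPurifierWikiComment',NULL,NULL, 0);`. A one-line `--` comment next to the row stating why the default was chosen would stop the two files from drifting again.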
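Review bot: The two `settings_options` rows added in the second db_main.sql hunk are keyed on `'enabled_htmlpurifier'`, but the setting inserted into `settings_current` in the first hunk is named `'htmlpurifier_wiki'`, and the migration file keys its option rows on `'htmlpurifier_wiki'` too. On a fresh install the radio setting would presumably have no Yes/No options attached, so the value could not be toggled from the settings page. Change the variable to match: `('htmlpurifier_wiki', 'true', 'Yes'),` and `('htmlpurifier_wiki', 'false', 'No');`.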
@@ -26,6 +26,11 @@ INSERT INTO settings_current (variable, subkey, type, category, selected_value,
 INSERT INTO settings_options (variable, value, display_text) VALUES ('show_documents_preview', 'true', 'Yes');
 INSERT INTO settings_options (variable, value, display_text) VALUES ('show_documents_preview', 'false', 'No');
+INSERT INTO settings_current (variable, subkey, type, category, selected_value, title, comment, scope, subkeytext, access_url_changeable) VALUES ('htmlpurifier_wiki',NULL,'radio','Editor','false','HtmlPurifierWikiTitle','HtmlPurifierWikiComment',NULL,NULL, 0);
+
+INSERT INTO settings_options (variable, value, display_text) VALUES ('htmlpurifier_wiki', 'true', 'Yes');
+INSERT INTO settings_options (variable, value, display_text) VALUES ('htmlpurifier_wiki', 'false', 'No');
+
 -- xxSTATSxx
 ALTER TABLE track_e_exercices ADD COLUMN questions_to_check TEXT NOT NULL DEFAULT '';
diff --git a/main/wiki/wiki.inc.php b/main/wiki/wiki.inc.php
index a77a15eb38..415aa34e5c 100755
--- a/main/wiki/wiki.inc.php
+++ b/main/wiki/wiki.inc.php
@@ -262,6 +262,10 @@ function save_wiki() {
 $_clean['reflink'] = Database::escape_string(trim($_POST['reflink']));
 $_clean['title'] = Database::escape_string(trim($_POST['title']));
 $_clean['content'] = Database::escape_string($_POST['content']);
+ if (api_get_setting('htmlpurifier_wiki') == 'true'){
+ $purifier = new HTMLPurifier();
+ $_clean['content'] = $purifier->purify($_clean['content']);
+ }
 $_clean['user_id'] = api_get_user_id();
 $_clean['assignment'] = Database::escape_string($_POST['assignment']);
 $_clean['comment'] = Database::escape_string($_POST['comment']);
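Review bot: In the save_wiki hunk HTMLPurifier is applied to the already SQL-escaped string, because `$_clean['content']` is assigned from `Database::escape_string($_POST['content'])` on the context line directly above the new block; the purifier therefore sees the escape sequences as content (assuming escape_string is the usual backslash-escaping wrapper), and its output is stored with no further escaping, so the value that reaches the database is not guaranteed to be the purifier's result for the raw submission. Sanitise the raw POST value first and escape the sanitised HTML once, as the last step before it is used in the query. The save_new_wiki hunk further down has the same ordering and should be changed the same way. save_wiki's body starts and ends outside this hunk. It would also help to add a comment stating why a bare `new HTMLPurifier()` with library defaults is acceptable here, or to pass the project's purifier configuration if one exists.
```php
    $_clean['title'] = Database::escape_string(trim($_POST['title']));
    // Sanitise the raw submission first; escape the sanitised HTML once, for the query only.
    $content = $_POST['content'];
    if (api_get_setting('htmlpurifier_wiki') == 'true') {
        $purifier = new HTMLPurifier();
        $content = $purifier->purify($content);
    }
    $_clean['content'] = Database::escape_string($content);
    // … unchanged: user_id, assignment, comment …
```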
@@ -431,9 +435,14 @@ function save_new_wiki() {
 } else {
 $page = str_replace(' ','_',$_POST['title']);
 }
- $_clean['reflink']=Database::escape_string(strip_tags(api_htmlentities($page)));
- $_clean['title']=Database::escape_string(strip_tags(trim($_POST['title'])));
- $_clean['content']= Database::escape_string($_POST['content']);
+ $_clean['reflink'] = Database::escape_string(strip_tags(api_htmlentities($page)));
+ $_clean['title'] = Database::escape_string(strip_tags(trim($_POST['title'])));
+ $_clean['content'] = Database::escape_string($_POST['content']);
+
+ if (api_get_setting('htmlpurifier_wiki') == 'true'){
+ $purifier = new HTMLPurifier();
+ $_clean['content'] = $purifier->purify($_clean['content']);
+ }
 //re-check after strip_tags if the title is empty
 if(empty($_clean['title']) || empty($_clean['reflink'])){