[svn r20428] logic changes - changed remove_XSS with htmlpurifier - (partial FS#4169)

main/inc/global.inc.php

@@ -330,13 +330,21 @@ require($includePath."/local.inc.php");
 
 // ===== "who is logged in?" module section =====
 
-include_once($includePath."/lib/online.inc.php");
+require_once($includePath."/lib/online.inc.php");
 // check and modify the date of user in the track.e.online table
 if (!$x=strpos($_SERVER['PHP_SELF'],'whoisonline.php'))
 {
 	LoginCheck(isset($_user['user_id']) ? $_user['user_id'] : '',$_configuration['statistics_database']);
 }
-
+//load array Kses for Htmlpurifier
+require_once $includePath."/lib/formvalidator/Rule/allowed_tags.inc.php";
+//load htmpurifier
+require_once $includePath."/lib/htmlpurifier/library/HTMLPurifier.auto.php";
+global $config_purifier;
+$charset = api_get_setting('platform_charset');
+$config_purifier = HTMLPurifier_Config::createDefault();
+$config_purifier->set('Core', 'Encoding',$charset);
+$config_purifier->set('HTML', 'Doctype', 'XHTML 1.0 Transitional');	
 // ===== end "who is logged in?" module section =====
 
 if(get_setting('server_type') == 'test')

main/inc/lib/formvalidator/Rule/allowed_tags.inc.php

@@ -32,6 +32,25 @@
  *    $allowed_tags_XXXX['tagname']['attributename'] = array();
  * - please keep the content of this file alphabetically structured
  */
+//============================================================
+// INIT GLOBAL ARRAYS
+//============================================================
+
+
+global $tag_student,$attribute_student,$tag_teacher,$attribute_teacher,$tag_anonymous,$attribute_anonymous;
+
+// In choose is STUDENT
+$tag_student=array();
+$attribute_student=array();
+
+// In choose is COURSEMANAGER
+$tag_teacher=array();
+$attribute_teacher=array();
+
+// In choose is ANONYMOUS
+$tag_anonymous=array();
+$attribute_anonymous=array();
+
 //============================================================
 // ALLOWED HTML FOR STUDENTS
 //============================================================
@@ -470,5 +489,54 @@ $allowed_tags_teacher['body']['text'] =  array();
 $allowed_tags_teacher['body']['vlink'] =  array();
 
 
+//============================================================
+// ALLOWED HTML FOR TEACHERS FOR HTMLPURIFIER
+//============================================================
+// NOSCRIPT
+$allowed_tags_teachers['noscript'] =  array();
+// SCRIPT
+$allowed_tags_teachers['script'] = array();
+$allowed_tags_teachers['script']['type'] = array();
+
+$allowed_tags_teachers['html'] =  array();
+$allowed_tags_teachers['html']['xmlns'] =  array();
+
+$allowed_tags_teachers['head'] =  array();
+$allowed_tags_teachers['head']['profile'] =  array();
+
+// BODY
+$allowed_tags_teachers['body'] =  array();
+$allowed_tags_teachers['body']['alink'] =  array();
+$allowed_tags_teachers['body']['background'] =  array();
+$allowed_tags_teachers['body']['bgcolor'] =  array();
+$allowed_tags_teachers['body']['link'] =  array();
+$allowed_tags_teachers['body']['text'] =  array();
+$allowed_tags_teachers['body']['vlink'] =  array();
+
+
+foreach ($allowed_tags_student as $student_index =>$student_value) {
+	if (count($allowed_tags_student[$student_index])==0) {
+		$tag_student[]=$student_index;
+	} else {
+		$tag_student[]=$student_index;
+		foreach ($allowed_tags_student[$student_index] as $my_student_attribute_index => $my_student_value_index) {
+			$attribute_student[]=$student_index.'.'.$my_student_attribute_index;
+		}
+	}	
+}
+
+$tag_teacher=$tag_student;
+$attribute_teacher=$attribute_student;
+foreach ($allowed_tags_teachers as $teacher_index =>$teacher_value) {
+	if (count($allowed_tags_teachers[$teacher_index])==0) {
+		$tag_teacher[]=$teacher_index;
+	} else {
+		$tag_teacher[]=$teacher_index;
+		foreach ($allowed_tags_teachers[$teacher_index] as $my_teacher_attribute_index => $my_teacher_value_index) {
+			$attribute_teacher[]=$teacher_index.'.'.$my_teacher_attribute_index;
+		}
+	}	
+}
+
 $allowed_tags_teacher_full_page = $allowed_tags_student_full_page;
 ?>

main/inc/lib/htmlpurifier/library/HTMLPurifier.php

@@ -85,7 +85,22 @@ class HTMLPurifier
      *                The parameter can also be any type that
      *                HTMLPurifier_Config::create() supports.
      */
-    public function __construct($config = null) {
+    public function __construct($config = null,$user_status) {
+		if ($user_status==STUDENT) {
+			
+			global $tag_student,$attribute_student;//$tag_student
+	   		$config->set('HTML', 'AllowedElements',$tag_student);//'a,em,blockquote,p,code,pre,strong,b,img,span'
+			$config->set('HTML', 'AllowedAttributes',$attribute_student);//'a.href,a.title,img.src'
+		} elseif ($user_status==COURSEMANAGER) {
+			global $tag_teacher,$attribute_teacher;			
+	   		$config->set('HTML', 'AllowedElements',$tag_teacher);
+			$config->set('HTML', 'AllowedAttributes', $attribute_teacher);//'a.href,a.title,img.src'				
+		} else {
+			global $tag_anonymous,$attribute_anonymous;			
+	   		$config->set('HTML', 'AllowedElements', $tag_anonymous);
+			$config->set('HTML', 'AllowedAttributes',$attribute_anonymous);//'a.href,a.title,img.src'			
+		}
+			$config->set('HTML', 'TidyLevel', 'light');
 
         $this->config = HTMLPurifier_Config::create($config);
 

main/inc/lib/security.lib.php

@@ -247,8 +247,10 @@ class Security{
 	 * @param	mixed	The variable to filter for XSS, this params can be a string or an array (example : array(x,y)) 
 	 * @return	mixed	Filtered string or array
 	 */
-	function remove_XSS($var) {
+	function remove_XSS($var,$user_status=null) {
 		global $charset;
+		global $config_purifier;
+		if (is_null($user_status)) {
 			if (is_array($var)) {
 				if (count($var)>0) {
 					foreach ($var as &$value_var) {
@@ -262,5 +264,9 @@ class Security{
 			} else {
 				return htmlentities($var,ENT_QUOTES,$charset);	
 			}			
+		} else {
+		$purifier = new HTMLPurifier($config_purifier,$user_status);
+		return $purifier->purify($var);
+		}		
 	}
 }