diff --git a/main/inc/lib/htmlpurifier/library/HTMLPurifier.php b/main/inc/lib/htmlpurifier/library/HTMLPurifier.php
index b629a19c64..9a8f1df7e7 100644
--- a/main/inc/lib/htmlpurifier/library/HTMLPurifier.php
+++ b/main/inc/lib/htmlpurifier/library/HTMLPurifier.php
@@ -71,9 +71,6 @@ class HTMLPurifier
protected $strategy, $generator;
- /**allow set user status*/
- public $my_user_status;
-
/**
* Resultant HTMLPurifier_Context of last run purification. Is an array
* of contexts if the last called method was purifyArray().
@@ -88,48 +85,11 @@ class HTMLPurifier
* The parameter can also be any type that
* HTMLPurifier_Config::create() supports.
*/
- public function __construct($config = null, $user_status) {
- /*
- $this->config = HTMLPurifier_Config::create($config);
-
- $this->strategy = new HTMLPurifier_Strategy_Core();
- */
-
- if ($user_status == COURSEMANAGERLOWSECURITY) {
- //non initialize object htmlpurifier
- $this->my_user_status = COURSEMANAGERLOWSECURITY;
- } else {
- $config = HTMLPurifier_Config::createDefault();
- $config->set('Core.Encoding', api_get_system_encoding());
- $config->set('HTML.Doctype', 'XHTML 1.0 Transitional');
-
- if ($user_status == STUDENT) {
- global $tag_student, $attribute_student;
- $config->set('HTML.SafeEmbed', true);
- $config->set('HTML.SafeObject', true);
- $config->set('Filter.YouTube', true);
- $config->set('HTML.AllowedElements', $tag_student);
- $config->set('HTML.AllowedAttributes', $attribute_student);
- } elseif ($user_status == COURSEMANAGER) {
- //activate in configuration setting
- global $tag_teacher, $attribute_teacher;
- $config->set('HTML.SafeEmbed', true);
- $config->set('HTML.SafeObject', true);
- $config->set('Filter.YouTube', true);
- $config->set('HTML.AllowedElements', $tag_teacher);
- $config->set('HTML.AllowedAttributes', $attribute_teacher);
- } else {
- global $tag_anonymous,$attribute_anonymous;
- $config->set('HTML.AllowedElements', $tag_anonymous);
- $config->set('HTML.AllowedAttributes', $attribute_anonymous);
- }
- $config->set('HTML.TidyLevel', 'light');
- $config->set('CSS.AllowTricky', true); // We need the css definition display: none;
+ public function __construct($config = null) {
$this->config = HTMLPurifier_Config::create($config);
$this->strategy = new HTMLPurifier_Strategy_Core();
- }
}
@@ -154,10 +114,6 @@ class HTMLPurifier
*/
public function purify($html, $config = null) {
- if ($this->my_user_status == COURSEMANAGERLOWSECURITY) {
- return $html;
- } else {
-
// :TODO: make the config merge in, instead of replace
$config = $config ? HTMLPurifier_Config::create($config) : $this->config;
@@ -233,7 +189,6 @@ class HTMLPurifier
$this->context =& $context;
return $html;
}
- }
/**
* Filters an array of HTML snippets
@@ -242,9 +197,6 @@ class HTMLPurifier
* @return Array of purified HTML
*/
public function purifyArray($array_of_html, $config = null) {
- if ($this->my_user_status == COURSEMANAGERLOWSECURITY) {
- return $array_of_html;
- } else {
$context_array = array();
foreach ($array_of_html as $key => $html) {
$array_of_html[$key] = $this->purify($html, $config);
@@ -253,7 +205,6 @@ class HTMLPurifier
$this->context = $context_array;
return $array_of_html;
}
- }
/**
* Singleton for enforcing just one HTML Purifier in your system
diff --git a/main/inc/lib/security.lib.php b/main/inc/lib/security.lib.php
index 26bf7080ac..a31ad7181a 100755
--- a/main/inc/lib/security.lib.php
+++ b/main/inc/lib/security.lib.php
@@ -234,13 +234,40 @@ class Security {
* Filtering for XSS is very easily done by using the htmlentities() function.
* This kind of filtering prevents JavaScript snippets to be understood as such.
* @param mixed The variable to filter for XSS, this params can be a string or an array (example : array(x,y))
- * @param integer The user status,constant allowed(STUDENT,COURSEMANAGER,ANONYMOUS,COURSEMANAGERLOWSECURITY)
+ * @param integer The user status,constant allowed (STUDENT, COURSEMANAGER, ANONYMOUS, COURSEMANAGERLOWSECURITY)
* @return mixed Filtered string or array
*/
- public static function remove_XSS ($var,$user_status=ANONYMOUS) {
+ public static function remove_XSS ($var, $user_status = ANONYMOUS) {
+ if ($user_status == COURSEMANAGERLOWSECURITY) {
+ return $var; // No filtering.
+ }
static $purifier = array();
if (!isset($purifier[$user_status])) {
- $purifier[$user_status] = new HTMLPurifier(null, $user_status);
+ $config = HTMLPurifier_Config::createDefault();
+ $config->set('Core.Encoding', api_get_system_encoding());
+ $config->set('HTML.Doctype', 'XHTML 1.0 Transitional');
+ $config->set('HTML.TidyLevel', 'light');
+ $config->set('CSS.AllowTricky', true); // We need the css definition display: none;
+ if ($user_status == STUDENT) {
+ global $tag_student, $attribute_student;
+ $config->set('HTML.SafeEmbed', true);
+ $config->set('HTML.SafeObject', true);
+ $config->set('Filter.YouTube', true);
+ $config->set('HTML.AllowedElements', $tag_student);
+ $config->set('HTML.AllowedAttributes', $attribute_student);
+ } elseif ($user_status == COURSEMANAGER) {
+ global $tag_teacher, $attribute_teacher;
+ $config->set('HTML.SafeEmbed', true);
+ $config->set('HTML.SafeObject', true);
+ $config->set('Filter.YouTube', true);
+ $config->set('HTML.AllowedElements', $tag_teacher);
+ $config->set('HTML.AllowedAttributes', $attribute_teacher);
+ } else {
+ global $tag_anonymous,$attribute_anonymous;
+ $config->set('HTML.AllowedElements', $tag_anonymous);
+ $config->set('HTML.AllowedAttributes', $attribute_anonymous);
+ }
+ $purifier[$user_status] = new HTMLPurifier($config);
}
if (is_array($var)) {
return $purifier[$user_status]->purifyArray($var);
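Review bot: The whitelist globals imported inside the `STUDENT`, `COURSEMANAGER` and anonymous branches are applied without any check that they are defined; an undefined global evaluates to null, and as far as I recall HTMLPurifier treats a null `HTML.AllowedElements` / `HTML.AllowedAttributes` as "no restriction", so a missing or mis-ordered include silently turns the profile into allow-all and the resulting purifier is then cached in the static `$purifier` array for the rest of the request. This should fail closed, e.g. after each `global` line add `if (empty($tag_student) || empty($attribute_student)) { throw new RuntimeException('HTML whitelist for user status ' . $user_status . ' is not defined'); }` with the matching variable names in the other two branches. The early return on `COURSEMANAGERLOWSECURITY` also uses loose `==`; since the docblock declares `$user_status` as an integer, `$user_status === COURSEMANAGERLOWSECURITY` avoids a truthy non-integer argument (for instance `true`) matching the no-filter branch. remove_XSS continues past the hunk.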