chamilo
/
chamilo-lms
mirror of https://github.com/chamilo/chamilo-lms/tree/1.11.x
2
0
Fork 0
Code Issues Projects Releases Wiki Activity

Task #2972 - Restoring the original file HTMLPurifier.php, moving our customizations in the file security.lib.php.

Browse Source
skala
Ivan Tcholakov 15 years ago
parent 74e0091eb0
commit 9b5ea4d30b
2 changed files with 31 additions and 53 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 51
      main/inc/lib/htmlpurifier/library/HTMLPurifier.php
  2. 33
      main/inc/lib/security.lib.php

51
main/inc/lib/htmlpurifier/library/HTMLPurifier.php
Unescape View File

@ -71,9 +71,6 @@ class HTMLPurifier
protected $strategy, $generator; protected $strategy, $generator;
/**allow set user status*/
public $my_user_status;
/** /**
* Resultant HTMLPurifier_Context of last run purification. Is an array * Resultant HTMLPurifier_Context of last run purification. Is an array
* of contexts if the last called method was purifyArray(). * of contexts if the last called method was purifyArray().
@ -88,48 +85,11 @@ class HTMLPurifier
* The parameter can also be any type that * The parameter can also be any type that
* HTMLPurifier_Config::create() supports. * HTMLPurifier_Config::create() supports.
*/ */
public function __construct($config = null, $user_status) { public function __construct($config = null) {
/*
$this->config = HTMLPurifier_Config::create($config);
$this->strategy = new HTMLPurifier_Strategy_Core();
*/
if ($user_status == COURSEMANAGERLOWSECURITY) {
//non initialize object htmlpurifier
$this->my_user_status = COURSEMANAGERLOWSECURITY;
} else {
$config = HTMLPurifier_Config::createDefault();
$config->set('Core.Encoding', api_get_system_encoding());
$config->set('HTML.Doctype', 'XHTML 1.0 Transitional');
if ($user_status == STUDENT) {
global $tag_student, $attribute_student;
$config->set('HTML.SafeEmbed', true);
$config->set('HTML.SafeObject', true);
$config->set('Filter.YouTube', true);
$config->set('HTML.AllowedElements', $tag_student);
$config->set('HTML.AllowedAttributes', $attribute_student);
} elseif ($user_status == COURSEMANAGER) {
//activate in configuration setting
global $tag_teacher, $attribute_teacher;
$config->set('HTML.SafeEmbed', true);
$config->set('HTML.SafeObject', true);
$config->set('Filter.YouTube', true);
$config->set('HTML.AllowedElements', $tag_teacher);
$config->set('HTML.AllowedAttributes', $attribute_teacher);
} else {
global $tag_anonymous,$attribute_anonymous;
$config->set('HTML.AllowedElements', $tag_anonymous);
$config->set('HTML.AllowedAttributes', $attribute_anonymous);
}
$config->set('HTML.TidyLevel', 'light');
$config->set('CSS.AllowTricky', true); // We need the css definition display: none;
$this->config = HTMLPurifier_Config::create($config); $this->config = HTMLPurifier_Config::create($config);
$this->strategy = new HTMLPurifier_Strategy_Core(); $this->strategy = new HTMLPurifier_Strategy_Core();
}
} }
@ -154,10 +114,6 @@ class HTMLPurifier
*/ */
public function purify($html, $config = null) { public function purify($html, $config = null) {
if ($this->my_user_status == COURSEMANAGERLOWSECURITY) {
return $html;
} else {
// :TODO: make the config merge in, instead of replace // :TODO: make the config merge in, instead of replace
$config = $config ? HTMLPurifier_Config::create($config) : $this->config; $config = $config ? HTMLPurifier_Config::create($config) : $this->config;
@ -233,7 +189,6 @@ class HTMLPurifier
$this->context =& $context; $this->context =& $context;
return $html; return $html;
} }
}
/** /**
* Filters an array of HTML snippets * Filters an array of HTML snippets
@ -242,9 +197,6 @@ class HTMLPurifier
* @return Array of purified HTML * @return Array of purified HTML
*/ */
public function purifyArray($array_of_html, $config = null) { public function purifyArray($array_of_html, $config = null) {
if ($this->my_user_status == COURSEMANAGERLOWSECURITY) {
return $array_of_html;
} else {
$context_array = array(); $context_array = array();
foreach ($array_of_html as $key => $html) { foreach ($array_of_html as $key => $html) {
$array_of_html[$key] = $this->purify($html, $config); $array_of_html[$key] = $this->purify($html, $config);
@ -253,7 +205,6 @@ class HTMLPurifier
$this->context = $context_array; $this->context = $context_array;
return $array_of_html; return $array_of_html;
} }
}
/** /**
* Singleton for enforcing just one HTML Purifier in your system * Singleton for enforcing just one HTML Purifier in your system

33
main/inc/lib/security.lib.php
Unescape View File

@ -234,13 +234,40 @@ class Security {
* Filtering for XSS is very easily done by using the htmlentities() function. * Filtering for XSS is very easily done by using the htmlentities() function.
* This kind of filtering prevents JavaScript snippets to be understood as such. * This kind of filtering prevents JavaScript snippets to be understood as such.
* @param mixed The variable to filter for XSS, this params can be a string or an array (example : array(x,y)) * @param mixed The variable to filter for XSS, this params can be a string or an array (example : array(x,y))
* @param integer The user status,constant allowed(STUDENT,COURSEMANAGER,ANONYMOUS,COURSEMANAGERLOWSECURITY) * @param integer The user status,constant allowed (STUDENT, COURSEMANAGER, ANONYMOUS, COURSEMANAGERLOWSECURITY)
* @return mixed Filtered string or array * @return mixed Filtered string or array
*/ */
public static function remove_XSS ($var,$user_status=ANONYMOUS) { public static function remove_XSS ($var, $user_status = ANONYMOUS) {
if ($user_status == COURSEMANAGERLOWSECURITY) {
return $var; // No filtering.
}
static $purifier = array(); static $purifier = array();
if (!isset($purifier[$user_status])) { if (!isset($purifier[$user_status])) {
$purifier[$user_status] = new HTMLPurifier(null, $user_status); $config = HTMLPurifier_Config::createDefault();
$config->set('Core.Encoding', api_get_system_encoding());
$config->set('HTML.Doctype', 'XHTML 1.0 Transitional');
$config->set('HTML.TidyLevel', 'light');
$config->set('CSS.AllowTricky', true); // We need the css definition display: none;
if ($user_status == STUDENT) {
global $tag_student, $attribute_student;
$config->set('HTML.SafeEmbed', true);
$config->set('HTML.SafeObject', true);
$config->set('Filter.YouTube', true);
$config->set('HTML.AllowedElements', $tag_student);
$config->set('HTML.AllowedAttributes', $attribute_student);
} elseif ($user_status == COURSEMANAGER) {
global $tag_teacher, $attribute_teacher;
$config->set('HTML.SafeEmbed', true);
$config->set('HTML.SafeObject', true);
$config->set('Filter.YouTube', true);
$config->set('HTML.AllowedElements', $tag_teacher);
$config->set('HTML.AllowedAttributes', $attribute_teacher);
} else {
global $tag_anonymous,$attribute_anonymous;
$config->set('HTML.AllowedElements', $tag_anonymous);
$config->set('HTML.AllowedAttributes', $attribute_anonymous);
}
$purifier[$user_status] = new HTMLPurifier($config);
} }
if (is_array($var)) { if (is_array($var)) {
return $purifier[$user_status]->purifyArray($var); return $purifier[$user_status]->purifyArray($var);

Write Preview
Loading…
Cancel
Save