[svn r20790] logic changes - improvements in remove_XSS - (partial FS#3909)

17 years ago · f9d6209b23
parent 776c459517
commit f9d6209b23
4 changed files with 110 additions and 110 deletions
--- a/main/course_description/index.php
+++ b/main/course_description/index.php
@ -1,4 +1,4 @@
-<?php // $Id: index.php 20715 2009-05-15 23:42:57Z juliomontoya $
+<?php // $Id: index.php 20790 2009-05-18 17:29:21Z iflorespaz $
 /* For licensing terms, see /dokeos_license.txt */
 /**
 ==============================================================================
@ -212,10 +212,10 @@ if (api_is_allowed_to_edit() && !is_null($description_id) || $action =='add') {
 			if ($description['description_id'] >= ADD_BLOCK) {
 				if ($description['add']=='1') { //if this element has been submitted for addition					
 					$result = api_sql_query($sql, __FILE__, __LINE__);
-					$sql = "INSERT IGNORE INTO $tbl_course_description SET id = '".$description_id."', title = '".Database::escape_string(Security::remove_XSS($title))."', content = '".Database::escape_string(Security::remove_XSS($content))."'";				
+					$sql = "INSERT IGNORE INTO $tbl_course_description SET id = '".$description_id."', title = '".Database::escape_string(Security::remove_XSS($title,COURSEMANAGERLOWSECURITY))."', content = '".Database::escape_string(Security::remove_XSS($content,COURSEMANAGERLOWSECURITY))."'";				
 					api_sql_query($sql, __FILE__, __LINE__);
 				} else {								
-					$sql = "UPDATE $tbl_course_description SET  title = '".Database::escape_string(Security::remove_XSS($title))."', content = '".Database::escape_string(Security::remove_XSS($content))."' WHERE id = '".$description_id."' ";				
+					$sql = "UPDATE $tbl_course_description SET  title = '".Database::escape_string(Security::remove_XSS($title,COURSEMANAGERLOWSECURITY))."', content = '".Database::escape_string(Security::remove_XSS($content,COURSEMANAGERLOWSECURITY))."' WHERE id = '".$description_id."' ";				
 					api_sql_query($sql, __FILE__, __LINE__);					
 				}
 			} else {
@ -225,7 +225,7 @@ if (api_is_allowed_to_edit() && !is_null($description_id) || $action =='add') {
 				}
 				$sql = "DELETE FROM $tbl_course_description WHERE id = '".$description_id."'";
 				api_sql_query($sql, __FILE__, __LINE__);
-				$sql = "INSERT INTO $tbl_course_description SET id = '".$description_id."', title = '".Database::escape_string(Security::remove_XSS($title))."', content = '".Database::escape_string(Security::remove_XSS($content))."'";
+				$sql = "INSERT INTO $tbl_course_description SET id = '".$description_id."', title = '".Database::escape_string(Security::remove_XSS($title,COURSEMANAGERLOWSECURITY))."', content = '".Database::escape_string(Security::remove_XSS($content,COURSEMANAGERLOWSECURITY))."'";
 				api_sql_query($sql, __FILE__, __LINE__);
 			}
 			Display :: display_confirmation_message(get_lang('CourseDescriptionUpdated'));
--- a/main/inc/lib/htmlpurifier/library/HTMLPurifier.php
+++ b/main/inc/lib/htmlpurifier/library/HTMLPurifier.php
@ -71,6 +71,8 @@ class HTMLPurifier

    protected $strategy, $generator;

+	/**allow set user status*/
+	 public $my_user_status;
    /**
     * Resultant HTMLPurifier_Context of last run purification. Is an array
     * of contexts if the last called method was purifyArray().
@ -87,7 +89,10 @@ class HTMLPurifier
     */
    public function __construct($config = null,$user_status) {
    	global $charset;
-
+		if ($user_status==COURSEMANAGERLOWSECURITY) {
+			//non initialize object htmlpurifier
+			$this->my_user_status=COURSEMANAGERLOWSECURITY;
+		} else {
 		$config = HTMLPurifier_Config::createDefault();
 		$config->set('Core', 'Encoding',$charset);
 		$config->set('HTML', 'Doctype', 'XHTML 1.0 Transitional');
@ -100,11 +105,11 @@ class HTMLPurifier
 			$config->set('HTML', 'AllowedAttributes',$attribute_student);
 		} elseif ($user_status==COURSEMANAGER) {
 			//activate in configuration setting 
-			/*global $tag_teacher,$attribute_teacher;
+			global $tag_teacher,$attribute_teacher;
 	   		$config->set('HTML', 'SafeEmbed',true);				
 			$config->set('Filter', 'YouTube', true);						
 	   		$config->set('HTML', 'AllowedElements',$tag_teacher);
-			$config->set('HTML', 'AllowedAttributes', $attribute_teacher);	*/			
+			$config->set('HTML', 'AllowedAttributes', $attribute_teacher);			
 		} else {
 			global $tag_anonymous,$attribute_anonymous;			
 	   		$config->set('HTML', 'AllowedElements', $tag_anonymous);
@ -113,6 +118,7 @@ class HTMLPurifier
 			$config->set('HTML', 'TidyLevel', 'light');
        	$this->config = HTMLPurifier_Config::create($config);
        	$this->strategy     = new HTMLPurifier_Strategy_Core();
+        }
    }

    /**
@ -136,79 +142,83 @@ class HTMLPurifier
     */
    public function purify($html, $config = null) {

-        // :TODO: make the config merge in, instead of replace
-        $config = $config ? HTMLPurifier_Config::create($config) : $this->config;
-
-        // implementation is partially environment dependant, partially
-        // configuration dependant
-        $lexer = HTMLPurifier_Lexer::create($config);
-
-        $context = new HTMLPurifier_Context();
-
-        // setup HTML generator
-        $this->generator = new HTMLPurifier_Generator($config, $context);
-        $context->register('Generator', $this->generator);
-
-        // set up global context variables
-        if ($config->get('Core', 'CollectErrors')) {
-            // may get moved out if other facilities use it
-            $language_factory = HTMLPurifier_LanguageFactory::instance();
-            $language = $language_factory->create($config, $context);
-            $context->register('Locale', $language);
-
-            $error_collector = new HTMLPurifier_ErrorCollector($context);
-            $context->register('ErrorCollector', $error_collector);
-        }
-
-        // setup id_accumulator context, necessary due to the fact that
-        // AttrValidator can be called from many places
-        $id_accumulator = HTMLPurifier_IDAccumulator::build($config, $context);
-        $context->register('IDAccumulator', $id_accumulator);
-
-        $html = HTMLPurifier_Encoder::convertToUTF8($html, $config, $context);
-
-        // setup filters
-        $filter_flags = $config->getBatch('Filter');
-        $custom_filters = $filter_flags['Custom'];
-        unset($filter_flags['Custom']);
-        $filters = array();
-        foreach ($filter_flags as $filter => $flag) {
-            if (!$flag) continue;
-            $class = "HTMLPurifier_Filter_$filter";
-            $filters[] = new $class;
-        }
-        foreach ($custom_filters as $filter) {
-            // maybe "HTMLPurifier_Filter_$filter", but be consistent with AutoFormat
-            $filters[] = $filter;
-        }
-        $filters = array_merge($filters, $this->filters);
-        // maybe prepare(), but later
-
-        for ($i = 0, $filter_size = count($filters); $i < $filter_size; $i++) {
-            $html = $filters[$i]->preFilter($html, $config, $context);
-        }
-
-        // purified HTML
-        $html =
-            $this->generator->generateFromTokens(
-                // list of tokens
-                $this->strategy->execute(
-                    // list of un-purified tokens
-                    $lexer->tokenizeHTML(
-                        // un-purified HTML
-                        $html, $config, $context
-                    ),
-                    $config, $context
-                )
-            );
-
-        for ($i = $filter_size - 1; $i >= 0; $i--) {
-            $html = $filters[$i]->postFilter($html, $config, $context);
-        }
-
-        $html = HTMLPurifier_Encoder::convertFromUTF8($html, $config, $context);
-        $this->context =& $context;
-        return $html;
+		if ($this->my_user_status==COURSEMANAGERLOWSECURITY) {
+			return $html;
+		} else {
+	        // :TODO: make the config merge in, instead of replace
+	        $config = $config ? HTMLPurifier_Config::create($config) : $this->config;
+	
+	        // implementation is partially environment dependant, partially
+	        // configuration dependant
+	        $lexer = HTMLPurifier_Lexer::create($config);
+	
+	        $context = new HTMLPurifier_Context();
+	
+	        // setup HTML generator
+	        $this->generator = new HTMLPurifier_Generator($config, $context);
+	        $context->register('Generator', $this->generator);
+	
+	        // set up global context variables
+	        if ($config->get('Core', 'CollectErrors')) {
+	            // may get moved out if other facilities use it
+	            $language_factory = HTMLPurifier_LanguageFactory::instance();
+	            $language = $language_factory->create($config, $context);
+	            $context->register('Locale', $language);
+	
+	            $error_collector = new HTMLPurifier_ErrorCollector($context);
+	            $context->register('ErrorCollector', $error_collector);
+	        }
+	
+	        // setup id_accumulator context, necessary due to the fact that
+	        // AttrValidator can be called from many places
+	        $id_accumulator = HTMLPurifier_IDAccumulator::build($config, $context);
+	        $context->register('IDAccumulator', $id_accumulator);
+	
+	        $html = HTMLPurifier_Encoder::convertToUTF8($html, $config, $context);
+	
+	        // setup filters
+	        $filter_flags = $config->getBatch('Filter');
+	        $custom_filters = $filter_flags['Custom'];
+	        unset($filter_flags['Custom']);
+	        $filters = array();
+	        foreach ($filter_flags as $filter => $flag) {
+	            if (!$flag) continue;
+	            $class = "HTMLPurifier_Filter_$filter";
+	            $filters[] = new $class;
+	        }
+	        foreach ($custom_filters as $filter) {
+	            // maybe "HTMLPurifier_Filter_$filter", but be consistent with AutoFormat
+	            $filters[] = $filter;
+	        }
+	        $filters = array_merge($filters, $this->filters);
+	        // maybe prepare(), but later
+	
+	        for ($i = 0, $filter_size = count($filters); $i < $filter_size; $i++) {
+	            $html = $filters[$i]->preFilter($html, $config, $context);
+	        }
+	
+	        // purified HTML
+	        $html =
+	            $this->generator->generateFromTokens(
+	                // list of tokens
+	                $this->strategy->execute(
+	                    // list of un-purified tokens
+	                    $lexer->tokenizeHTML(
+	                        // un-purified HTML
+	                        $html, $config, $context
+	                    ),
+	                    $config, $context
+	                )
+	            );
+	
+	        for ($i = $filter_size - 1; $i >= 0; $i--) {
+	            $html = $filters[$i]->postFilter($html, $config, $context);
+	        }
+	
+	        $html = HTMLPurifier_Encoder::convertFromUTF8($html, $config, $context);
+	        $this->context =& $context;
+	        return $html;
+      }
    }

    /**
@ -218,13 +228,17 @@ class HTMLPurifier
     * @return Array of purified HTML
     */
    public function purifyArray($array_of_html, $config = null) {
-        $context_array = array();
-        foreach ($array_of_html as $key => $html) {
-            $array_of_html[$key] = $this->purify($html, $config);
-            $context_array[$key] = $this->context;
-        }
-        $this->context = $context_array;
-        return $array_of_html;
+ 		if ($this->my_user_status==COURSEMANAGERLOWSECURITY) {
+			return $array_of_html;
+		} else {   	
+	        $context_array = array();
+	        foreach ($array_of_html as $key => $html) {
+	            $array_of_html[$key] = $this->purify($html, $config);
+	            $context_array[$key] = $this->context;
+	        }
+	        $this->context = $context_array;
+	        return $array_of_html;
+ 		}
    }

    /**
@ -252,7 +266,6 @@ class HTMLPurifier
    public static function getInstance($prototype = null) {
        return HTMLPurifier::instance($prototype);
    }
-
 }

 // vim: et sw=4 sts=4
--- a/main/inc/lib/main_api.lib.php
+++ b/main/inc/lib/main_api.lib.php
@ -72,6 +72,8 @@ define('SESSIONADMIN', 3);
 define('DRH', 4);
 /** global status of a user: human ressource manager */
 define('ANONYMOUS', 6);
+/** global status of a user: low security,it's necessary for inserting data from the teacher */
+define('COURSEMANAGERLOWSECURITY',10);

 // table of status
 $_status_list[STUDENT] = 'user';
--- a/main/inc/lib/security.lib.php
+++ b/main/inc/lib/security.lib.php
@ -245,32 +245,17 @@ class Security{
 	 * Filtering for XSS is very easily done by using the htmlentities() function.
 	 * This kind of filtering prevents JavaScript snippets to be understood as such.
 	 * @param	mixed	The variable to filter for XSS, this params can be a string or an array (example : array(x,y)) 
-	 * @param   integer The user status,constant allowed(STUDENT,COURSEMANAGER,ANONYMOUS)
+	 * @param   integer The user status,constant allowed(STUDENT,COURSEMANAGER,ANONYMOUS,COURSEMANAGERLOWSECURITY)
 	 * @return	mixed	Filtered string or array
 	 */
 	function remove_XSS($var,$user_status=ANONYMOUS) {
 		global $charset;
-		if ($user_status==COURSEMANAGER) {
-			if (is_array($var)) {
-				if (count($var)>0) {
-					foreach ($var as &$value_var) {
-						$value_var=api_htmlentities($value_var,ENT_QUOTES,$charset);	
-					}				
-				} else {
-					return '';
-				} 
-				return $var;
-	
-			} else {
-				return api_htmlentities($var,ENT_QUOTES,$charset);	
-			}			
+		$purifier = new HTMLPurifier(null,$user_status);		
+		if (is_array($var)) {
+			return $purifier->purifyArray($var);				
 		} else {
-			$purifier = new HTMLPurifier(null,$user_status);		
-			if (is_array($var)) {
-				return $purifier->purifyArray($var);				
-			} else {
-				return $purifier->purify($var);	
-			}
-		}	
+			return $purifier->purify($var);	
+		}
+			
 	}
 }