From f9d6209b23fd8dab6e7a129841a6041d325339ba Mon Sep 17 00:00:00 2001 From: Isaac Flores Date: Mon, 18 May 2009 19:29:21 +0200 Subject: [PATCH] [svn r20790] logic changes - improvements in remove_XSS - (partial FS#3909) --- main/course_description/index.php | 8 +- .../lib/htmlpurifier/library/HTMLPurifier.php | 181 ++++++++++-------- main/inc/lib/main_api.lib.php | 2 + main/inc/lib/security.lib.php | 29 +-- 4 files changed, 110 insertions(+), 110 deletions(-) diff --git a/main/course_description/index.php b/main/course_description/index.php index 0a2cb4b851..42d8353984 100644 --- a/main/course_description/index.php +++ b/main/course_description/index.php @@ -1,4 +1,4 @@ -= ADD_BLOCK) { if ($description['add']=='1') { //if this element has been submitted for addition $result = api_sql_query($sql, __FILE__, __LINE__); - $sql = "INSERT IGNORE INTO $tbl_course_description SET id = '".$description_id."', title = '".Database::escape_string(Security::remove_XSS($title))."', content = '".Database::escape_string(Security::remove_XSS($content))."'"; + $sql = "INSERT IGNORE INTO $tbl_course_description SET id = '".$description_id."', title = '".Database::escape_string(Security::remove_XSS($title,COURSEMANAGERLOWSECURITY))."', content = '".Database::escape_string(Security::remove_XSS($content,COURSEMANAGERLOWSECURITY))."'"; api_sql_query($sql, __FILE__, __LINE__); } else { - $sql = "UPDATE $tbl_course_description SET title = '".Database::escape_string(Security::remove_XSS($title))."', content = '".Database::escape_string(Security::remove_XSS($content))."' WHERE id = '".$description_id."' "; + $sql = "UPDATE $tbl_course_description SET title = '".Database::escape_string(Security::remove_XSS($title,COURSEMANAGERLOWSECURITY))."', content = '".Database::escape_string(Security::remove_XSS($content,COURSEMANAGERLOWSECURITY))."' WHERE id = '".$description_id."' "; api_sql_query($sql, __FILE__, __LINE__); } } else { 
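Review bot: The new title/content lines pass COURSEMANAGERLOWSECURITY, and in this same patch that value makes HTMLPurifier::purify() return its input untouched, so Security::remove_XSS() here no longer filters anything and the course description is stored as raw HTML (Database::escape_string only protects the query, not the page that later renders the row). Unless everyone who passes api_is_allowed_to_edit() is fully trusted, that is a stored-XSS path; passing the real role keeps the teacher allow list the constructor configures, e.g. `Security::remove_XSS($title,COURSEMANAGER)`. If raw HTML is intended, say so at the point of storage: `// NOTE: COURSEMANAGERLOWSECURITY skips purification entirely; content is rendered as-is`. The enclosing block begins before the hunk and the `$sql` executed by the first `api_sql_query` call is built outside it.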
@@ -225,7 +225,7 @@ if (api_is_allowed_to_edit() && !is_null($description_id) || $action =='add') {
 }
 $sql = "DELETE FROM $tbl_course_description WHERE id = '".$description_id."'";
 api_sql_query($sql, __FILE__, __LINE__);
- $sql = "INSERT INTO $tbl_course_description SET id = '".$description_id."', title = '".Database::escape_string(Security::remove_XSS($title))."', content = '".Database::escape_string(Security::remove_XSS($content))."'";
+ $sql = "INSERT INTO $tbl_course_description SET id = '".$description_id."', title = '".Database::escape_string(Security::remove_XSS($title,COURSEMANAGERLOWSECURITY))."', content = '".Database::escape_string(Security::remove_XSS($content,COURSEMANAGERLOWSECURITY))."'";
 api_sql_query($sql, __FILE__, __LINE__);
 }
 Display :: display_confirmation_message(get_lang('CourseDescriptionUpdated'));
diff --git a/main/inc/lib/htmlpurifier/library/HTMLPurifier.php b/main/inc/lib/htmlpurifier/library/HTMLPurifier.php
index b542d20b43..d8808044c3 100755
--- a/main/inc/lib/htmlpurifier/library/HTMLPurifier.php
+++ b/main/inc/lib/htmlpurifier/library/HTMLPurifier.php
@@ -71,6 +71,8 @@ class HTMLPurifier
 protected $strategy, $generator;
+ /**allow set user status*/
+ public $my_user_status;
 /**
 * Resultant HTMLPurifier_Context of last run purification. Is an array
 * of contexts if the last called method was purifyArray().
@@ -87,7 +89,10 @@ class HTMLPurifier
 */
 public function __construct($config = null,$user_status) {
 global $charset;
-
+ if ($user_status==COURSEMANAGERLOWSECURITY) {
+ //non initialize object htmlpurifier
+ $this->my_user_status=COURSEMANAGERLOWSECURITY;
+ } else {
 $config = HTMLPurifier_Config::createDefault();
 $config->set('Core', 'Encoding',$charset);
 $config->set('HTML', 'Doctype', 'XHTML 1.0 Transitional');
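Review bot: `$description_id` is interpolated into the new INSERT without Database::escape_string while title and content on the same line are escaped; the surrounding `!is_null($description_id) || $action =='add'` check suggests it can come from the request, in which case this is an injection point the XSS rework leaves untouched. Suggest `id = '".Database::escape_string($description_id)."'`, or an `(int)` cast if ids are always numeric. The DELETE immediately above and this INSERT are not in a transaction, so a failing INSERT leaves the description gone; that is pre-existing but deserves a comment. The enclosing if-block starts outside the hunk.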
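Review bot: `public $my_user_status` lets any code holding the purifier set it to COURSEMANAGERLOWSECURITY after construction, after which purify() and purifyArray() return their input unfiltered, so the bypass flag must not be writable from outside. Declare it next to the existing `protected $strategy, $generator;` as `protected $my_user_status = null;` and replace `/**allow set user status*/` with a docblock that states its effect, e.g. `/** Status passed to the constructor; when it equals COURSEMANAGERLOWSECURITY, purification is skipped entirely. */`. The current comment describes the opposite of what the field should allow.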
@@ -100,11 +105,11 @@ class HTMLPurifier
 $config->set('HTML', 'AllowedAttributes',$attribute_student);
 } elseif ($user_status==COURSEMANAGER) {
 //activate in configuration setting
- /*global $tag_teacher,$attribute_teacher;
+ global $tag_teacher,$attribute_teacher;
 $config->set('HTML', 'SafeEmbed',true);
 $config->set('Filter', 'YouTube', true);
 $config->set('HTML', 'AllowedElements',$tag_teacher);
- $config->set('HTML', 'AllowedAttributes', $attribute_teacher); */
+ $config->set('HTML', 'AllowedAttributes', $attribute_teacher);
 } else {
 global $tag_anonymous,$attribute_anonymous;
 $config->set('HTML', 'AllowedElements', $tag_anonymous);
@@ -113,6 +118,7 @@ class HTMLPurifier
 $config->set('HTML', 'TidyLevel', 'light');
 $this->config = HTMLPurifier_Config::create($config);
 $this->strategy = new HTMLPurifier_Strategy_Core();
+ }
 }
 /**
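Review bot: The new branch in the constructor compares with `==`, so a `$user_status` of `true` or the string `"10"` also selects the no-purification path; use `if ($user_status === COURSEMANAGERLOWSECURITY)`. In that branch `$this->config` and `$this->strategy` are never initialised, so the instance is only safe to use through purify()/purifyArray(), which should be said in place of `//non initialize object htmlpurifier`, e.g. `// Low-security mode: no config or strategy is built; purify() returns input verbatim`. `$user_status` has no default either, so the existing one-argument `new HTMLPurifier($config)` form now warns and falls through the elseif chain below; a default of ANONYMOUS would keep the previous behaviour safe-by-default.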
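Review bot: Re-enabling the teacher branch depends on `global $tag_teacher,$attribute_teacher`, which this file does not define; if the including script has not set them, `AllowedElements` and `AllowedAttributes` receive null, which HTMLPurifier (as far as I recall of its config semantics, worth confirming against the bundled version) treats as "no restriction", silently widening what course managers can store. Guard it, e.g. `if (empty($tag_teacher)) { $tag_teacher = $tag_anonymous; $attribute_teacher = $attribute_anonymous; }`, or fail loudly. The comment `//activate in configuration setting` should also state that this role gets SafeEmbed and the YouTube filter, since that is a deliberate loosening for `<embed>`/`<object>`.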
@@ -136,79 +142,83 @@ class HTMLPurifier */ public function purify($html, $config = null) { - // :TODO: make the config merge in, instead of replace - $config = $config ? HTMLPurifier_Config::create($config) : $this->config; - - // implementation is partially environment dependant, partially - // configuration dependant - $lexer = HTMLPurifier_Lexer::create($config); - - $context = new HTMLPurifier_Context(); - - // setup HTML generator - $this->generator = new HTMLPurifier_Generator($config, $context); - $context->register('Generator', $this->generator); - - // set up global context variables - if ($config->get('Core', 'CollectErrors')) { - // may get moved out if other facilities use it - $language_factory = HTMLPurifier_LanguageFactory::instance(); - $language = $language_factory->create($config, $context); - $context->register('Locale', $language); - - $error_collector = new HTMLPurifier_ErrorCollector($context); - $context->register('ErrorCollector', $error_collector); - } - - // setup id_accumulator context, necessary due to the fact that - // AttrValidator can be called from many places - $id_accumulator = HTMLPurifier_IDAccumulator::build($config, $context); - $context->register('IDAccumulator', $id_accumulator); - - $html = HTMLPurifier_Encoder::convertToUTF8($html, $config, $context); - - // setup filters - $filter_flags = $config->getBatch('Filter'); - $custom_filters = $filter_flags['Custom']; - unset($filter_flags['Custom']); - $filters = array(); - foreach ($filter_flags as $filter => $flag) { - if (!$flag) continue; - $class = "HTMLPurifier_Filter_$filter"; - $filters[] = new $class; - } - foreach ($custom_filters as $filter) { - // maybe "HTMLPurifier_Filter_$filter", but be consistent with AutoFormat - $filters[] = $filter; - } - $filters = array_merge($filters, $this->filters); - // maybe prepare(), but later - - for ($i = 0, $filter_size = count($filters); $i < $filter_size; $i++) { - $html = $filters[$i]->preFilter($html, $config, $context); - } 
- - // purified HTML - $html = - $this->generator->generateFromTokens( - // list of tokens - $this->strategy->execute( - // list of un-purified tokens - $lexer->tokenizeHTML( - // un-purified HTML - $html, $config, $context - ), - $config, $context - ) - ); - - for ($i = $filter_size - 1; $i >= 0; $i--) { - $html = $filters[$i]->postFilter($html, $config, $context); - } - - $html = HTMLPurifier_Encoder::convertFromUTF8($html, $config, $context); - $this->context =& $context; - return $html; + if ($this->my_user_status==COURSEMANAGERLOWSECURITY) { + return $html; + } else { + // :TODO: make the config merge in, instead of replace + $config = $config ? HTMLPurifier_Config::create($config) : $this->config; + + // implementation is partially environment dependant, partially + // configuration dependant + $lexer = HTMLPurifier_Lexer::create($config); + + $context = new HTMLPurifier_Context(); + + // setup HTML generator + $this->generator = new HTMLPurifier_Generator($config, $context); + $context->register('Generator', $this->generator); + + // set up global context variables + if ($config->get('Core', 'CollectErrors')) { + // may get moved out if other facilities use it + $language_factory = HTMLPurifier_LanguageFactory::instance(); + $language = $language_factory->create($config, $context); + $context->register('Locale', $language); + + $error_collector = new HTMLPurifier_ErrorCollector($context); + $context->register('ErrorCollector', $error_collector); + } + + // setup id_accumulator context, necessary due to the fact that + // AttrValidator can be called from many places + $id_accumulator = HTMLPurifier_IDAccumulator::build($config, $context); + $context->register('IDAccumulator', $id_accumulator); + + $html = HTMLPurifier_Encoder::convertToUTF8($html, $config, $context); + + // setup filters + $filter_flags = $config->getBatch('Filter'); + $custom_filters = $filter_flags['Custom']; + unset($filter_flags['Custom']); + $filters = array(); + foreach ($filter_flags 
as $filter => $flag) { + if (!$flag) continue; + $class = "HTMLPurifier_Filter_$filter"; + $filters[] = new $class; + } + foreach ($custom_filters as $filter) { + // maybe "HTMLPurifier_Filter_$filter", but be consistent with AutoFormat + $filters[] = $filter; + } + $filters = array_merge($filters, $this->filters); + // maybe prepare(), but later + + for ($i = 0, $filter_size = count($filters); $i < $filter_size; $i++) { + $html = $filters[$i]->preFilter($html, $config, $context); + } + + // purified HTML + $html = + $this->generator->generateFromTokens( + // list of tokens + $this->strategy->execute( + // list of un-purified tokens + $lexer->tokenizeHTML( + // un-purified HTML + $html, $config, $context + ), + $config, $context + ) + ); + + for ($i = $filter_size - 1; $i >= 0; $i--) { + $html = $filters[$i]->postFilter($html, $config, $context); + } + + $html = HTMLPurifier_Encoder::convertFromUTF8($html, $config, $context); + $this->context =& $context; + return $html; + } } /** @@ -218,13 +228,17 @@ class HTMLPurifier * @return Array of purified HTML */ public function purifyArray($array_of_html, $config = null) { - $context_array = array(); - foreach ($array_of_html as $key => $html) { - $array_of_html[$key] = $this->purify($html, $config); - $context_array[$key] = $this->context; - } - $this->context = $context_array; - return $array_of_html; + if ($this->my_user_status==COURSEMANAGERLOWSECURITY) { + return $array_of_html; + } else { + $context_array = array(); + foreach ($array_of_html as $key => $html) { + $array_of_html[$key] = $this->purify($html, $config); + $context_array[$key] = $this->context; + } + $this->context = $context_array; + return $array_of_html; + } } /** @@ -252,7 +266,6 @@ class HTMLPurifier public static function getInstance($prototype = null) { return HTMLPurifier::instance($prototype); } - } // vim: et sw=4 sts=4 diff --git a/main/inc/lib/main_api.lib.php b/main/inc/lib/main_api.lib.php index fd13918d1c..8adf619ae0 100644 
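Review bot: Wrapping the whole body of purify() in `else` reindents some seventy unchanged lines and buries the actual change; a guard clause at the top, `if ($this->my_user_status === COURSEMANAGERLOWSECURITY) { return $html; }`, with the rest of the body left as it was, makes the bypass visible in a three-line diff. The early return also leaves `$this->context` holding whatever the previous call set and skips `HTMLPurifier_Encoder::convertToUTF8`, so low-security callers get neither a context nor charset normalisation. Record that on the method's docblock, which begins above the hunk: `@note With COURSEMANAGERLOWSECURITY the input is returned verbatim; no purification, filters or encoding conversion run.` The `==` comparison would also match a truthy non-integer status, hence `===`.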
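Review bot: The new branch in purifyArray() duplicates the one added to purify(); purify() already returns its input verbatim for COURSEMANAGERLOWSECURITY, so the existing loop would produce the same array while still keeping `$this->context` consistent, and dropping this branch leaves purify() as the single place where the bypass lives. If it is kept, use `===` here as well and add to the docblock that the array is returned unfiltered in that mode.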
--- a/main/inc/lib/main_api.lib.php
+++ b/main/inc/lib/main_api.lib.php
@@ -72,6 +72,8 @@ define('SESSIONADMIN', 3);
 define('DRH', 4);
 /** global status of a user: human ressource manager */
 define('ANONYMOUS', 6);
+/** global status of a user: low security,it's necessary for inserting data from the teacher */
+define('COURSEMANAGERLOWSECURITY',10);
 // table of status
 $_status_list[STUDENT] = 'user';
diff --git a/main/inc/lib/security.lib.php b/main/inc/lib/security.lib.php
index 29af7f659a..e273d187b9 100755
--- a/main/inc/lib/security.lib.php
+++ b/main/inc/lib/security.lib.php
@@ -245,32 +245,17 @@ class Security{
 * Filtering for XSS is very easily done by using the htmlentities() function.
 * This kind of filtering prevents JavaScript snippets to be understood as such.
 * @param mixed The variable to filter for XSS, this params can be a string or an array (example : array(x,y))
- * @param integer The user status,constant allowed(STUDENT,COURSEMANAGER,ANONYMOUS)
+ * @param integer The user status,constant allowed(STUDENT,COURSEMANAGER,ANONYMOUS,COURSEMANAGERLOWSECURITY)
 * @return mixed Filtered string or array
 */
 function remove_XSS($var,$user_status=ANONYMOUS) {
 global $charset;
- if ($user_status==COURSEMANAGER) {
- if (is_array($var)) {
- if (count($var)>0) {
- foreach ($var as &$value_var) {
- $value_var=api_htmlentities($value_var,ENT_QUOTES,$charset);
- }
- } else {
- return '';
- }
- return $var;
-
- } else {
- return api_htmlentities($var,ENT_QUOTES,$charset);
- }
+ $purifier = new HTMLPurifier(null,$user_status);
+ if (is_array($var)) {
+ return $purifier->purifyArray($var);
 } else {
- $purifier = new HTMLPurifier(null,$user_status);
- if (is_array($var)) {
- return $purifier->purifyArray($var);
- } else {
- return $purifier->purify($var);
- }
- }
+ return $purifier->purify($var);
+ }
+ }
 }
 }
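Review bot: The new constant is documented as a "global status of a user", but nothing adds it to `$_status_list` and its actual meaning is "skip XSS filtering", so a future real status defined with value 10 would silently disable purification everywhere the constant is compared. Re-document it to say what it does: `/** Not a user status: a filtering level for Security::remove_XSS()/HTMLPurifier meaning no purification at all. Pass it only for input from fully trusted course managers. */`. Choosing a value well outside the status range, or a dedicated name that does not read like a role, would also make the collision impossible rather than merely unlikely.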
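Review bot: The docblock still says filtering is done with htmlentities(), yet after this hunk no htmlentities call remains and, for COURSEMANAGERLOWSECURITY, `$var` is returned exactly as received, so the first two doc lines are wrong and the most dangerous mode is undocumented. Replace them with a sentence stating that the value is run through HTMLPurifier with an allow list chosen by `$user_status`, and that COURSEMANAGERLOWSECURITY performs no filtering at all. Two behaviour changes for COURSEMANAGER callers are also silent: they move from fully escaped output to a tag allow list, and an empty array now comes back as `array()` where the removed code returned `''`, so callers comparing against `''` should be checked. A `new HTMLPurifier(...)` per call is also now the cost of every remove_XSS invocation; a static instance per status would avoid rebuilding the config each time.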