From b70ccfe63fd434832e5b7ad1af8eb0633993931c Mon Sep 17 00:00:00 2001
From: Felix Eckhofer
Date: Wed, 27 Mar 2013 11:44:29 +0100
Subject: [PATCH] allow ON_SANITIZE plugins to modify the list of tags and attributes that are permissible
---
 include/functions.php | 41 ++++++++++++++++++++++++-----------------
 1 file changed, 24 insertions(+), 17 deletions(-)
diff --git a/include/functions.php b/include/functions.php
index bbddd30b..b2f1a655 100644
--- a/include/functions.php
+++ b/include/functions.php
@@ -2666,37 +2666,44 @@
 }
+ $allowed_elements = array('a', 'address', 'audio', 'article',
+ 'b', 'big', 'blockquote', 'body', 'br', 'cite', 'center',
+ 'code', 'dd', 'del', 'details', 'div', 'dl', 'font',
+ 'dt', 'em', 'footer', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6',
+ 'header', 'html', 'i', 'img', 'ins', 'kbd',
+ 'li', 'nav', 'ol', 'p', 'pre', 'q', 's','small',
+ 'source', 'span', 'strike', 'strong', 'sub', 'summary',
+ 'sup', 'table', 'tbody', 'td', 'tfoot', 'th', 'thead',
+ 'tr', 'track', 'tt', 'u', 'ul', 'var', 'wbr', 'video' );
+
+ if ($_SESSION['hasSandbox']) $allowed_elements[] = 'iframe';
+
+ $disallowed_attributes = array('id', 'style', 'class');
+
 global $pluginhost;
 if (isset($pluginhost)) {
 foreach ($pluginhost->get_hooks($pluginhost::HOOK_SANITIZE) as $plugin) {
- $doc = $plugin->hook_sanitize($doc, $site_url);
+ $retval = $plugin->hook_sanitize($doc, $site_url, $allowed_elements, $disallowed_attributes);
+ if (is_array($retval)) {
+ $doc = $retval[0];
+ $allowed_elements = $retval[1];
+ $disallowed_attributes = $retval[2];
+ } else {
+ $doc = $retval;
+ }
 }
 }
 $doc->removeChild($doc->firstChild); //remove doctype
- $doc = strip_harmful_tags($doc);
+ $doc = strip_harmful_tags($doc, $allowed_elements, $disallowed_attributes);
 $res = $doc->saveHTML();
 return $res;
 }
- function strip_harmful_tags($doc) {
+ function strip_harmful_tags($doc, $allowed_elements, $disallowed_attributes) {
 $entries = $doc->getElementsByTagName("*");
- $allowed_elements = array('a', 'address', 'audio', 'article',
- 'b', 'big', 'blockquote', 'body', 'br', 'cite', 'center',
- 'code', 'dd', 'del', 'details', 'div', 'dl', 'font',
- 'dt', 'em', 'footer', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6',
- 'header', 'html', 'i', 'img', 'ins', 'kbd',
- 'li', 'nav', 'ol', 'p', 'pre', 'q', 's','small',
- 'source', 'span', 'strike', 'strong', 'sub', 'summary',
- 'sup', 'table', 'tbody', 'td', 'tfoot', 'th', 'thead',
- 'tr', 'track', 'tt', 'u', 'ul', 'var', 'wbr', 'video' );
-
- if ($_SESSION['hasSandbox']) 
array_push($allowed_elements, 'iframe');
-
- $disallowed_attributes = array('id', 'style', 'class');
-
-
 foreach ($entries as $entry) {
 if (!in_array($entry->nodeName, $allowed_elements)) {
 $entry->parentNode->removeChild($entry);
-- 
2.39.2
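Review bot: In the `is_array($retval)` branch of the HOOK_SANITIZE loop, `$retval[0]`, `$retval[1]` and `$retval[2]` are assigned without checking that they exist or have the expected type, so a plugin that returns a short or malformed array overwrites the element allow-list and the attribute deny-list (possibly with null) just before `strip_harmful_tags()` depends on them. Guard each assignment, e.g. `if (isset($retval[1]) && is_array($retval[1])) $allowed_elements = $retval[1];`, with the same check for index 2 and `$disallowed_attributes`, and accept `$retval[0]` only when it is still a document object. Because the lists are handed from one plugin to the next, the sanitizer is now only as strict as the most permissive HOOK_SANITIZE plugin; a comment above the loop such as `// plugins may widen $allowed_elements or shrink $disallowed_attributes; treat every HOOK_SANITIZE plugin as trusted code` would make that trust boundary explicit. How `strip_harmful_tags()` applies `$disallowed_attributes` cannot be judged here, since its body continues past the end of the hunk.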