allow ON_SANITIZE plugins to modify the list of tags and attributes that are permissible

diff --git a/include/functions.php b/include/functions.php
index bbddd30bdc1b0cce81f11120cd9ea87375f9d97d..b2f1a655959540c2338bad9affee5326c8d09928 100644 (file)
--- a/include/functions.php
+++ b/include/functions.php
@@ -2666,37 +2666,44 @@
 
                }
 
+               $allowed_elements = array('a', 'address', 'audio', 'article',
+                       'b', 'big', 'blockquote', 'body', 'br', 'cite', 'center',
+                       'code', 'dd', 'del', 'details', 'div', 'dl', 'font',
+                       'dt', 'em', 'footer', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6',
+                       'header', 'html', 'i', 'img', 'ins', 'kbd',
+                       'li', 'nav', 'ol', 'p', 'pre', 'q', 's','small',
+                       'source', 'span', 'strike', 'strong', 'sub', 'summary',
+                       'sup', 'table', 'tbody', 'td', 'tfoot', 'th', 'thead',
+                       'tr', 'track', 'tt', 'u', 'ul', 'var', 'wbr', 'video' );
+
+               if ($_SESSION['hasSandbox']) $allowed_elements[] = 'iframe';
+
+               $disallowed_attributes = array('id', 'style', 'class');
+
                global $pluginhost;
 
                if (isset($pluginhost)) {
                        foreach ($pluginhost->get_hooks($pluginhost::HOOK_SANITIZE) as $plugin) {
-                               $doc = $plugin->hook_sanitize($doc, $site_url);
+                               $retval = $plugin->hook_sanitize($doc, $site_url, $allowed_elements, $disallowed_attributes);
+                               if (is_array($retval)) {
+                                       $doc = $retval[0];
+                                       $allowed_elements = $retval[1];
+                                       $disallowed_attributes = $retval[2];
+                               } else {
+                                       $doc = $retval;
+                               }
                        }
                }
 
                $doc->removeChild($doc->firstChild); //remove doctype
-               $doc = strip_harmful_tags($doc);
+               $doc = strip_harmful_tags($doc, $allowed_elements, $disallowed_attributes);
                $res = $doc->saveHTML();
                return $res;
        }
 
-       function strip_harmful_tags($doc) {
+       function strip_harmful_tags($doc, $allowed_elements, $disallowed_attributes) {
                $entries = $doc->getElementsByTagName("*");
 
-               $allowed_elements = array('a', 'address', 'audio', 'article',
-                       'b', 'big', 'blockquote', 'body', 'br', 'cite', 'center',
-                       'code', 'dd', 'del', 'details', 'div', 'dl', 'font',
-                       'dt', 'em', 'footer', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6',
-                       'header', 'html', 'i', 'img', 'ins', 'kbd',
-                       'li', 'nav', 'ol', 'p', 'pre', 'q', 's','small',
-                       'source', 'span', 'strike', 'strong', 'sub', 'summary',
-                       'sup', 'table', 'tbody', 'td', 'tfoot', 'th', 'thead',
-                       'tr', 'track', 'tt', 'u', 'ul', 'var', 'wbr', 'video' );
-
-               if ($_SESSION['hasSandbox']) array_push($allowed_elements, 'iframe');
-
-               $disallowed_attributes = array('id', 'style', 'class');
-
                foreach ($entries as $entry) {
                        if (!in_array($entry->nodeName, $allowed_elements)) {
                                $entry->parentNode->removeChild($entry);