getInstance() public static method

Singleton accessor that enforces a single shared HTML Purifier instance across your application.
public static getInstance ( HTMLPurifier | HTMLPurifier_Config $prototype = null ) : HTMLPurifier
$prototype HTMLPurifier | HTMLPurifier_Config Optional. Either an HTMLPurifier instance that replaces (overloads) the singleton, or an HTMLPurifier_Config instance used to configure the HTMLPurifier that getInstance() creates. Because the instance is shared by every caller in the process, a prototype passed by one caller takes effect for all of them.
return HTMLPurifier
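/**
 * Strips markup that could carry a cross-site scripting (XSS) payload.
 *
 * Arrays are filtered recursively, element by element. Filtering only runs
 * when the global $kboard_xssfilter_active flag is truthy; otherwise the input
 * is returned untouched. The HTML Purifier instance and its configuration are
 * built once and cached in $GLOBALS['KBOARD'].
 *
 * Fix: the cache check mixed isset() and a bare index read with unparenthesised
 * && / ||, which raised an undefined-index notice on the first call; empty()
 * covers "not set" and "falsy" in one step.
 *
 * @param string|array $data Untrusted input (a string, or a nested array of strings).
 * @return string|array The purified input, same shape as $data.
 */
function kboard_xssfilter($data)
{
    global $kboard_xssfilter_active;
    if (is_array($data)) {
        return array_map('kboard_xssfilter', $data);
    }
    if (!$kboard_xssfilter_active) {
        return $data;
    }
    if (empty($GLOBALS['KBOARD']['HTMLPurifier']) || empty($GLOBALS['KBOARD']['HTMLPurifier_Config'])) {
        $config = HTMLPurifier_Config::createDefault();
        $config->set('URI.AllowedSchemes', array('http' => true, 'https' => true, 'mailto' => true));
        // NOTE(review): '(.*)' accepts every iframe src, so HTML.SafeIframe
        // effectively allows any iframe; restrict this to the embed hosts you
        // actually need (e.g. '%^(https?:)?//(www\.youtube\.com/embed/)%').
        $config->set('URI.SafeIframeRegexp', '(.*)');
        $config->set('HTML.SafeIframe', true);
        $config->set('HTML.SafeObject', true);
        $config->set('HTML.SafeEmbed', true);
        $config->set('HTML.TidyLevel', 'light');
        $config->set('HTML.FlashAllowFullScreen', true);
        $config->set('HTML.AllowedElements', 'img,div,a,strong,font,span,em,br,p,u,i,b,sup,sub,small,table,thead,tbody,tfoot,tr,td,th,caption,pre,code,ul,li,ol,big,code,blockquote,center,hr,h1,h2,h3,h4,h5,h6,iframe');
        $config->set('HTML.AllowedAttributes', 'a.href,a.target,img.src,iframe.src,iframe.frameborder,*.id,*.alt,*.style,*.class,*.title,*.width,*.height,*.border,*.colspan,*.rowspan');
        $config->set('Attr.AllowedFrameTargets', array('_blank'));
        $config->set('Output.FlashCompat', true);
        $config->set('Core.RemoveInvalidImg', true);
        // NOTE(review): the serializer cache is written under the web-served
        // uploads tree; make sure that directory is not browsable or writable
        // by other users of the host.
        $config->set('Cache.SerializerPath', WP_CONTENT_DIR . '/uploads/kboard_htmlpurifier');
        $GLOBALS['KBOARD']['HTMLPurifier_Config'] = $config;
        $GLOBALS['KBOARD']['HTMLPurifier'] = HTMLPurifier::getInstance();
    }
    // stripslashes() is a magic_quotes-era leftover: it also removes
    // backslashes the user typed on purpose.
    return $GLOBALS['KBOARD']['HTMLPurifier']->purify(stripslashes($data), $GLOBALS['KBOARD']['HTMLPurifier_Config']);
}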
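/**
 * Strips markup that could carry a cross-site scripting (XSS) payload, then
 * post-processes iframes with kboard_safeiframe().
 *
 * Arrays are filtered recursively. Filtering only runs when the global
 * $kboard_xssfilter_active flag is truthy. The HTML Purifier instance and its
 * configuration are built once and cached in $GLOBALS['KBOARD'].
 *
 * Fix: the cache check read $GLOBALS['KBOARD'][...] without isset(), raising
 * an undefined-index notice on the first call of every request; empty() is used
 * instead.
 *
 * @param string|array $data Untrusted input (a string, or a nested array of strings).
 * @return string|array The purified input, same shape as $data.
 */
function kboard_xssfilter($data)
{
    global $kboard_xssfilter_active;
    if (is_array($data)) {
        return array_map('kboard_xssfilter', $data);
    }
    if ($kboard_xssfilter_active) {
        if (empty($GLOBALS['KBOARD']['HTMLPurifier']) || empty($GLOBALS['KBOARD']['HTMLPurifier_Config'])) {
            $config = HTMLPurifier_Config::createDefault();
            $config->set('HTML.SafeIframe', true);
            // NOTE(review): '(.*)' lets any iframe src through; restrict it to
            // the embed hosts you need.
            $config->set('URI.SafeIframeRegexp', '(.*)');
            $config->set('HTML.TidyLevel', 'light');
            $config->set('HTML.SafeObject', true);
            $config->set('HTML.SafeEmbed', true);
            $config->set('Attr.AllowedFrameTargets', array('_blank'));
            $config->set('Output.FlashCompat', true);
            // NOTE(review): cache files live under the web-served uploads tree.
            $config->set('Cache.SerializerPath', WP_CONTENT_DIR . '/uploads/kboard_htmlpurifier');
            $GLOBALS['KBOARD']['HTMLPurifier_Config'] = $config;
            $GLOBALS['KBOARD']['HTMLPurifier'] = HTMLPurifier::getInstance();
        }
        // stripslashes() is a magic_quotes-era leftover; it also removes
        // backslashes the user typed on purpose.
        $data = $GLOBALS['KBOARD']['HTMLPurifier']->purify(stripslashes($data), $GLOBALS['KBOARD']['HTMLPurifier_Config']);
    }
    return kboard_safeiframe($data);
}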
 /**
  * Smoke test: HTML Purifier loads, and with URI.DisableResources on an
  * <img> element is dropped entirely from the output.
  */
 public function testCanLoadHTMLPurifier()
 {
     $config = HTMLPurifier_Config::createDefault();
     $config->set('Core.EscapeNonASCIICharacters', false);
     $config->set('URI.DisableResources', true);
     $this->config = $config;
     $this->purifier = HTMLPurifier::getInstance($config);
     $this->assertPurification('<img src="foo.jpg" />', '');
 }
 /**
  * Writes $html inside an XHTML <div>, after running it through the shared
  * HTML Purifier singleton (with whatever configuration that singleton carries).
  *
  * @param string $html Untrusted HTML fragment.
  */
 protected function writeHTMLDiv($html)
 {
     $this->startElement('div');
     $clean = HTMLPurifier::getInstance()->purify($html);
     $this->writeAttribute('xmlns', 'http://www.w3.org/1999/xhtml');
     $this->writeRaw($clean);
     $this->endElement();
 }
 /**
  * Appends $html, purified through the shared HTML Purifier singleton, to
  * $node wrapped in an XHTML <div>.
  *
  * @param DOMDocument $document Owner document used to create the nodes.
  * @param DOMNode     $node     Parent the new <div> is appended to.
  * @param string      $html     Untrusted HTML fragment.
  */
 protected function appendHTMLDiv($document, $node, $html)
 {
     $clean = HTMLPurifier::getInstance()->purify($html);
     $div = $document->createElement('div');
     $div->setAttribute('xmlns', 'http://www.w3.org/1999/xhtml');
     // appendXML() needs well-formed XML; purified output is expected to be,
     // but a malformed fragment would warn and append nothing — TODO confirm.
     $fragment = $document->createDocumentFragment();
     $fragment->appendXML($clean);
     $div->appendChild($fragment);
     $node->appendChild($div);
 }
 /**
  * Builds a Creole parser pointed at example wikis, with raw HTML allowed but
  * routed through HTML Purifier (default configuration) before it is emitted.
  *
  * NOTE(review): HTMLPurifier::getInstance() is a process-wide singleton;
  * passing a config here may reconfigure it for every other caller — confirm
  * against the getInstance() contract of the library version in use.
  *
  * @return Parser
  */
 public function createCreoleEx()
 {
     $parser = new Creole();
     $parser->wikiUrl = 'http://www.example.com/wiki/';
     $parser->externalWikis = [
         'Wiki-A' => 'http://www.wiki-a.com/wiki-a/',
         'Wiki-B' => 'https://www.wiki-b.com/wiki-b/',
     ];
     $parser->useRawHtml = true;
     $parser->rawHtmlFilter = static function ($rawHtml) {
         $purifier = \HTMLPurifier::getInstance(\HTMLPurifier_Config::createDefault());
         return $purifier->purify($rawHtml);
     };
     return $parser;
 }
 /**
  * Define the form elements.
  *
  * Elements, in display order: YouTube URL (required, checked by
  * validateYoutubeUrl), target collection, role of the YouTube user/channel,
  * public/private visibility, a 'hash' element (presumably Zend's CSRF token,
  * Omeka >= 2.2.1 only) and the submit button.
  *
  * The URL field is pre-filled from $_POST so the form stays filled after a
  * failed submission; the value is passed through HTML Purifier first.
  *
  * @return void
  */
 private function _registerElements()
 {
     // URL: re-fill from the previous submission, if any.
     $previousUrl = '';
     if (isset($_POST['youtubeurl'])) {
         $previousUrl = HTMLPurifier::getInstance()->purify(trim($_POST['youtubeurl']));
     }
     $urlValidator = array('callback', false, array('callback' => array($this, 'validateYoutubeUrl'), 'options' => array()));
     $this->addElement('text', 'youtubeurl', array(
         'label' => __('Youtube URL'),
         'value' => $previousUrl,
         'validators' => array($urlValidator),
         'order' => 1,
         'required' => true,
     ));
     // Collection:
     $this->addElement('select', 'youtubecollection', array(
         'label' => __('Collection'),
         'description' => __('To which collection would you like to add the YouTube video?'),
         'value' => '0',
         'order' => 2,
         'multiOptions' => $this->_getCollectionOptions(),
     ));
     // User Role:
     $this->addElement('select', 'youtubeuserrole', array(
         'label' => __('User Role'),
         'description' => __('Which role does the Youtube user/channel play in the creation of the new Omeka item?'),
         'value' => 'Publisher',
         'order' => 3,
         'multiOptions' => $this->_getRoleOptions(),
     ));
     // Visibility (public vs private):
     $this->addElement('checkbox', 'youtubepublic', array(
         'label' => __('Public Visibility'),
         'description' => __('Would you like to make the video public in Omeka?'),
         'checked' => 'checked',
         'order' => 4,
     ));
     // The 'hash' element type only exists from Omeka 2.2.1 on.
     if (version_compare(OMEKA_VERSION, '2.2.1') >= 0) {
         $this->addElement('hash', 'youtube_token');
     }
     // Submit:
     $this->addElement('submit', 'youtube-import-submit', array('label' => __('Import Video')));
     // Display groups:
     $this->addDisplayGroup(array('youtubeurl', 'youtubecollection', 'youtubeuserrole', 'youtubepublic'), 'fields');
     $this->addDisplayGroup(array('youtube-import-submit'), 'submit_buttons');
 }
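/**
 * Strips markup that could carry an XSS payload, then post-processes iframes
 * with kingkongboard_safeiframe().
 *
 * Arrays are filtered recursively. The HTML Purifier instance and its
 * configuration are built once per request and cached in
 * $GLOBALS['KINGKONGBOARD'].
 *
 * Fix: the original only filtered when the request arrived over HTTPS
 * ($_SERVER['HTTPS']) and returned $data untouched over plain HTTP, so the
 * transport, not the content, decided whether XSS filtering happened.
 * Filtering now runs unconditionally. The configuration is also no longer
 * rebuilt on every call.
 *
 * @param string|array $data Untrusted input (a string, or a nested array of strings).
 * @return string|array The purified input, same shape as $data.
 */
function kingkongboard_xssfilter($data)
{
    if (is_array($data)) {
        return array_map('kingkongboard_xssfilter', $data);
    }
    if (empty($GLOBALS['KINGKONGBOARD']['HTMLPurifier']) || empty($GLOBALS['KINGKONGBOARD']['HTMLPurifier_Config'])) {
        $config = HTMLPurifier_Config::createDefault();
        $config->set('HTML.SafeIframe', true);
        // NOTE(review): '(.*)' lets any iframe src through; restrict it to
        // the embed hosts you need.
        $config->set('URI.SafeIframeRegexp', '(.*)');
        $config->set('HTML.TidyLevel', 'light');
        $config->set('HTML.SafeObject', true);
        $config->set('HTML.SafeEmbed', true);
        $config->set('Attr.AllowedFrameTargets', array('_blank'));
        $config->set('Output.FlashCompat', true);
        // NOTE(review): cache files are written straight into the web-served
        // uploads root; a dedicated, non-browsable directory would be safer.
        $config->set('Cache.SerializerPath', WP_CONTENT_DIR . '/uploads');
        $GLOBALS['KINGKONGBOARD']['HTMLPurifier_Config'] = $config;
        $GLOBALS['KINGKONGBOARD']['HTMLPurifier'] = HTMLPurifier::getInstance();
    }
    // stripslashes() is a magic_quotes-era leftover; it also removes
    // backslashes the user typed on purpose.
    $clean = $GLOBALS['KINGKONGBOARD']['HTMLPurifier']->purify(stripslashes($data), $GLOBALS['KINGKONGBOARD']['HTMLPurifier_Config']);
    return kingkongboard_safeiframe($clean);
}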
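 /**
  * Handles a tag proposal submitted for a record (POST).
  *
  * Validates the form, checks that the target record exists and is an Item,
  * decides whether the proposal is auto-approved (moderator roles), must wait
  * for moderation, or is allowed directly, then saves one Tagging per proposed
  * tag. Tags that are empty after sanitizing, duplicated in the submission,
  * already set on the record, or longer than tagging_max_length_tag are
  * skipped; a tag already proposed for the record is approved in place when
  * the submitter can moderate. Finally redirects to $destination.
  *
  * Changes versus the previous version:
  *  - every failure path returns right after scheduling its redirect, so an
  *    invalid form (including a failed CSRF hash) or a missing record can no
  *    longer fall through into tag creation;
  *  - the anonymous-user test runs before $user->role is read;
  *  - $user_id and $requireModeration are set on the moderator branch (they
  *    were left undefined there, so moderator taggings were saved with a null
  *    user_id and the final message logic read an undefined variable);
  *  - $tagging->user_id is assigned after setArray(), and 'id'/'user_id' are
  *    dropped from the POST copy, so a client cannot override them through
  *    the mass assignment.
  *
  * NOTE(review): $destination is taken from the request ('path') and handed
  * to gotoUrl(). purify() does not reject absolute URLs, so this is an open
  * redirect unless the redirector restricts targets to local paths — confirm.
  */
 public function addAction()
 {
     $purifier = HTMLPurifier::getInstance();
     $data = $_POST;
     // Fields a client must never be able to set on the new Tagging record.
     unset($data['id'], $data['user_id']);
     $destination = $purifier->purify(trim($data['path']));
     $form = $this->_getForm();
     if (!$form->isValid($this->getRequest()->getPost())) {
         // Keep the submitted values so the form can be re-filled after the redirect.
         $taggingSession = new Zend_Session_Namespace('tagging');
         $taggingSession->post = serialize($_POST);
         $this->_helper->redirector->gotoUrl($destination . '#tagging-form');
         return;
     }
     // Currently, tags are allowed only on items.
     $recordType = $purifier->purify(trim($data['record_type']));
     if ($recordType != 'Item') {
         $this->_helper->flashMessenger(__('This record does not accept tags.'), 'warning');
         $this->_helper->redirector->gotoUrl($destination);
         return;
     }
     // Security check: the record must exist.
     $record = get_record_by_id($recordType, (int) $purifier->purify(trim($data['record_id'])));
     if (!$record) {
         $this->_helper->flashMessenger(__('Record does not exist.'), 'warning');
         $this->_helper->redirector->gotoUrl($destination);
         return;
     }
     // Moderation or not. current_user() is empty for anonymous visitors, so
     // that is checked before $user->role is read. The role lists come from
     // the plugin's own stored options, not from the request.
     $user = current_user();
     $requireModeration = false;
     if (empty($user)) {
         $user_id = 0;
         $requireModeration = (bool) get_option('tagging_public_require_moderation');
         $status = $requireModeration ? 'proposed' : 'allowed';
     } else {
         $user_id = $user->id;
         $moderationRoles = unserialize(get_option('tagging_moderate_roles'));
         if (is_array($moderationRoles) && in_array($user->role, $moderationRoles)) {
             // A moderator's proposition is approved automatically.
             $status = 'approved';
         } else {
             $requireModerationRoles = unserialize(get_option('tagging_require_moderation_roles'));
             $requireModeration = is_array($requireModerationRoles) && in_array($user->role, $requireModerationRoles);
             $status = $requireModeration ? 'proposed' : 'allowed';
         }
     }
     // Default values for tagging.
     $data['ip'] = $_SERVER['REMOTE_ADDR'];
     $data['user_agent'] = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
     $data['status'] = $status;
     // Need getValue to run the filter.
     $userTagging = $purifier->purify(trim($form->getElement('tagging')->getValue()));
     $proposedTaggingsNames = explode(get_option('tag_delimiter'), $userTagging);
     // Prepare checks of existing tags.
     $db = get_db();
     $recordTags = $record->getTags();
     $recordTaggings = $db->getTable('Tagging')->findByRecord($record);
     $recordTagsNames = $this->_getTagsNames($recordTags);
     $recordTaggingsNames = $this->_getTagsNames($recordTaggings);
     $maxLength = get_option('tagging_max_length_tag');
     // There is one tagging by tag to simplify management.
     $tagsToAdd = array();
     $approvedExistingTags = array();
     foreach ($proposedTaggingsNames as $proposedTag) {
         $data['name'] = $proposedTag;
         $tagging = new Tagging();
         $tagging->setArray($data);
         // Assigned after setArray() so the request cannot override it.
         $tagging->user_id = $user_id;
         $sanitizedName = $tagging->sanitizeName();
         // Check the quality of tag.
         if (!$sanitizedName) {
             continue;
         }
         // Check if this tagging is not a duplicate.
         if (in_array($sanitizedName, $tagsToAdd)) {
             continue;
         }
         // Check if this tagging is not already set.
         if (in_array($sanitizedName, $recordTagsNames)) {
             continue;
         }
         // Check size of a tag.
         if (strlen($sanitizedName) > $maxLength) {
             $this->_helper->flashMessenger(__('Individual tags can\'t be longer than %d characters.', $maxLength), 'error');
             continue;
         }
         // Check if this tagging is not already saved.
         if (in_array($sanitizedName, $recordTaggingsNames)) {
             $existingTagging = $recordTaggings[array_search($sanitizedName, $recordTaggingsNames)];
             // Normally, an existing approved tagging is already an item tag;
             // a moderator re-proposing a pending one approves it in place.
             if ($tagging->status == 'approved') {
                 $existingTagging->status = 'approved';
                 try {
                     $existingTagging->save();
                 } catch (Exception $e) {
                     _log($e->getMessage());
                 }
                 $approvedExistingTags[] = $sanitizedName;
             }
             // In all other cases (already approved or rejected), the
             // old tagging is kept in place of the new one.
             continue;
         }
         $tagsToAdd[] = $sanitizedName;
         // Taggings are automatically added to item if they are approved.
         try {
             $tagging->save();
         } catch (Exception $e) {
             _log($e->getMessage());
         }
     }
     // Information for user.
     if (count($approvedExistingTags)) {
         $this->_helper->flashMessenger(__('Your tags "%s" have been approved.', implode(', ', $approvedExistingTags)), 'success');
     }
     if (count($tagsToAdd) == 0 && count($approvedExistingTags) == 0) {
         $this->_helper->flashMessenger(__('This tag has already been submitted "%s" or it is not correctly formatted.', $userTagging), 'warning');
     } elseif ($requireModeration) {
         $this->_helper->flashMessenger(__('Your tag "%s" is awaiting approval', $userTagging), 'success');
     } elseif (count($tagsToAdd) == 1) {
         $this->_helper->flashMessenger(__('Your tag "%s" has been added', implode(', ', $tagsToAdd)), 'success');
     } elseif (count($tagsToAdd) > 1) {
         $this->_helper->flashMessenger(__('Your tags "%s" have been added', implode(', ', $tagsToAdd)), 'success');
     }
     // Otherwise only existing tags were approved; that message was already queued above.
     $this->_helper->redirector->gotoUrl($destination);
 }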
 /**
  * Purifies $html according to $level (see the CODENDI_PURIFIER_* constants).
  *
  * From most to least restrictive:
  *  - CODENDI_PURIFIER_CONVERT_HTML (default): every HTML markup is turned
  *    into entities (htmlentities, ENT_QUOTES, UTF-8).
  *  - CODENDI_PURIFIER_STRIP_HTML: HTML Purifier strips all markup. As this
  *    relies on HTML Purifier rather than plain escaping it is considered less
  *    safe than CONVERT_HTML; prefer CONVERT_HTML when in doubt.
  *  - CODENDI_PURIFIER_BASIC / BASIC_NOBR: entities plus clickable links
  *    (makeLinks, needs $groupId for automagic links); BASIC also turns
  *    newlines into <br>.
  *  - CODENDI_PURIFIER_LIGHT: references are inserted (insertReferences), then
  *    the text goes through HTML Purifier with the light configuration
  *    (@see getLightConfig()).
  *  - CODENDI_PURIFIER_FULL: HTML Purifier only (removes forms, javascript, ...);
  *    no automagic links and no newline-to-br conversion.
  *  - CODENDI_PURIFIER_JS_QUOTE / JS_DQUOTE: js_string_purifier() with the
  *    JSON_HEX_APOS (4) / JSON_HEX_QUOTE (8) flag, for single- or
  *    double-quoted JavaScript strings.
  *  - CODENDI_PURIFIER_DISABLED: no filtering at all.
  *
  * @param string $html    Input to purify.
  * @param int    $level   One of the CODENDI_PURIFIER_* constants.
  * @param int    $groupId Project id, used for automagic links and references.
  * @return string
  */
 function purify($html, $level = 0, $groupId = 0)
 {
     // LIGHT: an empty input is returned as is; otherwise references are
     // inserted first and the result then takes the HTML Purifier path below.
     if ($level == CODENDI_PURIFIER_LIGHT) {
         if (empty($html)) {
             return $html;
         }
         $this->insertReferences($html, $groupId);
     }
     switch ($level) {
         case CODENDI_PURIFIER_DISABLED:
             return $html;
         case CODENDI_PURIFIER_LIGHT:
         case CODENDI_PURIFIER_STRIP_HTML:
         case CODENDI_PURIFIER_FULL:
             require_once 'HTMLPurifier.auto.php';
             $purifier = HTMLPurifier::getInstance();
             $config = $this->getHPConfig($level);
             $clean = $purifier->purify($html, $config);
             unset($config); // the config object is large; release it early
             return $clean;
         case CODENDI_PURIFIER_BASIC:
             return nl2br($this->makeLinks(htmlentities($html, ENT_QUOTES, 'UTF-8'), $groupId));
         case CODENDI_PURIFIER_BASIC_NOBR:
             return $this->makeLinks(htmlentities($html, ENT_QUOTES, 'UTF-8'), $groupId);
         case CODENDI_PURIFIER_JS_QUOTE:
             return $this->js_string_purifier($html, 4); // 4 == JSON_HEX_APOS
         case CODENDI_PURIFIER_JS_DQUOTE:
             return $this->js_string_purifier($html, 8); // 8 == JSON_HEX_QUOTE
         case CODENDI_PURIFIER_CONVERT_HTML:
         default:
             return htmlentities($html, ENT_QUOTES, 'UTF-8');
     }
 }
- make XML format richer
- extend XSLT transformation (see the corresponding XSLT file)
- allow generation of packaged docs that can be easily moved
- multipage documentation
- determine how to multilingualize
- add blurbs to ToC
*/
// Configuration documentation generator: builds the config-schema interchange
// and serialises it to configdoc.xml (the XSLT step follows later in the file).
if (version_compare(PHP_VERSION, '5.2', '<')) {
    exit('PHP 5.2+ required.');
}
error_reporting(E_ALL | E_STRICT);

// Load both libraries (extras first, then the core).
require_once dirname(__FILE__) . '/../extras/HTMLPurifierExtras.auto.php';
require_once dirname(__FILE__) . '/../library/HTMLPurifier.auto.php';

// Prime the process-wide singleton with AutoFormat.PurifierLinkify enabled.
HTMLPurifier::getInstance(array('AutoFormat.PurifierLinkify' => true));

// Build the interchange from the schema directory, then let an optional
// config-schema.php extend it before validating.
$interchange = new HTMLPurifier_ConfigSchema_Interchange();
$builder = new HTMLPurifier_ConfigSchema_InterchangeBuilder();
$builder->buildDir($interchange);
$loader = dirname(__FILE__) . '/../config-schema.php';
if (file_exists($loader)) {
    include $loader;
}
$interchange->validate();

$style = 'plain';
// use $_GET in the future, careful to validate!

// Serialise the interchange to XML next to this script.
$configdoc_xml = dirname(__FILE__) . '/configdoc.xml';
$xml_builder = new HTMLPurifier_ConfigSchema_Builder_Xml();
$xml_builder->openURI($configdoc_xml);
$xml_builder->build($interchange);
unset($xml_builder);
    }
    ?>

<?php 
    foreach ($type->getTypeElements() as $contributionTypeElement) {
        /************************************************************
        *REVISIONS
        * Ver        Date       Author          Description
        * --------  ----------  --------------  ----------------------
        * 1.0       09/02/2015  mrs175          1. Removed description of youtube video item, added functionality for form to stay filled after failed submission
        ************************************************************/
        $element = $contributionTypeElement->Element;
        // Item type 3 is rendered without the element description.
        if ($type->item_type_id == 3) {
            unset($element->description);
        }
        // Re-fill the field from the previous (failed) submission, but only
        // when that submission was for this contribution type. The value is
        // HTML-purified here; elementForm() is presumably still expected to
        // attribute-escape it on output — confirm.
        $value = '';
        $resubmittedForThisType = isset($_POST['Elements'][$element->id][0]['text'])
            && $type->item_type_id == intval($_POST['contribution_type']);
        if ($resubmittedForThisType) {
            $value = HTMLPurifier::getInstance()->purify(trim($_POST['Elements'][$element->id][0]['text']));
        }
        echo $this->elementForm($element, $item, array('contributionTypeElement' => $contributionTypeElement, 'value' => $value));
    }
    ?>

<?php 
    if (!isset($required) && $type->isFileAllowed()) {
        ?>
<div class="field">
        <div class="two columns alpha">
            <?php 
        echo $this->formLabel('contributed_file', __('Upload a file (Optional)'));
        ?>
        </div>
        <div class="inputs five columns omega">
            <?php 
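/**
 * Prints the editor help block shown under the subject field.
 *
 * WYSIWYG mode: only a "HTML has been scrubbed" notice is printed, and only
 * when the editor is in quote, edit or moderation mode. Otherwise, unless the
 * module's suppress_message setting is on, a help box lists the HTML features
 * in effect (auto-paragraphing and the allowed tags, read from the singleton
 * purifier's configuration).
 *
 * Fixes: getInstance() is no longer assigned by reference (a static method's
 * return value is not a referenceable variable, which PHP reports as a notice),
 * and a stray closing </p> after the "Allowed tags" paragraph is removed.
 */
function phorum_htmlpurifier_editor_after_subject()
{
    // don't show this message if it's a WYSIWYG editor, since it will
    // then be handled automatically
    if (!empty($GLOBALS['PHORUM']['mod_htmlpurifier']['wysiwyg'])) {
        $mode = $GLOBALS['PHORUM']['DATA']['MODE'];
        if ($mode == 'quote' || $mode == 'edit' || $mode == 'moderation') {
            ?>
          <div>
            <p>
              <strong>Notice:</strong> HTML has been scrubbed for your safety.
              If you would like to see the original, turn off WYSIWYG mode
              (consult your administrator for details.)
            </p>
          </div>
          <?php 
        }
        return;
    }
    if (!empty($GLOBALS['PHORUM']['mod_htmlpurifier']['suppress_message'])) {
        return;
    }
    ?>
<div class="htmlpurifier-help">
    <p>
        <strong>HTML input</strong> is enabled. Make sure you escape all HTML and
        angled brackets with <code>&amp;lt;</code> and <code>&amp;gt;</code>.
    </p><?php 
    // The singleton's live configuration drives the help text below.
    $purifier = HTMLPurifier::getInstance();
    $config = $purifier->config;
    if ($config->get('AutoFormat.AutoParagraph')) {
        ?>
<p>
                    <strong>Auto-paragraphing</strong> is enabled. Double
                    newlines will be converted to paragraphs; for single
                    newlines, use the <code>pre</code> tag.
                </p><?php 
    }
    // Element names come from the purifier's own HTML definition, not from
    // user input, so they are printed without escaping.
    $html_definition = $config->getDefinition('HTML');
    $allowed = array();
    foreach (array_keys($html_definition->info) as $name) {
        $allowed[] = "<code>{$name}</code>";
    }
    sort($allowed);
    $allowed_text = implode(', ', $allowed);
    ?>
<p><strong>Allowed tags:</strong> <?php 
    echo $allowed_text;
    ?>
.</p>
    <p>
        For inputting literal code such as HTML and PHP for display, use
        CDATA tags to auto-escape your angled brackets, and <code>pre</code>
        to preserve newlines:
    </p>
    <pre>&lt;pre&gt;&lt;![CDATA[
<em>Place code here</em>
]]&gt;&lt;/pre&gt;</pre>
    <p>
        Power users, you can hide this notice with:
        <pre>.htmlpurifier-help {display:none;}</pre>
    </p>
    </div><?php 
}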
 /**
  * getInstance() must hand back the very same object on repeated calls.
  */
 function testGetInstance()
 {
     $first = HTMLPurifier::getInstance();
     $second = HTMLPurifier::getInstance();
     $this->assertReference($first, $second);
 }
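/**
 * Pre-emptively purifies a message body when a WYSIWYG editor is in use.
 *
 * The stored body is entity-encoded: it is decoded, run through the shared
 * HTML Purifier singleton, re-encoded with htmlspecialchars() in the forum's
 * charset and written back to $message['body'].
 *
 * Fixes: the original purified the still-encoded $message['body'] instead of
 * the decoded $body (making the decode step dead code) and never stored the
 * result, so the returned message was always the unmodified input.
 *
 * @param array $message Phorum message array; only 'body' is used.
 * @return array The message, with 'body' purified when WYSIWYG is enabled.
 */
function phorum_htmlpurifier_before_editor($message)
{
    if (empty($GLOBALS['PHORUM']['mod_htmlpurifier']['wysiwyg']) || empty($message['body'])) {
        return $message;
    }
    // de-entity-ize contents ('&amp;' last, so '&amp;lt;' ends up as '&lt;')
    $body = str_replace(array('&lt;', '&gt;', '&amp;'), array('<', '>', '&'), $message['body']);
    $purifier = HTMLPurifier::getInstance();
    $body = $purifier->purify($body);
    // re-entity-ize contents
    $message['body'] = htmlspecialchars($body, ENT_QUOTES, $GLOBALS['PHORUM']['DATA']['CHARSET']);
    return $message;
}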
</div>
                <?php 
    }
    ?>
               <?php 
    /************************************************************
     *REVISIONS
     * Ver        Date       Author          Description
     * --------  ----------  --------------  ----------------------
     * 1.0       09/02/2015  mrs175          1. aadded functionality for form to stay filled after a failed submission
     ************************************************************/
    // Re-fill the public fields after a failed submission. Tags are restored
    // from any POST; name and e-mail only when the CSRF token did not validate
    // (apparently what this template treats as a failed submission).
    // NOTE(review): purify() is an HTML sanitizer, but these values end up in
    // form attributes — the form helpers are presumably escaping them; confirm.
    $tags = '';
    if (isset($_POST['contribution_form_tags'])) {
        $tags = HTMLPurifier::getInstance()->purify(trim($_POST['contribution_form_tags']));
    }
    $tagsFormElementOptions = array('name' => 'contribution_form_tags', 'value' => $tags, 'attribs' => array('id' => 'contribution_form_tags', 'maxlength' => '200'));
    $name = '';
    if (isset($_POST['contribution_form_name_mandatory']) && !$csrf->isValid($_POST)) {
        $name = HTMLPurifier::getInstance()->purify(trim($_POST['contribution_form_name_mandatory']));
    }
    $nameFormElementOptions = array('name' => 'contribution_form_name_mandatory', 'value' => $name, 'attribs' => array('id' => 'contribution_form_name_mandatory', 'required' => true, 'maxlength' => '70'));
    $email = '';
    if (isset($_POST['contribution_simple_email']) && !$csrf->isValid($_POST)) {
        $email = HTMLPurifier::getInstance()->purify(trim($_POST['contribution_simple_email']));
    }
    $emailFormElementOptions = array('name' => 'contribution_simple_email', 'value' => $email, 'attribs' => array('id' => 'contribution_simple_email', 'required' => true, 'maxlength' => '70'));
    // A logged-in user gets the account's e-mail and name, read only.
    $user = current_user();
    if ($user) {
        $readOnlyAttribs = array('readonly' => true, 'onfocus' => "this.blur()");
        $emailFormElementOptions['value'] = $user['email'];
        $emailFormElementOptions['attribs'] = array_merge($emailFormElementOptions['attribs'], $readOnlyAttribs);
        $nameFormElementOptions['value'] = $user['name'];
        $nameFormElementOptions['attribs'] = array_merge($nameFormElementOptions['attribs'], $readOnlyAttribs);
    }
    ?>
                <div class="inputs">
                    <?php 
    echo $this->formLabel('contribution_form_tags', __('Keywords or Tags (separated by commas)')) . '<br>';
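 /**
  * Returns a sanitized string.
  *
  * Pipeline: HTML Purifier, then strip_tags(), then trimming of leading and
  * trailing separator/special characters, normalisation of parentheses and
  * braces to square brackets, removal of control characters, path and
  * shell-ish characters and whitespace, and removal of no-break spaces.
  *
  * Fix: the no-break space pattern now carries the 'u' modifier. Without it,
  * \x{00a0} matches the single byte 0xA0 rather than U+00A0 (C2 A0 in UTF-8),
  * which left NBSP in place and could strip a byte out of other multibyte
  * characters whose encoding contains 0xA0.
  *
  * @param string $string The string to sanitize.
  *
  * @return string The sanitized string.
  */
 private function _sanitizeString($string)
 {
     $string = HTMLPurifier::getInstance()->purify(trim($string));
     // Quote is allowed.
     $string = strip_tags($string);
     // The first character is a space and the last one is a no-break space.
     $string = trim($string, ' /\\?<>:*%|"`&; ');
     $string = preg_replace('/[\\(\\{]/', '[', $string);
     $string = preg_replace('/[\\)\\}]/', ']', $string);
     $string = preg_replace('/[[:cntrl:]\\/\\\\?<>\\*\\%\\|\\"`\\&\\;+\\^\\$\\s]/', '', $string);
     // Under /u preg_replace() returns null for invalid UTF-8; keep the input then.
     $withoutNbsp = preg_replace('~\\x{00a0}~u', '', $string);
     if ($withoutNbsp !== null) {
         $string = $withoutNbsp;
     }
     return trim(preg_replace('/\\s+/', '', $string));
 }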
    /**
     * Purifies $html according to $level (see the CODENDI_PURIFIER_* constants).
     *
     * From most to least restrictive:
     *  - CODENDI_PURIFIER_CONVERT_HTML (default): every HTML markup is turned
     *    into entities (htmlentities, ENT_QUOTES, UTF-8).
     *  - CODENDI_PURIFIER_STRIP_HTML: HTML Purifier strips all markup. As this
     *    relies on HTML Purifier rather than plain escaping it is considered
     *    less safe than CONVERT_HTML; prefer CONVERT_HTML when in doubt.
     *  - CODENDI_PURIFIER_BASIC / BASIC_NOBR: entities plus clickable links
     *    (makeLinks, needs $groupId for automagic links); BASIC also turns
     *    newlines into <br>.
     *  - CODENDI_PURIFIER_LIGHT: project references are inserted through the
     *    reference manager (when $groupId is given), then the text goes
     *    through HTML Purifier with the light configuration
     *    (@see getLightConfig()).
     *  - CODENDI_PURIFIER_FULL: HTML Purifier only (removes forms, javascript,
     *    ...); no automagic links and no newline-to-br conversion.
     *  - CODENDI_PURIFIER_JS_QUOTE / JS_DQUOTE: escaping for embedding in a
     *    single- or double-quoted JavaScript string (see the cases below).
     *  - CODENDI_PURIFIER_DISABLED: no filtering at all.
     *
     * @param string $html    Input to purify.
     * @param int    $level   One of the CODENDI_PURIFIER_* constants.
     * @param int    $groupId Project id, used for automagic links and references.
     * @return string
     */
    function purify($html, $level = 0, $groupId = 0)
    {
        // LIGHT: an empty input is returned as is; otherwise references are
        // inserted first (when a project is given) and the result then takes
        // the HTML Purifier path below.
        if ($level == CODENDI_PURIFIER_LIGHT) {
            if (empty($html)) {
                return $html;
            }
            if ($groupId) {
                $this->getReferenceManager()->insertReferences($html, $groupId);
            }
        }
        switch ($level) {
            case CODENDI_PURIFIER_DISABLED:
                return $html;
            case CODENDI_PURIFIER_LIGHT:
            case CODENDI_PURIFIER_STRIP_HTML:
            case CODENDI_PURIFIER_FULL:
                require_once 'HTMLPurifier.auto.php';
                $purifier = HTMLPurifier::getInstance();
                $config = $this->getHPConfig($level);
                $clean = $purifier->purify($html, $config);
                unset($config); // the config object is large; release it early
                return $clean;
            case CODENDI_PURIFIER_BASIC:
                return nl2br($this->makeLinks(htmlentities($html, ENT_QUOTES, 'UTF-8'), $groupId));
            case CODENDI_PURIFIER_BASIC_NOBR:
                return $this->makeLinks(htmlentities($html, ENT_QUOTES, 'UTF-8'), $groupId);
            case CODENDI_PURIFIER_JS_QUOTE:
                // Literal "\n" sequences become real newlines, quotes and
                // backslashes are escaped with addslashes(), and "</script>" is
                // split so the string cannot close a surrounding <script>.
                // NOTE(review): addslashes() is not a JavaScript string escaper
                // (the newlines introduced here and U+2028/2029 stay unescaped);
                // json_encode() would be the safer tool — confirm how callers
                // embed the result.
                $unescaped = preg_replace('/\\\\n/ums', "\n", $html);
                return preg_replace('/\\<\\/script\\>/umsi', "</'+'script>", addslashes($unescaped));
            case CODENDI_PURIFIER_JS_DQUOTE:
                $unescaped = preg_replace('/\\\\n/ums', "\n", $html);
                return preg_replace('/\\<\\/script\\>/umsi', '</"+"script>', addslashes($unescaped));
            case CODENDI_PURIFIER_CONVERT_HTML:
            default:
                return htmlentities($html, ENT_QUOTES, 'UTF-8');
        }
    }
 /**
  * Wires up the Markdown parser and the shared HTML Purifier singleton.
  */
 public function __construct()
 {
     $this->purifier = \HTMLPurifier::getInstance();
     $this->parsedown = new \Parsedown();
 }
 /**
  * Purifies $html as the parent does, with one extra level: for
  * CODENDI_PURIFIER_FORUMML the text goes through HTML Purifier (config from
  * getHPConfig()) and URLs are then made clickable with util_make_links().
  *
  * @param string $html    Input to purify.
  * @param int    $level   One of the CODENDI_PURIFIER_* constants.
  * @param int    $groupId Project id, used for link generation.
  * @return string
  */
 function purify($html, $level = 0, $groupId = 0)
 {
     if ($level != CODENDI_PURIFIER_FORUMML) {
         return parent::purify($html, $level, $groupId);
     }
     require_once $GLOBALS['htmlpurifier_dir'] . '/HTMLPurifier.auto.php';
     $purifier = HTMLPurifier::getInstance();
     $config = $this->getHPConfig($level);
     return util_make_links($purifier->purify($html, $config), $groupId);
 }