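 /**
  * Run the response body through HTML Purifier when the output filter is enabled.
  *
  * Template delimiters ('{' and '}') are swapped for placeholder tokens before
  * purification and restored afterwards so the purifier does not mangle them.
  * Results are memoised per process, keyed by an md5 of the input, so an
  * identical fragment is only purified once.
  *
  * @param GenericEvent $event Event whose ->data holds the string to filter.
  *
  * @return string|null The filtered data, or null when the filter is disabled
  *                     (System var 'outputfilter' > 1).
  */
 public function outputFilter(GenericEvent $event)
 {
     if (System::getVar('outputfilter') > 1) {
         return;
     }

     // per-process cache of already purified fragments, keyed by md5 of the input
     static $safecache = array();

     $purifier = SecurityCenterUtil::getpurifier();
     $md5 = md5($event->data);

     // check if the value is in the safecache
     if (isset($safecache[$md5])) {
         $event->data = $safecache[$md5];

         return $event->data;
     }

     // save renderer delimiters on both sides; the original replaced '{' twice,
     // so '}' was never protected while the purifier ran
     $data = str_replace('{', '%VIEW_LEFT_DELIMITER%', $event->data);
     $data = str_replace('}', '%VIEW_RIGHT_DELIMITER%', $data);

     $data = $purifier->purify($data);

     // restore renderer delimiters
     $data = str_replace('%VIEW_LEFT_DELIMITER%', '{', $data);
     $data = str_replace('%VIEW_RIGHT_DELIMITER%', '}', $data);

     // cache the value
     $safecache[$md5] = $data;
     $event->data = $data;

     return $event->data;
 }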
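 /**
  * Initialise the SecurityCenter module.
  *
  * This function is only ever called once during the lifetime of a particular
  * module instance. It creates the intrusion table and seeds every module and
  * system variable the module relies on.
  *
  * @return bool true on success, false otherwise
  */
 public function install()
 {
     // create the table
     try {
         DoctrineHelper::createSchema($this->entityManager, array('SecurityCenterModule\\Entity\\Intrusion'));
     } catch (\Exception $e) {
         // record why schema creation failed instead of failing silently
         LogUtil::registerError($e->getMessage());

         return false;
     }

     // Set up an initial value for a module variable.
     $this->setVar('itemsperpage', 10);

     // We use config vars for the rest of the configuration as config vars
     System::setVar('updatecheck', 1);
     System::setVar('updatefrequency', 7);
     System::setVar('updatelastchecked', 0);
     System::setVar('updateversion', Core::VERSION_NUM);
     System::setVar('keyexpiry', 0);
     System::setVar('sessionauthkeyua', false);
     System::setVar('secure_domain', '');
     System::setVar('signcookies', 1);
     // cookie signing key: must be unpredictable, so it comes from a CSPRNG
     // where one is available (the original seeded sha1() with mt_rand())
     System::setVar('signingkey', $this->generateSigningKey());
     System::setVar('seclevel', 'Medium');
     System::setVar('secmeddays', 7);
     System::setVar('secinactivemins', 20);
     System::setVar('sessionstoretofile', 0);
     System::setVar('sessionsavepath', '');
     System::setVar('gc_probability', 100);
     System::setVar('anonymoussessions', 1);
     System::setVar('sessionrandregenerate', true);
     System::setVar('sessionregenerate', true);
     System::setVar('sessionregeneratefreq', 10);
     System::setVar('sessionipcheck', 0);
     System::setVar('sessionname', '_zsid');
     System::setVar('sessioncsrftokenonetime', 0); // 1 means use same token for entire session
     System::setVar('filtergetvars', 1);
     System::setVar('filterpostvars', 1);
     System::setVar('filtercookievars', 1);
     System::setVar('outputfilter', 1);

     // Location of HTML Purifier
     System::setVar('htmlpurifierlocation', __DIR__ . '/vendor/htmlpurifier/');

     // HTML Purifier cache dir
     $purifierCacheDir = CacheUtil::getLocalDir() . '/purifierCache';
     if (!file_exists($purifierCacheDir)) {
         // NOTE(review): presumably clearLocalDir() creates the directory when absent — confirm
         CacheUtil::clearLocalDir('purifierCache');
     }

     // HTML Purifier default settings
     $purifierDefaultConfig = SecurityCenterUtil::getpurifierconfig(array('forcedefault' => true));
     $this->setVar('htmlpurifierConfig', serialize($purifierDefaultConfig));

     // create vars for phpids usage
     System::setVar('useids', 0);
     System::setVar('idsmail', 0);
     System::setVar('idsrulepath', __DIR__ . '/Resources/config/phpids_zikula_default.xml');
     System::setVar('idssoftblock', 1); // do not block requests, but warn for debugging
     System::setVar('idsfilter', 'xml'); // filter type
     System::setVar('idsimpactthresholdone', 1); // db logging
     System::setVar('idsimpactthresholdtwo', 10); // mail admin
     System::setVar('idsimpactthresholdthree', 25); // block request
     System::setVar('idsimpactthresholdfour', 75); // kick user, destroy session
     System::setVar('idsimpactmode', 1); // per request per default
     System::setVar('idshtmlfields', array('POST.__wysiwyg'));
     System::setVar('idsjsonfields', array('POST.__jsondata'));
     System::setVar('idsexceptions', array('GET.__utmz', 'GET.__utmc', 'REQUEST.linksorder', 'POST.linksorder', 'REQUEST.fullcontent', 'POST.fullcontent', 'REQUEST.summarycontent', 'POST.summarycontent', 'REQUEST.filter.page', 'POST.filter.page', 'REQUEST.filter.value', 'POST.filter.value'));

     // now lets set the default mail message contents
     // file is read from includes directory
     $summarycontent = $this->readMailTemplate(__DIR__ . '/vendor/summary.txt');
     System::setVar('summarycontent', $summarycontent);
     $fullcontent = $this->readMailTemplate(__DIR__ . '/vendor/full.txt');
     System::setVar('fullcontent', $fullcontent);

     // cci vars, see pndocs/ccisecuritystrings.txt
     System::setVar('usehtaccessbans', 0);
     System::setVar('extrapostprotection', 0);
     System::setVar('extragetprotection', 0);
     System::setVar('checkmultipost', 0);
     System::setVar('maxmultipost', 4);
     System::setVar('cpuloadmonitor', 0);
     System::setVar('cpumaxload', 10.0);
     System::setVar('ccisessionpath', '');
     System::setVar('htaccessfilelocation', '.htaccess');
     System::setVar('nocookiebanthreshold', 10);
     System::setVar('nocookiewarningthreshold', 2);
     System::setVar('fastaccessbanthreshold', 40);
     System::setVar('fastaccesswarnthreshold', 10);
     System::setVar('javababble', 0);
     System::setVar('javaencrypt', 0);
     System::setVar('preservehead', 0);
     System::setVar('filterarrays', 1);
     System::setVar('htmlentities', '1');

     // default values for AllowableHTML
     $defhtml = array('!--' => 2, 'a' => 2, 'abbr' => 1, 'acronym' => 1, 'address' => 1, 'applet' => 0, 'area' => 0, 'article' => 1, 'aside' => 1, 'audio' => 0, 'b' => 1, 'base' => 0, 'basefont' => 0, 'bdo' => 0, 'big' => 0, 'blockquote' => 2, 'br' => 2, 'button' => 0, 'canvas' => 0, 'caption' => 1, 'center' => 2, 'cite' => 1, 'code' => 0, 'col' => 1, 'colgroup' => 1, 'command' => 0, 'datalist' => 0, 'dd' => 1, 'del' => 0, 'details' => 1, 'dfn' => 0, 'dir' => 0, 'div' => 2, 'dl' => 1, 'dt' => 1, 'em' => 2, 'embed' => 0, 'fieldset' => 1, 'figcaption' => 0, 'figure' => 0, 'footer' => 0, 'font' => 0, 'form' => 0, 'h1' => 1, 'h2' => 1, 'h3' => 1, 'h4' => 1, 'h5' => 1, 'h6' => 1, 'header' => 0, 'hgroup' => 0, 'hr' => 2, 'i' => 1, 'iframe' => 0, 'img' => 2, 'input' => 0, 'ins' => 0, 'keygen' => 0, 'kbd' => 0, 'label' => 1, 'legend' => 1, 'li' => 2, 'map' => 0, 'mark' => 0, 'menu' => 0, 'marquee' => 0, 'meter' => 0, 'nav' => 0, 'nobr' => 0, 'object' => 0, 'ol' => 2, 'optgroup' => 0, 'option' => 0, 'output' => 0, 'p' => 2, 'param' => 0, 'pre' => 2, 'progress' => 0, 'q' => 0, 'rp' => 0, 'rt' => 0, 'ruby' => 0, 's' => 0, 'samp' => 0, 'script' => 0, 'section' => 0, 'select' => 0, 'small' => 0, 'source' => 0, 'span' => 2, 'strike' => 0, 'strong' => 2, 'sub' => 1, 'summary' => 1, 'sup' => 0, 'table' => 2, 'tbody' => 1, 'td' => 2, 'textarea' => 0, 'tfoot' => 1, 'th' => 2, 'thead' => 0, 'time' => 0, 'tr' => 2, 'tt' => 2, 'u' => 0, 'ul' => 2, 'var' => 0, 'video' => 0, 'wbr' => 0);
     System::setVar('AllowableHTML', $defhtml);

     // Initialisation successful
     return true;
 }

 /**
  * Generate a random 40-character hex signing key.
  *
  * Prefers random_bytes() (PHP 7+), then OpenSSL's CSPRNG, and only falls
  * back to a hashed mix of weak sources when neither is available. The
  * output length matches the sha1() hex the original stored.
  *
  * @return string
  */
 private function generateSigningKey()
 {
     if (function_exists('random_bytes')) {
         return bin2hex(random_bytes(20));
     }
     if (function_exists('openssl_random_pseudo_bytes')) {
         $bytes = openssl_random_pseudo_bytes(20, $strong);
         if ($bytes !== false && $strong) {
             return bin2hex($bytes);
         }
     }

     // last resort: still weak, but better than mt_rand() alone
     return sha1(uniqid(mt_rand(), true) . microtime(true));
 }

 /**
  * Read a default mail template from disk.
  *
  * The original called implode() on the path string, which yields null
  * (and a warning) rather than the file content.
  *
  * @param string $path Absolute path of the template file.
  *
  * @return string File content, or an empty string when the file is unreadable.
  */
 private function readMailTemplate($path)
 {
     if (!is_readable($path)) {
         return '';
     }
     $content = file_get_contents($path);

     return $content === false ? '' : $content;
 }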
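 /**
  * Update HTMLPurifier configuration.
  *
  * Reads the submitted 'purifierConfig' form array, normalises multi-line
  * directive values (LOOKUP, ALIST and HASH types) into the structures
  * HTMLPurifier expects, stores the result as the 'htmlpurifierConfig'
  * module var and clears the compiled caches.
  *
  * @return mixed The redirect response for the modifyconfig page.
  *
  * @throws \Zikula\Framework\Exception\ForbiddenException if the user lacks ACCESS_ADMIN.
  */
 public function updatepurifierconfigAction()
 {
     $this->checkCsrfToken();

     // Security check
     if (!SecurityUtil::checkPermission('SecurityCenter::', '::', ACCESS_ADMIN)) {
         throw new \Zikula\Framework\Exception\ForbiddenException();
     }

     // Load HTMLPurifier Classes
     $purifier = SecurityCenterUtil::getpurifier();
     $configDef = $purifier->config->def;

     // Update module variables.
     $config = $this->request->request->get('purifierConfig', null);
     $config = \HTMLPurifier_Config::prepareArrayFromForm($config, false, true, true, $configDef);

     $allowed = \HTMLPurifier_Config::getAllowedDirectivesForForm(true, $configDef);
     foreach ($allowed as $allowedDirective) {
         list($namespace, $directive) = $allowedDirective;

         // a null value means "not set": drop it, and the namespace if now empty
         $config = $this->withoutNullDirective($config, $namespace, $directive);
         if (!isset($config[$namespace][$directive])) {
             continue;
         }

         $directiveKey = $namespace . '.' . $directive;
         $def = isset($configDef->info[$directiveKey]) ? $configDef->info[$directiveKey] : null;

         $parsed = $this->parseMultiLineDirective($this->directiveType($def), $config[$namespace][$directive]);
         if ($parsed === null) {
             // scalar directive: keep the submitted value as-is
             continue;
         }

         if (empty($parsed)) {
             // nothing usable was submitted; fall back to the schema default
             unset($config[$namespace][$directive]);
             if (count($config[$namespace]) <= 0) {
                 unset($config[$namespace]);
             }
         } else {
             $config[$namespace][$directive] = $parsed;
         }
     }

     $this->setVar('htmlpurifierConfig', serialize($config));

     // NOTE(review): presumably the true argument rebuilds the purifier with the new config — confirm
     SecurityCenterUtil::getpurifier(true);

     // clear all cache and compile directories
     ModUtil::apiFunc('SettingsModule', 'admin', 'clearallcompiledcaches');

     // the module configuration has been updated successfuly
     LogUtil::registerStatus($this->__('Done! Saved HTMLPurifier configuration.'));

     // This function generated no output, and so now it is complete we redirect
     // the user to an appropriate page for them to carry on their work
     return $this->redirect(ModUtil::url('SecurityCenter', 'admin', 'modifyconfig'));
 }

 /**
  * Remove a directive whose submitted value is null, pruning its namespace when empty.
  *
  * @param array  $config    Form config as returned by prepareArrayFromForm().
  * @param string $namespace Directive namespace (e.g. 'HTML').
  * @param string $directive Directive name within the namespace.
  *
  * @return array The config without the null entry.
  */
 private function withoutNullDirective(array $config, $namespace, $directive)
 {
     if (isset($config[$namespace])
         && array_key_exists($directive, $config[$namespace])
         && is_null($config[$namespace][$directive])
     ) {
         unset($config[$namespace][$directive]);
         if (count($config[$namespace]) <= 0) {
             unset($config[$namespace]);
         }
     }

     return $config;
 }

 /**
  * Resolve the HTMLPurifier_VarParser type of a schema definition entry.
  *
  * @param mixed $def Entry from the schema's info table; the compact form is
  *                   a (possibly negative) int, the full form an object with ->type.
  *
  * @return int Type constant, or 0 when it cannot be determined.
  */
 private function directiveType($def)
 {
     if (is_int($def)) {
         return abs($def);
     }

     return isset($def->type) ? $def->type : 0;
 }

 /**
  * Convert a textarea value into the array shape a multi-line directive expects.
  *
  * Lines are trimmed and blank lines ignored. A line is only dropped when it is
  * empty, so a literal '0' survives (the original's empty() check discarded it).
  *
  * @param int    $type Constant from HTMLPurifier_VarParser.
  * @param string $raw  Submitted textarea content.
  *
  * @return array|null Parsed value (possibly empty), or null for scalar types.
  */
 private function parseMultiLineDirective($type, $raw)
 {
     switch ($type) {
         case \HTMLPurifier_VarParser::LOOKUP:
             $parsed = array();
             foreach ($this->splitLines($raw) as $val) {
                 $parsed[$val] = true;
             }

             return $parsed;
         case \HTMLPurifier_VarParser::ALIST:
             return $this->splitLines($raw);
         case \HTMLPurifier_VarParser::HASH:
             $parsed = array();
             foreach ($this->splitLines($raw) as $line) {
                 // split on the first ':' only so values may contain colons;
                 // the original list() on an unlimited explode() raised a notice
                 // for lines without a separator
                 $parts = explode(':', $line, 2);
                 if (count($parts) !== 2) {
                     continue;
                 }
                 $key = trim($parts[0]);
                 $value = trim($parts[1]);
                 if ($key !== '' && $value !== '') {
                     $parsed[$key] = $value;
                 }
             }

             return $parsed;
     }

     return null;
 }

 /**
  * Split submitted text into trimmed, non-empty lines.
  *
  * Accepts CRLF, CR and LF endings; browsers submit textarea content with CRLF
  * regardless of the server's PHP_EOL.
  *
  * @param string $text
  *
  * @return array List of lines.
  */
 private function splitLines($text)
 {
     $lines = array();
     foreach (preg_split('/\r\n|\r|\n/', (string) $text) as $line) {
         $line = trim($line);
         if ($line !== '') {
             $lines[] = $line;
         }
     }

     return $lines;
 }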