/** * output filter to implement html purifier * * @param \Zikula_Event $event event object * * @return mixed modified event data */ public function outputFilter(Zikula_Event $event) { if (System::getVar('outputfilter') > 1) { return; } // recursive call for arrays // [removed as it's duplicated in datautil] // prepare htmlpurifier class static $safecache; $purifier = SecurityCenterUtil::getpurifier(); $md5 = md5($event->data); // check if the value is in the safecache if (isset($safecache[$md5])) { $event->data = $safecache[$md5]; } else { // save renderer delimiters $event->data = str_replace('{', '%VIEW_LEFT_DELIMITER%', $event->data); $event->data = str_replace('}', '%VIEW_RIGHT_DELIMITER%', $event->data); $event->data = $purifier->purify($event->data); // restore renderer delimiters $event->data = str_replace('%VIEW_LEFT_DELIMITER%', '{', $event->data); $event->data = str_replace('%VIEW_RIGHT_DELIMITER%', '}', $event->data); // cache the value $safecache[$md5] = $event->data; } return $event->data; }
/** * initialise the SecurityCenter module * * @return bool true on success, false otherwise */ public function install() { // create the table try { DoctrineHelper::createSchema($this->entityManager, array('Zikula\\SecurityCenterModule\\Entity\\IntrusionEntity')); } catch (\Exception $e) { return false; } // Set up an initial value for a module variable. $this->setVar('itemsperpage', 10); // We use config vars for the rest of the configuration as config vars System::setVar('updatecheck', 1); System::setVar('updatefrequency', 7); System::setVar('updatelastchecked', 0); System::setVar('updateversion', Zikula_Core::VERSION_NUM); System::setVar('keyexpiry', 0); System::setVar('sessionauthkeyua', false); System::setVar('secure_domain', ''); System::setVar('signcookies', 1); System::setVar('signingkey', sha1(mt_rand(0, time()))); System::setVar('seclevel', 'Medium'); System::setVar('secmeddays', 7); System::setVar('secinactivemins', 20); System::setVar('sessionstoretofile', 0); System::setVar('sessionsavepath', ''); System::setVar('gc_probability', 100); System::setVar('anonymoussessions', 1); System::setVar('sessionrandregenerate', true); System::setVar('sessionregenerate', true); System::setVar('sessionregeneratefreq', 10); System::setVar('sessionipcheck', 0); System::setVar('sessionname', '_zsid'); System::setVar('sessioncsrftokenonetime', 1); // 1 means use same token for entire session System::setVar('filtergetvars', 1); System::setVar('filterpostvars', 1); System::setVar('filtercookievars', 1); System::setVar('outputfilter', 1); // Location of HTML Purifier System::setVar('htmlpurifierlocation', __DIR__ . '/vendor/htmlpurifier/'); // HTML Purifier cache dir $purifierCacheDir = CacheUtil::getLocalDir() . '/purifierCache'; if (!file_exists($purifierCacheDir)) { CacheUtil::clearLocalDir('purifierCache'); } // HTML Purifier default settings $purifierDefaultConfig = SecurityCenterUtil::getpurifierconfig(array('forcedefault' => true)); $this->setVar('htmlpurifierConfig', serialize($purifierDefaultConfig)); // create vars for phpids usage System::setVar('useids', 0); System::setVar('idsmail', 0); System::setVar('idsrulepath', __DIR__ . '/Resources/config/phpids_zikula_default.xml'); System::setVar('idssoftblock', 1); // do not block requests, but warn for debugging System::setVar('idsfilter', 'xml'); // filter type System::setVar('idsimpactthresholdone', 1); // db logging System::setVar('idsimpactthresholdtwo', 10); // mail admin System::setVar('idsimpactthresholdthree', 25); // block request System::setVar('idsimpactthresholdfour', 75); // kick user, destroy session System::setVar('idsimpactmode', 1); // per request per default System::setVar('idshtmlfields', array('POST.__wysiwyg')); System::setVar('idsjsonfields', array('POST.__jsondata')); System::setVar('idsexceptions', array('GET.__utmz', 'GET.__utmc', 'REQUEST.linksorder', 'POST.linksorder', 'REQUEST.fullcontent', 'POST.fullcontent', 'REQUEST.summarycontent', 'POST.summarycontent', 'REQUEST.filter.page', 'POST.filter.page', 'REQUEST.filter.value', 'POST.filter.value')); System::setVar('htmlentities', '1'); // default values for AllowableHTML $defhtml = array('!--' => 2, 'a' => 2, 'abbr' => 1, 'acronym' => 1, 'address' => 1, 'applet' => 0, 'area' => 0, 'article' => 1, 'aside' => 1, 'audio' => 0, 'b' => 1, 'base' => 0, 'basefont' => 0, 'bdo' => 0, 'big' => 0, 'blockquote' => 2, 'br' => 2, 'button' => 0, 'canvas' => 0, 'caption' => 1, 'center' => 2, 'cite' => 1, 'code' => 0, 'col' => 1, 'colgroup' => 1, 'command' => 0, 'datalist' => 0, 'dd' => 1, 'del' => 0, 'details' => 1, 'dfn' => 0, 'dir' => 0, 'div' => 2, 'dl' => 1, 'dt' => 1, 'em' => 2, 'embed' => 0, 'fieldset' => 1, 'figcaption' => 0, 'figure' => 0, 'footer' => 0, 'font' => 0, 'form' => 0, 'h1' => 1, 'h2' => 1, 'h3' => 1, 'h4' => 1, 'h5' => 1, 'h6' => 1, 'header' => 0, 'hgroup' => 0, 'hr' => 2, 'i' => 1, 'iframe' => 0, 'img' => 2, 'input' => 0, 'ins' => 0, 'keygen' => 0, 'kbd' => 0, 'label' => 1, 'legend' => 1, 'li' => 2, 'map' => 0, 'mark' => 0, 'menu' => 0, 'marquee' => 0, 'meter' => 0, 'nav' => 0, 'nobr' => 0, 'object' => 0, 'ol' => 2, 'optgroup' => 0, 'option' => 0, 'output' => 0, 'p' => 2, 'param' => 0, 'pre' => 2, 'progress' => 0, 'q' => 0, 'rp' => 0, 'rt' => 0, 'ruby' => 0, 's' => 0, 'samp' => 0, 'script' => 0, 'section' => 0, 'select' => 0, 'small' => 0, 'source' => 0, 'span' => 2, 'strike' => 0, 'strong' => 2, 'sub' => 1, 'summary' => 1, 'sup' => 0, 'table' => 2, 'tbody' => 1, 'td' => 2, 'textarea' => 0, 'tfoot' => 1, 'th' => 2, 'thead' => 0, 'time' => 0, 'tr' => 2, 'tt' => 2, 'u' => 0, 'ul' => 2, 'var' => 0, 'video' => 0, 'wbr' => 0); System::setVar('AllowableHTML', $defhtml); // Initialisation successful return true; }